RE: [ActiveDir] Adfind + Admod help
I agree with Al in that I don't see an obvious way to do this from a single command line. The key, as he mentioned, is going to be getting a list of unique department numbers and section numbers. I'd probably separate those out into two distinct lists, one for departments and one for sections. Once you have those lists, you could pipe them to admod or any other tool of your choice to create the groups. However, since you're probably going to need some script to generate the lists, you might as well keep the group creation within the script as well. The problem with trying to use adfind is that you are not going to be able to construct an LDAP query that returns only unique instances of apsgDepartment and apsgSection. No knock on adfind, you'll run into the same thing with ldp or dsquery. You can query for and return any object that has those attributes populated, but the returned set of those attributes will have duplicates. That's where your script will throw the attributes into a hash (or scripting dictionary) to eliminate the duplicates. The outline of your script would look something like this: -query AD for all user objects that have apsgDepartment and/or apsgSection populated -loop through the returned set to build unique lists of Department numbers and Section numbers -loop through the Department number list and create a group for each one -loop through the Section number list and create a group for each one, and nest it in the corresponding Department group None of that is heinously difficult to script. I'd probably lean towards powershell or perl, since they handle hashes better than VBScript. But it's certainly feasible in VBScript as well. Holler if you want some help going down this road. Hunter _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Tuesday, January 23, 2007 8:46 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Adfind + Admod help Thank you for the response Al. To answer your ultimate question, which was Does that help, or ??, then I would have to lean more towards ?? in my case. Not to say you didn't give some excellent options, but unfortunately it all boils down to me simply not being any sort of a programmer and so I currently wouldn't know how to do any of the options you suggest. (I'm studying the ways of VBScripting right now). To answer an earlier question, Do you already have the department names in a list? Or is that something that you have to gather first?, the department and section information is already contained within Active Directory through Schema Extensions. The actual names of the departments/sections are not important at this level, all I need to be concerned with is the department and section numbers. As an example... dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com apsgDepartment: 24 apsgSection: 242 I am a part of Department 24, section 242. Thus, my user account should be a member of the (not created yet) Sec242 security group, and then the Sec242 security group would be a member of the (not created yet) Dep24 security group. I too was hoping I could lure Joe out to respond and see if Adfind + Admod could meet this challenge. I'm certainly hoping so. J Thanks, ~Ben From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Monday, January 22, 2007 5:38 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Adfind + Admod help Do you already have the department names in a list? Or is that something that you have to gather first? If you have to gather, then I assume you'll have to iterate each user object and determine the department value. Then, you'll create a group for every single unique instance of department value. After those are created, you'd then create the section sg's and make them members of the relevant department sg. Is there a clean way? I don't think it's something that you can do on a single command line, although I throw that out there mostly as a challenge to joe. He likes that kind of challenge I suspect ;) Couple of options come to mind: You could build a table and based on that table you can create/populate. ADMOD and ADFIND could be useful to you there. You could build a script that uses dictionary objects and creates the unique instances for you and correlates that information to the sections and then creates/populates. It's slightly complex, but... Building the tables, you could then execute manually. Depends on the scope of course. Of course, .NET is an option as well. Same logic depending on language though. And you will want to do this in passes most likely so you can ensure that the department group is created when it comes time to add an object to it. It's helpful to do it that way... Does that help, or ?? Al On 1/22/07, WATSON, BEN [EMAIL PROTECTED] wrote: Hey guys, I'm trying to wrap my brain around how best to accomplish this and
RE: [ActiveDir] Adfind + Admod help
Powershell is the latest-greatest command shell for Windows. http://www.microsoft.com/technet/scriptcenter/webcasts/ps.mspx has some webcasts on it, and http://www.microsoft.com/windowsserver2003/technologies/management/power shell/faq.mspx is the FAQ. I don't see VBScript going away anytime soon, but I suspect that PS is going to be the way of the future in many respects, especially for sys admin types. The downside, for now, is that there isn't the depth and breadth of resources available yet for PS that exist for VBScript. That's slowly changing, but will take some time. The script center is a good spot to poke through sample code for either one: http://www.microsoft.com/technet/scriptcenter/default.mspx Hunter _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Tuesday, January 23, 2007 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Adfind + Admod help Thanks for the response Hunter. Yeah, that's pretty much the logic that I had come down to. By the way, what is the real difference between Powershell and VBScript anyway? I've been hearing more and more about Powershell lately, and since I'm going to take the time to learn a scripting language, I will want to make sure I learn the one that will have the most value to me from an administration perspective. Let me go talk to my local software dev here in our department. I'm sure we'll be able to come to a solution no problem. It just bugs me that I don't know how to do scripting like this yet. And I'll certainly holler if I run out of options. Thanks again, ~Ben From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter Sent: Tuesday, January 23, 2007 9:12 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Adfind + Admod help I agree with Al in that I don't see an obvious way to do this from a single command line. The key, as he mentioned, is going to be getting a list of unique department numbers and section numbers. I'd probably separate those out into two distinct lists, one for departments and one for sections. Once you have those lists, you could pipe them to admod or any other tool of your choice to create the groups. However, since you're probably going to need some script to generate the lists, you might as well keep the group creation within the script as well. The problem with trying to use adfind is that you are not going to be able to construct an LDAP query that returns only unique instances of apsgDepartment and apsgSection. No knock on adfind, you'll run into the same thing with ldp or dsquery. You can query for and return any object that has those attributes populated, but the returned set of those attributes will have duplicates. That's where your script will throw the attributes into a hash (or scripting dictionary) to eliminate the duplicates. The outline of your script would look something like this: -query AD for all user objects that have apsgDepartment and/or apsgSection populated -loop through the returned set to build unique lists of Department numbers and Section numbers -loop through the Department number list and create a group for each one -loop through the Section number list and create a group for each one, and nest it in the corresponding Department group None of that is heinously difficult to script. I'd probably lean towards powershell or perl, since they handle hashes better than VBScript. But it's certainly feasible in VBScript as well. Holler if you want some help going down this road. Hunter _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Tuesday, January 23, 2007 8:46 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Adfind + Admod help Thank you for the response Al. To answer your ultimate question, which was Does that help, or ??, then I would have to lean more towards ?? in my case. Not to say you didn't give some excellent options, but unfortunately it all boils down to me simply not being any sort of a programmer and so I currently wouldn't know how to do any of the options you suggest. (I'm studying the ways of VBScripting right now). To answer an earlier question, Do you already have the department names in a list? Or is that something that you have to gather first?, the department and section information is already contained within Active Directory through Schema Extensions. The actual names of the departments/sections are not important at this level, all I need to be concerned with is the department and section numbers. As an example... dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com apsgDepartment: 24 apsgSection: 242 I am a part of Department 24, section 242. Thus, my user account should be a member of the (not created yet) Sec242 security group, and then the Sec242 security group would be a member of the (not created yet) Dep24 security group. I too was hoping I could lure
RE: [ActiveDir] Remote DC's on Virtual Server
IMHO, ESX/VM Infrastructure and Virtual Server are like apples and oranges. Yes, they are both virtualization environments, but have vastly different capabilities. VM Infrastructure has a much broader and deeper feature set that does come with added cost and complexity. Regardless, in the context of the original question I'd be concerned about the load Exchange is going to place on the host hardware. How many Exchange users are in the 8 domains, and how many of these would potentially be connecting to the alternate site? Are you going to have GC availability to support Exchange? What other resources at the hotsite might be looking for DC/GC services? I would also be careful about having a configuration at my hotsite that is significantly different from my normal production environment. When things have melted down to the point of failing over to the hotsite, it's not a good time to be pulling out the manuals for your infrastructure because you don't work with it day in and day out. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Thursday, January 18, 2007 1:22 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote DC's on Virtual Server ESX (VMWare) is good - and pricey. And very strict as to hardware specs. And complex to setup and administer. And, I could be wrong on this, NOT (MS)-supported for virtualizing DCs. Virtual Server, on the other hand, is good, not pricey, less picky, more supported (I believe it's actually validated) for DCs virtualization. Plus, the liberal OS licensing scheme is very attractive to me. Yes, I know, VMWare rules the market. Yes, I am biased. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com x-excid://3277/uri:http://www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _ From: Salandra, Justin A. Sent: Thu 1/18/2007 11:57 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Remote DC's on Virtual Server What would you recommend for the following situation. We are thinking of having a hot site where Exchange will be replicated to a remote location. Since Exchange will be remote over the Internet, we will need to have DC's for each domain available in that remote site. (This would all be going across a VPN) I was thinking about placing 8 DC's on a VMWare Infrastructure 3 server Enterprise edition. These DC's would really only be used in the event of a disaster and people started connecting to Exchange up in the remote site. Is VMWare Infrastructure 3 good? What would you use? Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
RE: [ActiveDir] Remote DC's on Virtual Server
On the Virtual Infrastructure side: Moving running guests across hosts (vmotion), the network configuration options, lower host overhead, grouping hosts into resource pools and allowing guests to automatically migrate based on allocation guarantees, 4-way SMP guests, 64-bit guests :- Nothing wrong with Virtual Server, but I see it more on par with VMware Server than ESX/Virtual Infrastructure. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Thursday, January 18, 2007 2:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote DC's on Virtual Server Interesting points, Hunter. Not to engage in a holy war or something, but would you mind mentioning what makes one of these Orange and the other Apple (the fruit)? No, don't mention 64-bit Guest, thank you very much :)[1] [1]Grumbling I wish MS will hurry up on this front already. /grumbling Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com x-excid://3277/uri:http://www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _ From: Coleman, Hunter Sent: Thu 1/18/2007 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote DC's on Virtual Server IMHO, ESX/VM Infrastructure and Virtual Server are like apples and oranges. Yes, they are both virtualization environments, but have vastly different capabilities. VM Infrastructure has a much broader and deeper feature set that does come with added cost and complexity. Regardless, in the context of the original question I'd be concerned about the load Exchange is going to place on the host hardware. How many Exchange users are in the 8 domains, and how many of these would potentially be connecting to the alternate site? Are you going to have GC availability to support Exchange? What other resources at the hotsite might be looking for DC/GC services? I would also be careful about having a configuration at my hotsite that is significantly different from my normal production environment. When things have melted down to the point of failing over to the hotsite, it's not a good time to be pulling out the manuals for your infrastructure because you don't work with it day in and day out. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Thursday, January 18, 2007 1:22 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote DC's on Virtual Server ESX (VMWare) is good - and pricey. And very strict as to hardware specs. And complex to setup and administer. And, I could be wrong on this, NOT (MS)-supported for virtualizing DCs. Virtual Server, on the other hand, is good, not pricey, less picky, more supported (I believe it's actually validated) for DCs virtualization. Plus, the liberal OS licensing scheme is very attractive to me. Yes, I know, VMWare rules the market. Yes, I am biased. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com x-excid://3277/uri:http://www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _ From: Salandra, Justin A. Sent: Thu 1/18/2007 11:57 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Remote DC's on Virtual Server What would you recommend for the following situation. We are thinking of having a hot site where Exchange will be replicated to a remote location. Since Exchange will be remote over the Internet, we will need to have DC's for each domain available in that remote site. (This would all be going across a VPN) I was thinking about placing 8 DC's on a VMWare Infrastructure 3 server Enterprise edition. These DC's would really only be used in the event of a disaster and people started connecting to Exchange up in the remote site. Is VMWare Infrastructure 3 good? What would you use? Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
RE: [ActiveDir] R2 Schema
No, you will still need to extend the schema to support DFS: http://technet2.microsoft.com/WindowsServer/en/library/84445c1b-a418-4a0 9-a50c-5f3258cfc5b51033.mspx?mfr=true -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona Sent: Friday, January 12, 2007 4:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] R2 Schema Interesting. I have a similar situation. But in my case they want me to roll out R2 on 10 of my W2K3sp1 file and print servers to take advantage of DFS. After reading the installation docs from the CD it appears to me that I don't have to extend the schema because the servers I will be upgrading are not DCs...would like a reassurance that this is indeed the case with the community... -many thanks -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Friday, January 12, 2007 3:11 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] R2 Schema I have a customer that is really pushing to have the R2 schema loaded in our W2K3 SP1 environment. The plan is to take advantage of the new DFS extensions. We don't have any plans to upgrade to R2 in the foreseeable future so we'd basically be running W2K3 with the R2 schema for several months or years. Does anyone see any potential issues with that? List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] quota issues
http://www.google.com/search?sourceid=navclientie=UTF-8rls=GGLD,GGLD:2004-22,GGLD:enq=windows+alternate+data+stream http://support.microsoft.com/kb/814594/en-us From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio ArandaSent: Wednesday, October 25, 2006 10:17 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] quota issues Im sorry but I dont know what you mean by files having streams. Can you explain that attribute to me? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike GuestSent: Wednesday, October 25, 2006 10:06 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] quota issues Just a couple of thoughts Have you tried searching the disk for other files marked with him as owner perhaps from a legacy share which no longer exists? Alternatively, is it possible that one of the files hes copying has streams? I understand the space used by a stream does not get added to the disk space that windows reports, but perhaps it affects the quota? Mike GuestIT SolutionsHMLPadiham DDI: +44 (0)1282 682550 Internal Extension: (61) 2550 From: Antonio Aranda [mailto:[EMAIL PROTECTED] Sent: 25 October 2006 15:33To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] quota issues There seems to be mostly small files; 5 to 7 K. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Parag NagwekarSent: Tuesday, October 24, 2006 11:26 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] quota issues I guess he is probably trying to write or copy file which is quite big, may be more than 200Mb in size. Please tell him to write smaller file on the file system where he already using 300MB. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio ArandaSent: Tuesday, October 24, 2006 12:55 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] quota issues Im having weird quota issues. I have a partition that has the default quota set to a 500 MB. There are a good hundred users that wring to that partition but only one is having this issue; he keeps running out of quota even though he has only written about 300 MB to his subdirectory. He can only write to that subdirectory so why is he running out of space? Antonio Aranda Network Analyst UT-Permian Basin 432-552-2413 *This email is intended only for the addressee named above. As this email may contain confidential or privileged information, if you are not the named addressee or receive this message in error, please notify us immediately, delete it and do not make use of or copy it.This message is protected by copyright. HML accepts no responsibility for viruses found in this message or any file attachment.Homeloan Management LimitedRegistered in England No. 22148391 Providence Place, Skipton, North Yorkshire BD23 2HL**
RE: [ActiveDir] Switching distibution lists to security groups
Rob- This came up just the other day. Check http://www.mail-archive.com/activedir@mail.activedir.org/msg47273.htmland see if the responses there help. Hunter From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Huber, Rob (HNI Corp)Sent: Tuesday, October 24, 2006 8:10 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Switching distibution lists to security groups Hello, This may be an easy answer, but I want to get feedback anyway. What are the potential problems/issues/concerns with switching distribution groups to security groups? Our Sharepoint group has rolled out Sharepoint site permissions based on DLs. I believe that DLs should be used for DLs and security groups should be used for security (or permissions in this case) and have encouraged them to set the permissions accordingly. Their counter is that the site owners do not know the membership of the security groups, but know the membership of their respective groups DLs and therefore it is easier to administrate the permissions that way. A simple fix would be to switch the DLs to security groups, however that seams a bit too simple.
RE: [ActiveDir] nslookup. AD beginer question
You may be running into this: http://support.microsoft.com/kb/825675/en-us From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon LinanSent: Monday, August 28, 2006 12:15 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] nslookup. AD beginer question Hi Everyone, When I do a nslookup domain.com, being domain.com my AD domain, what should I see? A list of the dns server in my domain? A list of the DC? The fact is that I am doing nslookup and I am getting, domain controllers but also a users computer Thanks
RE: [ActiveDir] Replication from ASP
Can't you code your ASP so that it points to the same DC when it creates the user account that PeopleSoft is using for authentication? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, BryanSent: Friday, August 04, 2006 12:05 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Replication from ASP Anyone have any thoughts on this? Thanks, Bryan Lucas Server Administrator Texas Christian University From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, BryanSent: Monday, July 31, 2006 4:12 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Replication from ASP Does anyone know how I force replication through ASP 2.0? My DCs are all local (no WANs) and 2003 SP1. I have a web page that does account creation and then points the user to a portal which attempts to authenticate against AD. The portal software (Peoplesoft) can only attempt against a single DC, so if that user didnt create his account there it doesnt work right away. Bryan Lucas Server Administrator Texas Christian University
RE: [ActiveDir] Granting Exchange Mailbox Access
A different approach is for the Exch Full Admin to simply grant him/herself Full Mailbox Access-Allow on an individual,as-needed basis. I prefer this because it requires a conscious effort on the admin's part to access someone else's mailbox, regardless of what your corporate use policies state about email being the company's property. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, ScottSent: Wednesday, August 02, 2006 5:20 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Granting Exchange Mailbox Access The perm youre looking for is Receive As on the Mailbox store. The problem is that delegating Exchange Full Administrator adds an explicit Deny ACE to CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com for Receive As and that gets replicated all the way down to the mailboxes. So even if you grant your group the required perms, if theyve been delegated EFA, the Deny will override it. Id imagine you can remove the Deny ACE manually, but we just skipped the delegation wizard and added the ACE for Receive As for our Mailbox Admins. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BENSent: Wednesday, August 02, 2006 5:46 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Granting Exchange Mailbox Access In an effort to cut down on service account abuse, Ive been removing and reducing privileges left and right. I have delegated Exchange Full Administrator rights to a few users who had previously been using the service account we originally installed Exchange 2003. Sometimes, the Exchange Administrators will need to access a users mailbox to assist with various issues, and Im having trouble delegating that right to the members of the Exchange Full Administrators group. I have created a domain security group named simply Exchange Full Administrators, and I delegated Exchange Full Administrator rights to that security group at the organizational level. So anyone in that security group should have full administration rights. Ive had to delegate a few other rights in Active Directory for some other reasons to this new security group (for instance to give this security group rights to modify the dynamic mailing list OU); however Im having trouble finding exactly where to delegate rights to give this security group full access to everyones mailbox. Any thoughts? Thanks, ~Ben
RE: [ActiveDir] Granting Exchange Mailbox Access
Check to see if someone removed the explicit Deny for the individual account on Send-As/Receive-As at the Exchange Org level, and if not whether it's getting overridden by an explicit Allow further down the hierarchy. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BENSent: Thursday, August 03, 2006 11:17 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Granting Exchange Mailbox Access Thats actually a very good idea, and I may enforce that on them. I suppose if anything, my curiosity is getting the best of me and Im really wondering what is different between that delegated security group and the individual account that installed Exchange which is granting full mailbox access across the board. I just cant find anything that actually is different between the two. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, HunterSent: Thursday, August 03, 2006 9:20 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Granting Exchange Mailbox Access A different approach is for the Exch Full Admin to simply grant him/herself Full Mailbox Access-Allow on an individual,as-needed basis. I prefer this because it requires a conscious effort on the admin's part to access someone else's mailbox, regardless of what your corporate use policies state about email being the company's property. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, ScottSent: Wednesday, August 02, 2006 5:20 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Granting Exchange Mailbox Access The perm youre looking for is Receive As on the Mailbox store. The problem is that delegating Exchange Full Administrator adds an explicit Deny ACE to CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com for Receive As and that gets replicated all the way down to the mailboxes. So even if you grant your group the required perms, if theyve been delegated EFA, the Deny will override it. Id imagine you can remove the Deny ACE manually, but we just skipped the delegation wizard and added the ACE for Receive As for our Mailbox Admins. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BENSent: Wednesday, August 02, 2006 5:46 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Granting Exchange Mailbox Access In an effort to cut down on service account abuse, Ive been removing and reducing privileges left and right. I have delegated Exchange Full Administrator rights to a few users who had previously been using the service account we originally installed Exchange 2003. Sometimes, the Exchange Administrators will need to access a users mailbox to assist with various issues, and Im having trouble delegating that right to the members of the Exchange Full Administrators group. I have created a domain security group named simply Exchange Full Administrators, and I delegated Exchange Full Administrator rights to that security group at the organizational level. So anyone in that security group should have full administration rights. Ive had to delegate a few other rights in Active Directory for some other reasons to this new security group (for instance to give this security group rights to modify the dynamic mailing list OU); however Im having trouble finding exactly where to delegate rights to give this security group full access to everyones mailbox. Any thoughts? Thanks, ~Ben
RE: [ActiveDir] Types of network Card in AD forest like Intel, 3-COM..
You can start with this http://www.microsoft.com/technet/scriptcenter/scripts/network/client/list/nwlsvb05.mspx?mfr=trueand add in some logic to query AD for DCs and Exchange servers and then run the scriptcenter code against those particular servers. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet SinghSent: Monday, July 31, 2006 10:51 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Types of network Card in AD forest like Intel, 3-COM.. Hi, Setup: Windows 2003 + exchange 2003. My AD + Ex setup is running on different hardware. Now what is the best way to find what types of Network (and also how many on one server) cards are installed on my all DCs and Exchange. I need to write a script or a wmi query. Thanks, Manjeet
RE: [ActiveDir] Schema Question
I'm wondering why you would want to do that. You can tell if a person is using the defaults by checking mDBUseDefaults, and if she is not you can pull actual limits from mDBStorageQuota, mDBOverQuotaLimit, and mDBOverHardQuotaLimit. Hunter From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)Sent: Friday, June 30, 2006 11:38 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Schema Question All, Let me start with, Im a total newb when it comes to Schema and Schema modifications. Is it possible to modify the schema that so every time a new user is created (via ADUC) an extension attribute is populated with a default value? Our Exchange guys would like extensionAttribute5 to be populated automatically with 100, which is the default mailbox size. Is this possible? It seems like it would be, but as I warned, Im a newb. Thanks, Justin ClayITS Enterprise Services Metropolitan Government of Nashville and Davidson County Howard School Building Phone: (615) 880-2573 ITS ENTERPRISE SERVICES EMAIL NOTICEThe information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
RE: [ActiveDir] Question regarding compacting AD DB.
If each 2k3DC is newly promoted, as opposed to an in-place upgrade, then the .dit on those DCs will essentially be compacted with minimal whitespace. Were you planning on rebuilding your DCs as part of the migration, or doing in-place upgrades? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of YannSent: Tuesday, June 27, 2006 10:29 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Question regarding compacting AD DB. Hello, It may be a silly question, but when u perform a migration from winNT/w2k to a w2k3 domain, do i have next to compact+defrag the ntds.diton *EACH* DC2k3that have been migrated ? or may i do the operation on only one DC and this DC will replicate the state (compactdefrag) on all other DCs ? I have at least 60 DCs :( I think the answer will be "compact defrag each DC that have been upgraded", but just to be 100 % sure. Thanks for answer. Yann Yahoo! Mail réinvente le mail ! Découvrez le nouveau Yahoo! Mail et son interface révolutionnaire.
RE: [ActiveDir] Domain gets Blacklisted
You'll probably have better luck if you post this in one of the Exchange newsgroups (microsoft.public.exchange*) or lists (http://groups.yahoo.com/group/exchange-2003/) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ajay KumarSent: Tuesday, June 13, 2006 11:43 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Domain gets Blacklisted Hi all, Can u help me on this prob. Problem is that my exchange 2003 which installed on win 2003 dc agets blacklisted (Means my static ip is blacklisted). I searched how to stop this and on net i found solutions pointing towards open relay and spam protection. They r saying that ur exchange is spaming so tell me how to control and stop spamming. Thanx Ajay
RE: [ActiveDir] OT:Exchange mailnickname
Empirical evidence suggests that he shouldn't be insisting so much. Very few of our users have a proxy address of [EMAIL PROTECTED], and we have no problems getting to subfolders via OWA. I'm sure you could take a test user account in your environment and duplicate this. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Friday, June 09, 2006 7:41 AMTo: activedirectorySubject: [ActiveDir] OT:Exchange mailnickname My company wants to use a mail stubing app called "Mailbox Manager" from CA. I've been going back and forth with the tech there. He claims that, according to him, due to a limitation in WebDAV, one of the user's proxy addresses needs to be in the format of [EMAIL PROTECTED], for users to be able to see subfolders underneath their inbox in OWA. I've never heard of such a limitation and think he may be talking about "mailnickname"(alias), but he inisits I'm wrong. Can anyone shed some light on this? Thanks
RE: [ActiveDir] OT:Exchange mailnickname
Not that I've run into, as far as accessing subfolders via OWA. Again, this would be very easy for you to confirm in your environment and throw back at the CA tech, though you might consider this a good indicator of what you're in for support-wise from them. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Friday, June 09, 2006 8:53 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] OT:Exchange mailnickname Thanks. What about mailNickname? Arethere any issues if mailNickname is different than sAMAccountName in re: to WebDAV? Thanks again On 6/9/06, Coleman, Hunter [EMAIL PROTECTED] wrote: Empirical evidence suggests that he shouldn't be insisting so much. Very few of our users have a proxy address of [EMAIL PROTECTED], and we have no problems getting to subfolders via OWA. I'm sure you could take a test user account in your environment and duplicate this. From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom KernSent: Friday, June 09, 2006 7:41 AMTo: activedirectorySubject: [ActiveDir] OT:Exchange mailnickname My company wants to use a mail stubing app called "Mailbox Manager" from CA. I've been going back and forth with the tech there. He claims that, according to him, due to a limitation in WebDAV, one of the user's proxy addresses needs to be in the format of [EMAIL PROTECTED], for users to be able to see subfolders underneath their inbox in OWA. I've never heard of such a limitation and think he may be talking about "mailnickname"(alias), but he inisits I'm wrong. Can anyone shed some light on this? Thanks
RE: [ActiveDir] AD lag sites and replication
Title: AD lag sites and replication This may be further out on the unsupported limb than you want to crawl, but IIRC Deanreferenced an alternative to lag sites in his part of the joe and Dean show at DEC. You could schedule a script that toggles the replication epoch value and during "off-hours", nothing (and nobody)will be able to force replication without setting the epoch back first. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, May 30, 2006 2:33 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD lag sites and replication Thanks Ulf. I was hoping to avoid NIC disabling and such like. I was looking for a solution which would enforce the replication schedule between sites, such that an admin could not 'over ride' it. I'd rather handle the situation with procedures and policies than use scripts to disable NICs (or connection objects) at scheduled times :) neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-WeidnerSent: 30 May 2006 09:01To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD lag sites and replication You are able to disable the network interfaces, pretty easy with VMWare or Virtual Server since you are able to do it from the host via scripting, bit more painfull if you have to do it from the DC itself since you don't have any remote access when the nic is disabled (you could use a scheduled task which runs netsh to activate / deactivate the interface). Also putting a firewall with scheduled rules in between would work very well, especially since you can block everything but RDP at the no-sync times. As long as you don't exceed the tombstone-lifetime I don't see any reasons why this should not be supported since we are just talking about lag-sites without any memberservers / clients / users who log onto those DCs. Gruesse - Sincerely, Ulf B. Simon-Weidner Profile Publications:http://mvp.support.microsoft.com/profile=""> Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, May 30, 2006 9:49 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] AD lag sites and replication I'm looking to implement one or more lag sites, with staggered replication schedules. (i.e. NYC lag replicates tues and thurs, 2-4 am; LON lag replicates mon, wed and fri 2-4 am). We're concerned that admins can still force replication outside of these hours using repadmin or replmon etc. Is there a (supported) way to ensure that replication can ONLY occur within the hours described above? Thanks, neil PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a
RE: [ActiveDir] Permission to modify description
What happens when you run the script interactively, as opposed to within the login script? You can (should?) tighten the security on this...granting Self allow on Write Description should be sufficient. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall Sent: Wednesday, April 19, 2006 4:41 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Permission to modify description I have a logon script which changes the description of the current user when they logon, or rather it should do. Whenever I pop that script in to a logon script it fails with a general access denied error. The line it fails on it the last of these two; objUser.Description = strMessage objUser.SetInfo objUser is pointing to the correct user, and it can set the local cached description setting, it only fails when it trys to set that info on the server. I have tried giving Authenticated Users the Write General Information permission, but that doesn't help. Any ideas what permission I need to assign so that people are able to edit the description properties ? Is there an associated permission for using the setinfo method ? If it helps, this is win2k servers with xp desktops. Olly List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] automatic account disable
What criteria are you using to determine that a user is inactive? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myke Sent: Wednesday, April 19, 2006 8:39 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] automatic account disable hi guys, it's possible to make a automatic lockout in user accounts by inactivity, or I need a third party tool? thanks Myke List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Lingering Objects
Have you looked at http://support.microsoft.com/kb/314282and http://technet2.microsoft.com/WindowsServer/en/Library/4a1f420d-25d6-417c-9d8b-6e22f472ef3c1033.mspx? And are you sure that the lingering objects are the root cause of the replication problems, and not vice-versa? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Thursday, March 30, 2006 12:15 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Lingering Objects I have many problems with lingering objects. I would like to solve them. I Recive this message when I use repadmin /showreps: HQSite\DC1 via RPC objectGuid: 2521a874-d379-4281-8744-4bd34c792026Last attempt @ 2002-01-21 16:10.54 failed, result 8240:There is no such object on the server.Last success @ (never). I have read this Ms article (http://support.microsoft.com/?id=317097 - Lingering objects prevent Active Directory replication from occurring) How can I discover with object is that and how to delete it? CAN I find a server that does not have the Object to rehost from? Does anyone have anything else about this problem? I have many (about 165) dc´s with about 80 GC´s. I have many problems with replication The Strict replication Consistency 0 is making things better . but tin some of them the problems remains. I wait for your help... Adrião Ferreira Ramos Superintendência de Tecnologia da Informação Depto. de Operações e Infra-estrutura - CII * [EMAIL PROTECTED] ( 11 - 3388-8193 "matheesha weerasinghe" [EMAIL PROTECTED] Enviado Por: [EMAIL PROTECTED] 30/03/2006 07:26 Favor responder aActiveDir@mail.activedir.org Para ActiveDir@mail.activedir.org cc Assunto Re: [ActiveDir] DC Demotion AD Site Configuration The whole point of a site is to have a DC in it isn't it? Therefore you should cleanup the unnecessary sites and associate subnets with sites you want them to be a part of. The DC locator will only do its job correctly if DNS is right. DNS will be correct if you maintain a nice sites and services plan and clean up all other unnecessary records in DNS. In my opinion "a" is the way to go. M@On 30/03/06, James Carter [EMAIL PROTECTED] wrote: Hey guys, Single Windows 2003 Domain. I have 5 core sites and 70 branch offices. Each of the core sites host 2 x dc's and each branch office has a DC. The design is legacy from NT4 whereby we had a BDC at each of the branch offices as they had slow WAN links at the time. During the upgrade, each of the BDC's were made dc's. Each dc is located in it's own AD Site IP Subnet defined. Our concerns are that some of these remote dc's are located in insecure environments, i.e the are just a server sat in an unlocked closet in a business office environment. We've just completed an WAN upgrade and our links are minimum of 1mb to each of the remote offices. This is good news for us, as we can now demote most of the remote dc's (about 60 of them) My question is regarding the cleanup process. We have 75 AD Sites created with a subnet assigned to each site. Once the demotion process takes place, will I need to a) add the IP subnet to the core site so that the branch office is serviced by the dc's located there and then delete the old AD Site which no longer holds a dc. b) leave the AD site in existance with the IP Subnet assigned and let the DC locator service find a DC for the client to authenticate to? (this means I am left with a load of un-needed Sites in AD..I assume) We also use DFS but moving to DFS-R shortly. Thoughts anyone? Jim __Do You Yahoo!?Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
RE: [ActiveDir] Disaster Recovery
Using virtual disk file backups or images for AD disaster recovery has USN-rollback perils that have been discussed several times here. It's worth a visit to the archives to check those out before staking your disaster recovery abilities on this strategy. On the other hand, using AD-aware backups in conjunction with virtual servers *does* greatly simplify the hardware issues during a restore, and may be worth considering for that benefit alone. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken CornetetSent: Tuesday, March 21, 2006 9:04 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Disaster Recovery I do a backup of the C: drive and system state using NTBACKUP to a file on an alternate DC, then I back up the whole DC (files and system state) using Legato Networker. Why the NTBACKUP? Just in case... I've done a couple of hotsite test recoveries of our DCs (HP DL380G2) to various other HP server models, and even to Dells. I've never had a major problem doing this with server 2003 (windows 2000, on the other hand, seemed to always give me grief). I have toyed with the idea of having a couple of DCs running on virtual servers. I'd create a perl script to nightly shut down the DCs, copy thevirtual diskfiles, then bring the DCs back up. I want to do this not so much for the hardware independence, but rather for the speed of recovery. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy HunterSent: Tuesday, March 21, 2006 10:34 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Disaster Recovery Hello there, I have a question regarding Active Directory disaster recovery. I was just curious as to what steps you all take to protect your forest. An example is I back up my System State nightly and these tapes go off to a offsite location. If my building and computer suite was to burn down, I would need to rebuild my forest. In this scenario I am assuming it would be easier to have identical hardware to carry out a restore, I know you can restore to alternate hardware but I hear bad things about this. The other thought is to haveDC built using virtual server and start this DC one per month to replicate the latest copy of AD, then shutting it down, saving a copy of the VHD and sending to a offsite location, That way it's not hardware dependant and just need to do a metadata cleanup what do you all do? amy Yahoo! Cars NEW - sell your car and browse thousands of new and used cars online search now
RE: [ActiveDir] Export AD user list in hirerarchy
http://support.microsoft.com/kb/237677/en-ushasinstructionsonexportingtheOUstructure From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard Michael TyersSent: Tuesday, March 21, 2006 10:13 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Export AD user list in hirerarchy Hi all,I have a DC running W2K server, with a number of OUs.I want to export the hirerarchy out, possibly to a CSV, or at worst excel (xls) file.Can anyone point me in the direction of where I would find out how to do that? thanks in advance,b
RE: [ActiveDir] Monitoring DC's
Never used Tivoli. From an RFP that an IBM vendor presented usa couple of years ago, I thought it was excessively complex, at least for our environment. Regardless of the product, if it installs an agent on your DCs and you don't control the monitoring framework, then you're creating an opportunity for a non-domain admin to become one. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Friday, March 10, 2006 2:19 PMTo: activedirectorySubject: [ActiveDir] Monitoring DC's We currently run Tivoli for monitoring and software distribution here(No, SMS and MOM are not an option). Right now there are talks about installing Tivoli endpoints on our Win2k3 DC's for monitoring those as well. How do people on this list feel about Tivoli for monitoring, specifically, and installing 3rd party software on a DC for monitoring things like FRS,DNS,DC availability,etc, in general? Thanks
RE: [ActiveDir] R2 and W2K3 SP1
You're just upset that ADAM has gone Mormon :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, February 17, 2006 12:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] R2 and W2K3 SP1 A couple of reasons 1. As people keep buying the product they will buy the SP1 version of it which has significant updates for security, etc. Best to get the old stuff out of the channels. 2. Gets several feature packs out there with the media so people a. Know about it at all, lots of folks don't know about the RTW stuff b. Feel that it is fully supported (this was an issue with acceptance of ADAM) Even if you don't want any of the feature packs, you want R2 or at least ADAM SP1 for the AD Tool updates. This and more is discussed in the book in the signature below[1]. ;o) Don't upgrade to R2 because you think it is a new OS. Upgrade if you need the feature packs (or tools as mentioned above). I do recommend slapping the schema in when you can, at some point, you will most likely need to apply it so this gives you good head start for getting it in there if you don't need it right away. joe [1] BTW, anyone who has had a chance to go through the book I wouldn't mind hearing reviews (or better reading them on Amazon) and/or thoughts on it. I am getting very positive feedback so far on the updates and folks are really enjoying it. Worst comment is that ADAM deserves more room and I completely agree, ADAM is a book unto itself that I am making up notes on now for including a whole section on Microsoft dorking with the name. If you know an MS Marketing person, please kick them in the knee for me. Tell them they can respond to me at my email address. ADAM was a great name, you could say, this is a case for ADAM madam! Oh no, now you have to say something stupid like we need MSADLDS or ADLDS or even LDS. At least they could have something fun and called it Lightweight Service Directory. ADLDS and LDS are not fun. ADAM is fun. Microsoft, stop being a stick in the mud you boobs. Ah, back to work. Maybe post more over the weekend but probably not, too busy. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Friday, February 17, 2006 2:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] R2 and W2K3 SP1 So Windows 2003 R2 is nothing more then Windows 2003 SP1??? Then why release R2 at all? Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, February 17, 2006 10:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] R2 and W2K3 SP1 R2 CD1 == w2k3 SP1. R2 CD2 == addon components. Does that help? neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V Contractor NASIC/SCNA Sent: 17 February 2006 15:34 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] R2 and W2K3 SP1 Hey list, Do you guys/gals know whether it is true that R2 disk 1 is the same as Windows 2003 SP1? I loaded the first disk and it loads exactly and looks exactly like Windows 2003 SP1, except when the license agreement screen comes up, it lists the OS as 2003 R2. In the R2 FAQ page on the Microsoft site, it says that you do not need to upgrade your 2003 servers to R2, you need to only upgrade them to SP1 http://www.microsoft.com/windowsserver2003/R2/R2FAQ.mspx. Is there not a distinct difference in the Kernel of R2 and the Kernel of 2003 SP1? If not, then for the 2003 servers that I already have online, they need only SP1 to be up to standards. R2 Disk 2 seems like the NT4 Option Pack, not another OS release or kernel, but another set of features on a separate disk. Correct me if I am wrong. Nathaniel Bahta GD-NS List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy.
RE: [ActiveDir] Replication traffic monitoring accounting
Title: Replication traffic monitoring & accounting You can look at the NTDS perfmon counters, which include some replication traffic metrics. You might also want to look at your SYSVOL for recent large (relatively speaking) files that someone may have inserted via group policy objects. Possibly software distribution? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONOSent: Wednesday, February 15, 2006 4:56 AMTo: activedir@mail.activedir.orgSubject: [ActiveDir] Replication traffic monitoring accounting Hi all, Our network guys posted an interesting stats today, one of the DC in the remote site was using 40MByte of bandwidth over 3 hours in total. The dcs are plain dc with wins service installed (but the wins arent replicating to that particular dc) - the only thing is that one of the dc is running msmq with public queues on it. Since the two DCs are rather standard, im wondering how do I do accounting on my end if possible to find out what could possibly be wrong - 40Mbyte of data over 3 hours is rather huge and choking up one of our slow 128k lines (sucky I know) Without doing sniffing or on the network end etc, is there a way I could count replication traffic over to particular DC (perfmon maybe?) - not sure if inbound dra etc counters are related... Anyone went down similar track before? Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
RE: [ActiveDir] permon access
Are you wanting them to run perfmon against your domain controllers, or against member servers/workstations? Locally, or remotely? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Monday, February 13, 2006 8:14 AMTo: activedirectorySubject: [ActiveDir] permon access In windows 2000 Forest, what are the bare minium rights needed for a user to run perfmon? I'd like to delegate this to someone without making them alocal admin on the box. Is this possible? I can't seem to find a gpo adm template that allows this for win2k. Thanks
RE: [ActiveDir] permon access
http://support.microsoft.com/?kbid=300702if you have 2k3 members From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Monday, February 13, 2006 9:04 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] permon access Sorry, member servers. remotely. Thanks On 2/13/06, Tom Kern [EMAIL PROTECTED] wrote: Thank you very much!! Thats exactly what I was looking for... On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS [EMAIL PROTECTED] wrote: Yeah sorry bout that! I realized that after I had already sent it. Check out the links below maybe they will help! http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/16529/16529.html http://support.microsoft.com/default.aspx?scid=kb;en-us;164018 Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:36 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] permon access Thats why i stated I was on a windows 2000 Forest. That group is only available on Wink23 dc's. Thanks On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS [EMAIL PROTECTED] wrote: How about utilizing the "Performance Monitor Users" built-in security group! Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:14 AMTo: activedirectorySubject: [ActiveDir] permon access In windows 2000 Forest, what are the bare minium rights needed for a user to run perfmon? I'd like to delegate this to someone without making them alocal admin on the box. Is this possible? I can't seem to find a gpo adm template that allows this for win2k. Thanks
RE: [ActiveDir] permon access
What account is the Performance Logs and Alerts running under, and what account did you give permissions to on the remote server's registry keys? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Monday, February 13, 2006 2:59 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] permon access That works except when the user tries to create a counter log. The log doesn't start and when an attempt is made to start it, the user gets an event id 2046. The soultion here- http://eventid.net/display.asp?eventid=2046eventno=2556source=SysmonLogphase=1 says to allow the Performance Logs and Alerts service on the local boxto use an account that has the "logon as service" right on the remote server. Is this my only solution? Thanks On 2/13/06, Coleman, Hunter [EMAIL PROTECTED] wrote: http://support.microsoft.com/?kbid=300702 if you have 2k3 members From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom KernSent: Monday, February 13, 2006 9:04 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] permon access Sorry, member servers. remotely. Thanks On 2/13/06, Tom Kern [EMAIL PROTECTED] wrote: Thank you very much!! Thats exactly what I was looking for... On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS [EMAIL PROTECTED] wrote: Yeah sorry bout that! I realized that after I had already sent it. Check out the links below maybe they will help! http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/16529/16529.html http://support.microsoft.com/default.aspx?scid=kb;en-us;164018 Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:36 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] permon access Thats why i stated I was on a windows 2000 Forest. That group is only available on Wink23 dc's. Thanks On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS [EMAIL PROTECTED] wrote: How about utilizing the "Performance Monitor Users" built-in security group! Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:14 AMTo: activedirectorySubject: [ActiveDir] permon access In windows 2000 Forest, what are the bare minium rights needed for a user to run perfmon? I'd like to delegate this to someone without making them alocal admin on the box. Is this possible? I can't seem to find a gpo adm template that allows this for win2k. Thanks
RE: [ActiveDir] ldap error during search. Paging related?
Try it with a capital "Z" adfind -b dc=mydomain,dc=com -f "((objectcategory=computer)(whencreated=2005111200.0Z))" From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Friday, February 10, 2006 1:53 PMTo: activedirectorySubject: [ActiveDir] ldap error during search. Paging related? I'm running this query - C:\WinAdminToolsadfind -b dc=mydomain,dc=com -f "((objectcategory=computer)(whencreated=2005111200.0z))" I get this error- ldap_get_next_page_s: [myDC.mydomain.com] Error 0x35 (53) - Unwilling To Perform Is this related to paging? Am i going over the 1000 object limit or am i screwing up the query? Thanks
RE: [ActiveDir] ds* or joeware to get DN from email address
adfind -default -f "(objectCategory=person)([EMAIL PROTECTED])" dn You can change your search base as necessary. This also assumes that you want to check the primary SMTP address, and not match on a secondary address. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teo De Las HerasSent: Friday, February 10, 2006 2:50 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] ds* or joeware to get DN from email address Are there any tools out there that can get me the DN from an email address? I canwrite a script for this pretty easily, but I want to hand the task off to another admin that does not know scripting. Having him use pre-existing tools will simplify things. Teo
RE: [ActiveDir] DSQUERY filter for space character only
(objectCategory=user)(displayName=\20)) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sitton Glen ESent: Tuesday, February 07, 2006 10:17 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] DSQUERY filter for space character only I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax. When ADUC builds the ldap query itself, it fails: ((objectCategory=user)(displayName= )) The query filter ... is not a valid query string. I've tried: " " ' ' %20 + and escaping it with a \ or a ^ Any ideas? Thanks in advance, - Glen
RE: [ActiveDir] Automagic Security groups.
Two options come to mind, I'm sure there are others... 1) Build a set of scripts and put a web front-end on them, which would allow others to move the user account and as part of the move, the OUone groups would get stripped and the OUtwo groups would get added. 2) Directly delegate the object move (or like above, stick it in a web page). Then have a scheduled task that periodically runs and looks at all user objects in OUone and sets the group membership correctly, same for OUtwo. Option 1 has a more immediate effect, and that may be an important point. Option 2 has the advantage of consistently enforcing group membership, so even if someone makes an inadvertant change it will get corrected on the next pass of the script. It also makes it easier to change the groups and have all users get updated. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, JimSent: Tuesday, February 07, 2006 12:47 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Automagic Security groups. I am almost looking for a query based Security Group, similar to Distribution Groups. It would save me a ton of time if when I moved a user from OUone to OUtwo if it would/could strip that user of all their old groups and drop them into the new groups, based upon what OU the user account currently resides in. 15 schools, students moving from school to school all year longit would save us a ton of time. In fact I could delegate the move and have others do it. It would be the last part of the puzzle to making these moves near zero administrative overhead. Any ideas? Jim Kennedy
RE: [ActiveDir] Script to determine a machine's site
You can pull it with WMI (not sure about the PE scenario) http://windowssdk.msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_tasks__networking.asp (watch the wrap) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, February 06, 2006 7:48 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Script to determine a machine's site Thanks for the feedback, Deji, Guido, joe et al. The one piece of code I'm missing now is one that can determine a machine's IP address. Any suggestions how that may be done (again, assume the machine is not joined to a domain and is running PE). I can then feed that address into the logic that I do have (similar to that outlined below). neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: 03 February 2006 23:21 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Script to determine a machine's site I don't have the script I wrote for this handy, but the logic I used is this: Get host's IP Address Split it into whatever subnet mask use in your subnet/site configurations. Do a CaseCase Else looking for a match. If you get a match, that computer is in that site. e.g. IP is 192.168.100.201 Subnet Mask is /16 192.168.100 = SiteA 192.168.101 = SiteB 192.168.102 = SiteC 192.168.103 = SiteC So, you go Select Case IPAddy Case 192.168.100 : strSiteName = SiteA Case 192.168.101 : strSiteName = SiteB Case 192.168.102, 192.168.103 : strSiteName = SiteC . Works in PE HTH Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of joe Sent: Fri 2/3/2006 2:53 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Script to determine a machine's site Actually DsAddressToSiteNames will only take socket addresses (PSOCKET_ADDRESS, type AF_INET) to translate, the parameter that takes the dnshostname is the one to specify what DC you want to resolve the addresses to subnet/sites on. Actually the previously mentioned ATSN[1] utiltity is a light wrapper over this call. joe [1] Note the initials - I am not great with tool names. The best tool name I have isn't even a name I thought up and I haven't made the tool yet. I just know what I want it to do and what its name will be. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greene, Adam S Sent: Friday, February 03, 2006 3:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Script to determine a machine's site The function call DsAddressToSiteNames will take a dnsHostName and give you the site it belongs to. If you cannot implement that call, there are scripts out there that do a brute force query of AD for sites and subnets to get you the site name. Search for the function call and DsAddressToSiteNames vbscript to find them on google. With a lot of sites and subnets, that approach could get unwieldy though. If you can call a remote web service from your vbscript or write a win32 implementation of the call, that would be a better way to go. There is code out there on doing a C# version. -Adam From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, February 03, 2006 7:52 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Script to determine a machine's site Does anyone have a script which can: - Interrogate the local machine for its IP address and mask - Determine the subnet which the machine resides in - Determine the site that corresponds to the that subnet And all this must be possible on a machine which is not joined to a domain. Ideally, the script should work when WinPE is running, too, as the machine is being built. Any ideas? neil PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon
RE: [ActiveDir] OT: Roaming Profiles
"can't" and "unsupported" are two different things From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Navroz ShariffSent: Monday, February 06, 2006 2:12 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Roaming Profiles That's interesting...I have been doing exactly what the article states one can't. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark ParrisSent: Monday, February 06, 2006 3:56 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Roaming Profiles Dont you just love Microsoft.. Personal folder files are unsupported over a LAN or over a WAN link http://support.microsoft.com/?kbid=297019 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Navroz ShariffSent: 06 February 2006 19:28To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Roaming Profiles Frank, Below is a link to MS Outlook plugin that when configured, will automatically archive folders to a network share at regular intervals, making it easy to keep all of you Outlook folders safely backed up. http://www.microsoft.com/downloads/details.aspx?FamilyId=8B081F3A-B7D0-4B16-B8AF-5A6322F4FD01displaylang=en -Nav From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank AbagnaleSent: Monday, February 06, 2006 1:22 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Roaming Profiles No need to apologise, I blame spielberg anyway. frank "Ulf B. Simon-Weidner" [EMAIL PROTECTED] wrote: Sorry - wasn't sure if it's your real name. If I'd choose a fake name for a community yours is in the top10 ;-) Hope you don't mind. Ulf From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank AbagnaleSent: Friday, February 03, 2006 11:28 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Roaming Profiles Ulf everyone, thanks for your responses, roaming profilesare mandatory here, if we were to take this away, all hell would break loose. I guess educating them to store files elsewhere would be a good start. thanks Frank Ulf - you are not the first to mention Carl Hanratty, youwon't be the last!"Ulf B. Simon-Weidner" [EMAIL PROTECTED] wrote: Hi Frank, with those large roaming profiles you need to 1. educate your users 2. question the use of roaming profiles In fact I've seen a lot of companies who tend to stick to local only profiles in the recent past. Roaming profiles are great - however I see them in infrastructures where people are moving around on multiple computers a lot, and where they don't have that much individual applications. I would use roaming profiles for the production workers who are spending not a lot of time on the computer and might share a pool of computers, however for the regular office worker and the board of directors I'd use local profiles since they tend to work on the same computer a lot and also travel a lot. Educate them not to store their critical data within the profile, and maybe a desktop backup software which is taking care of their profile and data when connected comes in handy too. Carl Hanratty From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank AbagnaleSent: Friday, February 03, 2006 10:51 AMTo: ActiveSubject: [ActiveDir] OT: Roaming Profiles Hi all, I have a question regarding Roaming Profiles. Our environment currently have 3500 users which are all roaming profile enabled. Their profiles are stored on the local site server. We have approx 56 sites which are all linked by 256-1mb lines. I like the concept of roaming profiles, however some of our users have profiles ranging from 5mb - 200mb, some even with 1GB profiles. Because alot of our users log on to different computers at different sites, we are finding issues with corrupted profiles and logon speeds. On a few occasions, where a user has been added to a group, the permissions assign to this group are not shown when the users is logged back on. Deleting the profile and recreating fixes this issue but it's quite a time consuming effort. How does everyone deal with roaming profiles if used? sometimes there are instances where users just want to logon to the PC without their roaming profile so they can remote desktop to their PC. In this situation
RE: [ActiveDir] Script to change owner?
You can only take ownership of an object, not push it onto another security principal. Look at dsacls and the "wo" flag, running in the security context of the 3rd party. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, ScottSent: Wednesday, February 01, 2006 3:46 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Script to change owner? Is there anyway in script (preferred) or through the GUI to change the owner of an object? I realize I can seize ownership in ADUC, but Id like to be able to assign ownership to a 3rd party. If need be, I can login as that 3rd party to seize ownership, but Id like to be able to do it on a whole tree of objects, hence the desire to do it in script. Thanks Scotte
RE: [ActiveDir] ADAM msds-UserPasswordExpired
IIRC, some of the userAccountControl flags got pulled out into discrete attributes in ADAM. I think that UF_DONT_EXPIRE_PASSWD is now represented by ms-DS-User-Dont-Expire-Password. However, even with ms-DS-User-Dont-Expire-Password set to False and pwdLastSet set to 0, I'm still not seeing msds-UserPasswordExpired flip to True. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al MulnickSent: Tuesday, January 31, 2006 11:17 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] ADAM msds-UserPasswordExpired The only thing that comes to mind as to why this might be the case is that your useraccountcontrol value is incorrect for what you're trying to do. In order for the user to be required to reset their password, UF_DONT_EXPIRE_PASSWD must not be set as well as I understand it. Can you check the user account control and make sure that the user object is not configured to never expire the password? If this value is set to 0 and the User-Account-Control attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon On 1/30/06, Mr Oteece [EMAIL PROTECTED] wrote: I am using ADAM R2. I am setting the password and pwdLastSetattributes via the ADAM ADSI Edit program. msDS-UserPasswordExpired does become TRUE if you backdate the password (to backdate thepwdLastSet, I set the system time back a year, set the pwd, thenreturn it to current time). It just doesn't become TRUE if pwdLastSetis 0.On 1/30/06, Al Mulnick [EMAIL PROTECTED] wrote: Just so we're on the same page, which version of ADAM are you testing this against?Also, what are you using to set and test the test conditions? Al On 1/27/06, Mr Oteece [EMAIL PROTECTED] wrote: I am looking at ADAM to store bindable users for authentication. I am seeing some unexpected behavior when it comes to the various attributes that ADAM is using instead of userAccountControl. I would expect that setting pwdLastSet to 0 would cause msds-UserPasswordExpired to become TRUE. Attempting to bind with a user with pwdLastSet = 0 does indeed fail. Yet looking at the attributes in ADSIEDIT or LDP shows msds-UserPasswordExpired to still be false. Is that as expected? Is the logic to check both attributes to determine if a pwd is expired? Or just check pwdLastSet and ignore the msds-UserPasswordExpired attribute? List info : http://www.activedir.org/List.aspx34 List FAQ: http://www.activedir.org/ListFAQ.aspx 35 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/36 List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] ADAM msds-UserPasswordExpired
What is strange, though, is that a bind attempt using an account with pwdLastSet of 0 fails, and a subsequent query (using a different account) of msds-UserPasswordExpired on the original account still doesn't show it as true. I would have expected the construction to occur on the later query. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, January 31, 2006 7:28 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADAM msds-UserPasswordExpired The attribute msds-UserPasswordExpired is constructed. It depends entirely on how that construction is occurring. It sounds like it is only checking pwdLastset against policy and isn't acknowledging a value of 0 in pwdLastSet. That source hasn't been posted yet for us to view so I sent an email to someone inside of MS to see if I can get clarification. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mr Oteece Sent: Tuesday, January 31, 2006 4:19 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] ADAM msds-UserPasswordExpired The users are not set to not expire password. On 1/31/06, Al Mulnick [EMAIL PROTECTED] wrote: The only thing that comes to mind as to why this might be the case is that your useraccountcontrol value is incorrect for what you're trying to do. In order for the user to be required to reset their password, UF_DONT_EXPIRE_PASSWD must not be set as well as I understand it. Can you check the user account control and make sure that the user object is not configured to never expire the password? If this value is set to 0 and the User-Account-Control attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon On 1/30/06, Mr Oteece [EMAIL PROTECTED] wrote: I am using ADAM R2. I am setting the password and pwdLastSet attributes via the ADAM ADSI Edit program. msDS-UserPasswordExpired does become TRUE if you backdate the password (to backdate the pwdLastSet, I set the system time back a year, set the pwd, then return it to current time). It just doesn't become TRUE if pwdLastSet is 0. On 1/30/06, Al Mulnick [EMAIL PROTECTED] wrote: Just so we're on the same page, which version of ADAM are you testing this against? Also, what are you using to set and test the test conditions? Al On 1/27/06, Mr Oteece [EMAIL PROTECTED] wrote: I am looking at ADAM to store bindable users for authentication. I am seeing some unexpected behavior when it comes to the various attributes that ADAM is using instead of userAccountControl. I would expect that setting pwdLastSet to 0 would cause msds-UserPasswordExpired to become TRUE. Attempting to bind with a user with pwdLastSet = 0 does indeed fail. Yet looking at the attributes in ADSIEDIT or LDP shows msds-UserPasswordExpired to still be false. Is that as expected? Is the logic to check both attributes to determine if a pwd is expired? Or just check pwdLastSet and ignore the msds-UserPasswordExpired attribute? List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] CPU/Memory usage .vbs?
The error message is pretty accurate :-) Try it this way oFileName = Inputbox("c:\cpuuse.txt","CPU Usage","CPUuse.txt") Set FSO = CreateObject("Scripting.FileSystemObject") Set oFile = FSO.CreateTextFile(oFileName, True) strComputer = "." Set objWMIService = GetObject("winmgmts:\\" strComputer "\root\CIMV2") Set colItems = objWMIService.ExecQuery( _ "SELECT * FROM Win32_PerfRawData_PerfOS_Processor",,48) For Each objItem in colItems Wscript.Echo "PercentProcessorTime: " objItem.PercentProcessorTime oFile.WriteLineobjItem.PercentProcessorTime Next From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, DevonSent: Tuesday, January 24, 2006 8:25 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] CPU/Memory usage .vbs? This is what I have. But I get an Object Required on intProcessoeUse strComputer = "." Set objWMIService = GetObject("winmgmts:\\" strComputer "\root\CIMV2") Set colItems = objWMIService.ExecQuery( _ "SELECT * FROM Win32_PerfRawData_PerfOS_Processor",,48) For Each objItem in colItems Wscript.Echo "PercentProcessorTime: " objItem.PercentProcessorTime Next oFileName = Inputbox("c:\cpuuse.txt","CPU Usage","CPUuse.txt") Set FSO = CreateObject("Scripting.FileSystemObject") Set oFile = FSO.CreateTextFile(oFileName, True) oFile.WriteLine intProcessorUse.PercentProcessorTime From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek HarrisSent: Monday, January 23, 2006 3:49 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] CPU/Memory usage .vbs? Very easily; just put the following lines near the top: oFileName = Inputbox("Enter the path and filename to save the info.","CPU Usage","CPUuse.txt")Set FSO = CreateObject("Scripting.FileSystemObject")Set oFile = FSO.CreateTextFile(oFileName, True) and put an oFile.WriteLine, with whatever data you want, wherever you want. eg. oFile.WriteLine intProcessorUse.PercentProcessorTime Of course, it's usually better to put the values into a variable, and then do what you want with the variable... From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, DevonSent: Monday, January 23, 2006 12:47 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] CPU/Memory usage .vbs? This is great! What I need is to use this code to output the current usage percentage to a text file. Can this be done? strComputer = "."Set objWMIService = GetObject("winmgmts:" _ "{impersonationLevel=impersonate}!\\" strComputer "\root\cimv2")set objRefresher = CreateObject("WbemScripting.Swbemrefresher")Set objProcessor = objRefresher.AddEnum _ (objWMIService, "Win32_PerfFormattedData_PerfOS_Processor").objectSetintThresholdViolations = 0objRefresher.RefreshDo For each intProcessorUse in objProcessor If intProcessorUse.PercentProcessorTime 90 Then intThresholdViolations = intThresholdViolations + 1 If intThresholdViolations = 10 Then intThresholdViolations = 0 Wscript.Echo "Processor usage threshold exceeded." End If Else intThresholdViolations = 0 End If Next Wscript.Sleep 6000 objRefresher.RefreshLoop From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al MulnickSent: Sunday, January 22, 2006 11:52 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] CPU/Memory usage .vbs? WMI is a pretty easy way to get this done. What's your comfort level with scripting? Have you seen this? http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/monitoring/performance/ On 1/22/06, Harding, Devon [EMAIL PROTECTED] wrote: That being said.I'm looking for a script that will output the current memory usage (in percentage) the top cpu processes.Is this possible?wmi? From: [EMAIL PROTECTED] on behalf of Michael B. SmithSent: Sat 1/21/2006 6:14 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: .vbs mailing list?Although my most useful information about tough _vbscript_ questions hascome from here and from Robbie Allen's various books, there is [EMAIL PROTECTED].-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Harding, DevonSent: Saturday, January 21, 2006 12:17 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: .vbs mailing list?Is there a VBSript mailing list out there?-Devon-__ This message and any attachments are solely for the intendedrecipient and may contain confidential or privileged information.If you are not the intended recipient, any disclosure, copying, useor distribution of the information included in the message and any attachments is prohibited.If you have received this communicationin error, please notify us by reply e-mail and immediately andpermanently delete this message and any attachments.Thank You.List info : http://www.activedir.org/List..aspxList FAQ:
RE: [ActiveDir] OT: speaking of AD books...
http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: Monday, January 23, 2006 7:19 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: speaking of AD books... I lost track of which book Joe was writing about below. Can someone refresh my memory? As for Joe writing a book about how he does things - what would be cool. al Rich Milburn wrote: Joe I have one question for you on this book before mine arrives... am I going to read it, and then start bugging you again about compiling a book of AD and server best practices based off of all the good novels you have posted on this list?? :) In fact... come to think of it... maybe there is still an unwritten book... one that takes topics that tend to come up on this list and deals with each on a discussion basis. It might be more useful for consultants and architects though, but still... two examples: 1) empty root domain issue - pros and cons 2) remotely managing DCs - joe you once had a long spiel on how you used to manage all those DCs remotely, and rather than give someone DA rights to work on it, you'd demote it, then rebuild it from bare metal. A decent percentage of us probably knows how to do these things remotely. But what if someone wanted to set something like this up, and it was a new concept to them. Is there a guide out there anywhere that could show how to do it? From setting up the imaging software, to configuring a DC image to come up without someone clicking any buttons locally, etc? A book like that would probably want a lot of input from a lot of people, because the answers to a lot of best practices questions are it depends. But I bet there's a need... Rich -- - Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, January 22, 2006 10:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... Yeah there is a chapter on migration from 2K to K3 as well as a small chapter on upgrading to K3R2. The big wins in this version of the book if anyone asks me though are 1. A real live chapter on ADAM. First in existence that I am aware of. I like this chapter, if anyone reads it and has issues with it, please email me directly. I really like ADAM, I want to make sure my info is all correct and that it fits people's experiences with it. Heck I wouldn't mind just hearing about people's experiences so if I write anything else concerning ADAM, I can comment on it so others may not hit the same issues/pitfalls. 2. Significant updates to the Schema Chapters. 3. Significant updates to the Security Chapters. 4. A chapter on basic Exchange (AD-Related) tasks and how to script them. 5. The Site Topology and Replication chapter got a pretty serious update as well. 6. A lot of the scripts were reworked. Do not buy the book for the VB.NET and Directory Services chapter. I am not a NET person, I fully admit it, it is pretty much the same as it was in 2E. If you want a book in that realm, you want the book Joe Kaplan has been working on, I was a technical reviewer for that book and it looks like it is going to be pretty good. The TR folks can comment if they like on what they liked about it or anything they think that is in it that makes it worthwhile. I had, what I considered unusual, a two way street with feedback with the TRs. They sent me their comments, I sent back responses for many of the comments and asked for more detail or asked questions or what not as needed. I know most everything I have ever TR'ed has been sort of a black hole where I don't know if the feedback is being used or not which I never liked. At least one reviewer mentioned to me that the feedback was unusual and well accepted. I don't expect this to be the be all end all book on AD but I did try to make it so I would be happy my name was on it which if anyone knows me is not a low achievement bar, I am a bit picky. But at the same time, I know I didn't get everything perfect, there wasn't time for perfect, it had to be released this decade. It isn't a book that is in my voice/tone; it is a refresh so I attempted to follow the voice/tone that was there as much as possible as it wasn't mine to change. Some people will not like that and some people are probably thankful for it. :o) -Original Message- From: [EMAIL PROTECTED]
RE: [ActiveDir] OT: Script Request - Restart Remote Service
Here is part of a script that I poached from somewhere. It's only set to stop a list of services, but you could include a second step in the For...Next loop that calls the oInstance.ExecMethod_(StartService) after you've stopped the service. Watch for line wraps and such... sComputer = 'enter the target computer name here ' In 'services_list', add your sevices in the order you want them to stop. ' If some of the services have comma in their names, ' you must choose another delimiter services_list = IMAP4Svc,POP3Svc,MSExchangeES,MSExchangeIS,MSExchangeMTA,MSExchangeSA,M SExchangeMGMT,MSExchangeSRS,RESvc services_array = Split(services_list,,) For i = 0 to UBound(services_array) sService = Trim(services_array(i)) 'fileTxt.WriteLine(ServiceName = sService) Set oInstance = GetObject(winmgmts:{impersonationLevel=impersonate}// sComputer _ /root/cimv2:Win32_Service= Chr(34) sService Chr(34)) 'fileTxt.WriteLine(ServiceState = oInstance.Properties_(State).Value) fileTxt.WriteLine(oInstance.Name : oInstance.Properties_(State).Value) If (oInstance.Properties_(State).Value = Running) Then Set oOutParam = oInstance.ExecMethod_(StopService) If oOutParam.ReturnValue = 0 Then fileTxt.WriteLine(oInstance.Name stopped successfully) Else fileTxt.WriteLine(oInstance.Name failed to stop) Select Case oOutParam.ReturnValue Case 1 fileTxt.WriteLine(The request is not supported.) Case 2 fileTxt.WriteLine(The user did not have the necessary access.) Case 3 fileTxt.WriteLine(The service cannot be stopped because other _ services that are running are dependent on it.) Case 4 fileTxt.WriteLine(The requested control code is not valid, or _ it is unacceptable to the service.) Case 5 fileTxt.WriteLine(The requested control code cannot be sent to _ the service because the state of the service.) Case 6 fileTxt.WriteLine(The service has not been started.) Case 7 fileTxt.WriteLine(The service did not respond to the stop request _ in a timely fashion.) Case 8 fileTxt.WriteLine(Unknown failure when stopping the service.) Case 9 fileTxt.WriteLine(The directory path to the service executable was not found.) Case 10 fileTxt.WriteLine(The service is already stopped) Case 11 fileTxt.WriteLine(The service database is locked.) Case 12 fileTxt.WriteLine(A dependency which this service relies on _ has been removed from the system.) Case 13 fileTxt.WriteLine(The service failed to find the service needed _ from a dependent service.) Case 14 fileTxt.WriteLine(The service has been disabled from the system.) Case 15 fileTxt.WriteLine(The service does not have the correct authentication _ to run on the system.) Case 16 fileTxt.WriteLine(This service is being removed from the system.) Case 17 fileTxt.WriteLine(There is no execution thread for the service.) Case 18 fileTxt.WriteLine(There are circular dependencies when stopping the service.) Case 19 fileTxt.WriteLine(There is a service running under the same name.) Case 20 fileTxt.WriteLine(There are invalid characters in the name of the service.) Case 21 fileTxt.WriteLine(Invalid parameters have been passed to the service.) Case 22 fileTxt.WriteLine(The account, which this service is to run under is _ either invalid or lacks the permissions to run the service.) Case 23 fileTxt.WriteLine(The service exists in the database of services _ available from the system.) Case 24 fileTxt.WriteLine(The service is currently paused in the system.) End Select End If Do ' state will be Stop Pending until Stopped. ' Adjust sleep as necessary, but do *not* remove it! WScript.Sleep 1000 Set oInstance = GetObject(winmgmts:{impersonationLevel=impersonate}// sComputer _ /root/cimv2:Win32_Service= Chr(34) sService Chr(34)) 'fileTxt.WriteLine( ServiceState = oInstance.Properties_(State).Value Stopped = False if oInstance.Properties_(State) = Stopped Then 'fileTxt.WriteLine( sService : oInstance.Properties_(State).Value Stopped = True end if Loop until Stopped End If Next -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL
RE: [ActiveDir] AD computer accounts being removed
Look at netdom.exe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT Sent: Wednesday, January 18, 2006 3:03 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] AD computer accounts being removed On 1/18/06, Crawford, Scott [EMAIL PROTECTED] wrote: For example, if the domain box shows MICROSOFT, change it to Microsoft.com or vice-versa. This seems to trigger a domain rejoin without having to join the workgroup. snip On a side-note - is there a command line utility which will allow a workstation to be renamed/joined to a domain? I'm aware of a way of creating a computer account using the NET command, but this has to be done from the server, and ideally, I'm hoping there's a way of joining from the NT4/2kpro/XP workstations. -- AdamT Maidenhead is *not* in Kent List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] adfind question
Try it as adfind -h DC1 -b "cn=schema,cn=configuration,dc=myco,dc=private" -s base objectVersion From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah EigerSent: Wednesday, January 18, 2006 3:27 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] adfind question Hi I am trying to write a little batch file that will report various version numbers to me on each DC to help monitor the W2k3 upgrade process. I am having trouble getting adfind to report the objectVersion of the Schema. When I run: adfind DC1 b CN=Schema,CN=Configuration,DC=myco,DC=private I get a torrent of stuff including the attribute that I want. (That is an attribute right?) When I try to filter or limit the output, I dont get what I want. For example, adfind DC1 b CN=Schema,CN=Configuration,DC=myco,DC=private objectVersion Gives me a list of all of the objects under Schema. How can I limit this? (Or, does anyone have a script that already checks all this stuff?) Thanks. -- nme --No virus found in this outgoing message.Checked by AVG Free Edition.Version: 7.1.375 / Virus Database: 267.14.20/233 - Release Date: 1/18/2006
RE: [ActiveDir] ADUC updates - Was Expired Accounts
Maybe the ability to change the security context for certain operations within a session? Like a task-specific run-as. I haven't thought this all the way through in terms of security implications, but usually when I fire up ADUC it's with a non-privileged account, and then I have to go back with a different account or different tool in a privileged context if I need to make a change. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, January 13, 2006 8:00 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts Only three people with issues with ADUC? Or did these three fine folks describe accurately everyone's pain? I am asking because I will summarize and wrap this up after it is done, I pinged the developer and he is looking forward to seeing the email with the details. This isn't going through multiple layers of PSS like you may be used to putting requests through, this is going into the MVP feedback system and being sent separately to one of the guys writing the source code for it. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Thursday, January 12, 2006 10:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts Here are some of my ADUC pet peeves and wish-list items. Let's have an expert's mode where we don't change the names of the attributes things that are user-friendly like calling samAccountName User logon name (pre-Windows 2000), Kind of a cross between ADUC and ADSIedit or like that E55 admin utility in RAW mode. Allow ADUC to handle larger numbers of objects in a container without running like a snail. I'd like to be able to multi-select a bunch of objects and have a UI to change all the common attributes that are modifiable. I'd like an interface that will allow me to query for where a particular security principal is referred to in an explicit ACE on an ACL. I'd like an extension of the Advanced Security dialog that allowed me to specify a security principal, highlight a right and click a button to find out how/why that principal has that right. I'd like an easy way to search by managedBy that didn't require full DNs. I'd like to be able to specify the canonical name and have it figure out the DN for me. That's because canonical name is copy-able from the UI. Use the disabled account icon for disabled accounts that show up in the find object dialog results pane. Wook -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, January 12, 2006 8:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts Your starter for 10: [Dean will explain this, joe :) ] Add context menu options below out of the box: 1. Unlock User (user context menu) 2. Unlock all users (OU context menu) neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 12 January 2006 15:22 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts Well, ok, lets do this. Everyone who has an idea for a change to ADUC post to the ideas to this thread. Don't be shy, you may have thought of something no one else would think of that once seeing it would go this is very cool. Then when the thread seems to die (or some point after that when I catch up :oP ) I will summarize to make sure I understand and then post to LadyBug as improvements that could be made. Also, you may or may not be shocked to hear that many of the folks working on the stuff in Redmond actually watch this list on a regular basis too so they may see it directly. I know the conversation we had previously about suggested improvements to AD was watched pretty closely and generated several DCRs without me even arguing with anyone. So let's hear it. First item on the table is different icons flagging accounts (and I am stating this generically) that are not currently live. This includes disabled, locked, expired passwords, expired accounts? Would this be better to add maybe as additional columns that you could tell the GUI to sort on? Or the icons are best? Note to Dean: This is D's bailywick now isn't it? I think I recall us having this conversation at BB. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Thursday, January 12, 2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Expired Accounts I believe it would be helpful if different icons could be used for disabled accounts, expired account, expired password, etc. Mike Thommes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, January 12, 2006 7:51 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Expired Accounts Philosophical
RE: [ActiveDir] Find date Computer object was deleted and created
Turn up auditing and then parse the Security event logs on your domain controllers. There are a variety of ways to partially or fully automate this, including EventComb and scripting. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nigel Glasgow Sent: Friday, January 13, 2006 8:47 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Find date Computer object was deleted and created Hi all, I am trying to determine if and when a Sysadmin with domain admin pass deleted and recreated a computer object in the domain. This info will useful to any IT manager or SysAdmin who is having doubts about what is being reported when computer objects are suddenly absent, then they reappear in the domain computer listing next day. Any help out there? Thanks. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] NT and AD Permissions
Where are the C$/D$ shares? On the PDC, BDC, member server? What happens when you put the migrated account directly in the NT4 Local Administrators group and bypass the nested group config? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chandra BurraSent: Wednesday, January 11, 2006 10:41 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] NT and AD Permissions Hi, we have a NT domain and a new 2003 AD domainMigrated a domain admin account, but after migration, that account can not connect to admin shares like C$ or D$.. is there any quick fix.. I have the Domain Admins group on AD as a member of Local Administrators group on the NT Domain...is there something i am missing?? Thanks in advance... Regards, Chandra
RE: [ActiveDir] Strange deleted object issue
Try adfind with the -showdel flag From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Tuesday, January 10, 2006 8:11 AMTo: activedirectorySubject: [ActiveDir] Strange deleted object issue I have this weird issue- A user object is missing from my win2k native mode domain. I know because this user has complained that he can't log in and i can't find the object anywhere in AD. I've checked the deleted objects container in AD with ldp and he is not in there as well. He's not in the Lost and Found container either. His exchange mailbox is oprhaned in ESM. Sometime last nite this user was deleted but i have no way of finding him. we don't have auditing turned on for that but i figured if an object was deleted it would definetely be in the deleted objects container. is there anyway to bypass that? where else can i look? Any help would be great because this is just plain bizzare. Thanks
RE: [ActiveDir] Strange deleted object issue
Create a user account, then delete it. Note which DC you're connected to for the delete, then check the security log on that DC. Look at all of the events around the time you deleted the account so that you'll know what is actually getting logged. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Tuesday, January 10, 2006 1:23 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Strange deleted object issue Yes. Thanks. I just have 2 issues. 1. I don't understand why i get that error in ldp when i enter the oid control for deleted objects 2. Most importantly, i had "audit account management" enabled for sucess and failure on my domain controllers ou and auditing enabled for "everyone" for everything on the entire domain object, yet when i use evencombMT to scan for an event id 630 in the security log, i get nothing. this account was deleted last nite so something should show up with this auditing enabled, no? do i have to set some other security policy like "audit directory service access" as well? I figured account management should cover deleting a user object. Thanks On 1/10/06, Al Mulnick [EMAIL PROTECTED] wrote: I've deleted the rest of the thread already, but did you not already say you found him in the deleted items using ADFIND -showdel? Or did I misread that and you're still looking for him? On 1/10/06, Tom Kern [EMAIL PROTECTED] wrote: I'm just using ADUC and searching by sAMAccountName. With LDP, i'm looking in Deleted Objects container but this company never deletes users accounts, just disables them indefinetly so all i see in that container are linkTrackOMTEntry objects. How can i see if the user was renamed? I got a call from help desk that this user couldn't log in and they couldn't find him in AD using ADUC which i confirmed. he's been witht the corp for 5 years and i was assured he always had an account. Thanks On 1/10/06, Al Mulnick [EMAIL PROTECTED] wrote: how do you know he's missing exactly? I mean, are you sure the account wasn't changed for example? Maybe renamed somehow? When you search, how are you searching exactly? On 1/10/06, Tom Kern [EMAIL PROTECTED] wrote: I have this weird issue- A user object is missing from my win2k native mode domain. I know because this user has complained that he can't log in and i can't find the object anywhere in AD. I've checked the deleted objects container in AD with ldp and he is not in there as well. He's not in the Lost and Found container either. His exchange mailbox is oprhaned in ESM. Sometime last nite this user was deleted but i have no way of finding him. we don't have auditing turned on for that but i figured if an object was deleted it would definetely be in the deleted objects container. is there anyway to bypass that? where else can i look? Any help would be great because this is just plain bizzare. Thanks
RE: [ActiveDir] OT: DEC 2006
Oh no, there was no mention of civility anywhere :-) From: Brian Desmond [mailto:[EMAIL PROTECTED] On Behalf Of Brian DesmondSent: Friday, January 06, 2006 7:39 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: DEC 2006 Oh you mean you witnessed them being civil to each other? That doesn't happen too often,especially after hours. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] on behalf of Fuller, StuartSent: Fri 1/6/2006 5:30 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: DEC 2006 Aimed at both Hunter and I are "average" AD admins and have found it very useful. The best part is sitting aroundat night talking with Joe and Dean.:-) _Stuart Fuller From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike klineSent: Friday, January 06, 2006 1:34 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] OT: DEC 2006 Looks like DEC is a great event and a lot of the heavy hitters and MVP's from this list will be there. Just wondering about it, is this a good conference for the average AD admin/designer or is this aimed at the advanced experts. I think my company will send some of us so I'm trying to get a feelfor the target audience. Thanks Mike On 1/6/06, Lee, Wook [EMAIL PROTECTED] wrote: I'm doing my regular lounge act at DEC. I don't know if I'll be able to make it to DEC 07 if I have to pay to play (the DEC that will live in Infamy if they make us pay, haha). Maybe they'll let me come if I volunteer to help set up or maybe do janitorial work on the side. I know Stella and Christine are always looking for "volunteers". :-P ;-) Wook P.S. Haikus and Jingles have been done. Do we dare do Limericks? "The 7 Limericks of Identity Management" does have a certain ring to it. Higgledy-Piggledy? Sonnets would be too high-brow for this crowd. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge deSent: Friday, January 06, 2006 2:05 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: DEC 2006 damn I knew there was a catch! ;-)) jorge From: [EMAIL PROTECTED] on behalf of Gil KirkpatrickSent: Fri 2006-01-06 00:48To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: DEC 2006 Jorge, you're speaking at DEC. You already get a free pass.We're not going to make speakers pay for their tickets, at least not until after 2007. :) -g-Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge deSent: Thursday, January 05, 2006 3:51 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: DEC 2006can I get a free pass?jorgeFrom: [EMAIL PROTECTED] on behalf of Gil KirkpatrickSent: Thu 2006-01-05 23:36To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: DEC 2006Well, I'm going. But I get a free pass... :)-gil From: [EMAIL PROTECTED] [ mailto:[EMAIL PROTECTED]] On Behalf Of Mark ParrisSent: Thursday, January 05, 2006 3:17 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: DEC 2006Of the list how many people are going to DEC this year? www.directoryexpertsconference.com http://www.directoryexpertsconference.com/Tomorrow is the last day for the early bird registrations if anyone wants to day some $£EUR's.MarkThis e-mail and any attachments may contain confidential and privileged information. If you are not the intended recipient, please notify thesender immediately by return e-mail, delete this e-mail and destroy anycopies. Any dissemination or use of this information by a person other than the intended recipient is unauthorized and may be illegal.This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspxList FAQ : http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspxList FAQ : http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Exchange store size
Check the application event logs on the exchange servers for ESE 220. Text of those should show the size of each store as the backup of the store begins. Given a list of your Exchange servers, you could script that up to check them all and dump out the results to a file. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Friday, January 06, 2006 12:29 PMTo: activedirectorySubject: [ActiveDir] Exchange store size Is there any quick easy way to get the size of all your Exchange 2k mailbox/public stores in your Org? Thanks
RE: [ActiveDir] OT: DEC 2006
You're saying you don't take your laptop bag to the gym? :-) -Original Message- From: [EMAIL PROTECTED] on behalf of Mark Parris Sent: Thu 1/5/2006 3:56 PM To: ActiveDir@mail.activedir.org Cc: Subject: RE: [ActiveDir] OT: DEC 2006 Just a thought: As most people already have a laptop bag – can we have a bag that we can say use for the gym this year or is it too late? I always get laptop bags (average 6 a year) and they sit in cupboard (closet) until I have too many or my wife goes ape (mad) and I have to dispose of them. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: 05 January 2006 22:37 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DEC 2006 Well, I'm going. But I get a free pass... :) -gil _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Thursday, January 05, 2006 3:17 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: DEC 2006 Of the list how many people are going to DEC this year? www.directoryexpertsconference.com http://www.directoryexpertsconference.com/ Tomorrow is the last day for the early bird registrations if anyone wants to day some $£€’s. Mark This e-mail and any attachments may contain confidential and privileged information. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this e-mail and destroy any copies. Any dissemination or use of this information by a person other than the intended recipient is unauthorized and may be illegal. winmail.dat
RE: [ActiveDir] DHCP(ot)
Ask your company what problem they hope to solve, or what added functionality they hope to get, by going with a 3rd party product. Then ask them if that problem/functionality is worth the purchase and implementation cost. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Monday, December 19, 2005 8:08 AMTo: activedirectorySubject: [ActiveDir] DHCP(ot) My company wants to use 3rd party dhcp product like Bluecat's Adonis 500 or 1000 instead of Windows DHCP. Is there really any compelling reason to dump or not dump Windows DHCP? We are running a Win2k3 Forest FFL Win2k3 with all our clients Win2k pro at the moment and Exchange 2k3. We do have a lot of Solaris servers running Sybase and other backendnetwork services as well. I'm just wondering why the pros or cons are of moving away from Windows DHCP in this area. I think the pros of WIN DHCP is its free and the abilty to prevent rouge DHCP servers(if they're running win2k and above, of course). I think most DHCP servers can do DDNS these days on behalf of the client so that's probably not an issue. Most can also give clients additionally info in the scope options like dns ip,domain name,etc. So, i was wondering if i'm missing anything. Also, has anyone used Bluecat's DHCP product in their network? Thanks alot
RE: [ActiveDir] Fully Own a User
You've hit the masterAccountSID problem that crops up when a mailbox-enabled account gets disabled. http://support.microsoft.com/default.aspx?scid=kb;en-us;278966 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah EigerSent: Wednesday, December 14, 2005 5:45 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Fully Own a User Hi I have about 10 users that left the company. Their AD accounts are disabled. I would like to use Exmerge to archive their email to PST and then delete them. However, Exmerge kicks back an error: Error opening message store (MSEMS). These accounts have the same permissions as the users for whom Exmerge worked fine. I tried enabling one of the accounts, logged in as that user, and then tried to configure Outlook to use the account. This last step (Outlook) got rejected saying the user did not have permission to access the mailbox. So, how can I completely own this account and give my admin account full control? Thanks. --No virus found in this outgoing message.Checked by AVG Free Edition.Version: 7.1.371 / Virus Database: 267.13.13/199 - Release Date: 12/13/2005
RE: [ActiveDir] ADMT Request
It's been ages since we ran our migration, but at the time we scripted it using the sample scripts that accompanied ADMT. If you go that route, you can have multiple log files that are uniquely named and not run into the session confusion. You'll also get much more consistent results from the scripts, as you won't have mischecked options or typos that seem inevitable in lots of point/click scenarios. Hunter -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, December 12, 2005 3:47 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] ADMT Request Hi All I am not sure anybody that can do anything with this listens on this list but we have been using ADMT v.3 with great success for a very large scale migration. The multi session ability has been a huge benefit to us. We are running into a problem keeping multiple sessions straight. How hard would it be to include a description field that you can fill in when you start the session that would then show up in the title bar for the session (something like Session DENVER, California, etc) Just a wish. James R. Day Active Directory Core Team Office of the Chief Information Officer National Park Service 202-230-2983 [EMAIL PROTECTED] List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Found bug in Active Directory DNS (integrated)
You're sure that it wasn't your client cache returning the value after the initial query? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ADSent: Wednesday, December 07, 2005 7:36 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Found bug in Active Directory DNS (integrated) Ok, this is the scenario.I needed to create 123 DNS entries really quick so I decided to use DNSCMD. It ended it being a big mistake. The mandatory parameters for DNSCMD /RECORDADD are the following: servername /RecordAdd Zone NodeName RRType RRData [command parameters] So I typed in the following: (entered it on different lines for easy readibiltiy). ncdc01 /RecordAdd myDomain.com hostA.myDomain.com A 192.168.1.2 The command completes with a "Command Completed Successfuly". Great. Only one problem. It does not show up in the DNS management console. I can see it in the directory but not in the DNS snapin. When I do a NsLookup on that record it comes up as hostA.myDomain.com.myDomain.com. Ok so I figured out that you do not need to specify the domain name for the NodeName parameter of the command. I go ahead and delete the entry in ADUC because I can't see it in DNS console, clear the DNS cache on the server and clear the cache on my client. When I run NsLookup on the host again it shows up as hostA.myDomain.com.myDomain.com. That is impossible right? The only way I was able to clear this entry from the server cache was to restart DNS on the DC. Not a feasible solution when you have 20 DC across the country. Has anyone seen this before? Thanks Yves
RE: [ActiveDir] Exporting Mailbox rights
The reference is on line 155 of the script. Go to Alain's site (www.lissware.net) and scroll down to the link for "Script Kit of Volume 2". Download that and extract the whole thing...you should get a directory structure, and themain script is in \Volume_2_ScriptKits\Chapter_04\Sample 4.02 to 4.13. You should also see a \Functions directory, which is where the SecurityInclude.vbs script (and others) reside. To run it against all of the mailboxes in an OU, you'll need to wrap Alain's script with code that queries the OU for all mailboxes, and then pipes the CN for each mailbox to the WMIManageSD.Wsf code. Hunter From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy HunterSent: Monday, December 05, 2005 5:41 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Exporting Mailbox rights Hi Alain, thanks for your response, it all looks very clever. I have tried running the following command: WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /adsi WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /decipher I receive this error "c:\WMIManageSD.Wsf(155, 39) Windows Script Host: Cannot retrieve referenced URL : ..\Functions\SecurityInclude.vbs" when I open this script, i can't see any reference to this Also, How can I run this against all group mailboxes in an OU any ideas? Amy ;-) Ps...sorry if I sound lame, scripting is not an area I spent too much time with Yet. /DIV Alain Lissoir [EMAIL PROTECTED] wrote: You can look at http://www.lissware.net, volume 2, Sample 4.02 to 4.13 - WMIManageSD.Wsf (and associated sub-functions in the Functions folder). Syntax to use in red below (the script supports Filesystem, Share, ADObject with Extended Rights, Exchange Mailbox, Registry Key, WMI namespace). Microsoft (R) Windows Script Host Version 5.6Copyright (C) Microsoft Corporation 1996-2001. All rights reserved. Usage: WMIManageSD.Wsf [/FileSystem:value] [/Share:value] [/ADObject:value] [/E2KMailbox:value] [/E2KStore[+|-]] [/RegistryKey:value] [/WMINameSpace:value] [/ViewSD[+|-]] [/Owner:value] [/Group:value] [/SDControls:value] [/AddAce[+|-]] [/DelAce[+|-]] [/Trustee:value] [/ACEMask:value] [/ACEType:value] [/ACEFlags:value] [/ObjectType:value] [/InheritedObjectType:value] [/SACL[+|-]] [/Decipher[+|-]] [/ADSI[+|-]] [/SIDResolutionDC[+|-]] [/Machine:value] [/User:value] [/Password:value] Options: FileSystem : Get the security descriptor of the specified file or directory path.Share : Get the security descriptor of the specified share name.ADObject : Get the security descriptor of the specified distinguished name AD object.E2KMailbox : Get the security descriptor of the Exchange 2000 mailbox specified by AD user distinguished name.E2KStore : Specify if th e security descriptor must come from the Exchange 2000 store.RegistryKey : Get the security descriptor of the specified registry key.WMINameSpace : Get the security descriptor of the specified WMI Name space.ViewSD : Decipher the security descriptor.Owner : Set the security descriptor owner.Group : Set the security descriptor group.SDControls : Set the security descriptor control flags.AddAce : Add a new ACE to the ACL.DelAce : Remove an existing ACE from the ACL.Trustee : Specify the ACE mask (granted user, group or machine account).ACEMask : Specify the ACE mask (granted rights).ACEType : Specify the ACE type (allow or deny the ACE mask).ACEFlags : Specify the ACE flags (ACE mask inheritance).ObjectType : Specify which object type, property set, or property an ACE refers to.InheritedObjectType : Specify the GUID of an object that will inherit the ACE.SACL : Manage the System ACL (auditing) (default=Discretionary ACL).Decipher : Decipher the security descriptor.ADSI : Retrieve the security descriptor with ADSI.SIDResolutionDC : Domain Controller to use for SID resolution.Machine : Determine the WMI system to connect to. (default=LocalHost)User : Determine the UserID to perform the remote connection. (default=none)Password : Determine the password to perform the remote connection. (default=none)Examples: Viewing Security descriptors ... Files and Folders --- WMIManageSD.Wsf /FileSystem:C:\MyDirectory /Decipher+ WMIManageSD.Wsf /FileSystem:C:\MyDirectory /Decipher+ /ADSI+ WMIManageSD.Wsf /FileSystem:C:\MyDirectory\MyFile.Txt /Decipher+ WMIManageSD.Wsf /FileSystem:C:\MyDirectory\MyFile.Txt /Decipher+ /ADSI+ Share --- WMIManageSD.Wsf /Share:MyDirectory /Decipher+ AD object
RE: [ActiveDir] Exporting Mailbox rights
http://msdn.microsoft.com/library/default.asp?url="">(watch the URL wrap) There's a section in there that covers the mailbox permissions. Hunter From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy HunterSent: Friday, December 02, 2005 3:17 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Exporting Mailbox rights Hi everyone, Thankyou everyone for your responses to my other post, everything went smoothly. I am looking for a way to export Exchange 2003Mailbox Permission access to a .csv or .txt for all mailboxes in active directory Does anyone know of a script or tool which will give me the same information as the Exchange Advanced Tab Mailbox Rights for all users and groups. I want to view the mailboxes to see who has access to what. Kind Regards, Amy ;-) How much free photo storage do you get? Store your holiday snaps for FREE with Yahoo! Photos. Get Yahoo! Photos
RE: [ActiveDir] When is a domain Admin not a domain Admin?
Well, if they truly have full control over all objects, then they could add themselves into the Domain Admins group. Moot point... From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Morley, ScottSent: Monday, November 28, 2005 12:59 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] When is a domain Admin not a domain Admin? All, For reasons too long and boring to mention, I have been asked about the following scenario: Create a regular normal everyday user Give that user full control over all objects in the domain The user is NOT part of the Domain Admins group Does the membership of the domain Admins group provide some additional rights/functionality to a user? Or is full access to all objects equivalent to domain admin rights? Scott Morley Active Directory Manager MSCE 2000, CCNA, CNE, CNI "Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. " - Douglas Adams (1952-2001) This electronic message transmission contains information from the Company that may be proprietary, confidential and/or privileged. The information is intended only for the use of the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying or distribution or use of the contents of this information is prohibited. If you have received this electronic transmission in error, please notify the sender immediately by replying to the address listed in the "From:" field.
RE: [ActiveDir] Renaming AD accounts en masse
Probably the easiest thing to do is save the spreadsheet into a delimitted text file (tab-delimitted in the code below), then open the file and read each line: Const ForReading = 1 strSourceFile = "yourFile.txt" Set objFSO = CreateObject("Scripting.FileSystemObject")Set objSourceFile = objFSO.OpenTextfile(strSourceFile, ForReading) Do Until objSourceFile.AtEndOfStreamstrLine = objSourceFile.ReadLinearrTemp = Split(strLine, VBTab) rest of your code here Loop From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, RussSent: Thursday, November 17, 2005 2:20 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Renaming AD accounts en masse Oh very cool that worked. Sorry, i'm not very _vbscript_ savvy. Now if I can figure out how to modify one of RLMuellers scripts to pull the info in from a spreadsheet I'll have it made. Any hints appreciated! Thanks From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge deSent: Thursday, November 17, 2005 3:06 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Renaming AD accounts en masse the link to script I mailed you is to rename the common name attribute (CN) using the movehere method. if you want to change the sAMAccountName attribute you can use the following code: Set objADObject = GetObject("LDAP://DC-NAME/CN=JORGE,OU=IT-DEPARTMENT,DC=DOMAIN,DC=LOCAL")objADObject.Put "sAMAccountName", "new samaccountname"objADObject.SetInfo Jorge From: [EMAIL PROTECTED] on behalf of Rimmerman, RussSent: Thu 11/17/2005 9:44 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Renaming AD accounts en masse I don't see a username option in DSMOD. Every other blank appears to be modifyable except for the username (sAMAccountName) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, AricSent: Thursday, November 17, 2005 2:16 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Renaming AD accounts en masse Another command line option would DSMOD. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge deSent: Thursday, November 17, 2005 12:08 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Renaming AD accounts en masse you can use the example as explained at: http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec04/hey1214.mspx although a group is used as example you can do it with users also. Modifying the script to use an input file would to the "en masse" thing cheers, Jorge From: [EMAIL PROTECTED] on behalf of Tony MurraySent: Thu 11/17/2005 8:28 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Renaming AD accounts en masse You can create with CSVDE but not modify, so it wouldnt be suitable for renaming. A script or LDIFDE would be the obvious alternatives. Tony From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil RenoufSent: Friday, 18 November 2005 6:17 a.m.To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Renaming AD accounts en masse CSVDE is probably a good bet since you have the information in Excel already: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/1050686f-3464-41af-b7e4-016ab0c4db26.mspx Phil On 11/17/05, Rimmerman, Russ [EMAIL PROTECTED] wrote: What's the easiest and quickest way to rename a large (1000+) number of AD user accounts? LDIFDE? AD.NET? Or is there something easier? I'm going to be importing 1000+ AD accounts that are first.last for the username and will want to rename them to a specific username listed in an excel spreadsheet. ~~This e-mail is confidential, may contain proprietary informationof the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged.This e-mail should be read, copied, disseminated and/or used onlyby the addressee. If you have received this message in error pleasedelete it, together with any attachments, from your system. ~~ This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002. ~~This e-mail is confidential, may contain proprietary informationof the Cooper Cameron Corporation and its operating Divisionsand may be confidential or privileged.This e-mail should be read, copied, disseminated and/or used onlyby the addressee. If you have received this message in error
RE: [ActiveDir] Recommendations for a DOD wipe of a RAID Array?
We've used Boot and Nuke, which has several options for number of 0/1 write passes. http://dban.sourceforge.net/ I'm not sure what Joe's -safe option would be on something like this :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Wednesday, November 16, 2005 7:03 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Recommendations for a DOD wipe of a RAID Array? Jose, you might want to check with the Symantec support site to find something that meets DoD spec. If not, there are lots of inexpensive options such as http://www.stompsoft.com/drivewasher2.html that claim to meet that standard. Pretty much, it means many passes of writing 1's and 0's to all sectors on the media, so you *could* even do this yourself if you really really wanted to. I think there should be a joeware tool for it g -ajm From: Jose Medeiros [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Recommendations for a DOD wipe of a RAID Array? Date: Wed, 16 Nov 2005 00:32:06 -0800 Thanks for the reply Brian, I suggested that as well. These servers are being donated to a non profit and have had sensitive payroll data on them. The policy at the company now that they are Sarbanes Oxley compliant is that we will do a DOD wipe of all discarded data. Jose - Original Message - From: Brian Desmond [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, November 15, 2005 7:14 PM Subject: RE: [ActiveDir] Recommendations for a DOD wipe of a RAID Array? I don't work for HP, but, I usually find the System Erase utility on the SmartStart disk sufficient. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, November 15, 2005 9:31 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Recommendations for a DOD wipe of a RAID Array? Greetings, I am trying to use Symantecs Gdisk with a /DODWIPE option to do a security wipe of a Compaq 7000's Raid Array, however using a dos boot disk will not allow me to access the disk array. My work around on this was that I created a 32 bit bootable CD-Rom using Bart's PE and I added the server's 32bit Raid controller driver which now allows me to access the disk array. However since it is running a 32bit OS, gdisk will not work as it is only a 16bit program. When I try and use Symantec's Gdisk32 which will run, the /DODWIPE option is not available. Does anyone know if Symantec has an updated version of GDISK32 that supports a DODWIPE? Does any one have any prefered tools other then GDISK that they can recommend that will work with my Raid Array? Since there are some HP employees on this list, does HP have a recommended tool they provide there customers to use on Proliant servers before decommisioning them? Sincerely, Jose Medeiros ADP | National Account Services ProBusiness Division | Information Services 925.737.7967 | 408-449-6621 CELL MCP+I, MCSE, NT4 MCT www.ntea.net www.tvnug.org www.sfntug.org List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] strGrooup?
Your post got me to wondering where I had screwed up, and it turns out I made two incorrect assumptions. First, I thought that VBScript was consistent with other environments where False=0 and True=1. Not so, as apparently they decided that True=-1. Second, I assumed that in the If statement, if your check evaluated to True (or -1, as I see now) then the code following Then would execute, and if the check evaluated to False (or 0) then the code following Then would not execute. Turns out that is the case from a logical standpoint, but in the implementation if your check evaluates to anything other than 0, then the code following Then will execute. Kind of subtle, but it could produce unexpected results, at least for me :-) Hunter -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Monday, November 14, 2005 7:03 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] strGrooup? I found the problem. It seems that my constants were not lower case, thats why it was not mapping. I also added 'On Error GoTo 0' after the removal of the drives to show errors. The drives mapped with the original If,Then statements (without the 0). Thanks All... From: [EMAIL PROTECTED] on behalf of Coleman, Hunter Sent: Mon 11/14/2005 6:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] strGrooup? OK, looking at this a bit closer than my first reply, if the user is in Windows_Group and/or any of the other groups, what are the odds that that group will happen to be first in the strGroup string? InStr will return the position of the first occurrance, so unless it happens to be the first group in strGroup you're going to get something greater than 1. Your If statements are looking for something that evaluates to 0 or 1 (False or True). So you need to change your evaluation to something like If (InStr(strGroup, Windows_group) 0) Then End If But that's not why you were getting the drives mapped. You have Option Explicit set at the start, then you have On Error Resume Next. When you try to use strGrooup (that isn't defined), the script errors but then continues on to the next line. Get rid of the On Error Resume Next and change your If statements, and you should be set. If you want to do some error checking, you can put the On Error Resume Next back in but check to see what Err.Number is after your If statements. As long as it is zero, you can continue with the drive mapping. Hunter From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Monday, November 14, 2005 4:05 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] strGrooup? I cannot figure this one out. Why doesn't the following script work when I use 'strGroup', instead, it works (maps drives) when I use strGrooup. strGrooup isn't even defined. Option Explicit Dim objNetwork, objUser, CurrentUser, objFSO Dim strGroup Const Windows_Group = BSG - IS Windows Systems Const Pricing_Group = gs-ssd-pricing Const IPCC_Group = IPCCGroup Const IXOS_Group = IXOS_ScanPost_Common Set objNetwork = CreateObject(WScript.Network) ' Forces script to skip errors (rem below line to see errors) on error resume next Dim WshNetwork Set WshNetwork = WScript.CreateObject(WScript.Network) ' Set all drives to be removed here. WshNetwork.RemoveNetworkDrive e: WshNetwork.RemoveNetworkDrive f: Set objUser = CreateObject(ADSystemInfo) Set CurrentUser = GetObject(LDAP:// objUser.UserName) strGroup = LCase(Join(CurrentUser.MemberOf)) if instr(strGrooup, Windows_Group) then objNetwork.MapNetworkDrive s:, \\gsfps2\siteshare objNetwork.MapNetworkDrive u:, \\gsfps2\users end if if instr(strGroup, IXOS_Group) then objNetwork.MapNetworkDrive e:, \\gsimage2\IXOS_ScanPost_Common\Late Archive objNetwork.MapNetworkDrive f:, \\gsimage2\IXOS_ScanPost_Common\Common Post objNetwork.MapNetworkDrive i:, \\gsimage2\IXOS_ScanPost_Common\Normal objNetwork.MapNetworkDrive j:, \\gsimage2\IXOS_ScanPost_Common\Demand objNetwork.MapNetworkDrive k:, \\gsimage2\IXOS_ScanPost_Common\Emergency end if Devon Harding Windows Systems Engineer Southern Wine Spirits - BSG 954-602-2469 __ This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com
RE: [ActiveDir] strGrooup?
Comment out your "on error resume next" line and run the script. What errors show up? Hunter From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, DevonSent: Monday, November 14, 2005 4:05 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] strGrooup? I cannot figure this one out. Why doesnt the following script work when I use strGroup, instead, it works (maps drives) when I use strGrooup. strGrooup isnt even defined. Option Explicit Dim objNetwork, objUser, CurrentUser, objFSO Dim strGroup Const Windows_Group = "BSG - IS Windows Systems" Const Pricing_Group = "gs-ssd-pricing" Const IPCC_Group = "IPCCGroup" Const IXOS_Group = "IXOS_ScanPost_Common" Set objNetwork = CreateObject("WScript.Network") ' Forces script to skip errors (rem below line to see errors) on error resume next Dim WshNetwork Set WshNetwork = WScript.CreateObject("WScript.Network") ' Set all drives to be removed here. WshNetwork.RemoveNetworkDrive "e:" WshNetwork.RemoveNetworkDrive "f:" Set objUser = CreateObject("ADSystemInfo") Set CurrentUser = GetObject("LDAP://" objUser.UserName) strGroup = LCase(Join(CurrentUser.MemberOf)) if instr(strGrooup, Windows_Group) then objNetwork.MapNetworkDrive "s:", "\\gsfps2\siteshare" objNetwork.MapNetworkDrive "u:", "\\gsfps2\users" end if if instr(strGroup, IXOS_Group) then objNetwork.MapNetworkDrive "e:", "\\gsimage2\IXOS_ScanPost_Common\Late Archive" objNetwork.MapNetworkDrive "f:", "\\gsimage2\IXOS_ScanPost_Common\Common Post" objNetwork.MapNetworkDrive "i:", "\\gsimage2\IXOS_ScanPost_Common\Normal" objNetwork.MapNetworkDrive "j:", "\\gsimage2\IXOS_ScanPost_Common\Demand" objNetwork.MapNetworkDrive "k:", "\\gsimage2\IXOS_ScanPost_Common\Emergency" end if Devon Harding Windows Systems Engineer Southern Wine Spirits - BSG 954-602-2469 __This message and any attachments are solely for the intended recipientand may contain confidential or privileged information. If you are notthe intended recipient, any disclosure, copying, use or distribution ofthe information included in the message and any attachments isprohibited. If you have received this communication in error, pleasenotify us by reply e-mail and immediately and permanently delete thismessage and any attachments. Thank You.
RE: [ActiveDir] strGrooup?
OK, looking at this a bit closer than my first reply, if the user is in Windows_Group and/or any of the other groups, what are the odds that that group will happen to be first in the strGroup string? InStr will return the position of the first occurrance, so unless it happens to be the first group in strGroup you're going to get something greater than 1. Your If statements are looking for something that evaluates to 0 or 1 (False or True). So you need to change your evaluation to something like If (InStr(strGroup, Windows_group) 0) Then End If But that's not why you were getting the drives mapped. You have Option Explicit set at the start, then you have On Error Resume Next. When you try to use strGrooup (that isn't defined), the script errors but then continues on to the next line. Get rid of the On Error Resume Next and change your If statements, and you should be set. If you want to do some error checking, you can put the On Error Resume Next back in but check to see what Err.Number is after your If statements. As long as it is zero, you can continue with the drive mapping. Hunter From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, DevonSent: Monday, November 14, 2005 4:05 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] strGrooup? I cannot figure this one out. Why doesnt the following script work when I use strGroup, instead, it works (maps drives) when I use strGrooup. strGrooup isnt even defined. Option Explicit Dim objNetwork, objUser, CurrentUser, objFSO Dim strGroup Const Windows_Group = "BSG - IS Windows Systems" Const Pricing_Group = "gs-ssd-pricing" Const IPCC_Group = "IPCCGroup" Const IXOS_Group = "IXOS_ScanPost_Common" Set objNetwork = CreateObject("WScript.Network") ' Forces script to skip errors (rem below line to see errors) on error resume next Dim WshNetwork Set WshNetwork = WScript.CreateObject("WScript.Network") ' Set all drives to be removed here. WshNetwork.RemoveNetworkDrive "e:" WshNetwork.RemoveNetworkDrive "f:" Set objUser = CreateObject("ADSystemInfo") Set CurrentUser = GetObject("LDAP://" objUser.UserName) strGroup = LCase(Join(CurrentUser.MemberOf)) if instr(strGrooup, Windows_Group) then objNetwork.MapNetworkDrive "s:", "\\gsfps2\siteshare" objNetwork.MapNetworkDrive "u:", "\\gsfps2\users" end if if instr(strGroup, IXOS_Group) then objNetwork.MapNetworkDrive "e:", "\\gsimage2\IXOS_ScanPost_Common\Late Archive" objNetwork.MapNetworkDrive "f:", "\\gsimage2\IXOS_ScanPost_Common\Common Post" objNetwork.MapNetworkDrive "i:", "\\gsimage2\IXOS_ScanPost_Common\Normal" objNetwork.MapNetworkDrive "j:", "\\gsimage2\IXOS_ScanPost_Common\Demand" objNetwork.MapNetworkDrive "k:", "\\gsimage2\IXOS_ScanPost_Common\Emergency" end if Devon Harding Windows Systems Engineer Southern Wine Spirits - BSG 954-602-2469 __This message and any attachments are solely for the intended recipientand may contain confidential or privileged information. If you are notthe intended recipient, any disclosure, copying, use or distribution ofthe information included in the message and any attachments isprohibited. If you have received this communication in error, pleasenotify us by reply e-mail and immediately and permanently delete thismessage and any attachments. Thank You.
RE: [ActiveDir] scripting file move issue(OT)
Yes, this is scriptable. Perl vs VBS? Either will work, so I'd go with whatever you are most comfortable with. How quickly are your source directories going to refill, and how quickly are is your destination directory going to get cleaned up by the different process? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Wednesday, November 09, 2005 11:30 AMTo: activedirectorySubject: [ActiveDir] scripting file move issue(OT) I'm having a problem trying to figure out how to script or batch file something. I want to move N number of files from a series of sudirectories to another dir and then wait to make sure a different process that is running will remove the files i just moved from the other dir, before moving more N number of files from a series of subdirectories to that dir and continuing the process in this manner until the seires of subdirectories are empty. can i script something like this? would perl be better at this than _vbscript_? can i do this with Robocopy? I read the docs and don't really think so but maybe someone else more familliar with it would know thanks
RE: [ActiveDir] scripting file move issue(OT)
Rich has outlined what you'll need to do. I'd probably include an initial check of the destination folder to make sure it's empty before starting any of the copies/moves. http://www.microsoft.com/technet/scriptcenter/scripts/storage/files/default.mspxhas links to snippets that will show you how to list all files in a folder (and thus get a count), as well as how to move or copy files. Hunter From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Wednesday, November 09, 2005 1:00 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] scripting file move issue(OT) thanks i think i might need a little more assistance here. i'm a little out of my depth On 11/9/05, Rich Milburn [EMAIL PROTECTED] wrote: Tom, Suggest you use FSO.MoveFile or Folder.MoveHere in _vbscript_ to do the moving rather than xcopy. You could enumerate files, have a for each loop with a counter, and move files until the counter is divisible by 1000 (or = 1000 and reset), sleep for 15-20 seconds, and continue. After your sleep you could check that the destination folder is empty and if not then sleep again. I'm assuming some familiarity with the _vbscript_ I'm talking about, if you need more specifics just ask. Rich --- Rich Milburn MCSE, Microsoft MVP - Directory ServicesSr Network Analyst, Field Platform Development Applebee's International, Inc.4551 W. 107th StOverland Park, KS 66207 913-967-2819 -- "I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom KernSent: Wednesday, November 09, 2005 12:58 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] scripting file move issue(OT) the source dirs take awhile to refill as they are being filled by xcopy. it copies about 4gig a batch. The destination dir empties in about 10-15secs. also the destinantion dir can only handle 1000 files at a time before being emptied. thanks On 11/9/05, Coleman, Hunter [EMAIL PROTECTED] wrote: Yes, this is scriptable. Perl vs VBS? Either will work, so I'd go with whatever you are most comfortable with. How quickly are your source directories going to refill, and how quickly are is your destination directory going to get cleaned up by the different process? From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom KernSent: Wednesday, November 09, 2005 11:30 AMTo: activedirectorySubject: [ActiveDir] scripting file move issue(OT) I'm having a problem trying to figure out how to script or batch file something. I want to move N number of files from a series of sudirectories to another dir and then wait to make sure a different process that is running will remove the files i just moved from the other dir, before moving more N number of files from a series of subdirectories to that dir and continuing the process in this manner until the seires of subdirectories are empty. can i script something like this? would perl be better at this than _vbscript_? can i do this with Robocopy? I read the docs and don't really think so but maybe someone else more familliar with it would know thanks ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
RE: [ActiveDir] Exchange now supported on virtual hardware
"It depends..." We're running some production Exchange front-end servers on ESX and they perform as well as others that we have on physical hardware. Connector servers are also good candidates. Heavily loaded mailbox servers...I agree with you there. Hunter From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Friday, October 28, 2005 7:53 AMTo: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]Cc: [EMAIL PROTECTED]Subject: Re: [ActiveDir] Exchange now supported on virtual hardware I couldn't agree more with Tony -- Exchange is a resource hog and should not be done on VMWare except for testing purposes. Just because you can doesn't mean you should Chuck Gafford Systems Architect Unisys Mobile: (405) 819-6766 -Original Message-From: Medeiros, Jose [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]Cc: # Jose Medeiros-IBM (E-mail) [EMAIL PROTECTED]Sent: Thu, 27 Oct 2005 15:39:35 -0700Subject: [ActiveDir] Exchange now supported on virtual hardware Hi Tony, I have to respond to this. Many IT managers think you can just virtualize any application because of all the marketing hype. Be very careful, I/O is critical to Exchange and any other database application which may make running it on VMWARE or VIRTUAL SERVER unpractical not to mention Exchange is also very resource intensive and will take whatever it can. Now I am sure if you have a very small environment that it may make sense, but with Microsoft Small Business server why would you want to? Any body else car to throw in there two cents? Sincerely, Jose Medeiros ADP | National Account Services ProBusiness Division | Information Services 925.737.7967 | 408-449-6621 CELL -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Tony Murray Sent: Thursday, October 27, 2005 2:49 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] [OT] Exchange now supported on virtual hardware Microsoft has introduced support for Exchange 2003 SP2 and later on Virtual Server 2005 R2. This article has just been released. http://support.microsoft.com/default.aspx?scid=kb;en-us;320220 I guess this means we can now run a DC and Exchange on the same physical hardware without any of the previous limitations. Tony List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Exchange now supported on virtual hardware
Typically 20GB and 800 users per store, with 3 stores per server. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Friday, October 28, 2005 10:17 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Exchange now supported on virtual hardware What's your sizing of mail stores and mailboxes there -- Chuck -Original Message-From: Coleman, Hunter [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSent: Fri, 28 Oct 2005 08:35:27 -0600Subject: RE: [ActiveDir] Exchange now supported on virtual hardware "It depends..." We're running some production Exchange front-end servers on ESX and they perform as well as others that we have on physical hardware. Connector servers are also good candidates. Heavily loaded mailbox servers...I agree with you there. Hunter From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Friday, October 28, 2005 7:53 AMTo: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]Cc: [EMAIL PROTECTED]Subject: Re: [ActiveDir] Exchange now supported on virtual hardware I couldn't agree more with Tony -- Exchange is a resource hog and should not be done on VMWare except for testing purposes. Just because you can doesn't mean you should Chuck Gafford Systems Architect Unisys Mobile: (405) 819-6766 -Original Message-From: Medeiros, Jose [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]Cc: # Jose Medeiros-IBM (E-mail) [EMAIL PROTECTED]Sent: Thu, 27 Oct 2005 15:39:35 -0700Subject: [ActiveDir] Exchange now supported on virtual hardware Hi Tony, I have to respond to this. Many IT managers think you can just virtualize any application because of all the marketing hype. Be very careful, I/O is critical to Exchange and any other database application which may make running it on VMWARE or VIRTUAL SERVER unpractical not to mention Exchange is also very resource intensive and will take whatever it can. Now I am sure if you have a very small environment that it may make sense, but with Microsoft Small Business server why would you want to? Any body else car to throw in there two cents? Sincerely, Jose Medeiros ADP | National Account Services ProBusiness Division | Information Services 925.737.7967 | 408-449-6621 CELL -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Tony Murray Sent: Thursday, October 27, 2005 2:49 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] [OT] Exchange now supported on virtual hardware Microsoft has introduced support for Exchange 2003 SP2 and later on Virtual Server 2005 R2. This article has just been released. http://support.microsoft.com/default.aspx?scid=kb;en-us;320220 I guess this means we can now run a DC and Exchange on the same physical hardware without any of the previous limitations. Tony List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] exchange confusion(OT)
IIRC, you have a dedicated SMTP connector for servername.journaldomain.com or journaldomain.com. You can try going to the Advanced tab of this SMTP connector and checking the box to "Send HELO instead of EHLO," which should drop the extended verb attempts from your side. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Wednesday, October 12, 2005 8:29 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] exchange confusion(OT) no difference. i get back all the esmtp verbs including the MS ones. In a net trace all i see is "tcp retransmission" on port 25 to that server. i'm sending them about 2,000 emails in my queue but i only see about 3 connections in the trace. in the protocol log, i see my server give a xexch50, then their servr responds with a "need to auth first", then my server issues a bdat, then nothing- no quit or rset or anything. thanks alot On 10/12/05, Coleman, Hunter [EMAIL PROTECTED] wrote: Network trace is probably the way to go, but lacking that...if you telnet to port 25 on the remote corp's mail host, and issue an ehlo command, do you get back a list of supported verbs? What are they, or if not, what do you get back? Do that from your workstation and also from the Exchange server that's trying to deliver the mail to see if there are any differences or firewall restrictions. From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom KernSent: Wednesday, October 12, 2005 6:04 PM To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] exchange confusion(OT) its 2 seperate orgs. that seems to be about 2 servers in the same org. i think the issue rests with the xexch50 esmtp verb. everytime my exchange server issues it, things just hang. the remote corp is using a pix firewall with an smtp proxy but not Mailguard. I know mailguard can cause issues. do you know of any problems with some MS specific esmtp verbs like xexch50 and pix firewalls? thanks alot On 10/11/05, Al Mulnick [EMAIL PROTECTED] wrote: This was what I was thinking of http://support.microsoft.com/default.aspx?scid=kb;EN-US;288175 But it's possible you have another issue going on. Can you capture the trace via netmon? Do you have it available? Ethereal is fine as well, but... Whichever you use, filter the conversation to those two servers so you can see everything going on. Also, do you end up getting a NDR? If so, what is it? Unable to relay? You didn't set up any recip policies with journaldomain.com by any chancedid you? -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom KernSent: Tuesday, October 11, 2005 2:41 PMTo: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] exchange confusion(OT) Both servers are exchange 2k The conversation goes something like this- ehlo mail from: rcpt to: on my mailserver's side. all these get 250 smtp response codes from the journal server. then, my mail server tries to send a xexch50 which gets a "need to auth first" response from their server. now i assume thats just normal exchange routing/mapi info stuff but they're not in the same ORG so thats a normal response. then the last thing i see is a bdat from my server and thats all she wrote. i never see a quit or the conversation end. this is in the smtp protocol logs on my bridgehead server. in ethereal i just get "tcp retransmission" everytime i see the ip of the journal server. maybe this is the GRE tunnel and i should play with the PMTUD on the bridgehead? The thing you say about contacts having an internal address is new to me. i've never worked at a company that gave their contacts internal proxy addys or ever seen it written that you should do that. every place i've worked just used contacts as an object to represent external addys in the GAL. isn't this their point? why would you need an addy pointing back to you for an external contact? i'm not disagreeing with you, mind you, i'd just like to know why and I know you know :) also, can you elaborate as to the "weird results" from having a recipient pol point to a FQDN that indicates itself(not sure if thats the way they set it up). thanks. sorry for all the questions(and OT as they are). On 10/11/05, Al Mulnick [EMAIL PROTECTED] wrote: One thing Exchange 2000x doesn't do well is deal with hosting a FQDN that indicates
RE: [ActiveDir] Adding users to local Admin group
Title: Adding users to local Admin group The restricted groups setting falls under the Computer Config section of the GPO, so it's not going to apply to all machines they log into. It's only going to apply to the computers that receive the GPO. Put the computers that are going to be used in the Cisco class into a temporary OU, and apply the restricted groups GPO to that temporary OU. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jake StablSent: Thursday, October 13, 2005 8:16 AMTo: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]; techcoords@listserv.osn.state.oh.usSubject: [ActiveDir] Adding users to local Admin group I am using Active Directory and I need to know how to add certain people to the local admin group only on certain computers. I know I can do this under restricted groups but that makes thoses users local admin on all machines they log into. Specificly I have a cisco class I need to give admin rights to but only on those computers they use. Any one have a suggestion? -- Jacob Stabl Network Engineer Plain Local School District http://www.plainlocal.org Office: 330.492.3500 Cell : 330.704.1278 IP Phone: 4466
RE: [ActiveDir] Adding Helpdesk Group to Local Admin Group
Title: Message That won't work, since the restricted groups setting is under the Computer Config part of the GPO. Hunter From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of CHIANESE, DAVIDSent: Thursday, October 13, 2005 9:49 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Adding Helpdesk Group to Local Admin Group Open up the GPO properties and in the security tab add the Helpdesk group. Give them read and apply group policy for that policy. remove apply group policy from any other group you do not want to get the policy, I.E. Authenticated Users. Regards, David Chianese -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.Sent: Thursday, October 13, 2005 11:12 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Adding Helpdesk Group to Local Admin Group How would I utilize Restriced Groups in a GPO to add in a Helpdesk Group that I have for my helpdesk staff to have administrative rights on a local PC with out having to touch each PC and without screwing up the local admin group? Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED]
RE: [ActiveDir] exchange confusion(OT)
What do the SMTP conversation and network traces look like from their side? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Thursday, October 13, 2005 10:03 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] exchange confusion(OT) I disabled ehlo on the smtp connector and i still get a full unreachable queue- "connection was dropped by remote host" In ethereal, i get "tcp retransmission" and "tcp zero window" during the conversation between my mail server and theirs. does this point to the IPsec tunnel and mtu? My side? Their side? Thanks alot. On 10/13/05, Tom Kern [EMAIL PROTECTED] wrote: mismatched on my side or theirs? I was wrong, its an IPsec tunnel NOT a gre tunnel. The mtu size on my side is the default for a cisco 2600 router(i think thats the setting of the media being used in the router- etherenet=1500,etc). Thanks On 10/13/05, Michael B. Smith [EMAIL PROTECTED] wrote: Honestly, that looks like a mismatched MTU to me. It's worth checking. If you turn off EHLO, as someone else suggested, that should limit the maximum size of the TCP packet rather dramatically... From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom KernSent: Thursday, October 13, 2005 10:29 AM To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] exchange confusion(OT) thanks. i don't think they are running mailguard as when i telnet to the server and issue a ehlo, i get all the esmtp verbs including the MS ones. when i try to issue an "xexch50", the server replies with a "need to authenticate first". after which i can still happily issue a data or bdat still in my sniffer, all i get is "tcp retransmission". In the smtp logs on my bridgehead, i just get a bdat issued by my server and then nothing- no quit or rset. in ESM, my queue to the journal server is backed up and says "connection dropped by remote host". eventualy the mail in this queue gets put into the "messages with unreachable destination" queue. strange.. On 10/13/05, Candee Vaglica [EMAIL PROTECTED] wrote: Try searching for the SMTP fixup http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_security_notice09186a0080265e37.html On 10/13/05, Tom Kern [EMAIL PROTECTED] wrote: Thanks. I know there were issues with Cisco's Mailguard feature on a PIX but i can't seem to find any articles on their website. Thanks again On 10/13/05, Al Mulnick [EMAIL PROTECTED] wrote: Actually, there are some knownissues with pix and Exchange. You should check the cisco support and kb articles to see if yours is a match, although I would have thought your journaling company would have figured it out by now.Similar symptoms. The article I sent you had to do with the configuration and you'll possibly see issues regardless of the ORG you're in. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern Sent: Wednesday, October 12, 2005 10:29 PMTo: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] exchange confusion(OT) no difference. i get back all the esmtp verbs including the MS ones. In a net trace all i see is "tcp retransmission" on port 25 to that server. i'm sending them about 2,000 emails in my queue but i only see about 3 connections in the trace. in the protocol log, i see my server give a xexch50, then their servr responds with a "need to auth first", then my server issues a bdat, then nothing- no quit or rset or anything. thanks alot On 10/12/05, Coleman, Hunter [EMAIL PROTECTED] wrote: Network trace is probably the way to go, but lacking that...if you telnet to port 25 on the remote corp's mail host, and issue an ehlo command, do you get back a list of supported verbs? What are they, or if not, what do you get back? Do that from your workstation and also from the Exchange server that's trying to deliver the mail to see if there are any differences or firewall restrictions.
RE: [ActiveDir] Design Question
Unless there are different requirements at various branches for domain-wide settings, like password policies, or there are political obstacles, I would go with as few domains as possible. Start with a single domain, and then increase that number only if you run into circumstances that require multiple domains (password stuff, kerberos policies, certificate stuff, etc). Hunter From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah EigerSent: Wednesday, October 12, 2005 11:47 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Design Question Hi - I am designing a new domain structure what will have a HQ and then roughly 10 branch offices, less than 200 users total. The Microsoft Branch Office Deployment guide shows a single forest with three domains: root, hq, and branches (and oodles of domain controllers). Allen, Minasi, etc etc etc all say to try to limit yourself to a single domain if possible. My inclination is to go with the latter (single domain) model. With this size organization is there a need for multiple domains? An empty root? Thanks. -- nme
RE: [ActiveDir] exchange confusion(OT)
Network trace is probably the way to go, but lacking that...if you telnet to port 25 on the remote corp's mail host, and issue an ehlo command, do you get back a list of supported verbs? What are they, or if not, what do you get back? Do that from your workstation and also from the Exchange server that's trying to deliver the mail to see if there are any differences or firewall restrictions. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Wednesday, October 12, 2005 6:04 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] exchange confusion(OT) its 2 seperate orgs. that seems to be about 2 servers in the same org. i think the issue rests with the xexch50 esmtp verb. everytime my exchange server issues it, things just hang. the remote corp is using a pix firewall with an smtp proxy but not Mailguard. I know mailguard can cause issues. do you know of any problems with some MS specific esmtp verbs like xexch50 and pix firewalls? thanks alot On 10/11/05, Al Mulnick [EMAIL PROTECTED] wrote: This was what I was thinking of http://support.microsoft.com/default.aspx?scid=kb;EN-US;288175 But it's possible you have another issue going on. Can you capture the trace via netmon? Do you have it available? Ethereal is fine as well, but... Whichever you use, filter the conversation to those two servers so you can see everything going on. Also, do you end up getting a NDR? If so, what is it? Unable to relay? You didn't set up any recip policies with journaldomain.com by any chancedid you? -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom KernSent: Tuesday, October 11, 2005 2:41 PMTo: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] exchange confusion(OT) Both servers are exchange 2k The conversation goes something like this- ehlo mail from: rcpt to: on my mailserver's side. all these get 250 smtp response codes from the journal server. then, my mail server tries to send a xexch50 which gets a "need to auth first" response from their server. now i assume thats just normal exchange routing/mapi info stuff but they're not in the same ORG so thats a normal response. then the last thing i see is a bdat from my server and thats all she wrote. i never see a quit or the conversation end. this is in the smtp protocol logs on my bridgehead server. in ethereal i just get "tcp retransmission" everytime i see the ip of the journal server. maybe this is the GRE tunnel and i should play with the PMTUD on the bridgehead? The thing you say about contacts having an internal address is new to me. i've never worked at a company that gave their contacts internal proxy addys or ever seen it written that you should do that. every place i've worked just used contacts as an object to represent external addys in the GAL. isn't this their point? why would you need an addy pointing back to you for an external contact? i'm not disagreeing with you, mind you, i'd just like to know why and I know you know :) also, can you elaborate as to the "weird results" from having a recipient pol point to a FQDN that indicates itself(not sure if thats the way they set it up). thanks. sorry for all the questions(and OT as they are). On 10/11/05, Al Mulnick [EMAIL PROTECTED] wrote: One thing Exchange 2000x doesn't do well is deal with hosting a FQDN that indicates itself. It causes weird results. So if their internal server primary dns suffix is journaldomain.com and they have a recip policy of servername.journaldomain.com then they'll have some strange results over time. One thing you might want to look for is the verbs being passed back and forth between the servers. If Exchange 2K3 and Exchange 2K are trading messages, they can talk ESMTP with Microsoft specific verbs assuming nothing is between the two. A network trace is the easiest way to troubleshoot this. Look at the successful and failed conversations to see what's going on. At least it's recreatable. Oh. Your mail-enabled contact should have an internal address as well. It's a good idea to have it, vs. a requirement, but it's not really mail-enabled if it's just a Windows contact and doesn't have both an internal and an external address (primary of course). -ajm -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom KernSent: Tuesday, October 11, 2005 11:30 AMTo: activedirectorySubject: Re: [ActiveDir]
RE: [ActiveDir] Forest prep/domain prep in a MT root Domain
Title: RE: [MVP-Directory Services] October MVP Awards John- Some more details please... What do you have in place now, in terms of Active Directory and Exchange (versions, layout, etc)? Or is this a brand new install of everything? Are you talking about Exchange forestprep/domainprep, or Win 2003 adprep forestprep/domainprep? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ZAD Forum for Active DirectorySent: Tuesday, October 11, 2005 9:55 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Forest prep/domain prep in a MT root Domain Hey everyone, long time reading hereI'm confused as I'm new to AD and doing my research for our conversion..so here is my question we are gong to have an MT root domain and a sub ( if that the correct term) domain where we are going to put exchange, let call the root domain "AD.sdccd" and the sub domain admin. What is the proper procedure for running Forest prep and Domain Prep? From all my reading I don't think I run forest prep on the sub domain but do run domain prep on the MT root and on the sub domain. Am I correct john
RE: [ActiveDir] Question about Delegation Object Owner.
If you create an object, you are the owner of the object and have full control over it. Seems like your options include removing their create/delete OU rights and making them go through you, or setting up a proxied system (e.g. web page) that will do the creation for them. You could run a script that takes ownership of all OUs and resets permissions on them, but that will be reactive and you may still end up with user accounts or other things that the admins created manually inbetween runs of the script. Hunter From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANNSent: Thursday, October 06, 2005 12:09 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Question about Delegation Object Owner. Hello, In my university, I had succesfully delegated to each adminsresponsible oftheir OU the following tasks: - Creste.delete groups. - Create/delete computers - Create/delete OUs.. - Only Modify Users properties: Adminshave no right tocreate/delete users because this task is done by our MIIS 2003. BUT, i noiticed that in some OUs, users are still created manually, and after searching, it was due to the fact that admins have the rights to create child OUs, they become automaticallythe owner of theirOUso theycan easily modify the ACLs to have full control .. :( So my question :is there a way to grant them create/delete OU without having themto be theowner of their OU ? I did not find a set of properties in dssec.dat concerning my needs. Thanks for input. Cheers, Yann
RE: [ActiveDir] Maximum distinguished name length?
From AD's perspective, the RDN is Some User (or cn=Some User). It does not include anything beyond that, such as OU or container paths. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Thursday, September 29, 2005 9:54 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Maximum distinguished name length? Steve Patrick wrote: There is no hardcoded limitation on DN - there is a max 255 RDN length. And just to verify how the term RDN is defined w/respect to AD [as opposed to how it's defined w.r.t. eDirectory], the RDN value is the partial distinguished name of an object that is relative to the AD domain in which it is located. So, if the object's CN is Some User and is located in an OU named Our Users located within the domain DC=MyDomain,DC=MyCompany,DC=COM, then the RDN is CN=Some User,OU=Our Users. Or, to put it another way, the RDN is all components of the name from the CN up to but not including the first occurrence of a DC component in the DN. This is correct, yes? -- Chuck Chopp ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com RTFM Consulting Services Inc. 864 801 2795 voice voicemail 103 Autumn Hill Road 864 801 2774 fax Greer, SC 29651 Racing to save lives The Leukemia Lymphoma Society - Team in Training http://www.active.com/donate/tntsc/tntscCChopp Do not send me unsolicited commercial email. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] 2 exchange public folder questions
If you have a folder and subfolders that need to maintain the same set of permissions, grant the permissions to a group at the top foler and propagate them down; then manage the group membership to grant/revoke permissions. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Friday, September 30, 2005 3:24 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] 2 exchange public folder questions thanks but i'm more interested in client perms not inheriting. not admin perms. if a user takes someone out of a PF in outlook, i'd like to propagate downward or be given the choice like ntfs... thanks On 9/30/05, Katherine Coombs [EMAIL PROTECTED] wrote: Hi Tom,For question number two check out http://support.microsoft.com/?id=815916 Cheers,Katherine-Original Message-From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Coleman, HunterSent: 29 September 2005 21:47To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] 2 exchange public folder questions Don't know on 1, but for 2 get PFDavAdmin which is either in the Exchange Resource Kit or downloadable from Microsoft. It will let you set permissions on a folder and then propagate them down to subfolders.-Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Kern, TomSent: Thursday, September 29, 2005 7:38 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] 2 exchange public folder questions1. When I attach a shortcut to a public folder item(word doc) as an attachment to an email, many users cannot open the attachement but just click on the shortcut and nothing happens.they all have appropriate rights to the folder. is this some OLE issue on the client?by what mechanism does this occur?2. Is there anyway to set inheritance on a public folder? There doesn't seem to be an "inheritance" tab in Outlook or under "client permissions" tab in ESM. How can i set a user to have say, reviewer role or create items right for all folders and/or items underneath a public folder or future folders created underneath said folder?or block that right?Thanks alot. .BövrzÊryiList info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Microsoft MOM Mailing list?
http://www.listleague.com/ Go to "View Hosted Lists by Interest", then Microsoft Management, then MOM From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, DevonSent: Friday, September 30, 2005 8:46 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: Microsoft MOM Mailing list? Off Topic: Does anyone know if there is a MOM 2005 mailing list out there? Devon Harding Windows Systems Engineer Southern Wine Spirits - BSG 954-602-2469 __This message and any attachments are solely for the intended recipientand may contain confidential or privileged information. If you are notthe intended recipient, any disclosure, copying, use or distribution ofthe information included in the message and any attachments isprohibited. If you have received this communication in error, pleasenotify us by reply e-mail and immediately and permanently delete thismessage and any attachments. Thank You.
RE: [ActiveDir] 2 exchange public folder questions
Don't know on 1, but for 2 get PFDavAdmin which is either in the Exchange Resource Kit or downloadable from Microsoft. It will let you set permissions on a folder and then propagate them down to subfolders. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, September 29, 2005 7:38 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] 2 exchange public folder questions 1. When I attach a shortcut to a public folder item(word doc) as an attachment to an email, many users cannot open the attachement but just click on the shortcut and nothing happens. they all have appropriate rights to the folder. is this some OLE issue on the client? by what mechanism does this occur? 2. Is there anyway to set inheritance on a public folder? There doesn't seem to be an inheritance tab in Outlook or under client permissions tab in ESM. How can i set a user to have say, reviewer role or create items right for all folders and/or items underneath a public folder or future folders created underneath said folder? or block that right? Thanks alot. .BövrzÊryi List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GPO filtering by properties of User Object
I think the way I'd approach it is to build a script that checks users for roaming profiles, and puts them in a security group if they do. Schedule the script to run on a regular basis. Then use the security group for GPO filtering. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of nelson yongSent: Tuesday, September 27, 2005 2:04 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] GPO filtering by properties of User Object Hi Gurus, I m trying to create some GPO that will filter only those users who have roaming profiles. How can I achieve this? Do I use WMI filters? Any resources on that? I have tried searching but out of all the hits, not useful enough. Thanks alot in advance for any help/input. CONFIDENTIALITY DISCLAIMER CAUTION: This communication is confidential and is intended for use only by the addressee. If you are not the addressee, you should not disseminate, distribute or copy this communication. If you have received this communication in error, please notify us immediately by return email and delete the original message. Kindly note that email communications are not secured, and therefore are susceptible to alteration. Kuok (Singapore) Limited will not accept legal responsibility for the contents of this message. Thank you.
RE: [ActiveDir] exchange one more time(ot)
Why should Exchange not think that servername.domain.tld is a domain? Can you resolve servername.domain.tld from the Exchange server? How about from the smarthost? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Monday, September 26, 2005 5:32 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] exchange one more time(ot) when i had the smtp connector point to dns, it failed with "remote host did not respond". when pointing to a smarthost it worked. maybe exchange while sending to [EMAIL PROTECTED], thinks servername.domain.tld is a domain and when it gets a nxdomain from domain.tld, it fails? no? sillier things have been know to occur with exchange... thanks On 9/26/05, joe [EMAIL PROTECTED] wrote: From my experience it should work fine. It doesn't have to know if the right hand side is a domain or host IP, it simply needs to try and look it up in DNS. I believe it will try an MX lookup and failing that, fall back to a host record lookup. A simple test would be to enable SMTP on some machine in your domain, make sure there is a host record for the given name and then send a message to it, you should see the message hit your configured drop folder. joe From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom KernSent: Saturday, September 24, 2005 2:12 AM To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] exchange one more time(ot) how does it figure out its a literal addy and not a domain? how does it know the RHS is not a domain name and fail trying to look it up? or does it fail and then go up the list to the other part of the name? I'd like to know because i can't find any exchange docs on it. there's nothing in the app log. i'll turn up diag logging.. mail didn't start flowing untill i changed the connector to point to a smart host rather than dns. until then, it just sat in the queue. the error in the queue was "remote destatination did not respond". Thanks On 9/23/05, Al Mulnick [EMAIL PROTECTED] wrote: Exchange should be able to deliver to a literal address as long as it is not its own. That's a valid and a common address in SMTP. Check the logs to see what the failure is. There's a lot of possibilities as to why it may not get to its destination. Al From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom KernSent: Friday, September 23, 2005 3:07 PMTo: activedirectorySubject: [ActiveDir] exchange one more time(ot) If i set up a contact with the server name in the addy as in [EMAIL PROTECTED], will the message get delivered or will exchange think " servername.domain.tld " is the domain name and throw an error? Just a question i'm throwing out because an archive solution is giving me that kind of contact to send mail to and its not getting there. I have a feeling its because of that and i should just create a connector to forward to that addy as a smarthost but i want to confirm with you guys that i can't write an address in that form and expect exchange(or any smtp server?) to deliver the mail. thanks
RE: [ActiveDir] exchange one more time(ot)
Does "servername.domain.tld" have MX and A records in DNS? Is this one of your servers, or does domain.tld belong to someone else? What happens when you try to telnet on port 25 from your Exchange server to servername.domain.tld? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Saturday, September 24, 2005 12:12 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] exchange one more time(ot) how does it figure out its a literal addy and not a domain? how does it know the RHS is not a domain name and fail trying to look it up? or does it fail and then go up the list to the other part of the name? I'd like to know because i can't find any exchange docs on it. there's nothing in the app log. i'll turn up diag logging.. mail didn't start flowing untill i changed the connector to point to a smart host rather than dns. until then, it just sat in the queue. the error in the queue was "remote destatination did not respond". Thanks On 9/23/05, Al Mulnick [EMAIL PROTECTED] wrote: Exchange should be able to deliver to a literal address as long as it is not its own. That's a valid and a common address in SMTP. Check the logs to see what the failure is. There's a lot of possibilities as to why it may not get to its destination. Al From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom KernSent: Friday, September 23, 2005 3:07 PMTo: activedirectorySubject: [ActiveDir] exchange one more time(ot) If i set up a contact with the server name in the addy as in [EMAIL PROTECTED], will the message get delivered or will exchange think " servername.domain.tld " is the domain name and throw an error? Just a question i'm throwing out because an archive solution is giving me that kind of contact to send mail to and its not getting there. I have a feeling its because of that and i should just create a connector to forward to that addy as a smarthost but i want to confirm with you guys that i can't write an address in that form and expect exchange(or any smtp server?) to deliver the mail. thanks
RE: [ActiveDir] Applications that extend the schema...
My preference would be that the application vendor include a set of LDIF files. That way all of the schema mods are in plain view and AD service owners (domain admins, schema admins) can see what is getting changed. Unless the schema mods were well documented by the vendor, I wouldn't run an application that performed the mods. Even if they were well documented, I still might not run that application...too much of a black-box situation. I wouldn't even consider running an app with a service account that had schema admin rights, which is what you would need in the first scenario you mention. Those aren't really AD-specific concerns, but more directory operational practices/preferences. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, September 23, 2005 8:30 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Applications that extend the schema... Given the # of variations that may exist in AD deployments, anywhere from a small business with a single forest/tree/domain all the way up to a large enterprise with multiple forests each containing multiple trees with each tree having numerous domains, there may be many differences of opinion on the part of administrators regarding schema extensions and applications the create them. I'm interested in hearing those opinions in regards to an enterprise type of resource provisioning application that will run primarily as a service under a specific domain account, with the caveat that the application does require some schema extensions in order to run properly. In particular, the question pertains to whether or not the main application should attempt to perform the schema extension work when it detects that they are not present, and if so, should it want/need to do so under it's own set of credentials used to perform the service logon by the service control manager when the service is started, or should the application's UI request an elevated set of credentials in order to perform the schema extension. Alternatively, should the schema extension be performed using an additional program provided with the application so that it would be relatively easy for an administrator to logon, run the schema extension tool, and then be done with their part so that the application's owner could continue with the installation configuration of the application. I'm familiar with many of the issues in terms of Novell's eDirectory, but with AD there may be some other concerns due to differences in the two directory services and how they are implmented. It's the AD-specific concerns that interest me. TIA, Chuck -- Chuck Chopp ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com RTFM Consulting Services Inc. 864 801 2795 voice voicemail 103 Autumn Hill Road 864 801 2774 fax Greer, SC 29651 Racing to save lives The Leukemia Lymphoma Society - Team in Training http://www.active.com/donate/tntsc/tntscCChopp Do not send me unsolicited commercial email. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Domain Controller Security
Fred- This is not possible. While you can make it more difficult for the user to do things you don't want him to, if you give him either physical access to the DC or the ability to log on to the DC, he is in a position to elevate his permissions to the point of owning your forest. If you can move the files and shares to another machine, then restricting him to only be able to change passwords within a particular OU is easy by either setting the OU security directly or going through the Delegation of Control Wizard. Hunter From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of van Donk, FredSent: Tuesday, September 20, 2005 2:52 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Domain Controller Security I have a contractor in a remote site. There is only 1 server in that site which is a DC. He needs to administer that server. -Create shares -Make file/share permissions -Change user passwords in the User OU for that site. He is not allowed to log on to any other server is the domain. When I make him a "Server Operator" he can logon to any server in the domain. Any idea on how to lock him down to that one server and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users. Thanks! Fred
RE: [ActiveDir] disabling users
http://www.unix.org.ua/orelly/perl/sysadmin/ch06_05.htmwould be a good start From: Kern, Tom [mailto:[EMAIL PROTECTED] On Behalf Of Kern, TomSent: Wednesday, September 21, 2005 2:30 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] disabling users I only have time to learn one scripting lang. i figured perl is the better way to go as i have to work with linux and solaris as well. know of any good docs,books,sites on perl and COM+ or adsi? something that will teach you both like the _vbscript_ resources do? i really think there is a market for perl and AD/win32 out there that is untapped. O'reilly has let most of their win32 perl books become outdated and stop at Win NT as has Dave Roth. I'm not a programmer and i don't have time to learn multipe scripting langs, so i always thought perl would be the best way to go. I find it as approachable as _vbscript_ but unlike _vbscript_, I don't find many rescources for using it on win32 systems. I'm afraid learning perl and working with windows might be an uphill battle. are there resources for teaching you how to use perl with cdo,wmi,adsi,ado,etc? i'm not a total newbie to perl, i've used it on linux but i've never really done much on windows with activestate. and as i've said, i'm not a programmer and i didn''t major in comp sci, so a lot of this stuff is not second nature to me and hasn't been pounded in for years. so jumping from lang to lang for me is not really an option. thanks -Original Message- From: Brian Desmond [mailto:[EMAIL PROTECTED] Sent: Wed 9/21/2005 2:46 PM To: ActiveDir@mail.activedir.org Cc: Subject: RE: [ActiveDir] disabling users
RE: [ActiveDir] OT: SAN Assessment
If you have the time, pick up a copy of Pierre Bijaoui's Scaling Microsoft Exchange 2000. I don't think it's been updated for Exchange 2003, but most everything he covers in there carries forward. It's very good information on building storage infrastructure for Exchange, including SANs. It may not replace a consulting engagement, but it will give you enough background to understand (and question) any recommendations. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala Sent: Wednesday, September 21, 2005 4:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: SAN Assessment Well we don't have a preferred vendor. We're looking at all the obvious choices: HP, EMC, StorageTek (SUN) etc. Right now its more important to just get an independent (non-vendor specific) assessment carried out. Thanks, Firefox - Rediscover the web Original Message Follows From: Bernard, Aric [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: SAN Assessment Date: Wed, 21 Sep 2005 14:25:57 -0400 Yep, lots of consulting firms do his sort of work. Who is the SAN vendor? Typically they will be happy to come out and help with this kind of activity as it usually means additional sales now or in the future. Aric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, September 21, 2005 10:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: SAN Assessment I work for a consulting firm that does these sorts of things, so, yes I know people utilize consulting firms to do this stuff. :) Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala Sent: Wednesday, September 21, 2005 11:04 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: SAN Assessment Hi, We're in the process of planning to migrate from Notes to Exchange and one the dependenices of this migration is a SAN environment. Has anyone utilized the services of any independent consulting bodies to carry out a SAN assessment. Essentially, helping in the process of determining requirements and laying out a path to successful deployment with considerations for high availability, scalability and future considerations. Thanks, List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GPO on XP 2000 Pro
I'd create the Workstations OU and the Servers OU. Then write a script that looks at each of the machines in the computers container, and based on what you find in the operatingSystem attribute have the script move the object to the appropriate OU. I'd also not leave new computer objects in the computers container. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Wednesday, August 24, 2005 4:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GPO on XP 2000 Pro I have over 2000 machines in my computers containers. Is there any other way? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Wednesday, August 24, 2005 5:53 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GPO on XP 2000 Pro WMI filters aren't processed by Win2K so that won't work on that platform. Your best bet is probably to put all the XP win2k machines in one security group and then security filter the GPO based on that group (i.e. remove the Authenticated Users ACE from the sec. filter on that GPO and add the new group with Read and Apply GP permissions). -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Wednesday, August 24, 2005 2:40 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] GPO on XP 2000 Pro How can I get a GPO to only run on all Windows XP and 2000 Pro. machines in a domain? WMI Filter is applied to 2000 machines so it'll run on 2000 server if I filter by OS type. Devon Harding Windows Systems Engineer Southern Wine Spirits - BSG 954-602-2469 - __ This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Database Corruption
I'd also look at running hardware diagnostics, particularly on the disk subsystem and controller. No point in restoring or repromoting if there is an unresolved hardware problem. -Original Message- From: [EMAIL PROTECTED] on behalf of Steve Linehan Sent: Fri 8/19/2005 8:18 PM To: ActiveDir@mail.activedir.org Cc: Subject: RE: [ActiveDir] Database Corruption Well the first thing I always recommend is to try an offline defrag as it is possible that the corruption is in an index, i.e. metadata, that can be rebuilt. If the offline defrag fails then restoring from backup or repromoting will be your next step. Thanks, -Steve _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane Sent: Friday, August 19, 2005 6:43 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Database Corruption My preferred approach would be to demote the box to member server and re-promote to a domain controller to ensure a good fresh copy of the DIT. YMMV as the specific requirements at your location may prevent this. We have only run into this once early in our AD days and this was the approach we used with good success. Diane _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana Sent: Friday, August 19, 2005 3:29 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Database Corruption Started getting the error below a few weeks ago on one of our DCs. My first reaction is to run a non-auth restore from a day before this started happening and let replication take care of everything else. Any reason NOT to do this? I’m concerned that this may happen again and wasn’t able to find anything specific to the error below. Besides calling PSS any thing else I should look into before restoring? This box holds all FSMO roles, Win2k3, server for NIS. TIA -alex Event Type: Error Event Source:NTDS ISAM Event Category: Database Page Cache Event ID: 475 Date:8/19/2005 Time:2:00:24 PM User:N/A Computer: DC Description: NTDS (528) NTDSA: The database page read from the file C:\WINNT\NTDS\ntds.dit at offset 665067520 (0x27a42000) for 8192 (0x2000) bytes failed verification due to a page number mismatch. The expected page number was 81184 (0x00013d20) and the actual page number was 2349964126 (0x8c119b5e). The read operation will fail with error -1018 (0xfc06). If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem. winmail.dat
RE: [ActiveDir] HP teaming
What problem do you have (or are trying to prevent) that makes you want to set up teaming? I only ask because you will be adding complexity to your environment that may not be justified by the perceived benefit. On the other hand, maybe it will... Hunter -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Wednesday, August 17, 2005 7:51 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] HP teaming They are member servers right now with no teaming. About to become DC's. Do you have anything against switch assisted load balancing? Also, which model catalyst did you have an issue with? Thanks a lot! On 8/17/05, Francis Ouellet [EMAIL PROTECTED] wrote: I've had great success using nic teaming on all my DCs running on hp Proliant hardware. They were all configured for FT. Make sure the network side of things fully supports it though, we had to upgrade a few catalyst switches for this to work correctly (I think it was an ARP issue) I'd suggest trying it on a member server first to make sure your networking hardware is capable of supporting it correctly. One last thing, are those DCs currently in place or you're considering nic teaming for future deployments? Thanks, Francis -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: August 17, 2005 9:24 AM To: activedirectory Subject: [ActiveDir] HP teaming Any for or against Hp nic teaming on DC's? Also which type would you use(if any)? Fault tolerence or load balancing? thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] exchange weirdeness
No. You're running into the msExchMasterAccountSID problem. http://support.microsoft.com/default.aspx?scid=kb;en-us;555410 has information, and points to the NoMAS tool. You can also handle this by setting the attributes manually or via script. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Wednesday, August 17, 2005 12:48 PM To: activedirectory Subject: Re: [ActiveDir] exchange weirdeness update- i enabled the user account about 30mins ago and updated the RUS. stilll i get denied trying to log on via outlook and an event id 9548 gets logged on the exchange server everytime i try logging on, stating that the account is still disabled... replication issue? dns is up and running. the only known issue is no connectivity to the root. but the root has no users or mailservers. strange On 8/17/05, Tom Kern [EMAIL PROTECTED] wrote: I have mailbox enabled users in AD that have been disabled. However in ESM, they are not marked as such. When i run the cleanup agent, they are still not marked as disabled. When i try to Exmerge the box, I get an access denied error(i have full exchange admin rights inherited from the org and full mailbox right on the user). Also, i can't open their box via outlook as well. My situation at this firm is as such- we have no network connectivity to the root(for about 2 wks. don't ask, long story..). The users are all in my child domain as are their mailboxes. the root is empty. We are also running with netbios/tcp disabled forest wide. i know there are some issues with netbios being disabled and exmerge and ESM and outlook. Could this be a cause? I don't know the exact error you would get. I don't think having no connectivity to the root should be an issue. We have 4 dc's, 3 of which are gc's in the child domain. any advice would be great. thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] exchange weirdeness
For folks who have already left, I'd go with granting Self full mailbox access. I haven't tested it, but if the account has already been disabled then I don't think that setting it to expire on a date in the past will restore the necessary mailbox permissions for you to access it. For future departures, I think the ideal thing is to have some sort of deprovisioning utility that handles disabling the account, possibly moving it to a different OU, sets the Self mailbox access, and any other rules that your business processes dictate. You could have that as a script or front-end it with a web page. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Wednesday, August 17, 2005 2:06 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] exchange weirdeness so, what is a good practice to deal with user's who have left and their mailboxes? Should you just expire the account to a date in the past and then you can access their box? or can you give Self full mailbox access to a disabled account and then access the box? which way works? thanks alot On 8/17/05, Coleman, Hunter [EMAIL PROTECTED] wrote: No. You're running into the msExchMasterAccountSID problem. http://support.microsoft.com/default.aspx?scid=kb;en-us;555410 has information, and points to the NoMAS tool. You can also handle this by setting the attributes manually or via script. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Wednesday, August 17, 2005 12:48 PM To: activedirectory Subject: Re: [ActiveDir] exchange weirdeness update- i enabled the user account about 30mins ago and updated the RUS. stilll i get denied trying to log on via outlook and an event id 9548 gets logged on the exchange server everytime i try logging on, stating that the account is still disabled... replication issue? dns is up and running. the only known issue is no connectivity to the root. but the root has no users or mailservers. strange On 8/17/05, Tom Kern [EMAIL PROTECTED] wrote: I have mailbox enabled users in AD that have been disabled. However in ESM, they are not marked as such. When i run the cleanup agent, they are still not marked as disabled. When i try to Exmerge the box, I get an access denied error(i have full exchange admin rights inherited from the org and full mailbox right on the user). Also, i can't open their box via outlook as well. My situation at this firm is as such- we have no network connectivity to the root(for about 2 wks. don't ask, long story..). The users are all in my child domain as are their mailboxes. the root is empty. We are also running with netbios/tcp disabled forest wide. i know there are some issues with netbios being disabled and exmerge and ESM and outlook. Could this be a cause? I don't know the exact error you would get. I don't think having no connectivity to the root should be an issue. We have 4 dc's, 3 of which are gc's in the child domain. any advice would be great. thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] exchange weirdeness
Inline... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Wednesday, August 17, 2005 2:15 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] exchange weirdeness If self has FC and associate mbox with external account, i can then access the box with an account that has FC on the mbox and run exmerge? Yes, allowing for the mailbox permissions cache that Michael mentioned Also, is nomas avaiable for download or do i have to go thru PSS? PSS, but I think it's a no-charge call if that's all you are asking for. If you have a support agreement your TAM should be able to get it for you as well. thanks a lot. you really helped me out here! On 8/17/05, Tom Kern [EMAIL PROTECTED] wrote: so, what is a good practice to deal with user's who have left and their mailboxes? Should you just expire the account to a date in the past and then you can access their box? or can you give Self full mailbox access to a disabled account and then access the box? which way works? thanks alot On 8/17/05, Coleman, Hunter [EMAIL PROTECTED] wrote: No. You're running into the msExchMasterAccountSID problem. http://support.microsoft.com/default.aspx?scid=kb;en-us;555410 has information, and points to the NoMAS tool. You can also handle this by setting the attributes manually or via script. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Wednesday, August 17, 2005 12:48 PM To: activedirectory Subject: Re: [ActiveDir] exchange weirdeness update- i enabled the user account about 30mins ago and updated the RUS. stilll i get denied trying to log on via outlook and an event id 9548 gets logged on the exchange server everytime i try logging on, stating that the account is still disabled... replication issue? dns is up and running. the only known issue is no connectivity to the root. but the root has no users or mailservers. strange On 8/17/05, Tom Kern [EMAIL PROTECTED] wrote: I have mailbox enabled users in AD that have been disabled. However in ESM, they are not marked as such. When i run the cleanup agent, they are still not marked as disabled. When i try to Exmerge the box, I get an access denied error(i have full exchange admin rights inherited from the org and full mailbox right on the user). Also, i can't open their box via outlook as well. My situation at this firm is as such- we have no network connectivity to the root(for about 2 wks. don't ask, long story..). The users are all in my child domain as are their mailboxes. the root is empty. We are also running with netbios/tcp disabled forest wide. i know there are some issues with netbios being disabled and exmerge and ESM and outlook. Could this be a cause? I don't know the exact error you would get. I don't think having no connectivity to the root should be an issue. We have 4 dc's, 3 of which are gc's in the child domain. any advice would be great. thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] ok, last one really
Watch for line wraps; you'll want to put your code between a While/Wend loop. Dim fso, ts Const ForReading = 1 Set fso = CreateObject(Scripting. FileSystemObject) Set ts = fso.OpenTextFile(c:\test.txt, ForReading, True) While NOT ts.AtEndOfStream strComputer = ts.ReadLine() rest of your code goes here Wend ts.Close() -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Friday, August 12, 2005 2:32 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] ok, last one really how would you write that to loop thru every line in a file? thanks On 8/12/05, Alain Lissoir [EMAIL PROTECTED] wrote: On MSDN, you can find some sample scripts to read from a file. See at http://msdn.microsoft.com/library/en-us/script56/html/sgWorkingWithFil es.asp For instance, Dim fso, ts Const ForReading = 1 Set fso = CreateObject(Scripting. FileSystemObject) Set ts = fso.OpenTextFile(c:\test.txt, ForReading, True) strComputer = ts.ReadLine() ts.Close() Depending on the format of your file, you can read a single line and split the comma separated computer names or You can loop and read lines one-by-one if you have a computer name per line. Your call ... For a book on scripting and WMI, you can always have a look at my web site ;) http://www.lissware.net -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Friday, August 12, 2005 7:46 AM To: activedirectory Subject: [ActiveDir] ok, last one really How can i change this script so i can just feed it a file of computer names so i can automate the changing of dns servers in the client properties? SCRIPT- On Error Resume Next strComputer = . arrNewDNSServerSearchOrder = Array(192.168.0.1, 192.168.0.2) Set objWMIService = GetObject(winmgmts: _ {impersonationLevel=impersonate}!\\ strComputer \root\cimv2) Set colNicConfigs = objWMIService.ExecQuery _ (SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True) WScript.Echo VbCrLf Computer: strComputer For Each objNicConfig In colNicConfigs WScript.Echo VbCrLf Network Adapter objNicConfig.Index WScript.Echo DNS Server Search Order - Before: If Not IsNull(objNicConfig.DNSServerSearchOrder) Then For Each strDNSServer In objNicConfig.DNSServerSearchOrder WScript.Echo strDNSServer Next End If intSetDNSServers = _ objNicConfig.SetDNSServerSearchOrder(arrNewDNSServerSearchOrder) If intSetDNSServers = 0 Then WScript.Echo Replaced DNS server search order list. Else WScript.Echo Unable to replace DNS server search order list. End If Next WScript.Echo VbCrLf String(80, -) Set colNicConfigs = objWMIService.ExecQuery _ (SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True) For Each objNicConfig In colNicConfigs WScript.Echo VbCrLf Network Adapter objNicConfig.Index WScript.Echo DNS Server Search Order - After: If Not IsNull(objNicConfig.DNSServerSearchOrder) Then For Each strDNSServer In objNicConfig.DNSServerSearchOrder WScript.Echo strDNSServer Next End If Next END OF SCRIPT also, can anyone recommend a good VBscript book for Windows admining so i can leave you guys alone? thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] user dump
Adfind will let you dump the profile location. Just include profilePath in the list of attributes that you want returned: Adfind -b dc=sub,dc=domain,dc=com -s subtree -f (objectCategory=person) name profilePath -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III Sent: Wednesday, August 10, 2005 9:15 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] user dump thanks, i need it to dump the profile locations also. is this possible w/ these tools? know anything about add user? dsquery/dsget will do the trick as well. Phil On 8/10/05, Coleman, Hunter [EMAIL PROTECTED] wrote: ADFind: http://www.joeware.net/win/free/tools/adfind.htm Example 6 from the command line help (adfind.exe /?) should be a good starting point for you. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III Sent: Wednesday, August 10, 2005 8:19 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] user dump how can i dump a list of all of my ad users? List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] account operators
I expect they lack Exchange View Only Admin permissions (or higher). -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, August 11, 2005 8:27 AM To: activedirectory Subject: [ActiveDir] account operators is there any reason an account operator could create a user but not a mailbox for that user? thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] account operators
Yes. Regardless of the rights they have on the user object, they will also need rights within Exchange (or proxied rights via a web page or provisioning code). -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, August 11, 2005 8:57 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] account operators I thought AO had complete rights to the user object which would include exchange attribs. i guess they still need rights to the store? is that it? thanks On 8/11/05, Coleman, Hunter [EMAIL PROTECTED] wrote: I expect they lack Exchange View Only Admin permissions (or higher). -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, August 11, 2005 8:27 AM To: activedirectory Subject: [ActiveDir] account operators is there any reason an account operator could create a user but not a mailbox for that user? thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] one more silly question(OT exchange)
Yes, but you will also need to grant Reviewer rights on your mailbox to the user, and they will have to open it as a secondary mailbox or create a shortcut to it instead of File-Open other user's folder-(Calendar from drop-down list) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, August 11, 2005 2:37 PM To: activedirectory Subject: [ActiveDir] one more silly question(OT exchange) Is it possible to create a new calender folder in your inbox and delegate access to that? Outlook lets me do it but when a user tries to open it, the only choices they get is the default calender. thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] one more silly question(OT exchange)
Yes, thanks Doug. Note that by granting Reviewer permissions at the mailbox level, you aren't necessarily giving out access to the contents of your inbox, sent items, etc. It only lets someone view those folders. You'd need to assign permissions on those folders, such as the created calendar folder, so that the person could view appointments on that calendar. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Thursday, August 11, 2005 7:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] one more silly question(OT exchange) http://support.microsoft.com/kb/195781/en-us In order to share other than the five default Mailbox folders, Contacts, Inbox, Journal, Notes, and Tasks, you must share the entire Mailbox. This will give access to subfolders as well as the five primary folders. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, August 11, 2005 8:08 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] one more silly question(OT exchange) what i'm saying is the new calender is not listed as an option. it just lists the default folders in your mailbox. the user has reviewer rights on the new calender. i don't think thats what Hunter meant. if it were just the basic open other users folder, i wouldn't be so furstrated. thanks On 8/11/05, Douglas M. Long [EMAIL PROTECTED] wrote: I believe he means: Right click on the mailbox-- Open other folder-- Other user's folder... With a user that you give review rights. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, August 11, 2005 6:40 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] one more silly question(OT exchange) for secondary mailbox, you mean give them full control to the user's inbox and have them login that way with a second profile? how do you create a shortcut to just the second calender? do you do it within outlook for the other user? how does that work? thanks On 8/11/05, Coleman, Hunter [EMAIL PROTECTED] wrote: Yes, but you will also need to grant Reviewer rights on your mailbox to the user, and they will have to open it as a secondary mailbox or create a shortcut to it instead of File-Open other user's folder-(Calendar from drop-down list) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, August 11, 2005 2:37 PM To: activedirectory Subject: [ActiveDir] one more silly question(OT exchange) Is it possible to create a new calender folder in your inbox and delegate access to that? Outlook lets me do it but when a user tries to open it, the only choices they get is the default calender. thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] user dump
ADFind: http://www.joeware.net/win/free/tools/adfind.htm Example 6 from the command line help (adfind.exe /?) should be a good starting point for you. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III Sent: Wednesday, August 10, 2005 8:19 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] user dump how can i dump a list of all of my ad users? List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Adding custom fields to AD
...or ADAM. These kinds of requests have a tendency to creep beyond the original scope, which can have unintended consequences if the upfront planning falls short. Hunter -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Tuesday, August 09, 2005 10:41 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Adding custom fields to AD Certainly it is possible. And, it's not overly difficult to DO, but the upfront planning that SHOULD be done can be tedious. Remember - this is the schema. My opinion - and it seems to be free today (as if I've ever been afraid to give it...) - This is a job that just screams SQL server. I can't imagine WHY AD would be a better choice in this case. As long as the apps are all able to connect via a SQL provider in some method (and goodness knows Microsoft has made a lot of them available), this should be no pain at all. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff Sent: Tuesday, August 09, 2005 11:16 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Adding custom fields to AD Group, My manager wanted me to check, even though, I don't think that it is possible, but, I will present the question. He would like to add some custom fields, about 30, to AD. He would like to add bio information into AD to be pulled by Sharepoint and other applications for people to read. I think that this is a waste of time, space and effort. However, it is not my call and if this is what he wants What are everyone's thoughts on the topic? Thanks S List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/