RE: [ActiveDir] dynamic variables within an event log entry?

2006-12-01 Thread David Cliffe
I'm glad you said that and not me!  So much great content here - one of
the last things I'd want to do is pick on grammar, as it would seem rude
and unappreciative.  Especially since never confident 100% in my own am
I.   : - )




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Friday, December 01, 2006 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log
entry?


Too bad I didn't actually put a verb in that second sentence.
:-)
 
That SHOULD have read, "When a user who is a member of the
Domain Admins group CREATES AN OBJECT, by default, the DA group is the
*owner* of the object."
 
No wonder you have a hard time following my posts. ;-)
 
Laura




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Friday, December 01, 2006 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an
event log entry?


Yep, you're right...I didn't distinguish the difference
the first time around.  Good info as always.
 
Thanks!




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Friday, December 01, 2006 12:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables
within an event log entry?


Nope, it's not a typo- note the difference
between *owner* and *creator*. When a user who is a member of the Domain
Admins group, by default, the DA group is the *owner* of the object.
However, what is logged in the audit (security event) log does list the
specific account that was used to *create* the object. 
 
As far as changing the behavior for #2, there is
a group policy setting "System Objects: Default owner for objects
created by members of the Administrators group"  in the Computer
Configuration\Windows Settings\Local Policies\Security Options section
of group policy. That setting can be set to "Administrators group" or to
"Object creator". That may be what you're thinking of. That setting,
however, refers to system objects (thus the "system objects" predicate.
:-) ) You may also be thinking of the ability in the property sheets for
any object to set the owner of DA-owned objects to either a specific DA
account or to the group. 
 
I don't remember you misreading one of my posts;
you must have a much better memory than I do. Then again, I usually
can't remember what I ate for breakfast. :-)
 
Laura




    From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, November 30, 2006 10:34
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic
variables within an event log entry?


Hi Laura,
 
I know I misread one of your posts
once before, so I'm sorry in advance if I'm doing it again (!), but
aren't you making a conflicting statement in nos. 2 & 3 below?  Or is #3
supposed to say "that is NOT a member of Domain Admins..." ?
 
Also, is there a mechanism of some
sort which changes the behavior in #2 such that the actual account used
would become the object's owner (rather than DAs group)?  I remember
reading something like this once, but I could be thinking of something
else way off base :-(
 
In any case, I completely agree that
delegating the creation right is the [way!] better option here!
 
Thanks as always,
DaveC




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 9:22
PM
To: 

RE: [ActiveDir] Bulk of client going to PDC

2006-12-01 Thread David Cliffe
Understood :-)   But what about the "feature" that can be used with the
more recent versions?  It's described at the bottom of the article
(you'd have to modify the registry on each applicable DC).  I wonder if
that would help in your case?
 
-DaveC




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, December 01, 2006 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bulk of client going to PDC


I checked the file version of dfssvc.exe and dfs.sys on my site
DCs; they are higher than the one mentioned in the KB article. So no point
in looking at that fix.
 
 
--
Kamlesh

 
    On 12/1/06, David Cliffe <[EMAIL PROTECTED]> wrote: 

Hi Kamlesh,
 
I'm not necessarily recommending this as a fix, but
wondering if you've seen it yet and if it would apply?
 
http://support.microsoft.com/kb/831201/en-us 
 
-DaveC



From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Thursday, November 30, 2006 2:51 PM 
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Bulk of client going to PDC




Hi Guys,

We are facing some strange issue, randomly
clients from some sites are going to PDCe for group policy refresh, along
with screensaver and wallpaper stored in netlogon.

Clients are ignoring their nearest DC, and
approaching PDCe. 

All DCs : Win2k3 SP1
All Clients: XP SP2

I verified, 
1) DNS entries for site DC are correct.
2) Netlogon and Sysvol folder of site DC are
accessible.
3) Verified the clients are authenticating with
site DC by : nltest.exe  /sc_query:DOMAIN
4) Verified DFS info for netlogon and sysvol on
clients is correct :  dfsutil.exe  /pktinfo

I am clueless where else I should look?

-- 
Kamlesh
~ 
You teach best what you most need to learn.
~ 



This email was sent to you by Reuters, the global news
and information company. 
To find out more about Reuters visit
www.about.reuters.com <http://www.about.reuters.com/> 

Any views expressed in this message are those of the
individual sender, except where the sender specifically states them to
be the views of Reuters Ltd. 





-- 
~
You teach best what you most need to learn.
~ 






RE: [ActiveDir] dynamic variables within an event log entry?

2006-12-01 Thread David Cliffe
Yep, you're right...I didn't distinguish the difference the first time
around.  Good info as always.
 
Thanks!




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Friday, December 01, 2006 12:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log
entry?


Nope, it's not a typo- note the difference between *owner* and
*creator*. When a user who is a member of the Domain Admins group, by
default, the DA group is the *owner* of the object. However, what is
logged in the audit (security event) log does list the specific account
that was used to *create* the object. 
 
As far as changing the behavior for #2, there is a group policy
setting "System Objects: Default owner for objects created by members of
the Administrators group"  in the Computer Configuration\Windows
Settings\Local Policies\Security Options section of group policy. That
setting can be set to "Administrators group" or to "Object creator".
That may be what you're thinking of. That setting, however, refers to
system objects (thus the "system objects" predicate. :-) ) You may also
be thinking of the ability in the property sheets for any object to set
the owner of DA-owned objects to either a specific DA account or to the
group. 
 
I don't remember you misreading one of my posts; you must have a
much better memory than I do. Then again, I usually can't remember what
I ate for breakfast. :-)
 
Laura




    From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, November 30, 2006 10:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an
event log entry?


Hi Laura,
 
I know I misread one of your posts once before, so
I'm sorry in advance if I'm doing it again (!), but aren't you making a
conflicting statement in nos. 2 & 3 below?  Or is #3 supposed to say
"that is NOT a member of Domain Admins..." ?
 
Also, is there a mechanism of some sort which
changes the behavior in #2 such that the actual account used would
become the object's owner (rather than DAs group)?  I remember reading
something like this once, but I could be thinking of something else way
off base :-(
 
In any case, I completely agree that delegating the
creation right is the [way!] better option here!
 
Thanks as always,
DaveC




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables
within an event log entry?


1. This is one of the eight gazillion reasons to
discourage the use of accounts that are Domain Admins for routine
purposes that can be achieved without that level of rights.
2. By default, when a member of the Domain
Admins group creates an object in the directory, the Domain Admins group
becomes the owner of the object. That is by design. 
3. When I create an object with an account that
is a member of Domain Admins, the creator of the object shows as that
account, not as Domain Admins. Why aren't you just looking at that value
in the event logs, rather than looking at the ownership of the object?
That's why auditing allows tracking of who creates/modifies/deletes
directory objects.
 
Laura




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, November 30, 2006 7:33
PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables
within an event log entry?



I wonder if someone could explain to me
(or point me at some reference) about what mechanism is used to populate
the information in a Windows event log entry.  The reason why I ask is
that I see in the Security log when a new user account is created by an
account which is a member of the Domain Admins group, the
_OBJECT_OWNER=XYZ\Domain Admins , not XYZ\adminacct1 .  If it is create

RE: [ActiveDir] dynamic variables within an event log entry?

2006-11-30 Thread David Cliffe
Hi Laura,
 
I know I misread one of your posts once before, so I'm sorry in
advance if I'm doing it again (!), but aren't you making a conflicting
statement in nos. 2 & 3 below?  Or is #3 supposed to say "that is NOT a
member of Domain Admins..." ?
 
Also, is there a mechanism of some sort which changes the behavior
in #2 such that the actual account used would become the object's owner
(rather than DAs group)?  I remember reading something like this once,
but I could be thinking of something else way off base :-(
 
In any case, I completely agree that delegating the creation right
is the [way!] better option here!
 
Thanks as always,
DaveC




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log
entry?


1. This is one of the eight gazillion reasons to discourage the
use of accounts that are Domain Admins for routine purposes that can be
achieved without that level of rights.
2. By default, when a member of the Domain Admins group creates
an object in the directory, the Domain Admins group becomes the owner of
the object. That is by design. 
3. When I create an object with an account that is a member of
Domain Admins, the creator of the object shows as that account, not as
Domain Admins. Why aren't you just looking at that value in the event
logs, rather than looking at the ownership of the object? That's why
auditing allows tracking of who creates/modifies/deletes directory
objects.
 
Laura




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, November 30, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables within an event
log entry?



I wonder if someone could explain to me (or point me at
some reference) about what mechanism is used to populate the information
in a Windows event log entry.  The reason why I ask is that I see in the
Security log when a new user account is created by an account which is a
member of the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins ,
not XYZ\adminacct1 .  If it is created by an account that is a member of
the Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not
XYZ\Account Operators .

 

This makes auditing somewhat less worthwhile.  Is this
design on purpose or a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes






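The owner-versus-creator distinction in this thread (the Domain Admins group is the default owner of an object created by a DA member, while the audit log records the account that did the creating), as an added example that is not part of the thread: a PowerShell script that reads the owner from each user object's nTSecurityDescriptor and joins it to the creator recorded in the Security log. It assumes the ActiveDirectory module, rights to read the Security log on the DC that handled the creations, and a placeholder OU path.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# (RSAT), rights to read the Security log, and that it runs on (or is pointed
# at) the DC that handled the account creations. The OU is a placeholder.
Import-Module ActiveDirectory

$searchBase = 'OU=Staff,DC=example,DC=com'   # placeholder; adjust to your forest

# View 1: the owner stored in each object's security descriptor. When a member of
# Domain Admins created the object, this is the *group*, not the creating account.
function Get-UserObjectOwner {
    param([string]$Base)
    Get-ADUser -Filter * -SearchBase $Base -Properties nTSecurityDescriptor |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Owner          = $_.nTSecurityDescriptor.Owner
            }
        }
}

# View 2: the creator recorded by auditing. Event 4720 ("A user account was
# created", Windows Server 2008 and later; the 2003-era equivalent is event 624,
# whose field names differ). SubjectUserName is the account that performed the
# creation, TargetUserName the account that was created.
function Get-UserCreationEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) {
                $data[$node.GetAttribute('Name')] = $node.'#text'
            }
            [pscustomobject]@{
                SamAccountName = $data['TargetUserName']
                CreatedBy      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                When           = $_.TimeCreated
            }
        }
}

# Join the two views. Owner answers "who controls the ACL now"; CreatedBy answers
# "which account actually created it", which is the question auditing is for.
$events = @(Get-UserCreationEvents)
foreach ($obj in Get-UserObjectOwner -Base $searchBase) {
    $match = $events | Where-Object SamAccountName -eq $obj.SamAccountName | Select-Object -First 1
    [pscustomobject]@{
        SamAccountName = $obj.SamAccountName
        Owner          = $obj.Owner
        CreatedBy      = if ($match) { $match.CreatedBy } else { '(no 4720 event on this DC)' }
        When           = if ($match) { $match.When } else { $null }
    }
}
```

Account-creation events are written only on the DC that processed the creation, so run this on each DC (or against a log collector); the Owner column is the same from any DC because the security descriptor replicates.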



RE: [ActiveDir] Bulk of client going to PDC

2006-11-30 Thread David Cliffe
Hi Kamlesh,
 
I'm not necessarily recommending this as a fix, but wondering if
you've seen it yet and if it would apply?
 
http://support.microsoft.com/kb/831201/en-us
 
-DaveC



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Thursday, November 30, 2006 2:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Bulk of client going to PDC


Hi Guys,

We are facing some strange issue, randomly clients from some
sites are going to PDCe for group policy refresh, along with screensaver
and wallpaper stored in netlogon.

Clients are ignoring their nearest DC, and approaching PDCe. 

All DCs : Win2k3 SP1
All Clients: XP SP2

I verified, 
1) DNS entries for site DC are correct.
2) Netlogon and Sysvol folder of site DC are accessible.
3) Verified the clients are authenticating with site DC by :
nltest.exe  /sc_query:DOMAIN
4) Verified DFS info for netlogon and sysvol on clients is
correct :  dfsutil.exe  /pktinfo

I am clueless where else I should look?

-- 
Kamlesh
~ 
You teach best what you most need to learn.
~ 






RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread David Cliffe



Is this 2003 server?  What about Term 
Services?  Sometimes that gets enabled/installed by mistake (because it 
should not be needed for simple remote admin).  I can't recall, but 
maybe it locks you out of those 2 sessions when it can't contact a licensing 
server after a certain time period.  Could you have hit 
that?
 
If so, you should be able to remove the 
service (as long as you are ONLY using this for remote admin that 
is!).
 
-DaveC

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
  Sent: Tuesday, October 17, 2006 12:01 PM
  To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] The remote computer has ended the connection.
  
  
  Yes, it doesn't happen with any other 
  servers, but I have rebooted it more than twice, but no good luck.
   
  What do you guys suggest in this case? 
  Did only rebooting a second time resolve the issue for you?
   
  It worked for me when I disjoined it 
  from my domain, but I am sure this has nothing to do with any GPO. Also, 
  the same thing happened for me when I joined 
  this to any other domain, other than the previous one.
   
  Thanks!!!
  Ravi
  
  
  From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
  Sent: Tue 10/17/2006 8:33 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] The remote computer has ended the connection.
  
  
  I have also 
  seen where a second reboot is necessary for RDP to work.  I have not 
  determined the cause of this yet.  It does not happen on all 
  servers.
   
  Mike 
  Thommes
   
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
  Sent: Tuesday, October 17, 2006 10:29 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] The remote computer has ended the connection.
   
  I have noticed that after updating to the latest security patches and rebooting that 
  some (not all) of my servers had issues with RDP.  It cleared after 
  rebooting a second time.  Root cause?  Unknown at this time. 
   
  -vC
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
  Sent: Tuesday, October 17, 2006 8:28 AM
  To: activedir@mail.activedir.org
  Subject: [ActiveDir] The remote computer has ended the connection.
  Importance: High
   
  
  Hi,
  
   
  
  I am trying to access one of my 
  servers using Remote Connection. I am using mstsc but it's not connecting me to 
  the server, error "The remote computer has ended 
  the connection". However if I am using 
  mstsc /v:IP Address 
  /console it lets me connect to 
  it.
  
   
  
  Problem is in this mode I can use 
  only the admin id when connected like this. I want my engineers (who don't have 
  administrator privileges) to access this. It's not possible in this 
  mode.
  
   
  
  This all happened when I rebooted 
  my server.
  
   
  
  Please suggest what can be done to 
  normalize the things.
  
   
  
  Thanks!!!
  
  Ravi





RE: [ActiveDir] How do I print out users and home folders

2006-10-12 Thread David Cliffe



I like to add that placeholder in case an object 
does not have one of those properties set...
 
so...
 
adfind -b  -f samaccounttype=805306368 -nodn -csv NULL samaccountname homedirectory
 
etc...
 
-DaveC

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
  Sent: Thursday, October 12, 2006 1:55 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] How do I print out users and home folders
  
  
  another option is...
   
  joe's magical adfind ;-)
   
  ADFIND -b "" -f "(&(objectCategory=person)(objectClass=user))" -csv sAMAccountName homeDrive homeDirectory
   
  example:
  ADFIND -b "OU=USERS,OU=ORG,DC=AD,DC=LAN" -f "(&(objectCategory=person)(objectClass=user))" -csv sAMAccountName homeDrive homeDirectory
   
  D:\TOOLS\MISC>ADFIND -b "OU=USERS,OU=ORG,DC=AD,DC=LAN" -f "(&(objectCategory=person)(objectClass=user))" -csv sAMAccountName homeDrive homeDirectory
  "dn","homeDrive","homeDirectory"
  "CN=UserNoR1001,OU=USERS,OU=ORG,DC=AD,DC=LAN","H:","\\SERVER\SHARE\UserNo1001"
  "CN=UserNoR1002,OU=USERS,OU=ORG,DC=AD,DC=LAN","H:","\\SERVER\SHARE\UserNo1002"
  "CN=UserNoR1003,OU=USERS,OU=ORG,DC=AD,DC=LAN","H:","\\SERVER\SHARE\UserNo1003"
  "CN=UserNoR1004,OU=USERS,OU=ORG,DC=AD,DC=LAN","H:","\\SERVER\SHARE\UserNo1004"
  "CN=UserNoR1005,OU=USERS,OU=ORG,DC=AD,DC=LAN","H:","\\SERVER\SHARE\UserNo1005"
  "CN=UserNoR1006,OU=USERS,OU=ORG,DC=AD,DC=LAN","H:","\\SERVER\SHARE\UserNo1006"
  "CN=UserNoR1007,OU=USERS,OU=ORG,DC=AD,DC=LAN","H:","\\SERVER\SHARE\UserNo1007"
  "CN=UserNoR1008,OU=USERS,OU=ORG,DC=AD,DC=LAN","H:","\\SERVER\SHARE\UserNo1008"
  "CN=UserNoR1009,OU=USERS,OU=ORG,DC=AD,DC=LAN","H:","\\SERVER\SHARE\UserNo1009"
  "CN=UserNoR1010,OU=USERS,OU=ORG,DC=AD,DC=LAN","H:","\\SERVER\SHARE\UserNo1010"
   
  jorge
   
  
  
  Met vriendelijke groeten / Kind regards,
  Ing. Jorge de Almeida Pinto
  Senior Infrastructure Consultant
  MVP Windows Server - Directory Services
   
  
  LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
  Tel : +31-(0)40-29.57.777
  Mobile : +31-(0)6-26.26.62.80
  E-mail :
  
  
  From: [EMAIL PROTECTED] on behalf of Steve Comeau
  Sent: Thu 2006-10-12 18:51
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] How do I print out users and home folders
  
  
  Anyone have a good script/utility 
  to print out all users (login names) as well as home folder?
   
  Thank you.
   
  Steve Comeau
  IT Manager
  Rutgers Athletics
  83 Rockefeller Road
  Piscataway, NJ 08854
  732-445-7802
  732-445-4623 (fax)
  www.scarletknights.com
   
  
  
  
  





RE: [ActiveDir] AD Site replication settings/costs

2006-08-31 Thread David Cliffe



Laura/Steve - thanks for this - sorry I got 
tripped up :-)

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
  Sent: Wednesday, August 30, 2006 6:45 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD Site replication settings/costs
  
  
  One more thing to add.  If you want to see why we are building the topology 
  the way we are you can use ADLB in verbose reporting mode and it will help you 
  determine why the selections were made.  You can of course download ADLB 
  from microsoft.com.
   
  Thanks,
   
  -Steve
  
   
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
  Sent: Wednesday, August 30, 2006 5:20 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD Site replication settings/costs
   
  The following documentation describes this in detail: http://technet2.microsoft.com/WindowsServer/en/library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx
   
  Read-only and Writable Replicas
  When computing the replication topology, the KCC must consider whether a replica is 
  writable or read-only. For each potential set of replication partners in the 
  topology, the considerations are as follows:

  • A writable replica can receive updates from a corresponding writable replica.
  • A read-only replica can receive updates from a corresponding writable replica.
  • A read-only replica can receive updates from a corresponding read-only replica.
  • A writable replica cannot receive updates from a corresponding read-only replica.
   
  So, as Laura states, GCs can replicate amongst themselves.
   
  Thanks,
   
  -Steve
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
  Sent: Wednesday, August 30, 2006 5:10 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD Site replication settings/costs
   
  
  No. GCs can replicate partitions that they don't own to other GCs. They can't 
  replicate them to DCs for the domains in question, but they *can* replicate 
  their read-only partitions to other GCs.
  
   
  
  Laura
  
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, August 30, 2006 5:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

That should be "GCs cannot replicate partitions they don't own"  right?
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, August 30, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

  Is 
  it a GC? If so, then yes, that's to be expected. You may have *thought* 
  that you gave it only one replication partner, but if you're seeing 
  additional connection objects, then it has more than one replication 
  partner. When planning replication, you must be aware of every partition 
  that the DCs in a site are hosting. If you don't want that remote DC to 
  have connection objects from all of those other DCs, you're probably going 
  to need to set up connection objects for preferred DCs for it to use for 
  replication of partition data. If it's a GC, and if you have a GC that is 
  a DC for the same domain in another site, that would be a good choice to 
  set as a replication partner, because they would be able to replicate all 
  of their partitions (GCs can replicate partitions they don't own to other 
  GCs).
  
   
  
  Laura
  
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 30, 2006 2:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

It's a Windows 2000 native domain, we're about 4 upgrades from having all 
Win2k3 DCs and from what I've read, that should help a lot with 
replication.
 
Automatic site link bridging isn't enabled, and we have 0 site link bridges.
 
We're a worldwide company with 3 main hubs, but it is a mesh network in design 
(MPLS).
 
I guess I'm mainly confused because the DC at the slow bandwidth site in 
question only has one replication partner, yet we see connections to it 
from a large number of our DCs on a regular basis.  Is this 
normal?
 



From: 
[EMAI

RE: [ActiveDir] AD Site replication settings/costs

2006-08-30 Thread David Cliffe



That should be "GCs cannot replicate 
partitions they don't own"  right?
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, August 30, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

  
  Is 
  it a GC? If so, then yes, that's to be expected. You may have *thought* that 
  you gave it only one replication partner, but if you're seeing additional 
  connection objects, then it has more than one replication partner. When 
  planning replication, you must be aware of every partition that the DCs in a 
  site are hosting. If you don't want that remote DC to have connection objects 
  from all of those other DCs, you're probably going to need to set up 
  connection objects for preferred DCs for it to use for replication of 
  partition data. If it's a GC, and if you have a GC that is a DC for the same 
  domain in another site, that would be a good choice to set as a replication 
  partner, because they would be able to replicate all of their partitions (GCs 
  can replicate partitions they don't own to other GCs).
   
  Laura
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 30, 2006 2:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

It's a Windows 2000 native domain, we're about 4 
upgrades from having all Win2k3 DCs and from what I've read, that should 
help a lot with replication.
 
Automatic site link bridging isn't enabled, and we have 
0 site link bridges.  
 
We're a worldwide company with 3 main hubs, but it is a 
mesh network in design (MPLS).
 
I guess I'm mainly confused because the DC at the slow 
bandwidth site in question only has one replication partner, yet we see 
connections to it from a large number of our DCs on a regular basis.  
Is this normal?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, August 30, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

Intervals vary by company, domain structure, network topology and 
latency tolerances. That said, there is nothing inherently wrong with the 
replication parameters you list below. Are they the best parameters for your 
environment? That depends. Is this a Windows 2000 environment? Is automatic 
site link bridging enabled? There's a lot to consider in determining how to 
set site link properties; what you've listed below won't really be enough 
for anybody to give you any kind of realistic advice. 
(sorry)
 
Laura

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
  Sent: Wednesday, August 30, 2006 11:59 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] AD Site replication settings/costs
  
  We have about 80 AD sites with DCs.  All sites are set for a 
  cost of 100 on the site to site replication, and a replication interval of 
  15 minutes.  I'm presuming this is probably not a good thing.  
  
   
  One slow bandwidth site is complaining that their DC is talking to 
  every DC in the domain.  
   
  What is everyone else using as a replication interval for 
  inter-site replication?
  


  ~~ This e-mail is confidential, may contain proprietary information of 
Cameron and its operating Divisions and may be confidential or 
privileged. This e-mail should be read, copied, disseminated 
and/or used only by the addressee. If you have received this 
message in error please delete it, together with any attachments, 
from your system. ~~

  
  





RE: [ActiveDir] Moving user accounts.

2006-08-30 Thread David Cliffe



Hi Jim,
 
    Yes, I have found this to be 
true...there is no "move object" delegation.  We have to use the 
create and delete.  I wonder if that will change in future (I have a 
feeling it's been mentioned here several times before, but can't 
remember).
 
-DaveC

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
  Sent: Wednesday, August 30, 2006 3:17 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Moving user accounts.
  
  
  Am I correct that to delegate moving user accounts 
  from OU to OU I will have to allow them the ability to delete accounts? It 
  appears accounts work similar to documents: a move is really a copy then 
  delete.





RE: [ActiveDir] OT: HP disk array expansion

2006-07-26 Thread David Cliffe



Hi James,
 
    I can tell you that I've used the method 
you were suggested below [replace one disk at a time] on a DL380 G1 running 
Windows 2003.  I did exactly as you described, but I may have taken very 
slightly different steps afterwards (it's been awhile).  After the disk 
swaps I think I expanded my existing array from ACU, and then ran DISKPART (in 
the 2003 OS) to extend the existing volume (basic disks).
 
    Anyway, it worked without a hitch in that 
scenario.
 
-DaveC

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
  Sent: Wednesday, July 26, 2006 5:36 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: HP disk array expansion
  
  Hi,
   
  I have a HP ML370 Proliant Server. It currently has 4 x 36GB in a RAID 5 
  set.
   
  I want to upgrade the disk capacity of this server. I have bought 4 x 
  300gb disks as replacements.
   
  At present I have 4 x 36GB disks in the server. I was told I 
  could replace one disk in the RAID with a 300GB, let the raid rebuild and 
  do the next disk. Repeat until all of the disks are 300GB and then I can 
  look in the ACU and create a second logical drive that sees all that new 
  space.
   
  Can this be done? Anyone know how long it would take to rebuild? 
  currently there is 90gb used in the current volume.
   
  My other alternative is to buy a Tape Drive, backup, break array, create 
  new array and then restore, but this department doesn't want any downtime.
   
  Anyway, could someone shed some light as to which is the best method to take?
   
  thanks James





RE: [ActiveDir] Account Password Expiration Tool

2006-07-12 Thread David Cliffe
re:"Anyone who has TAMs... Start screaming now..."

Done from here.

-DaveC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 11, 2006 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Password Expiration Tool

A comprehensive list of attributes and values doesn't exist; I have
thought about setting up a dynamic webpage backending into a MySQL DB on
my website for a long time but just haven't done it. 

However for userAccountControl you can look at this enumeration:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_user_flag_enum.asp

If you go up one level from that you will find several enumerations for
some of the attributes. Keep in mind that there are some flags that
actually are valid for ADSI in general but not for LDAP, for instance,
ADS_UF_LOCKOUT works for the WinNT provider but not the LDAP provider.
Again, no comprehensive docs exist for that, it is all one offs that
people run into.
Actually that is pretty pathetic in my opinion but hey, at least we get
some info.


Now for your other specific questions... 

All user accounts that must change password at next logon, that is
handled by a combination of the pwdLastSet attribute and the domain
policy for password aging which is in the maxPwdAge attribute and the
current time/date and the userAccountControl. If the account is set to
not expire, it won't ever force a password change, if that isn't set
then there is a combination of the password age and the maxpwdage and
the current time. The easiest way to deal with this is findexpacc. If
you just want all accounts that have never set a password or have been
forced to change password at next logon that is a little easier, you
look for pwdLastSet=0.

All computers running Win2K pro would be handled by looking at the
operatingsystem attribute. I don't recall the actual string for Windows
2000 Professional but I expect that is the string, Windows Server 2003
is Windows Server 2003, Windows XP Pro is Windows XP Professional. MSFT,
again, in their infinite wisdom currently has Vista set as Windows Vista
(copyright
symbol) Ultimate. The copyright symbol is completely moronic in there as
it blows out people trying to look for the machines with command line
tools with really efficient queries. They have no choice but to wildcard
the strings. I bugged it, it was rejected, Eric jumped into the fray and
got it going again but just the same it seems we may end up losing and
it getting out into the OEM launch. Anyone who has TAMs... Start
screaming now, that is going to be a pain if it gets out there. I refuse
to figure out a way around it and will just say that MSFT was stupid and
didn't listen when I pitched it as a bug back in Beta 1. 

For excldn, it probably didn't work due to misunderstanding or mistake,
my code is perfect. ;o)  No seriously, if you have spaces in strings
that are passed as command line parameters, you need to use quotes.
Special characters need to be escaped, this isn't an issue with oldcmp,
it is the command line interpreter interpreting things in the way you
type them instead of how you intend them and passing that to my tools.
Also if you pass multiple DNs the proper delimiter needs to be supplied
(by default I think it is ; but would have to look to be sure) or else
adfind doesn't know what you mean. I am also not good at divining intent
versus what was typed.

  joe



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Tuesday, July 11, 2006 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Password Expiration Tool

Pardon my ignorance, but I have one more question: where do I get a list
of all of user or computer object attributes and values as it was used
in "(useraccountcontrol:AND:=65536)"? 
For instance if I want to enumerate all the user accounts with User Must
Change Password at Next Logon" or computers that are running WIN2K PRO.

Also I noticed the OU exclusion switch (-excldn) did not work in the
case of multiple OUs. Is it perhaps because they had space in their
names? 

TIA

Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 11, 2006 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Password Expiration Tool

This should do it

oldcmp -report -users -bit -af "(useraccountcontrol:AND:=65536)" -sh 

If you want a listing of all accounts with that set you would add -age 0

You could also use adfind to get the info. 


  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Tuesday, July 11, 2006 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: [Acti
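joe's description of how pwdLastSet, maxPwdAge and userAccountControl combine, worked through as an added example. This is not joeware code and not from the thread: the 42-day policy and the four accounts are constructed sample data, and the `(attr:AND:=value)` shorthand from the oldcmp command is written out here with the standard LDAP bitwise-AND matching rule OID (1.2.840.113556.1.4.803), which is my spelling of the filter, not oldcmp's.

```python
"""Password-expiry evaluation from pwdLastSet, maxPwdAge and userAccountControl.

Added example, not joeware code. AD stores pwdLastSet as a FILETIME
(100 ns ticks since 1601-01-01 UTC) and maxPwdAge as a negative tick count.
"""
from datetime import datetime, timedelta, timezone

ADS_UF_DONT_EXPIRE_PASSWD = 0x10000          # 65536, the bit in joe's oldcmp query
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
MAX_PWD_AGE_NEVER = -0x8000000000000000      # domain policy "passwords never expire"

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
DAY = 86400 * TICKS_PER_SECOND


def datetime_to_filetime(dt: datetime) -> int:
    """UTC datetime -> 100 ns ticks since 1601 (the pwdLastSet encoding)."""
    return int((dt - EPOCH_1601).total_seconds()) * TICKS_PER_SECOND


def filetime_to_datetime(ft: int) -> datetime:
    """Inverse of datetime_to_filetime, to whole microseconds."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def bit_and_filter(attribute: str, bit: int) -> str:
    """Standard LDAP spelling of the '(attr:AND:=value)' shorthand used above."""
    return f"({attribute}:{LDAP_MATCHING_RULE_BIT_AND}:={bit})"


def password_state(pwd_last_set: int, user_account_control: int,
                   max_pwd_age: int, now: datetime) -> str:
    """Classify one account as must-change, never-expires, expired or valid."""
    if pwd_last_set == 0:
        # never set, or "must change password at next logon" was ticked;
        # this is the population the filter (pwdLastSet=0) returns
        return "must-change"
    if user_account_control & ADS_UF_DONT_EXPIRE_PASSWD:
        return "never-expires"
    if max_pwd_age in (0, MAX_PWD_AGE_NEVER):
        return "valid"                       # no domain-level password aging
    age = datetime_to_filetime(now) - pwd_last_set
    return "expired" if age > -max_pwd_age else "valid"


def report(accounts, max_pwd_age: int, now: datetime) -> dict:
    """Map sAMAccountName -> password state for a list of attribute dicts."""
    return {a["sAMAccountName"]: password_state(a["pwdLastSet"],
                                                a["userAccountControl"],
                                                max_pwd_age, now)
            for a in accounts}


# Constructed sample data (not real directory output). 0x200 = NORMAL_ACCOUNT.
SAMPLE_NOW = datetime(2006, 7, 11, 17, 42, tzinfo=timezone.utc)
SAMPLE_MAX_PWD_AGE = -42 * DAY               # 42-day maximum password age
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "new.hire", "pwdLastSet": 0, "userAccountControl": 0x200},
    {"sAMAccountName": "svc.backup",
     "pwdLastSet": datetime_to_filetime(SAMPLE_NOW - timedelta(days=400)),
     "userAccountControl": 0x200 | ADS_UF_DONT_EXPIRE_PASSWD},
    {"sAMAccountName": "stale.user",
     "pwdLastSet": datetime_to_filetime(SAMPLE_NOW - timedelta(days=60)),
     "userAccountControl": 0x200},
    {"sAMAccountName": "ok.user",
     "pwdLastSet": datetime_to_filetime(SAMPLE_NOW - timedelta(days=10)),
     "userAccountControl": 0x200},
]

if __name__ == "__main__":
    print(bit_and_filter("userAccountControl", ADS_UF_DONT_EXPIRE_PASSWD))
    for name, state in report(SAMPLE_ACCOUNTS, SAMPLE_MAX_PWD_AGE, SAMPLE_NOW).items():
        print(f"{name:12s} {state}")
```

The order of the checks matters: pwdLastSet=0 wins over everything, and the never-expires bit is tested before any age arithmetic, which is why a service account with a 400-day-old password still reports never-expires.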

RE: [ActiveDir] LDAP Referrals - just curious

2006-07-12 Thread David Cliffe



Thanks joe, I almost forgot about this 
post.  I found a draft of what I was originally going to submit 
which has more specifics in it, but I'm finding that your description below 
is actually right on in terms of the base specified (root) and scope 
(subtree).  Only difference was that the query was for the name of user in 
a second child domain.
 
Yes, in the trace I could see the referrals for 
all the other NCs, and I guess I wondered why the one for the child domain 
wasn't followed.  I suppose that would mean all of the other ones would 
have to be followed as well, and as you mentioned, perhaps it is by 
design because it's probably not what the calling user intended - 
and possibly the calling user has just learned a little bit more about the 
referral logic in the process!
 
-DaveC

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Tuesday, July 11, 2006 11:15 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] LDAP Referrals - just curious
  
  Could you give specifics on what exactly you did, i.e. 
  the exact query?
   
  The code for adfind by default follows the Windows LDAP 
  lib's default for following referrals which is on. However I think that 
  is limited capability and I specifically chose not to add manual 
  referral chasing code because you will find that many queries that involve the 
  root domain as the base return referrals if you look at the traces. In most 
  cases those referrals are worthless to chase and would simply slow the 
  application down. 
   
  For instance, let's say you have a directory laid out 
  like
   
  domain.com
  child.domain.com
   
  then you query a DC of child.domain.com 
  with
   
  Base: domain.com
  Scope: subtree
  Query: name=someuser (which is a user object in 
  domain.com)
   
  So adfind will go to the DC you specify and issue the 
  query, that DC will throw back a referral to go to a DC of domain.com, the 
  LDAP client software will automatically chase this referral (adfind didn't do 
  anything but let wldap32.dll do what it wanted to do). It will find the object 
  and return it but also it will return referrals for 
  dc=ForestDnsZones,dc=domain,dc=com, dc=DomainDnsZones,dc=domain,dc=com, 
  dc=child,dc=domain,dc=com, and cn=configuration,dc=domain,dc=com which really 
  aren't what the person wanted here most likely. 
   
   
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
   
  Do not read this worthless blog entry on Defending Security Infrastructures - 
  http://blog.joeware.net/2006/07/11/445/ ---  I'm serious, you will learn absolutely 
  nothing about Defending Security Infrastructures. 
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
  Sent: Thursday, June 29, 2006 5:43 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] LDAP Referrals - just curious
  
  Hi,
   
      I was curious to watch some LDAP referral 
  traces (OK, so it's been a quiet day) and am seeing some results I don't 
  understand among different tools.  The queries are issued from within a 
  child domain to a DC in that same domain, searching for an object in 
  another child domain (root + two child domains total).  Not using the 
  GC.
   
  LDP chases a referral (if I turn that 
  option on) and returns an object from the other child domain in 
  the forest.  Search call type tested was ASYNC.
   
      DSQuery, after getting an initial 
   referral to the other domain, reissues the query to a root DC 
  but includes the LDAP_SERVER_DOMAIN_SCOPE_OID control in that search, so 
  then it gets no more referrals to the other child domain.  Not sure why 
  it does that?
   
      ADFind starts off looking good but unbinds and ends 
  the session after getting referral references for the other NCs.  
  Not sure why it doesn't continue to chase.
   
      I realize I should be providing more info 
  and/or traces.  I will be glad to, but just wanted to save some 
  space first and make sure I wasn't missing something 
  obvious?
   
  -DaveC
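The referral behaviour joe describes above (a child-domain DC handing back a referral to domain.com, and the domain.com DC then returning references for every NC directly under the search base), as an added example. This is a simplified model written for this thread, not adfind or wldap32.dll code: the forest layout is constructed to match joe's domain.com / child.domain.com example, DNs are assumed to have no escaped commas, and RDNs are compared case-insensitively.

```python
"""Model of LDAP referral generation for a subtree search rooted at an NC head.

Added example, not adfind or wldap32 behaviour. Two rules are modelled:
  - a DC that does not hold the NC containing the search base answers with a
    referral to that NC ("superior" referral);
  - a DC that does hold it returns results plus one SearchResultReference per
    naming context whose head lies directly under the base, whether or not
    the filter could match anything there.
"""

# Constructed forest layout: domain.com with one child domain (joe's example)
FOREST_NCS = [
    "dc=domain,dc=com",
    "cn=configuration,dc=domain,dc=com",
    "cn=schema,cn=configuration,dc=domain,dc=com",
    "dc=ForestDnsZones,dc=domain,dc=com",
    "dc=DomainDnsZones,dc=domain,dc=com",
    "dc=child,dc=domain,dc=com",
    "dc=DomainDnsZones,dc=child,dc=domain,dc=com",
]

# Constructed: which NCs a DC of each domain holds (no GC role)
ROOT_DC_NCS = [
    "dc=domain,dc=com",
    "cn=configuration,dc=domain,dc=com",
    "cn=schema,cn=configuration,dc=domain,dc=com",
    "dc=ForestDnsZones,dc=domain,dc=com",
    "dc=DomainDnsZones,dc=domain,dc=com",
]
CHILD_DC_NCS = [
    "dc=child,dc=domain,dc=com",
    "dc=DomainDnsZones,dc=child,dc=domain,dc=com",
    "cn=configuration,dc=domain,dc=com",
    "cn=schema,cn=configuration,dc=domain,dc=com",
    "dc=ForestDnsZones,dc=domain,dc=com",
]


def dn_rdns(dn):
    """Split a DN into lower-cased RDNs, leaf first (plain DNs assumed)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_strict_ancestor(ancestor, dn):
    """True when dn sits somewhere below ancestor in the tree."""
    a, d = dn_rdns(ancestor), dn_rdns(dn)
    return len(d) > len(a) and d[-len(a):] == a


def subordinate_referrals(base_dn, scope, naming_contexts=FOREST_NCS):
    """NCs the DC holding base_dn returns as SearchResultReferences."""
    if scope == "base":
        return []
    below = [nc for nc in naming_contexts if is_strict_ancestor(base_dn, nc)]
    refs = []
    for nc in below:
        # an NC nested inside another subordinate NC (e.g. schema under
        # configuration) is referred from that NC, not from here
        if any(is_strict_ancestor(other, nc) for other in below if other != nc):
            continue
        if scope == "onelevel" and len(dn_rdns(nc)) != len(dn_rdns(base_dn)) + 1:
            continue
        refs.append(nc)
    return sorted(refs, key=str.lower)


def handle_search(held_ncs, base_dn, scope, naming_contexts=FOREST_NCS):
    """What one DC answers: ('superior', nc) if it lacks the base's NC,
    otherwise ('references', [...]) alongside whatever results it finds."""
    held = {nc.lower() for nc in held_ncs}
    containing = [nc for nc in naming_contexts
                  if nc.lower() == base_dn.lower() or is_strict_ancestor(nc, base_dn)]
    if not containing:
        return ("noSuchObject", None)
    nearest = max(containing, key=lambda nc: len(dn_rdns(nc)))  # deepest NC above base
    if nearest.lower() not in held:
        return ("superior", nearest)
    return ("references", subordinate_referrals(base_dn, scope, naming_contexts))


if __name__ == "__main__":
    # the query from joe's reply: child DC, base domain.com, scope subtree
    print(handle_search(CHILD_DC_NCS, "dc=domain,dc=com", "subtree"))
    print(handle_search(ROOT_DC_NCS, "dc=domain,dc=com", "subtree"))
    # the same query rooted at the child domain produces far fewer references
    print(handle_search(CHILD_DC_NCS, "dc=child,dc=domain,dc=com", "subtree"))
```

Running it reproduces the four references joe lists for a root-based subtree search (ForestDnsZones, DomainDnsZones, the child domain and the configuration NC), which is the set a client would have to chase to be "complete" and the reason blindly following every reference slows a tool down.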





[ActiveDir] LDAP Referrals - just curious

2006-06-29 Thread David Cliffe



Hi,
 
    I was curious to watch some LDAP referral traces 
(OK, so it's been a quiet day) and am seeing some results I don't understand 
among different tools.  The queries are issued from within a child domain 
to a DC in that same domain, searching for an object in another child 
domain (root + two child domains total).  Not using the 
GC.
 
LDP chases a referral (if I turn that 
option on) and returns an object from the other child domain in 
the forest.  Search call type tested was ASYNC.
 
    DSQuery, after getting 
an initial  referral to the other domain, reissues the query to a root 
DC but includes the LDAP_SERVER_DOMAIN_SCOPE_OID control in that search, so 
then it gets no more referrals to the other child domain.  Not sure why it 
does that?
 
    ADFind starts off looking good but unbinds and ends 
the session after getting referral references for the other NCs.  Not 
sure why it doesn't continue to chase.
 
    I realize I should be providing more info and/or 
traces.  I will be glad to, but just wanted to save some space first 
and make sure I wasn't missing something obvious?
 
-DaveC





RE: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account

2006-05-22 Thread David Cliffe



Thanks.  I suspected this when 
both DSMOD and ADMOD modified the object without error during 
testing.  We'd rather go with the principle of least 
privilege!

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Monday, May 22, 2006 2:35 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account
  
  The Exchange GUIs (and many MSFT GUIs) are traditionally 
  bad with this kind of stuff. The GUIs will surprisingly often require more 
  permissions than you really need to do things because they aren't necessarily 
  doing the work correctly. On the flip side MSFT likes to try and enforce 
  security in the GUIs at times too like for instance Exchange and mailbox 
  enabling users (in order to mailbox enable a user in ADUC with the ESM addon 
  you need Exchange view, in reality, you don't need Exchange View) or like in 
  the old user manager which wouldn't let non admins see the administrator group 
  membership but every other tool did.
   
  When you delegate, you usually want to step away from 
  using ADUC and ESM because you will end up giving out more rights than 
  necessary just to make the GUI work "normal".
   
    joe
   
   
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
   
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
  Sent: Monday, May 22, 2006 9:18 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account
  
  
  Hi,
   
      In an environment running Exchange 2003 SP1 
  under Windows 2003 SP1...I've delegated WP (write property) on the 
  member attribute of a mail-enabled distribution list to a specific user.  
  That user is now able to modify the members of the group via ADUC (the 
  change does get applied), but a dialog pops up on the screen which 
  reads as follows:
   
  Window Title = Microsoft Active Directory - Exchange Extension
  Window Text  = Access denied.
     Facility: LDAP Provider
     ID no: 80070005
     Microsoft Active Directory - Exchange Extension
   
  In 
  addition, the DC where this change is made logs the following event in 
  the security log:
   
  Event Type: Failure Audit
  Event Source: Security
  Event Category: Directory Service Access
  Event ID: 566
  Date: 5/19/2006
  Time: 4:48:52 PM
  User: DOMAIN\End.User
  Computer: DomainController
  Description:
  Object Operation:
    Object Server: DS
    Operation Type: Object Access
    Object Type: group
    Object Name: CN=DistributionList,OU=Exchange,DC=company,DC=com
    Handle ID: -
    Primary User Name: DomainController$
    Primary Domain: DOMAIN
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: End.User
    Client Domain: DOMAIN
    Client Logon ID: (0x0,0x7C51DB79)
    Accesses: Write Property
    Properties: ---
      Public Information
        proxyAddresses
      group
    Additional Info:
    Additional Info2:
    Access Mask: 0x20
   
      Would anyone know why 
  this operation is trying to modify the proxyAddresses attribute in the Public 
  Information property set?  I was hoping to not have to grant WP on any 
  other attributes for this task.  If I use the delegated account to 
  modify the member attribute of this group 
  object using a tool other than ADUC, it is successful without 
  generating any error messages.
      I first posted this on the 
  Exchange list at Yahoo and received a good suggestion to check the backlink 
  [memberOf attribute] of the user object being modified to make sure that it 
  listed this group after a test modification.  It does.  So 
  again, seems everything works but still get the 
popup.
   
  Thanks for your time,
  DaveC





RE: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account

2006-05-22 Thread David Cliffe



Most likely I'll use that "Manager can 
update" attribute and have him do this via Outlook.  The end user 
previously had ADUC for this when permissions were also 'a bit 
heavy' (!), so I didn't even have that in mind at first, and then of course 
I got curious about the errors...
 
Thanks for your comments 
guys!
-DaveC

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
  Sent: Monday, May 22, 2006 1:48 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account
  
  Outlook does indeed let you manage groups if, in ADUC, 
  you tick the check box "Manager can update membership list" and you define a 
  manager of the list (on the "Managed By" tab).
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 22, 2006 1:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account

Nothing specific, but I think you can say that the Exchange-enhanced 
ADUC is trying to do something it doesn't need to do. You have a better 
answer which is to give the user a different tool.  Trying to remember 
if the Outlook tools allow you to manage the groups (I believe they will if 
you have the rights and you use a GC from the same domain that Exchange is 
in.) 
 
ADUC for what they want to do is a bit heavy, and it looks like you 
have an unnecessary process going on in the background. You may also want 
to check that the Exchange bits are the latest available.
     
Al
 
 
On 5/22/06, David Cliffe <[EMAIL PROTECTED]> wrote: 

  
  
  
  Hi,
   
      In an 
  environment running Exchange 2003 SP1 under Windows 2003 
  SP1...I've 
  delegated WP (write property) on the member attribute of a mail-enabled 
  distribution list to a specific user.  That user is now able to 
  modify the members of the group via ADUC (the change does get 
  applied), but a dialog pops up on the screen which reads as 
  follows:
   
  Window Title = Microsoft Active Directory - Exchange Extension
  Window Text  = Access denied.
     Facility: LDAP Provider
     ID no: 80070005
     Microsoft Active Directory - Exchange Extension
   
  In addition, the DC 
  where this change is made logs the following event in the security 
  log:
   
  Event Type: Failure Audit
  Event Source: Security
  Event Category: Directory Service Access
  Event ID: 566
  Date: 5/19/2006
  Time: 4:48:52 PM
  User: DOMAIN\End.User
  Computer: DomainController
  Description:
  Object Operation:
    Object Server: DS
    Operation Type: Object Access
    Object Type: group
    Object Name: CN=DistributionList,OU=Exchange,DC=company,DC=com
    Handle ID: -
    Primary User Name: DomainController$
    Primary Domain: DOMAIN
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: End.User
    Client Domain: DOMAIN
    Client Logon ID: (0x0,0x7C51DB79)
    Accesses: Write Property
    Properties: ---
      Public Information
        proxyAddresses
      group
    Additional Info:
    Additional Info2:
    Access Mask: 0x20
   
      Would anyone know why this operation is 
  trying to modify the proxyAddresses attribute in the Public Information 
  property set?  I was hoping to not have to grant WP on any other 
  attributes for this task.  If I use the delegated account to 
  modify the member attribute of this group object using a 
  tool other than ADUC, it is successful without generating any error 
  messages.
      I first posted this on the Exchange 
  list at Yahoo and received a good suggestion to check the backlink 
  [memberOf attribute] of the user object being modified to make sure that 
  it listed this group after a test modification.  It does.  So 
  again, seems everything works but still get the popup. 
  
   
  Thanks for your time,
  DaveC





[ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account

2006-05-22 Thread David Cliffe




Hi,
 
    In an environment running Exchange 2003 SP1 
under Windows 2003 SP1...I've delegated WP (write property) on the member 
attribute of a mail-enabled distribution list to a specific user.  That 
user is now able to modify the members of the group via ADUC (the change 
does get applied), but a dialog pops up on the screen which reads as 
follows:
 
Window Title = Microsoft Active Directory - Exchange Extension
Window Text  = Access denied.
   Facility: LDAP Provider
   ID no: 80070005
   Microsoft Active Directory - Exchange Extension
 
In 
addition, the DC where this change is made logs the following event in the 
security log:
 
Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 5/19/2006
Time: 4:48:52 PM
User: DOMAIN\End.User
Computer: DomainController
Description:
Object Operation:
  Object Server: DS
  Operation Type: Object Access
  Object Type: group
  Object Name: CN=DistributionList,OU=Exchange,DC=company,DC=com
  Handle ID: -
  Primary User Name: DomainController$
  Primary Domain: DOMAIN
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: End.User
  Client Domain: DOMAIN
  Client Logon ID: (0x0,0x7C51DB79)
  Accesses: Write Property
  Properties: ---
    Public Information
      proxyAddresses
    group
  Additional Info:
  Additional Info2:
  Access Mask: 0x20
 
    Would anyone know why 
this operation is trying to modify the proxyAddresses attribute in the Public 
Information property set?  I was hoping to not have to grant WP on any other 
attributes for this task.  If I use the delegated account to modify the 
member attribute of this group object 
using a tool other than ADUC, it is successful without generating any error 
messages.
    I first posted this on the Exchange 
list at Yahoo and received a good suggestion to check the backlink [memberOf 
attribute] of the user object being modified to make sure that it listed this 
group after a test modification.  It does.  So again, seems 
everything works but still get the popup.
 
Thanks for your time,
DaveC
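The failure audit in this post is exactly the evidence a delegation review wants: it names the client, the object, the access mask and the specific attribute (proxyAddresses, in the Public Information property set) that the Exchange-extended ADUC tried to write beyond the member attribute that was delegated. The added example below, which is not from the thread or from any Microsoft tool, parses a copy of that Event ID 566 text and decodes the access mask with the ADS_RIGHT_* bit values; the sample event is the posted one reconstructed with explicit indentation, and the field layout it parses is an assumption about that reconstruction rather than a general Event Log parser.

```python
"""Parse a Directory Service Access failure audit (Event ID 566) and decode it.

Added example, not thread or Microsoft code. The sample is the posted event,
reconstructed with explicit indentation so that the Properties block
(property set / attribute / object class) can be read structurally.
"""

# ADS_RIGHT_* bit values from the ADS_RIGHTS_ENUM used in AD ACEs
ADS_RIGHTS = {
    0x001: "DS_CREATE_CHILD",
    0x002: "DS_DELETE_CHILD",
    0x004: "ACTRL_DS_LIST",
    0x008: "DS_SELF",
    0x010: "DS_READ_PROP",
    0x020: "DS_WRITE_PROP",
    0x040: "DS_DELETE_TREE",
    0x080: "DS_LIST_OBJECT",
    0x100: "DS_CONTROL_ACCESS",
}

# Constructed from the event text in the post above (not a live log export)
SAMPLE_EVENT = """\
Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 5/19/2006
Time: 4:48:52 PM
User: DOMAIN\\End.User
Computer: DomainController
Description:
Object Operation:
 Object Server: DS
 Operation Type: Object Access
 Object Type: group
 Object Name: CN=DistributionList,OU=Exchange,DC=company,DC=com
 Primary User Name: DomainController$
 Client User Name: End.User
 Client Domain: DOMAIN
 Accesses: Write Property
 Properties:
  Public Information
   proxyAddresses
  group
 Access Mask: 0x20
"""


def _indent(line):
    return len(line) - len(line.lstrip())


def parse_event_566(text):
    """Return (fields, properties): 'Key: value' pairs and the indented
    Properties items as (indent, name) tuples."""
    fields, props = {}, []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        stripped = line.strip()
        if stripped.startswith("Properties:"):
            fields["Properties"] = stripped.partition(":")[2].strip()
            base = _indent(line)
            i += 1
            # everything indented deeper than "Properties:" belongs to it
            while i < len(lines) and lines[i].strip() and _indent(lines[i]) > base:
                props.append((_indent(lines[i]), lines[i].strip()))
                i += 1
            continue
        if ":" in stripped:
            key, _, value = stripped.partition(":")
            fields[key.strip()] = value.strip()
        i += 1
    return fields, props


def decode_access_mask(mask):
    """Names of the ADS_RIGHT_* bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(ADS_RIGHTS.items()) if mask & bit]


def summarize_566(text):
    """Reduce the event to the facts a delegation review needs."""
    f, props = parse_event_566(text)
    top = props[0][0] if props else None
    return {
        "event_id": f.get("Event ID"),
        "outcome": f.get("Event Type"),
        "client": f"{f.get('Client Domain')}\\{f.get('Client User Name')}",
        "object": f.get("Object Name"),
        "object_class": f.get("Object Type"),
        "rights": decode_access_mask(int(f.get("Access Mask", "0"), 16)),
        # first item at the top indent is the property set, deeper items are
        # the attributes inside it, later top-level items are object classes
        "property_set": props[0][1] if props else None,
        "attributes": [n for ind, n in props[1:] if ind > top],
        "classes": [n for ind, n in props[1:] if ind == top],
    }


if __name__ == "__main__":
    for key, value in summarize_566(SAMPLE_EVENT).items():
        print(f"{key:14s} {value}")
```

With the summary in hand the two options the thread arrives at are easy to compare: grant WP on proxyAddresses as well (wider than the task needs), or move the user to a tool that only writes member, which is what the list settled on.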





RE: [ActiveDir] ExtraColumns attribute

2006-04-20 Thread David Cliffe



Yep...understood.
 
My mistake was making the change on  
default-Display, but then not testing the view from a saved query, a 
container type with no defined custom columns.  Rather, I tested it on an 
OU (organizationalUnit-Display).  I thought that would be a good test 
because it didn't have an  extraColumns  attribute defined, 
but it seems that fact alone does not designate  
organizationalUnit-Display  as "container types that do not have any custom columns 
registered".
 
Thanks again!
-DaveC

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
  Sent: Thursday, April 20, 2006 10:10 AM
  To: Send - AD mailing list
  Subject: RE: [ActiveDir] ExtraColumns attribute
  
  I 
  believe it's trying to tell you that you cannot reduce the list, you can 
  merely extend 
  it.
  --
  Dean Wells
  MSEtechnology
  * Email: dwells@msetechnology.com
  http://msetechnology.com
   
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, April 20, 2006 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ExtraColumns attribute

I'm not certain either.  
I modified (added a value) to the extraColumns attribute of this 
object:
 
"CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=,DC=com"
 
After that, I closed/relaunched ADUC, 
picked the "OU=Domain Controllers" (for example), right clicked 
it, chose View -->Add/Remove Columns... and looked at the list of 
available columns.  That list never changed (never included the 
operatingSystem attribute for example).
 
I'm trying to interpret the last two 
statements of that article:
 
"The fixed set of 
columns cannot be changed and modifying the extraColumns attribute of 
the default-Display object will have no effect.  To display a 
custom column for all container types that do not have any custom columns 
registered, add a value for the column to the extraColumns attribute 
of the default-Display object."
 
It seems to be saying that you should be 
able to add an attribute via the  extraColumns  attr  
of  default-Display (as you proved in your test), and this will work as 
long as the container type for the object you're looking at doesn't 
already have an  extraColumns  attr defined, which  *is* 
 the case on the  organizationalUnit-display  object in 
my config partition.

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
  Sent: Thursday, April 20, 2006 8:06 AM
  To: Send - AD mailing list
  Subject: RE: [ActiveDir] ExtraColumns attribute
  
  Per my original response and having just tested it, modifying the 
  default does indeed have the desired effect.  I'm uncertain as to why 
  it's not working for you.
   
  Which displaySpecifier are you modifying?
  --
  Dean Wells
  MSEtechnology
  * Email: dwells@msetechnology.com
  http://msetechnology.com
   
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, April 20, 2006 7:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ExtraColumns attribute

  just an FYI - 
this time I read this article  *the whole way through* (!)  
and it answered my questions about which display specifier object(s) 
one actually needs to modify in order to add extra columns.  
Works fine.  I was modifying the default, which has no 
effect.  Thanks for your time Dean.
 
http://msdn.microsoft.com/library/default.asp?url=""> 
 
-DaveC


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
  Sent: Wednesday, April 19, 2006 5:43 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] ExtraColumns attribute
  
  Whoops...I should have clarified two 
  items - sorry.
   
  1 - What surprised me was that these 
  three new "extras" don't even show up in the "available columns" 
  dialog to select them!
  2 - I haven't tested a "Saved 
  Query" view yet.  I figured that since this was default I would 
  just pick any OU or container with computer objects in it to start off 
  with.  I've tried a few different ones with no luck seeing those 
  columns as available options to add.
   
  Strange.  Thanks for your 
  replies.
  -DaveC
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 19, 2006 5:28 PM
To: Send - AD mailing l

RE: [ActiveDir] ExtraColumns attribute

2006-04-20 Thread David Cliffe



I'm not certain either.  I modified 
(added a value) to the extraColumns attribute of this 
object:
 
"CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=,DC=com"
 
After that, I closed/relaunched ADUC, 
picked the "OU=Domain Controllers" (for example), right clicked it, 
chose View -->Add/Remove Columns... and looked at the list of available 
columns.  That list never changed (never included the operatingSystem 
attribute for example).
 
I'm trying to interpret the last two statements 
of that article:
 
"The fixed set of columns 
cannot be changed and modifying the extraColumns attribute of the 
default-Display object will have no effect.  To display a custom 
column for all container types that do not have any custom columns registered, 
add a value for the column to the extraColumns attribute of the 
default-Display object."
 
It seems to be saying that you should be able to 
add an attribute via the  extraColumns  attr  of  
default-Display (as you proved in your test), and this will work as long as the 
container type for the object you're looking at doesn't already have 
an  extraColumns  attr defined, which  *is*  the case 
on the  organizationalUnit-display  object in my config 
partition.

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
  Sent: Thursday, April 20, 2006 8:06 AM
  To: Send - AD mailing list
  Subject: RE: [ActiveDir] ExtraColumns attribute
  
  Per 
  my original response and having just tested it, modifying the default does 
  indeed have the desired effect.  I'm uncertain as to why it's not working 
  for you.
   
  Which displaySpecifier are you modifying?
  --
  Dean Wells
  MSEtechnology
  * Email: dwells@msetechnology.com
  http://msetechnology.com
   
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, April 20, 2006 7:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ExtraColumns attribute

  just an FYI - this 
time I read this article  *the whole way through* (!)  and it 
answered my questions about which display specifier object(s) 
one actually needs to modify in order to add extra columns.  Works 
fine.  I was modifying the default, which has no effect.  Thanks 
for your time Dean.
 
http://msdn.microsoft.com/library/default.asp?url=""> 
 
-DaveC


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
  Sent: Wednesday, April 19, 2006 5:43 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] ExtraColumns attribute
  
  Whoops...I should have clarified two items 
  - sorry.
   
  1 - What surprised me was that these three 
  new "extras" don't even show up in the "available columns" dialog to 
  select them!
  2 - I haven't tested a "Saved Query" 
  view yet.  I figured that since this was default I would just pick 
  any OU or container with computer objects in it to start off with.  
  I've tried a few different ones with no luck seeing those columns as 
  available options to add.
   
  Strange.  Thanks for your 
  replies.
  -DaveC
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 19, 2006 5:28 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] ExtraColumns attribute

OK, so the 1st trailing 0 says "don't show by default" ... which I assume
is what you want on the default displaySpecifier.  You may also find it
useful to know that when these columns do appear, they have a habit of
initially being 0 pixels wide so you have to go dragging column widths
around to find them (they default to the far right column I believe so
start there).  In addition, since you've used the trailing 0 mentioned
above, all you've done is added these attributes to the list of those
available in the Add/Remove columns dialog.
 
--Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
  Sent: Wednesday, April 19, 2006 5:06 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] ExtraColumns attribute
  
  Hm...that's exactly what I was planning to do, and did do about 2 hours
  ago, but am a little surprised to find it hasn't worked (waited for
  repl).  Here you can see my edits  [ "joeware automatic update service"
  hasn't kicked in on my machine yet  : - )  ]
   
  I'm not sure how many pixels these things need to be displayed, so I
  just picked a num

RE: [ActiveDir] ExtraColumns attribute

2006-04-20 Thread David Cliffe



  Just an FYI - this time I read this article *the whole way through* (!)
and it answered my questions about which display specifier object(s) one
actually needs to modify in order to add extra columns.  Works fine.  I
was modifying the default, which has no effect.  Thanks for your time
Dean.
 
http://msdn.microsoft.com/library/default.asp?url=
 
-DaveC


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
  Sent: Wednesday, April 19, 2006 5:43 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] ExtraColumns attribute
  
  Whoops...I should have clarified two items - sorry.
   
  1 - What surprised me was that these three new "extras" don't even show
  up in the "available columns" dialog to select them!
  2 - I haven't tested a "Saved Query" view yet.  I figured that since this
  was default I would just pick any OU or container with computer objects
  in it to start off with.  I've tried a few different ones with no luck
  seeing those columns as available options to add.
   
  Strange.  Thanks for your replies.
  -DaveC
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 19, 2006 5:28 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] ExtraColumns attribute

OK, so the 1st trailing 0 says "don't show by default" ... which I assume
is what you want on the default displaySpecifier.  You may also find it
useful to know that when these columns do appear, they have a habit of
initially being 0 pixels wide so you have to go dragging column widths
around to find them (they default to the far right column I believe so
start there).  In addition, since you've used the trailing 0 mentioned
above, all you've done is added these attributes to the list of those
available in the Add/Remove columns dialog.
 
--Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
  Sent: Wednesday, April 19, 2006 5:06 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] ExtraColumns attribute
  
  Hm...that's exactly what I was planning to do, and did do about 2 hours
  ago, but am a little surprised to find it hasn't worked (waited for
  repl).  Here you can see my edits  [ "joeware automatic update service"
  hasn't kicked in on my machine yet  : - )   ]
   
  I'm not sure how many pixels these things need to be displayed, so I
  just picked a number...hopefully that's not holding this up?  As an
  additional test I modified the value in blue, just to see if it would
  display differently, but that didn't take effect either.  I must be
  missing something.
   
  [note - if reading in plain text, it's the first 4 values of
  extraColumns below which contain my edits]
   
  Thanks again...DC
   
   
  $ adfind -b "CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=,DC=com" extracolumns
   
  AdFind V01.27.00cpp Joe Richards ([EMAIL PROTECTED]) November 2005
   
  Using server: dc.rootdomain.com:389
  Directory: Windows Server 2003
   
  dn:CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=rootdomain,DC=com
  >extraColumns: company,Compenny,0,150,0
  >extraColumns: operatingSystemVersion,O/S Version,0,100,0
  >extraColumns: operatingSystemServicePack,Service Pack,0,100,0
  >extraColumns: operatingSystem,Operating System,0,100,0
  >extraColumns: postalCode,Zip Code,0,100,0
  >extraColumns: textEncodedORAddress,X.400 E-Mail Address,0,130,0
  >extraColumns: userPrincipalName,User Logon Name,0,200,0
  >extraColumns: title,Job Title,0,100,0
  >extraColumns: targetAddress,Target Address,0,100,0
  >extraColumns: st,State,0,100,0
  >extraColumns: physicalDeliveryOfficeName,Office,0,100,0
  >extraColumns: whenChanged,Modified,0,130,0
  >extraColumns: sn,Last Name,0,100,0
  >extraColumns: msExchIMMetaPhysicalURL,Instant Messaging URL,0,140,0
  >extraColumns: msExchIMPhysicalURL,Instant Messaging Home Server,0,170,0
  >extraColumns: givenName,First Name,0,100,0
  >extraColumns: homeMDB,Exchange Mailbox Store,0,100,0
  >extraColumns: mailNickname,Exchange Alias,0,175,0
  >extraColumns: mail,E-Mail Address,0,100,0
  >extraColumns: sAMAccountName,Pre-Windows 2000 Logon Name,0,120,0
  >extraColumns: displayName,Display Name,0,100,0
  >extraColumns: department,Department,0,150,0
  >extraColumns: c,Country,0,-1,0
  >extraColumns: l,City,0,150,0
  >extraColumns: telephoneNumber,Business Phone,0,100,0
   
  1 Objects returned
   
   
  


From: [EMAIL PROTECTED] 
[mai

RE: [ActiveDir] ExtraColumns attribute

2006-04-19 Thread David Cliffe



Whoops...I should have clarified two items - sorry.
 
1 - What surprised me was that these three new "extras" don't even show up
in the "available columns" dialog to select them!
2 - I haven't tested a "Saved Query" view yet.  I figured that since this
was default I would just pick any OU or container with computer objects in
it to start off with.  I've tried a few different ones with no luck seeing
those columns as available options to add.
 
Strange.  Thanks for your replies.
-DaveC

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
  Sent: Wednesday, April 19, 2006 5:28 PM
  To: Send - AD mailing list
  Subject: RE: [ActiveDir] ExtraColumns attribute
  
  OK, so the 1st trailing 0 says "don't show by default" ... which I assume
  is what you want on the default displaySpecifier.  You may also find it
  useful to know that when these columns do appear, they have a habit of
  initially being 0 pixels wide so you have to go dragging column widths
  around to find them (they default to the far right column I believe so
  start there).  In addition, since you've used the trailing 0 mentioned
  above, all you've done is added these attributes to the list of those
  available in the Add/Remove columns dialog.
   
  --Dean Wells
  MSEtechnology
  * Email: dwells@msetechnology.com
  http://msetechnology.com
   
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, April 19, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ExtraColumns attribute

Hm...that's exactly what I was planning to do, and did do about 2 hours
ago, but am a little surprised to find it hasn't worked (waited for repl).
Here you can see my edits  [ "joeware automatic update service" hasn't
kicked in on my machine yet  : - )   ]
 
I'm not sure how many pixels these things need to be displayed, so I just
picked a number...hopefully that's not holding this up?  As an additional
test I modified the value in blue, just to see if it would display
differently, but that didn't take effect either.  I must be missing
something.
 
[note - if reading in plain text, it's the first 4 values of extraColumns
below which contain my edits]
 
Thanks again...DC
 
 
$ adfind -b "CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=,DC=com" extracolumns
 
AdFind V01.27.00cpp Joe Richards ([EMAIL PROTECTED]) November 2005
 
Using server: dc.rootdomain.com:389
Directory: Windows Server 2003
 
dn:CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=rootdomain,DC=com
>extraColumns: company,Compenny,0,150,0
>extraColumns: operatingSystemVersion,O/S Version,0,100,0
>extraColumns: operatingSystemServicePack,Service Pack,0,100,0
>extraColumns: operatingSystem,Operating System,0,100,0
>extraColumns: postalCode,Zip Code,0,100,0
>extraColumns: textEncodedORAddress,X.400 E-Mail Address,0,130,0
>extraColumns: userPrincipalName,User Logon Name,0,200,0
>extraColumns: title,Job Title,0,100,0
>extraColumns: targetAddress,Target Address,0,100,0
>extraColumns: st,State,0,100,0
>extraColumns: physicalDeliveryOfficeName,Office,0,100,0
>extraColumns: whenChanged,Modified,0,130,0
>extraColumns: sn,Last Name,0,100,0
>extraColumns: msExchIMMetaPhysicalURL,Instant Messaging URL,0,140,0
>extraColumns: msExchIMPhysicalURL,Instant Messaging Home Server,0,170,0
>extraColumns: givenName,First Name,0,100,0
>extraColumns: homeMDB,Exchange Mailbox Store,0,100,0
>extraColumns: mailNickname,Exchange Alias,0,175,0
>extraColumns: mail,E-Mail Address,0,100,0
>extraColumns: sAMAccountName,Pre-Windows 2000 Logon Name,0,120,0
>extraColumns: displayName,Display Name,0,100,0
>extraColumns: department,Department,0,150,0
>extraColumns: c,Country,0,-1,0
>extraColumns: l,City,0,150,0
>extraColumns: telephoneNumber,Business Phone,0,100,0
 
1 Objects returned
 
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
  Sent: Wednesday, April 19, 2006 1:42 PM
  To: Send - AD mailing list
  Subject: RE: [ActiveDir] ExtraColumns attribute
  
  Try editing the extraColumns attribute on the default-Display object,
  adding the property of your choosing as follows -
   
  0 <- IIRC, this is reserved and must be 0 for now.
   
  ... highlighting the Saved Query in question and selecting
  View-->Add/Remove columns-->Add the desired attribute.
   
  Does this achieve your goal?
  --Dean Wells
  MSEtechnology
  * Email: dwells@msetechnology.com
  http://msetechnology.com
   
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behal

RE: [ActiveDir] ExtraColumns attribute

2006-04-19 Thread David Cliffe



Hm...that's exactly what I was planning to do, and did do about 2 hours
ago, but am a little surprised to find it hasn't worked (waited for repl).
Here you can see my edits  [ "joeware automatic update service" hasn't
kicked in on my machine yet  : - )   ]
 
I'm not sure how many pixels these things need to be displayed, so I just
picked a number...hopefully that's not holding this up?  As an additional
test I modified the value in blue, just to see if it would display
differently, but that didn't take effect either.  I must be missing
something.
 
[note - if reading in plain text, it's the first 4 values of extraColumns
below which contain my edits]
 
Thanks again...DC
 
 
$ adfind -b "CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=,DC=com" extracolumns
 
AdFind V01.27.00cpp Joe Richards ([EMAIL PROTECTED]) November 2005
 
Using server: dc.rootdomain.com:389
Directory: Windows Server 2003
 
dn:CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=rootdomain,DC=com
>extraColumns: company,Compenny,0,150,0
>extraColumns: operatingSystemVersion,O/S Version,0,100,0
>extraColumns: operatingSystemServicePack,Service Pack,0,100,0
>extraColumns: operatingSystem,Operating System,0,100,0
>extraColumns: postalCode,Zip Code,0,100,0
>extraColumns: textEncodedORAddress,X.400 E-Mail Address,0,130,0
>extraColumns: userPrincipalName,User Logon Name,0,200,0
>extraColumns: title,Job Title,0,100,0
>extraColumns: targetAddress,Target Address,0,100,0
>extraColumns: st,State,0,100,0
>extraColumns: physicalDeliveryOfficeName,Office,0,100,0
>extraColumns: whenChanged,Modified,0,130,0
>extraColumns: sn,Last Name,0,100,0
>extraColumns: msExchIMMetaPhysicalURL,Instant Messaging URL,0,140,0
>extraColumns: msExchIMPhysicalURL,Instant Messaging Home Server,0,170,0
>extraColumns: givenName,First Name,0,100,0
>extraColumns: homeMDB,Exchange Mailbox Store,0,100,0
>extraColumns: mailNickname,Exchange Alias,0,175,0
>extraColumns: mail,E-Mail Address,0,100,0
>extraColumns: sAMAccountName,Pre-Windows 2000 Logon Name,0,120,0
>extraColumns: displayName,Display Name,0,100,0
>extraColumns: department,Department,0,150,0
>extraColumns: c,Country,0,-1,0
>extraColumns: l,City,0,150,0
>extraColumns: telephoneNumber,Business Phone,0,100,0
 
1 Objects returned
 
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
  Sent: Wednesday, April 19, 2006 1:42 PM
  To: Send - AD mailing list
  Subject: RE: [ActiveDir] ExtraColumns attribute
  
  Try editing the extraColumns attribute on the default-Display object,
  adding the property of your choosing as follows -
   
  0 <- IIRC, this is reserved and must be 0 for now.
   
  ... highlighting the Saved Query in question and selecting
  View-->Add/Remove columns-->Add the desired attribute.
   
  Does this achieve your goal?
  --Dean Wells
  MSEtechnology
  * Email: dwells@msetechnology.com
  http://msetechnology.com
   
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, April 19, 2006 12:47 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] ExtraColumns attribute

Hi all,
 
    I am interested in adding values to the 'extraColumns' attribute found
on objects in the DisplaySpecifiers container.  In particular, I'd like the
option to display the value of OperatingSystem (etc...).
 
    The article about this attr in the MSDN library describes it pretty
well, but I'm wondering which DisplaySpecifier object to use in the case
where you write a "Saved Query" (for others to import into their ADUC).
 
    At present I see that only the "default-Display" and
"lostAndFound-Display" objects have that attr populated.  Should I just
modify the default, or should I be more specific and modify another object
which only applies to "Saved Queries" - if so, anybody know which one?
Maybe since my filter specifies only computer objects, the
"computer-Display" object applies?
 
    Sorry if this sounds silly!
 
Thanks...
DaveC

To find out more about Reuters visit www.about.reuters.com

Any views expressed in this message are those of the individual sender,
except where the sender specifically states them to be the views of
Reuters Ltd.

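The thread above turns on the shape of each extraColumns value and on the two reasons a freshly added column can look as if it did nothing: the third field is 0, so the column only appears under View > Add/Remove Columns, and the column is drawn with no width. The script below is an added example, not code from the list, from Dean Wells or from Microsoft. It parses values in the form adfind prints them, validates the five fields, and stages the values that are not already present as an LDIF modify record for ldifde. The target DN, the sample adfind cut and the staged columns are assumptions; which display specifier a given ADUC view reads is what the MSDN article Dave cites settles, and this script does not decide it.

```python
"""Build, validate and stage extraColumns values for an AD display specifier.

Added example for the ExtraColumns thread; not code from the list or from
Microsoft. It assumes the five-field value layout that the MSDN article and
Dean Wells' reply describe:

    attribute,label,visibleByDefault,width,reserved

TARGET_DN, SAMPLE_ADFIND and the columns staged in main() are constructed.
"""
from dataclasses import dataclass

# Hypothetical target. CN=409 is the en-US locale; other locales have their own container.
TARGET_DN = ("CN=computer-Display,CN=409,CN=DisplaySpecifiers,"
             "CN=Configuration,DC=example,DC=com")

# Constructed cut of adfind output, same shape as in the thread (">attr: value").
SAMPLE_ADFIND = """\
dn:CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=example,DC=com
>extraColumns: company,Compenny,0,150,0
>extraColumns: operatingSystemVersion,O/S Version,0,100,0
>extraColumns: c,Country,0,-1,0
>extraColumns: telephoneNumber,Business Phone,0,100,0
"""


@dataclass(frozen=True)
class ExtraColumn:
    attribute: str            # lDAPDisplayName, e.g. operatingSystem
    label: str                # column header ADUC shows
    visible_by_default: bool  # third field: 1 = shown without Add/Remove Columns
    width: int                # fourth field: initial width in pixels
    reserved: int = 0         # fifth field: reserved, must be 0

    @classmethod
    def parse(cls, value: str) -> "ExtraColumn":
        # The label may contain commas, so take one field off the front
        # and the three numeric fields off the back.
        attribute, rest = value.split(",", 1)
        label, visible, width, reserved = rest.rsplit(",", 3)
        return cls(attribute.strip(), label.strip(), visible.strip() == "1",
                   int(width), int(reserved))

    def to_value(self) -> str:
        return (f"{self.attribute},{self.label},"
                f"{int(self.visible_by_default)},{self.width},{self.reserved}")

    def notes(self) -> list[str]:
        """Why a freshly added column may look like it 'did not work'."""
        out = []
        if self.reserved != 0:
            out.append("reserved field must be 0")
        if self.width == 0:
            out.append("width 0: the column is added but drawn 0 px wide")
        if not self.visible_by_default:
            out.append("not shown by default: only offered under View > Add/Remove Columns")
        return out


def parse_adfind(output: str) -> list[ExtraColumn]:
    """Collect the extraColumns values from adfind's '>attr: value' lines."""
    cols = []
    for line in output.splitlines():
        name, sep, value = line.lstrip(">").partition(": ")
        if sep and name.strip().lower() == "extracolumns":
            cols.append(ExtraColumn.parse(value))
    return cols


def stage_add(dn: str, existing: list[ExtraColumn],
              wanted: list[ExtraColumn]) -> tuple[str, list[ExtraColumn]]:
    """LDIF 'modify/add' record for the wanted values not already present.
    extraColumns is multi-valued; adding a value that is already there makes
    the whole modify fail (attributeOrValueExists), so filter first."""
    have = {c.attribute.lower() for c in existing}
    new = [c for c in wanted if c.attribute.lower() not in have]
    if not new:
        return "", []
    lines = [f"dn: {dn}", "changetype: modify", "add: extraColumns"]
    lines += [f"extraColumns: {c.to_value()}" for c in new]
    lines.append("-")
    return "\n".join(lines) + "\n", new


if __name__ == "__main__":
    existing = parse_adfind(SAMPLE_ADFIND)
    wanted = [ExtraColumn("operatingSystem", "Operating System", False, 100),
              ExtraColumn("operatingSystemVersion", "O/S Version", False, 100),
              ExtraColumn("operatingSystemServicePack", "Service Pack", True, 0)]
    for col in wanted:
        for note in col.notes():
            print(f"{col.attribute}: {note}")
    ldif, added = stage_add(TARGET_DN, existing, wanted)
    print(f"{len(added)} value(s) to add; apply with: ldifde -i -f columns.ldf")
    print(ldif)
```

Run it as-is to see the staged LDIF and the notes; in practice feed it the real adfind output of the display specifier you intend to change (the operatingSystemVersion value above is skipped because the sample already carries it). Dedup is by attribute name only, since two entries for the same attribute under different labels is never what you want.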




[ActiveDir] ExtraColumns attribute

2006-04-19 Thread David Cliffe



Hi all,
 
    I am interested in adding values to the 'extraColumns' attribute found
on objects in the DisplaySpecifiers container.  In particular, I'd like the
option to display the value of OperatingSystem (etc...).
 
    The article about this attr in the MSDN library describes it pretty
well, but I'm wondering which DisplaySpecifier object to use in the case
where you write a "Saved Query" (for others to import into their ADUC).
 
    At present I see that only the "default-Display" and
"lostAndFound-Display" objects have that attr populated.  Should I just
modify the default, or should I be more specific and modify another object
which only applies to "Saved Queries" - if so, anybody know which one?
Maybe since my filter specifies only computer objects, the
"computer-Display" object applies?
 
    Sorry if this sounds silly!
 
Thanks...
DaveC





RE: [ActiveDir] Delegation

2006-03-02 Thread David Cliffe



Hi Bryan,
 
    You might find these helpful!
 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspx
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en
 
    (the second link is for the appendices)
 
-DaveC

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
  Sent: Thursday, March 02, 2006 8:51 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Delegation
  
  
  I've recently joined this list and didn't see this post.  Is there any
  list (official or unofficial) that details what permissions are necessary
  to delegate certain tasks?
   
  Bryan Lucas
  Server Administrator
  Texas Christian University
  (817) 257-6971
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
  Sent: Thursday, March 02, 2006 5:53 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Delegation
   
  
  I remember seeing a posting that listed the ACLs required on User objects
  so that a Help Desk could perform duties such as resetting password,
  unlocking accounts etc.
   
  The posting mentioned the following permissions:
   
  * allow Reset Password permission for user objects - grants permission
    to reset an account's password
  * allow Write lockoutTime permission for user objects - grants permission
    to unlock an account
  * allow Write pwdLastSet permission for user objects - grants permission
    to set the "User must change password at next logon" account property
  * allow Read AccountRestrictions permission for user objects - grants
    permission to read all account options
   
  Can someone explain what the last permission is actually providing or
  allowing to be Read?  If this permission is not set I can still click the
  Account tab of a user account and view the state of the account options.
   
  Regards
  David
  This message contains confidential information and is intended only for
  the individual or entity named. If you are not the named addressee you
  should not disseminate, distribute or copy this e-mail. Please notify the
  sender immediately by e-mail if you have received this e-mail by mistake
  and delete this e-mail from your system. E-mail transmission cannot be
  guaranteed to be secure or error-free as information could be
  intercepted, corrupted, lost, destroyed, arrive late or incomplete, or
  contain viruses. The sender therefore does not accept liability for any
  errors or omissions in the contents of this message which arise as a
  result of e-mail transmission. If verification is required please request
  a hard-copy version. This message is provided for informational purposes
  and should not be construed as an invitation or offer to buy or sell any
  securities or related financial instruments. GAM operates in many
  jurisdictions and is regulated or licensed in those jurisdictions as
  required.





[ActiveDir] Mailbox permissions under Exchange 2003

2006-02-27 Thread David Cliffe



Hi,
 
    I thought I might do well to post this here while I wait for my
subscription to one of the Exchange lists to get processed.  I find that I
don't understand the permissions model too well so I will try to explain
this as best I can.
 
    This concerns the following article -->
http://support.microsoft.com/kb/912918/   which our TAM had advised us
about because we have a Blackberry infrastructure in one of our domains
here  ( at least we do for now :-D ).  This Blackberry infrastructure uses
a service account within the domain to accomplish its tasks, so that
service account is the trustee I'm interested in at the moment.
 
    The resolution section of this article states that the trustee must be
granted the "Send As" permission on all user objects.  It suggests that we
apply this permission at the root of the domain naming context (for the
sake of this discussion please ignore the resolution suggestion for
administrative accounts).
 
    When I look at the ACL on the ORG level (top) in the Exchange System
Manager, I can see that this service account is currently [already]
granted "Full Control" (including "Send As"), and have confirmed that this
permission is being inherited all the way down to the mailbox store level.
Best I can tell (again, sorry I'm not an Exchange person), these
permissions map to the Config. partition in the forest, but yet some of
them have the same names ("Send As", "Receive As") that one would see on a
User Object in the domain partition.
 
    So my primary goal here is just to determine whether or not the
condition mentioned in this article has already been satisfied, or if I
will still need to grant "Send As" to the user objects in the domain.
Another goal (personally) is to try and understand the differences in
setting mailbox permissions from "Mailbox Rights" within ADUC (which I
understand is a representation of the mailbox store permissions, is that
right??) and setting them at, for example, the server level in the
config. partition (or from Exchange System Manager).
 
    For the second goal, any recommended reading or articles would be
great - thanks so much for your time!
 
-DaveC





RE: [ActiveDir] NTFRS Problems

2006-02-01 Thread David Cliffe
I can tell you that I used this KB as my guide to restore the SYSVOL
state on one of our domains about 4 months ago and it worked just fine.

 http://support.microsoft.com/kb/315457/en-us

If the journals on your DCs are inconsistent with each other, this may
be the best way to correct it.  Best advice is to ensure that there are
no underlying replication issues first, otherwise you might just be
wasting your time!

-DaveC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Wednesday, February 01, 2006 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTFRS Problems

Hello AD Experts,

Recently, I noticed inconsistencies in Sysvol among my domain controllers
and PDC while promoting a new replica DC in the domain, and it got stuck
on sysvol after 145 out of 250 policies. To test further, I created a
.txt file in the sysvol on the PDC and it didn't replicate to the other
DCs either. To make things even worse, the number of policies on the PDC
is not the same as on the other DCs.

After hours of troubleshooting and a phone call to M$, I was told by
Microsoft to perform a burflag authoritative (D4) restore on one domain
controller with good policy contents in Sysvol and a non-authoritative
(D2) restore on all the others.

Having the luxury of an AD replica lab, I performed the operation in the
lab environment but lost both the policies and scripts folders, and now
the servers don't even have Sysvols. I am not comfortable doing this
operation in the production environment.

Can anyone please share their experience with burflag restores? Any best
practices? Is there another way that I can resolve this issue without
performing a burflag restore?

Any ideas / suggestions are welcomed.


Regards,
Adeel

___
Adeel Ansari - Active Directory Admin.
SLB Enterprise Services
Houston, TX USA

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




[ActiveDir] Selectively grant permission modification?

2006-01-30 Thread David Cliffe



Hi,
 
    Just wanted to double check on this:
 
    Is it possible to delegate someone the ability to modify permissions of
an object, but only allow them to modify SOME of those permissions?  For
example, an email admin who normally does not modify object ACLs, but who
may need to grant the "SEND AS" object permission to random security
principals throughout the org.
 
    Sorry if this is a repeat question or the answer is obvious (I can take
a stab at it!).
 
Thanks,
DaveC

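The help-desk ACEs listed in the Delegation thread above (Reset Password, Write lockoutTime, Write pwdLastSet, Read AccountRestrictions), the Send As right from the Exchange mailbox thread, and the question in this message about letting someone grant only Send As can all be checked from the security descriptor of the OU. The script below is an added example, not code from the list or from Microsoft: it decodes the DACL from its SDDL form, reports which of those named rights a trustee holds on user objects, and lists who holds WRITE_DAC. Two points it makes concrete: Read AccountRestrictions is a property set, not an attribute, so the ACE carries the set's rightsGuid and covers every attribute whose attributeSecurityGUID points at it (userAccountControl, accountExpires and pwdLastSet among them), and the default user-object security descriptor already grants read on that set to Pre-Windows 2000 Compatible Access, which is why the Account tab stays readable without it; and WRITE_DAC (Modify Permissions) is a single bit on the object, so a trustee who has it can write any ACE and the DS ACL model offers no way to confine them to one extended right. The SDDL, SIDs and group roles are constructed; the GUIDs are the well-known schema and control-access-right GUIDs, to be confirmed against schemaIDGUID and rightsGuid in your own forest.

```python
"""Audit an AD security descriptor (as SDDL) for delegated rights.

Added example for the Delegation, mailbox Send As and "delegate only some
permissions" threads; not code from the list or from Microsoft.

Assumptions: the SDDL, SIDs and group roles below are constructed. Generic
rights (GR/GW/GX) are reported raw rather than expanded through the class's
generic mapping, and deny ACEs are listed separately rather than fed through
a full access check.
"""
import re
from dataclasses import dataclass

USER_CLASS           = "bf967aba-0de6-11d0-a285-00aa003049e2"  # class: user
RESET_PASSWORD       = "00299570-246d-11d0-a768-00aa006e0529"  # control access right
SEND_AS              = "ab721a54-1e2f-11d0-9819-00aa0040529b"  # control access right
LOCKOUT_TIME         = "28630ebf-41d5-11d1-a9c1-0000f80367c1"  # attribute
PWD_LAST_SET         = "bf967a0a-0de6-11d0-a285-00aa003049e2"  # attribute
ACCOUNT_RESTRICTIONS = "4c164200-20c0-11d0-a768-00aa006e0529"  # property set

# Access-mask bits behind the two-letter SDDL rights tokens.
RIGHT_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
              "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
              "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
              "GW": 0x40000000, "GR": 0x80000000}
RP, WP, CR, WD, GA = (RIGHT_BITS[k] for k in ("RP", "WP", "CR", "WD", "GA"))

NAMED_RIGHTS = {  # name -> (mask bit, object GUID the ACE must carry; "" on the ACE = all)
    "Reset Password":            (CR, RESET_PASSWORD),
    "Write lockoutTime":         (WP, LOCKOUT_TIME),
    "Write pwdLastSet":          (WP, PWD_LAST_SET),
    "Read Account Restrictions": (RP, ACCOUNT_RESTRICTIONS),
    "Send As":                   (CR, SEND_AS),
}
MODIFY_PERMISSIONS = "Modify Permissions (any ACE on the object)"


@dataclass(frozen=True)
class Ace:
    ace_type: str      # A / D (plain) or OA / OD (object-specific)
    flags: str         # CI, OI, IO, ID, ...
    mask: int
    object_guid: str   # attribute, property set or control right; "" = all
    inherit_guid: str  # object class the ACE is for; "" = every class
    sid: str

    @property
    def allow(self) -> bool:
        return self.ace_type in ("A", "OA")


def decode_mask(rights: str) -> int:
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string {rights!r}")
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHT_BITS[rights[i:i + 2]]   # KeyError on an unknown token
    return mask


def parse_dacl(sddl: str) -> list[Ace]:
    """ACEs of the D: component; the O:, G: and S: components are ignored."""
    m = re.search(r"D:[A-Z_]*((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:               # conditional / resource ACEs: out of scope
            raise ValueError(f"unsupported ACE {body!r}")
        t, flags, rights, obj, inh, sid = fields
        aces.append(Ace(t, flags, decode_mask(rights), obj.lower(), inh.lower(), sid))
    return aces


def rights_held(aces: list[Ace], sid: str) -> dict[str, set[str]]:
    """Named rights `sid` holds on user objects, split into allow and deny."""
    held = {"allow": set(), "deny": set()}
    for ace in aces:
        if ace.sid != sid or ace.inherit_guid not in ("", USER_CLASS):
            continue
        bucket = held["allow" if ace.allow else "deny"]
        full = bool(ace.mask & GA)
        for name, (bit, guid) in NAMED_RIGHTS.items():
            if (full or ace.mask & bit) and ace.object_guid in ("", guid):
                bucket.add(name)
        if full or ace.mask & WD:
            bucket.add(MODIFY_PERMISSIONS)
    return held


def write_dac_holders(aces: list[Ace]) -> set[str]:
    """Trustees allowed to rewrite the DACL. WRITE_DAC is all-or-nothing:
    the DS ACL model cannot restrict a holder to granting only Send As."""
    return {a.sid for a in aces if a.allow and a.mask & (WD | GA)}


# Constructed SIDs and descriptor, shaped like the .Sddl of an OU's ACL.
HELP_DESK  = "S-1-5-21-1004336348-1177238915-682003330-1105"
MAIL_ADMIN = "S-1-5-21-1004336348-1177238915-682003330-1106"
LEGACY_OPS = "S-1-5-21-1004336348-1177238915-682003330-1107"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(OA;CIIO;CR;{RESET_PASSWORD};{USER_CLASS};{HELP_DESK})"
    f"(OA;CIIO;WP;{LOCKOUT_TIME};{USER_CLASS};{HELP_DESK})"
    f"(OA;CIIO;WP;{PWD_LAST_SET};{USER_CLASS};{HELP_DESK})"
    f"(OA;CIIO;RP;{ACCOUNT_RESTRICTIONS};{USER_CLASS};{HELP_DESK})"
    f"(OA;CIIO;CR;{SEND_AS};{USER_CLASS};{MAIL_ADMIN})"
    f"(A;CI;WD;;;{LEGACY_OPS})"
    f"(A;CIIO;0x10;;;{LEGACY_OPS})"
)

if __name__ == "__main__":
    aces = parse_dacl(SAMPLE_SDDL)
    for role, sid in (("help desk", HELP_DESK), ("mail admin", MAIL_ADMIN),
                      ("legacy ops", LEGACY_OPS)):
        print(role, rights_held(aces, sid))
    print("can rewrite the DACL:", write_dac_holders(aces))
```

On a real OU, feed parse_dacl the SDDL string PowerShell exposes as the Sddl property of Get-Acl on the AD: drive, and compare write_dac_holders against the short list of groups that are supposed to own ACL changes; every other SID in that set is a trustee who can grant themselves Reset Password or Send As on any user under the OU regardless of what the object-specific ACEs say.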




FW: [ActiveDir] adfind question

2006-01-18 Thread David Cliffe



Whoops...sorry...and also  "-s base"
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
  Sent: Wednesday, January 18, 2006 6:07 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] adfind question
  
  Maybe you want "-h DC1" ?  Otherwise I'm not sure of the arg you're
  passing there.
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, January 18, 2006 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] adfind question


Hi -
 
I am trying to write a little batch file that will report various version
numbers to me on each DC to help monitor the W2k3 upgrade process. I am
having trouble getting adfind to report the objectVersion of the Schema.
When I run:
adfind -DC1 -b "CN=Schema,CN=Configuration,DC=myco,DC=private"
 
I get a torrent of stuff including the attribute that I want. (That is an
attribute, right?) When I try to filter or limit the output, I don't get
what I want. For example,
adfind -DC1 -b "CN=Schema,CN=Configuration,DC=myco,DC=private" objectVersion
Gives me a list of all of the objects under Schema.
 
How can I limit this? (Or, does anyone have a script that already checks
all this stuff?)
 
Thanks.
 
-- 
nme
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.14.20/233 - Release Date: 1/18/2006





RE: [ActiveDir] adfind question

2006-01-18 Thread David Cliffe



Maybe you want "-h DC1" ?  Otherwise I'm not sure of the arg you're
passing there.

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
  Sent: Wednesday, January 18, 2006 5:27 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] adfind question
  
  
  Hi -
   
  I am trying to write a little batch file that will report various version
  numbers to me on each DC to help monitor the W2k3 upgrade process. I am
  having trouble getting adfind to report the objectVersion of the Schema.
  When I run:
  adfind -DC1 -b "CN=Schema,CN=Configuration,DC=myco,DC=private"
  I get a torrent of stuff including the attribute that I want. (That is an
  attribute, right?) When I try to filter or limit the output, I don't get
  what I want. For example,
  adfind -DC1 -b "CN=Schema,CN=Configuration,DC=myco,DC=private" objectVersion
  Gives me a list of all of the objects under Schema.
   
  How can I limit this? (Or, does anyone have a script that already checks
  all this stuff?)
   
  Thanks.
   
  -- 
  nme





RE: [ActiveDir] Strange deleted object issue

2006-01-10 Thread David Cliffe



I'm not sure about W2K, but in 2003 I look at the metadata of objects in
the deleted objects container all the time to see which DC performed the
last write.  If you could get that info, wouldn't it help you to focus on
one DC?

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
  Sent: Tuesday, January 10, 2006 7:24 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Strange deleted object issue
  
  That won't work.
  You have to restore (reanimate) the object from the Deleted Objects
  container back into AD to run repadmin /showmeta GUID. Otherwise it won't
  work.
  I could be wrong..
   
  Besides, this won't help me figure out who deleted it or why the audit
  wasn't logged.
   
  p.s.- I have the Forestry book and think it's great and well worth the
  hefty price.
  On 1/10/06, Mark 
  Parris <[EMAIL PROTECTED]> 
  wrote: 
  If 
I recall, he reset the permissions on the ou/container which holds the 
deleted objects then you could query it with out reanimating anything. 
-Original Message-From: Tom Kern <[EMAIL PROTECTED]>Date: Tue, 10 Jan 
2006 17:03:11To:ActiveDir@mail.activedir.org 
Subject: Re: [ActiveDir] Strange deleted object issueI 
thought to do that you first have to reanimate the object from the Deleted 
Objects container before you can search on the GUID.The deletion occured 
in a Win2k forest. I think what you are talking about you can only do in a
Win2k3 DFL forest. Besides, that will only tell me the DC and time
the isDeleted attrib was set. It won't tell me the user or process that
deleted it. That's what I really need, and as my DCs seem to have mysteriously
stopped logging event id 630 or 565, I'm screwed. Thanks a lot.

On 1/10/06, Mark Parris <[EMAIL PROTECTED]> wrote:
Use repadmin to check the object's metadata; you can usually find the DC
where the deletion occurred and also who did it. The Active Directory
Forestry book by John Craddock is an excellent resource for this type of AD
audit.

-Original Message-
From: Tom Kern <[EMAIL PROTECTED]>
Date: Tue, 10 Jan 2006 15:53:18
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted object issue

It logged the creation/deletion. My question is: I've always had this policy set
and yet an account got deleted last night and I can't find any record of
it. The security logs have not been cleared and are set to stay for 7
days. Still, I know a user account ended up in the Deleted Objects
container with a whenChanged date of 20060109202458. Someone/something
must have deleted it and there is no entry in the event logs of any
DC. What gives?
Thanks

On 1/10/06, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
Create a user account, then delete it. Note which DC you're
connected to for the delete, then check the security log on that DC. Look at
all of the events around the time you deleted the account so that you'll
know what is actually getting logged.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Tuesday, January 10, 2006 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted object issue

Yes. Thanks. I just have 2 issues.
1. I don't understand why I get that error in ldp when I enter the OID control
for deleted objects.
2. Most importantly, I had audit account management enabled for success and
failure on my domain controllers OU and auditing enabled for Everyone for
everything on the entire domain object, yet when I use EventCombMT to scan
for an event id 630 in the security log, I get nothing. This account was
deleted last night so something should show up with this auditing enabled,
no? Do I have to set some other security policy like audit directory service
access as well? I figured account management should cover deleting a user
object.
Thanks

On 1/10/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
I've deleted the rest of the thread already, but did you not already say you
found him in the deleted items using ADFIND -showdel? Or did I
misread that and you're still looking for him?

On 1/10/06, Tom Kern <[EMAIL PROTECTED]> wrote:
I'm just using ADUC and searching by sAMAccountName. With LDP,
I'm looking in the Deleted Objects container, but this company never deletes
user accounts, just disables them indefinitely, so all I see in that
container are linkTrackOMTEntry objects. How can I see if the user
was renamed? I got a call from the help desk that this user couldn't log
in and they couldn't find him in AD using ADUC, which I confirmed. He's
been with the corp for 5 years and I was assured he always had an
account.
Thanks

On 1/10/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
How do you know he's missing exactly?  I mean, are you sure the account
wasn't changed for example
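The check Hunter and Tom are circling around, as an added example that is not part of the thread: take the security-log records you already exported (EventCombMT, dumpel, or any per-DC export), convert the deleted object's whenChanged generalizedTime (20060109202458 in Tom's case) to a timestamp, and look for the events that should sit right next to it, 630 (User Account Deleted) and 565 (Object Open from directory service access auditing). The log lines below are constructed and their tab-separated column layout is an assumption, not EventCombMT's real format. An empty result is itself a finding: either the DC that performed the delete was not in the export, or the audit policy is not actually applied on that DC.

```python
"""Scan exported security-log records for the events that should accompany a
user-object deletion (event 630 'User Account Deleted', event 565 'Object
Open' for directory service access) in a window around the deleted object's
whenChanged timestamp.

Added example for this thread; the log records below are constructed, not
real EventCombMT output, and their column layout is an assumption.
"""
from datetime import datetime, timedelta

# Event ids the thread is looking for (Windows 2000/2003 security log).
EVENT_NAMES = {
    630: "User Account Deleted",
    565: "Object Open (Directory Service Access)",
}


def parse_generalized_time(value: str) -> datetime:
    """Parse an AD generalizedTime such as 20060109202458 or 20060109202458.0Z.
    The value is UTC; the trailing '.0Z' is optional in exports."""
    core = value.split(".")[0].rstrip("Z")
    return datetime.strptime(core, "%Y%m%d%H%M%S")


def parse_record(line: str) -> dict:
    """Constructed tab-separated layout: time, event id, caller, target, dc."""
    time_s, event_s, caller, target, dc = line.rstrip("\n").split("\t")
    return {
        "time": datetime.strptime(time_s, "%Y-%m-%d %H:%M:%S"),
        "event": int(event_s),
        "caller": caller,
        "target": target,
        "dc": dc,
    }


def find_deletion_evidence(lines, when_changed, window_minutes=10):
    """Return records for events 630/565 within +/- window of whenChanged,
    oldest first. Records outside the window or for other event ids are
    ignored; blank lines in the export are skipped."""
    centre = parse_generalized_time(when_changed)
    lo = centre - timedelta(minutes=window_minutes)
    hi = centre + timedelta(minutes=window_minutes)
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["event"] in EVENT_NAMES and lo <= rec["time"] <= hi:
            rec["name"] = EVENT_NAMES[rec["event"]]
            hits.append(rec)
    return sorted(hits, key=lambda r: r["time"])


# Constructed sample export: one logon (528) that is not of interest, the
# 565/630 pair on DC02 that matches the whenChanged value, and an unrelated
# deletion hours later on DC01.
SAMPLE_LOG = """\
2006-01-09 20:10:02\t528\tCORP\\jdoe\t-\tDC01
2006-01-09 20:24:57\t565\tCORP\\svc-prov\tCN=John Smith,OU=Users,DC=corp,DC=local\tDC02
2006-01-09 20:24:58\t630\tCORP\\svc-prov\tjsmith\tDC02
2006-01-09 23:15:00\t630\tCORP\\admin2\ttempuser\tDC01
"""

if __name__ == "__main__":
    for rec in find_deletion_evidence(SAMPLE_LOG.splitlines(True), "20060109202458"):
        print(rec["time"], rec["event"], rec["name"], rec["caller"], rec["target"], rec["dc"])
```

Run it against one export per DC; the `dc` column tells you which DC to pull the full log from, and the `caller` is the account (or service) that did the delete.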

RE: [ActiveDir] [OT] Locating which OU a specific use account is in

2006-01-04 Thread David Cliffe



Sorry...just love the use of the possessive
in the reference below!  :-D

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: Wednesday, January 04, 2006 12:57 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Locating which OU a specific use account is in
  
  Script?  Have you seen Joeware.net's adfind.exe ?
  How about DSQUERY? 
   
  If you really wanted to do that in script you could.  There are likely
  enough examples to cobble together something like that on scriptcenter
  (technet).
   
  Does that help? If not, can you expand on why you would want to know the 
  OU a user is in?  Do you need to write this to a file? Use it for 
  something else?  
  On 1/4/06, Navroz 
  Shariff <[EMAIL PROTECTED]> 
  wrote: 
  
Dear list,
 
Does anyone know of a script 
that, when a domain username is entered, would locate which OU the account 
is located in if, for the sake of argument, the OU structure in AD was 
designed in a way that user accounts were separated? 
 
Thanks in
advance,
 
-Nav
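The parsing half of what Nav asked for, as an added example (not code from the thread or from adfind/dsquery): once you have the user's distinguishedName from dsquery or adfind, the OU is simply everything after the first RDN, but a naive split on commas breaks on names with escaped commas such as "Smith\, John", which is exactly the case a directory with "Last, First" display names hits. The DNs below are constructed; the lookup table stands in for the directory query.

```python
"""Derive the OU (parent container) of a user from its distinguishedName.

Added example for Nav's question; the DNs below are constructed. Assumes the
caller already retrieved the DN (e.g. with dsquery user -samid <name> or
adfind), which the thread recommends; this only does the parsing step.
"""


def split_dn(dn: str) -> list:
    """Split an LDAP DN into its RDNs, honouring backslash escapes so that a
    value such as 'CN=Smith\\, John' is not broken at the escaped comma."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def parent_container(dn: str) -> str:
    """Return the DN of the container that holds the object: everything after
    the first RDN."""
    rdns = split_dn(dn)
    if len(rdns) < 2:
        raise ValueError("DN has no parent: %r" % dn)
    return ",".join(rdns[1:])


def ou_path(dn: str) -> list:
    """Return the OU chain from the top of the domain down to the object's
    immediate OU, e.g. ['Staff', 'Finance'] for ...,OU=Finance,OU=Staff,DC=...
    Objects that live in a container (CN=Users) rather than an OU give []."""
    ous = [r[3:] for r in split_dn(dn)[1:] if r[:3].upper() == "OU="]
    return list(reversed(ous))


# Constructed sample directory: sAMAccountName -> distinguishedName
SAMPLE_USERS = {
    "jsmith": "CN=Smith\\, John,OU=Finance,OU=Staff,DC=corp,DC=example",
    "mjones": "CN=Mary Jones,CN=Users,DC=corp,DC=example",
}


def locate_user(sam: str, directory=SAMPLE_USERS) -> dict:
    """Look up a username and report where in the OU structure it lives."""
    dn = directory[sam]
    return {"dn": dn, "container": parent_container(dn), "ou_path": ou_path(dn)}


if __name__ == "__main__":
    for sam in SAMPLE_USERS:
        print(sam, locate_user(sam))
```

To use it against a live domain, replace `SAMPLE_USERS` with the DN returned by `dsquery user -samid <name>` and feed that string to `locate_user`'s helpers.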
 
 

To find out more about Reuters visit www.about.reuters.com

Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.




RE: [ActiveDir] DNS issue

2005-12-13 Thread David Cliffe



Hi Antonio,
 
    This could be a starting point for you 
-->  http://support.microsoft.com/default.aspx?scid=kb;en-us;229840

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
  Sent: Tuesday, December 13, 2005 12:28 PM
  To: ActiveDir@mail.activedir.org
  Subject: [spam] [ActiveDir] DNS issue
  
  
  I have a bit of a problem and I'm hoping someone can help me.  The
  forwarding tab is grayed out.  It won't allow me to add an IP for
  forwarding unresolved queries.  It said that forwarding is not available
  because this is a root server.  What does this mean and how can I change
  it?

   
  Thanks
   
  Antonio





RE: [ActiveDir] Scripting/WMI/MONAD - was FSMO role transfer

2005-12-01 Thread David Cliffe
Subject line change noted :-D

"You know that the scriptomatic 2 HTA will create Perl script that does
WMI right"

I do now!  I have to admit that I have only skimmed (and have mostly
been avoiding) the "Script Center" because I really wanted to sit down
*away from work*  and look at its offerings.  I never dug enough to
realize this was one of them, so thanks for that!

-DaveC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, December 01, 2005 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting/WMI/MONAD - was FSMO role transfer

You know that the scriptomatic 2 HTA will create Perl script that does
WMI right

I am not a huge fan of WMI but there are times in the scripting world, if
you want to stick to pure script, when it is the only way to do what you
want, and I will use it if I don't have time (or ability, as in the case
of mailbox reconnects or getting info on what DCs are being used by
DSACCESS) to write native code to do what I need.

If you have perl in your pocket there really is no need to learn
vbscript other than enough to look at examples which doesn't take much
learning. 

MONAD might be worth learning but I am still not sure about it. They
have scaled it back so much from what they were initially talking about
when I thought, that is seriously cool. I certainly don't feel that it
is going to turn a bunch of people into scripters by just being
released. The model will confuse the crap out of most people as it is
even more involved than vbscript which people don't want to learn
because it is too much like programming. I have made some
recommendations to folks at MS all the way up to Iain McDonald (great
guy) that all of the MS management tools should have a switch to output
MONAD code so that someone could do something once in the GUI and get a
MONAD script generated automatically that does the same thing.
Then they can tweak that to do other things. It is the only way I
visualize that MONAD will really take off like people seem to think it
will, at least over and above perl and vbscript. In other words, I don't
see anything there that will take someone who wasn't a scripter and
wasn't thinking about being a scripter to become one. You will have the
same bunch of yahoos writing scripts but they will be doing it in MONAD
instead of vbscript or VB. It is sort of like .NET in general, it
certainly didn't produce a whoosh of a zillion new coders. Some of the
folks that were already writing in other languages adopted it, some,
older school, steadfastly avoided it. Personally I might consider .NET
for a web site, other than that, not really. If it becomes ubiquitous
and MS actually starts coding low level system and kernel stuff in it I
might start looking at it. As it stands right now I feel the same way
that many of my friends do, one of whom has renamed .NET to .FAT, which I
think is pretty funny. He even told me if I started writing my tools in
it he would refuse to use them. I expect there are others. Maybe MS
needs to rename it because I know when I hear .NET I think fat and lazy.
I don't know why, I just do. I have seen enough posts in the newsgroups
of issues and limitations and don't feel the benefits outweigh them. 


  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, November 30, 2005 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Well, I just think that most of the people in the command line and/or
scripting "camp" like to encourage others to learn to use them simply
because they feel it's to your benefit.  I don't think they really like
to promote the "you're not a real admin..." sentiment.  Or at least I
hope not
:-)  Right now in my org, I'm in the minority using the CLI.  I just
prefer working that way and don't knock my colleagues for their methods,
but rather show them other ways to get at the info they need.

CLI and scripting fosters your knowledge of what's happening in the
background, helps you learn the product and truly is a great way to
automate tasks!  (if not THE way)

For the longest time I've been meaning to learn VBscript, but haven't
devoted enough time to go for it yet.  From what I've seen so far, it
scares me  :-P  but I still intend to give it a shot.  I've been getting
by with Perl and CMD shell for now (I came from a KSH/*nix background).
Have you seen some of the sample command shell scripts Dean has put
together?  Or the stuff that Alain Lissoir can do with WMI?  Wow!

Anyway, this topic has drifted further now, but I'm going to resist the
urge to change the subject line.  The last time I did that, we had a
little side bit just on the fact that the subject line changed! :-D

-DaveC

-Original 

RE: [ActiveDir] FSMO role transfer

2005-11-30 Thread David Cliffe
Well, I just think that most of the people in the command line and/or
scripting "camp" like to encourage others to learn to use them simply
because they feel it's to your benefit.  I don't think they really like
to promote the "you're not a real admin..." sentiment.  Or at least I
hope not :-)  Right now in my org, I'm in the minority using the CLI.  I
just prefer working that way and don't knock my colleagues for their
methods, but rather show them other ways to get at the info they need.

CLI and scripting fosters your knowledge of what's happening in the
background, helps you learn the product and truly is a great way to
automate tasks!  (if not THE way)

For the longest time I've been meaning to learn VBscript, but haven't
devoted enough time to go for it yet.  From what I've seen so far, it
scares me  :-P  but I still intend to give it a shot.  I've been getting
by with Perl and CMD shell for now (I came from a KSH/*nix background).
Have you seen some of the sample command shell scripts Dean has put
together?  Or the stuff that Alain Lissoir can do with WMI?  Wow!

Anyway, this topic has drifted further now, but I'm going to resist the
urge to change the subject line.  The last time I did that, we had a
little side bit just on the fact that the subject line changed! :-D

-DaveC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, November 30, 2005 5:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Susan,

"THANK YOU !!!"

There are a >LOT< of people on this list that do not believe that real
Admins use the GUI.  Some believe that you're not a real Admin if you
do.  I do.  I have to.  I can't allocate time to learn scripting right
now because I'm overworked as is.  I'll just leave it at that.

RH
__


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, November 30, 2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FSMO role transfer




If the task is that trivial
If the benefit is so great
Why isn't it part of the AD snap ins as a one button task?



David Adner wrote:
> I'm not debating the effort it takes to make the change.  I'm saying I
> don't see the point in devoting whatever amount of effort it takes for
> something that's going to provide benefit only, IMO, an extremely rare
> case.  And if that case happened, the corrective action is also a
> trivial process.  And again, I'm not saying I don't see your point; I
> just don't agree with it.
>
>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Bahta 
>> Nathaniel V Contractor NASIC/SCNA
>> Sent: Wednesday, November 30, 2005 12:32 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] FSMO role transfer
>>
>> That process is trivial in itself.  It does not take much to transfer
>> the roles before you conduct maintenance on a server.  Why not do it?
>> It will save you cleaning up metadata after you seize a role of a
>> failed operations master.  Sounds like a stitch in nine saves time
>> concept to me.  I do not intend on taking every proactive measure
>> either, but when it comes to the small and quickly implemented
>> measures that could save plenty of time, I try to utilize all of them
>> available.
>>
>> Is that agreeable?
>>
>> Nathaniel Vincent Bahta
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
>> Sent: Wednesday, November 30, 2005 1:24 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] FSMO role transfer
>>
>> Any proper maintenance plan has a backout plan and a recovery plan, 
>> so I am preparing for the possibility of an unexpected problem.  If 
>> I'm pulled into a dark room because something goes wrong then I 
>> should feel confident I'll leave that room with my hide mostly 
>> intact; it may be slightly singed, but I can live with that.  If 
>> management isn't the reasonable type then that's a different issue.
>>
>> If your philosophy is to take every proactive measure ahead of time 
>> possible, then that's fine.  I just don't see the point with regards 
>> to FSMO roles when the recovery action is a relatively trivial 
>> process.  This is obviously a matter of personal preference so I'm 
>> not trying to convince others to change.  I just found the concept 
>> unusual so I thought I'd share.
>>
>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED] On Behalf Of 
>>> [EMAIL PROTECTED]
>>> Sent: Wednesday, November 30, 2005 10:16 AM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: RE: [ActiveDir] FSMO role transfer
>>>
>>> I would rather, as stated earlier, assess the risk and then act 
>>> ap

RE: [ActiveDir] [Slightly OT] Protecting objects not covered by AdminSDHolder

2005-11-16 Thread David Cliffe
nually for all my protected objects and thus cause sdprop to re-ACL 
>these objects. [see above]
>
>Our preferred approach right now is to simply place the 'protected'
>objects inside a special OU and hide/protect those objects with 
>appropriate perms. I shall investigate Jorge's suggestion too, though, 
>since that ensures that the perms are enforced and refreshed on an 
>hourly basis. [I shall also test the admincount change mechanism just 
>for completeness :) ]
>
>Thanks again,
>neil
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
>Sent: 16 November 2005 07:31
>To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] [Slightly OT] Protecting objects not covered 
>by AdminSDHolder
>
>Morning all, (at least here it is)
>
>When users or groups are protected by the adminSDholder object they 
>"just" end up with the DACL from it where inheritance is disabled so 
>the objects don't get any DACL from a parent OU
>
>Another approach is:
>When it is possible to have those custom users/groups in a same OU 
>without any other object, do that and configure strong protective DACL 
>on the OU those to-be-protected-users/groups are in.
>
>You can ask yourself: why are those groups you want to protect in the 
>OU where stuff has been delegated? If they are protected the delegates 
>will not be able to manage them, so you might as well put them in a 
>separate OU configure other DACL.
>
>Remember that an OU structure is based upon three things:
>(1) Delegation of control
>(2) Hiding objects
>(3) Applying GPOs
>
>The groups you want to protect could fit in (1) and/or (2)
>
>So if you have the possibility to do what I have mentioned here, it is
>preferred to do that instead of what I have said earlier
>
>Cheers.
>
>Jorge
>
>
>
>From: [EMAIL PROTECTED] on behalf of Almeida Pinto, 
>Jorge de
>Sent: Tue 11/15/2005 11:13 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] [Slightly OT] Protecting objects not covered 
>by AdminSDHolder
>
>
>To make a protected member of a protected group a NON-PROTECTED object 
>you need to:
>* remove his membership from the protected group
>* enable inheritance again on the object
>* set the admincount attribute to 0 or to 
>
>What is said is that by removing the member from a protected group, 
>inheritance will not be changed automatically and the admincount 
>attribute will also not be changed automatically. All must be changed 
>manually and when reverting the object back to a non-protected object it
>is best to do all three!
>
>So, yes I also agree with those recommendations
>
>Jorge
>
>
>
>From: [EMAIL PROTECTED] on behalf of David Cliffe
>Sent: Tue 11/15/2005 9:56 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] [Slightly OT] Protecting objects not covered 
>by AdminSDHolder
>
>
>Jorge --> "The group membership of a protected group is the criteria 
>the process looks at, not the attribute value of 1. The admincount 
>attribute is just an administrative measure for the process that says 
>"been here", nothing else."
>
> This implies that if you later go back and remove a user from any
>protected groups, you can then go set his ACL back to what you want,
>and not have to worry about the admincount attribute still having a
>value of 1, right?  Only reason I ask is because I could have sworn
>I've seen recommendations on this list to set that attribute back to 0
>after removing all protected group memberships, so just double checking.
>Maybe there were other factors involved in those previous
>recommendations which I didn't read close enough!
>
> Also, interesting approach to the original poster's question.
>Thanks!
>
>-DaveC
>
>
>
>
>   From: [EMAIL PROTECTED]
>   [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
>   Sent: Tuesday, November 15, 2005 3:22 PM
>   To: ActiveDir@mail.activedir.org
>   Subject: RE: [ActiveDir] Protecting objects not covered by AdminSDHolder
>
>
>   That sounds logical. However the adminsdholder process only looks at
>users and groups that are defined in AD as protected objects.
>As mentioned in MS-KBQ817433 - "Delegated permissions are not available
>and inheritance is automatically disabled" it is possible to include or
>exclude some of the default admin groups (account operators, print
>operators, etc.) The process that checks obje

RE: [ActiveDir] [Slightly OT] Protecting objects not covered by AdminSDHolder

2005-11-15 Thread David Cliffe



Jorge --> "The group membership of a 
protected group is the criteria the process looks at, not the attribute value of 
1. The admincount attribute is just an administrative measure for the process 
that says "been here", nothing else."
 
    This implies that if you later go 
back and remove a user from any protected groups, you can then 
go set his ACL back to what you want, and not have to worry about the 
admincount attribute still having a value of 1, right?  Only reason I ask 
is because I could have sworn I've seen recommendations on this list to set that 
attribute back to 0 after removing all protected group memberships, so just 
double checking.  Maybe there were other factors involved in those previous 
recommendations which I didn't read close enough!
 
    Also, interesting approach to 
the original poster's question.  Thanks!
 
-DaveC

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
  Sent: Tuesday, November 15, 2005 3:22 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Protecting objects not covered by AdminSDHolder
  
  
  That sounds logical. However the 
  adminsdholder process only looks at users and groups that are defined in 
  AD as protected objects. As mentioned in MS-KBQ817433 - "Delegated permissions 
  are not available and inheritance is automatically disabled" it is possible to 
  include or exclude some of the default admin groups (account operators, print
  operators, etc.) The process that checks objects against the adminSDHolder
  object only looks at that definition of protected objects and in case of 
  groups it will also look at its members. It resets the DACL to match the DACL 
  of the adminSDHolder object and sets the admincount attribute to 1. The group 
  membership of a protected group is the criteria the process looks at, not the 
  attribute value of 1. The admincount attribute is just an administrative 
  measure for the process that says "been here", nothing else.
  So, to add custom groups as 
  protected groups in AD, MS should see if it is interesting to implement in 
  Longhorn.
  There is a way however to implement your 
  own protected groups. (I think it will work)
  How to do that?
  * Take a protected group (weakest one 
  possible)
  * Create a distribution group with a name 
  like "Custom_Protected_Groups_Definition" and make that a member of the actual 
  protected group
  * Put all custom users and groups 
  directly into the distribution group that need to be protected by 
  adminSDHolder
   
  Now what will happen?
  The adminSDHolder process sees the 
  memberships (transitive included) and protects them.
  When a user logs on, he will be a member 
  of the distribution group "Custom_Protected_Groups_Definition" but the SID of 
  the actual (security) protected group will not be in the access token of the 
  user.
  If a distribution group is a member of a 
  security group, the members of the distribution group will not be transitive 
  security members of the security protected group as the distribution group 
  blocks the security group membership
   
  There is a catch however!  -> DO NOT EVER CONVERT THE
  DISTRIBUTION GROUP TO A SECURITY GROUP! (doing this will lift the security
  group membership block and the users/group will suddenly get the SID of the
  protected security group in their access token!)
   
  I agree with Al you should be very careful changing the 
  configuration of the DACL of the adminSDHolder object! Remember that object 
  protects the default (very strong) users and groups!
  Cheers,
  Jorge
  (cool: I think I just wrote something nice for my blog)
  
  
  
  From: [EMAIL PROTECTED] on behalf of Al Mulnick
  Sent: Tue 11/15/2005 7:04 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Protecting objects not covered by AdminSDHolder
  
  That's interesting.  As far as I can tell, the
  adminsdholder is just a process that runs on the PDCe that wakes up and
  checks for all objects that have admincount set to 1.  For each it
  finds, it ensures that they reflect the permissions set according to the
  adminsdholder reference.

  My first pass at this would be to do likewise
  with a custom app vs. trying to piggy back on the adminsdholder
  routine.  The reason I say this is that I wouldn't want any kind of
  confusion in the settings and it's generally not a recommended solution to
  modify the adminsdholder.  Can be very bad if you do so
  incorrectly.

  Any reason a script or other app wouldn't be a
  choice?  I realize you're looking for apps that already exist first,
  but just curious what the boundaries are. :)

  Al

  >From: <[EMAIL PROTECTED]>
  >Reply-To: ActiveDir@mail.activedir.org
  >To:
  >Subject: [ActiveDir] Protecting objects not covered by AdminSDHolder
  >Date: Tue, 15 Nov 2005 16:16:24 -
  >
  >[I appreciate and understand the role of adminsdholder
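The clean-up problem raised in both AdminSDHolder threads above (DaveC's "do I still have to reset admincount" question and Jorge's three-step answer: remove the membership, re-enable inheritance, reset adminCount), turned into a check you can run over an export of your directory. This is an added example, not code from the thread: it walks the member attribute of the protected groups transitively, treating nested distribution groups as pass-through the way Jorge's "Custom_Protected_Groups_Definition" trick relies on (that behaviour is taken from his post, not verified here), and reports accounts that still carry adminCount=1 or blocked inheritance without being in the protected set. The group and user data are constructed, and the protected-group list is a stand-in for the real default set from KB 817433.

```python
"""Find accounts that carry adminCount=1 but are no longer (transitive) members
of any protected group: the leftovers the thread talks about, which keep the
AdminSDHolder DACL and blocked inheritance until someone cleans them up.

Added example, not code from the thread. The directory below is constructed.
Assumption: SDProp treats every nested member of a protected group as
protected, whatever the nested group's type, as Jorge describes; the list of
protected groups is a constructed stand-in for the real default set.
"""

# Constructed group definitions: DN -> (group kind, member DNs)
GROUPS = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=example":
        ("security", ["CN=Custom_Protected_Groups_Definition,OU=Groups,DC=corp,DC=example",
                      "CN=alice,OU=Staff,DC=corp,DC=example"]),
    "CN=Custom_Protected_Groups_Definition,OU=Groups,DC=corp,DC=example":
        ("distribution", ["CN=ServiceDesk,OU=Groups,DC=corp,DC=example"]),
    "CN=ServiceDesk,OU=Groups,DC=corp,DC=example":
        ("security", ["CN=bob,OU=Staff,DC=corp,DC=example"]),
    "CN=Marketing,OU=Groups,DC=corp,DC=example":
        ("security", ["CN=carol,OU=Staff,DC=corp,DC=example"]),
}
PROTECTED_GROUPS = ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]

# Constructed user attributes: DN -> {adminCount, inheritance blocked?}
# carol was removed from Domain Admins but nobody reset her object afterwards.
USERS = {
    "CN=alice,OU=Staff,DC=corp,DC=example": {"adminCount": 1, "inheritance_blocked": True},
    "CN=bob,OU=Staff,DC=corp,DC=example":   {"adminCount": 1, "inheritance_blocked": True},
    "CN=carol,OU=Staff,DC=corp,DC=example": {"adminCount": 1, "inheritance_blocked": True},
    "CN=dave,OU=Staff,DC=corp,DC=example":  {"adminCount": 0, "inheritance_blocked": False},
}


def transitive_members(group_dn, groups=GROUPS, seen=None):
    """Walk the member attribute recursively; 'seen' guards against cycles."""
    seen = set() if seen is None else seen
    result = set()
    for member in groups.get(group_dn, (None, []))[1]:
        if member in seen:
            continue
        seen.add(member)
        result.add(member)
        if member in groups:  # nested group: descend regardless of its type
            result |= transitive_members(member, groups, seen)
    return result


def protected_objects(protected=PROTECTED_GROUPS, groups=GROUPS):
    """Everything SDProp would stamp: the protected groups themselves plus all
    of their nested members."""
    out = set(protected)
    for g in protected:
        out |= transitive_members(g, groups)
    return out


def orphaned_admincount(users=USERS, protected=PROTECTED_GROUPS, groups=GROUPS):
    """Users still flagged adminCount=1 that SDProp no longer protects. These
    are the ones to fix by hand: re-enable inheritance and reset adminCount."""
    prot = protected_objects(protected, groups)
    return sorted(dn for dn, attrs in users.items()
                  if attrs["adminCount"] == 1 and dn not in prot)


def still_blocked_but_unprotected(users=USERS, protected=PROTECTED_GROUPS, groups=GROUPS):
    """Same idea for the ACL side: inheritance disabled on an object that is
    not in the protected set."""
    prot = protected_objects(protected, groups)
    return sorted(dn for dn, attrs in users.items()
                  if attrs["inheritance_blocked"] and dn not in prot)


if __name__ == "__main__":
    print("protected:", sorted(protected_objects()))
    print("orphaned adminCount=1:", orphaned_admincount())
    print("inheritance blocked but unprotected:", still_blocked_but_unprotected())
```

The two report functions deliberately stay separate: an object can be in one list and not the other (adminCount reset by hand but inheritance never re-enabled, or the reverse), and both states are worth a ticket.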

RE: [ActiveDir] some users do not have allow "inheritable permissions" set

2005-11-10 Thread David Cliffe



Hi Ben,
 
    Putting aside AdminSDHolder for a
moment...maybe you were looking for the  /P:N  option instead?
Of course this may increase the number of ACEs on the object more than what
you'd like, but I saw the  /I:T  thing and thought that's more
applicable to the parent object, rather than the leaf object.  Hopefully I
understood correctly...
 
-DaveC

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
  Sent: Thursday, November 10, 2005 1:19 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] some users do not have allow "inheritable permissions" set
  
  Just out of curiosity when you go back an hour later is 
  the box unchecked?  This really sounds like the work of AdminSDHolder and 
  the users in question are likely members of protected groups.  If you 
  have not looked at the following Knowledge Base article you may 
  want to see if this is what you are running into: http://support.microsoft.com/default.aspx?scid=kb;en-us;817433.
   
  Thanks,
   
  -Steve
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben D. Kusa
  Sent: Wednesday, November 09, 2005 7:17 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] some users do not have allow "inheritable permissions" set
  
  
  Some users do not have allow "inheritable permissions" set. The only way I have
  found to reset that setting is to open each user and check that option
  off.

  I have tried running dsacls OU=ou,DC=dc,DC=dc /I:T and it seems to go through ok
  but does not reset that option. Should that work? Or does anyone know any
  other way to set that option on multiple users?

  Thanks
  Ben
  
   
   





RE: [ActiveDir] Authenticated drive mapping via .vbs

2005-10-13 Thread David Cliffe



Hi Devon,
 
    Assuming that the client machine is a 2000/XP 
domain member, it should sync time on its own [with a local DC] via the w32time 
service.  Apologies if not a domain member...will have to defer that one to 
the VBers then :-)
 
-DaveC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, October 13, 2005 3:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Authenticated drive mapping via .vbs

  
  
  Quotes work.
  Now I just need to be able to sync time with my local DC via .vbs.

  In my batch file, I have the standard:

  net time /domain:mydomain /set /yes > nul

  How would this work in VBScript?

  -Devon
   
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
  Sent: Thursday, October 13, 2005 1:59 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Authenticated drive mapping via .vbs
   
  Sorry, 
  username and password need to be in quotes.
   
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
  Sent: Thursday, October 13, 2005 12:04 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Authenticated drive mapping via .vbs
   
  I seem to be getting a syntax error on the comma or space after the
  username.
   
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
  Sent: Thursday, October 13, 2005 11:49 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Authenticated drive mapping via .vbs
   
  Set objNet = CreateObject("Wscript.Network")
  MsgBox "Mapping Drive letter for IPCC Access"
  objNet.RemoveNetworkDrive "I:"
  objNet.MapNetworkDrive "I:", "\\10.1.0.103\DESKTOP_CFG", False, ipccuser, password
   
  I’ve attached the script I use for 
  mapping drives on all our clients.  It’s a little customized for our 
  environment, but it allows you to map based on group (included nested) 
  membership as well as characteristics of the IP 
  address.
   
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
  Sent: Thursday, October 13, 2005 10:10 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Authenticated drive mapping via .vbs
   
  What would be the correct way to convert this batch file to a .vbs?

  Echo Mapping Drive letter for IPCC Access
  if exist i:\ net use i: /delete
  net use i: \\10.1.0.103\DESKTOP_CFG password  /user:ipccuser /PERSISTENT:NO

  Devon Harding
  Windows Systems Engineer
  Southern Wine & Spirits - BSG
  954-602-2469
   
  
  
  
  
  __
  This message and any attachments are solely for the intended recipient
  and may contain confidential or privileged information. If you are not
  the intended recipient, any disclosure, copying, use or distribution of
  the information included in the message and any attachments is
  prohibited. If you have received this communication in error, please
  notify us by reply e-mail and immediately and permanently delete this
  message and any attachments. Thank You.
  

-
Visit our Internet site at http://www.reuters.com

To find out more about Reuters Products and Services visit http://www.reuters.com/productinfo 

Any views expressed in this message are those of  the  individual
sender,  except  where  the sender specifically states them to be
the views of Reuters Ltd.




RE: [ActiveDir] oldcmp

2005-10-10 Thread David Cliffe



Assuming you've chosen to output OLDCMP's report 
switch to CSV format, you could start with something like below.  
In this example, "oldcmp.txt" is the name of the output file you've generated 
with OLDCMP.
 
Hope it helps give you some ideas...probably not 
really the polished version  : - )
-DaveC
 
 
# perl

# Set up an output file...
open ( OUT , "> oldcmp-sams.txt" ) ;

# Read in the existing CSV/TXT file...
open ( LOG , "< oldcmp.txt" ) ;
@a = <LOG> ;
close LOG ;

# Get rid of all lines that don't begin with a DN (matched case-insensitively,
# so "CN=" and "cn=" both pass)...
for $i ( @a ) {
    push ( @b , $i ) if ( $i =~ /^cn=/i ) ;
}

# Keep just the samaccountname, which is the 3rd field in joe's output in this case...
for $j ( @b ) {
    push ( @c , ( split ( /;/ , $j ) ) [2] ) ;
}

# Write out that last array to a file...
print OUT join ( "\n" , @c ) ;
close OUT ;

# End!

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
  Sent: Monday, October 10, 2005 4:21 AM
  To: ActiveDir@mail.activedir.org
  Subject: [spam] Re: [ActiveDir] oldcmp
  
  I'm trying to get rid of all those fields except sAMAccountName with
  perl.

  Any ideas?

  Can oldcmp take as input the same file it created to disable
  accounts?

  Anyway, I'd like to know how to parse that file in perl and get rid of
  all the fields except that one and use that file as input to oldcmp or ds*
  commands with For, to disable just some accounts that oldcmp finds.

  Thanks
  On 10/9/05, joe 
  <[EMAIL PROTECTED]> 
  wrote: 
  
Noyup
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Sunday, October 09, 2005 9:10 AM
To: activedirectory
Subject: [ActiveDir] oldcmp


Is there any way to just dump the sAMAccountName from oldcmp for
inactive computers to CSV?
I want to filter all the default fields out (pwdLastSet, dn, cn, etc).
Thanks
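The same parsing job as DaveC's Perl, as an added example that is neither joe's code nor oldcmp's, carried one step further toward what Tom actually wants: keep the sAMAccountName column, pick only the accounts whose pwdLastSet is older than a cut-off, and emit the per-account lines a FOR loop would feed to dsmod. The report lines are constructed; the only format facts taken from the thread are that record lines start with the DN, fields are ';'-separated and sAMAccountName is the third field. The raw 64-bit pwdLastSet column is an extra assumption added so the FILETIME-to-date conversion (100-nanosecond ticks since 1601-01-01 UTC) can be shown, since that conversion is the usual stumbling block with this attribute.

```python
"""Parse an oldcmp-style CSV report, keep only the sAMAccountName column, and
turn the stale accounts into lines to feed to ds* commands.

Added example for Tom's question, not joe's or oldcmp's own code. The report
lines are constructed: the real oldcmp column order is not reproduced here
beyond what the thread states (records start with the DN, fields are
';'-separated, sAMAccountName is the 3rd field). The raw pwdLastSet integer
column is an extra assumption, included to show the FILETIME conversion.
"""
from datetime import datetime, timedelta

EPOCH_1601 = datetime(1601, 1, 1)


def filetime_to_datetime(ft: int) -> datetime:
    """pwdLastSet/lastLogon are 100-ns ticks since 1601-01-01 UTC. A value of 0
    means 'never set / must change at next logon' and comes back as 1601."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used here to build the sample data."""
    return int((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_report(text: str) -> list:
    """Return dicts for the record lines only; header/summary lines that do
    not start with a DN are dropped, as the thread's Perl does."""
    rows = []
    for line in text.splitlines():
        if not line.lower().startswith("cn="):
            continue
        fields = line.split(";")
        rows.append({
            "dn": fields[0],
            "cn": fields[1],
            "sAMAccountName": fields[2],
            "pwdLastSet": filetime_to_datetime(int(fields[3])),
        })
    return rows


def stale_sams(text: str, now: datetime, days: int) -> list:
    """sAMAccountNames whose pwdLastSet is older than 'days' at 'now'."""
    cutoff = now - timedelta(days=days)
    return [r["sAMAccountName"] for r in parse_report(text) if r["pwdLastSet"] < cutoff]


def dsmod_lines(rows) -> list:
    """One 'dsmod computer <DN> -disabled yes' per record; the DN comes from
    the report itself rather than being rebuilt from the name."""
    return ['dsmod computer "%s" -disabled yes' % r["dn"] for r in rows]


# Constructed sample report, built relative to a fixed 'now' so the ages are
# deterministic.
NOW = datetime(2005, 10, 10, 12, 0, 0)


def _ft(days_ago: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=days_ago))


SAMPLE_REPORT = "\n".join([
    "oldcmp report (constructed header line, skipped by the parser)",
    "CN=WS001,OU=Workstations,DC=corp,DC=example;WS001;WS001$;%d" % _ft(120),
    "CN=WS002,OU=Workstations,DC=corp,DC=example;WS002;WS002$;%d" % _ft(5),
    "CN=SRV01,OU=Servers,DC=corp,DC=example;SRV01;SRV01$;%d" % _ft(200),
    "3 objects listed (constructed trailer line, skipped)",
])

if __name__ == "__main__":
    print("all accounts:", [r["sAMAccountName"] for r in parse_report(SAMPLE_REPORT)])
    print("stale > 90 days:", stale_sams(SAMPLE_REPORT, NOW, 90))
    stale = [r for r in parse_report(SAMPLE_REPORT) if r["sAMAccountName"] in stale_sams(SAMPLE_REPORT, NOW, 90)]
    print("\n".join(dsmod_lines(stale)))
```

Review the generated dsmod lines before running them; the point of emitting text rather than acting is that a wrong cut-off or a mis-parsed column shows up as a readable list, not as a batch of disabled servers.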





RE: [ActiveDir] Modifying Domain Admins & Administrators Group

2005-10-06 Thread David Cliffe
Hi joe...I've seen you make this reference in the past and can't
remember if you've elaborated on it as well (sorry for not searching -
feel free to refer me...getting late here).  Since we use the same idea
mentioned by Diane below, but *do* use LDAP as the method...

...should we be using "net user" [or some distant cousin of it]
additionally to catch memberships not returned by LDAP?  Was that it?

Thanks!
-DaveC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 8:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

How does it work? Do you use LDAP to look at the membership? If so, you
probably have a hole in the implementation.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Thursday, October 06, 2005 2:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group 

We run a simple process that monitors the members of elevated privilege
groups.  Any changes trigger a notification.  Doesn't address the
prevention but will allow you to capture the occurrence and deal with it
appropriately.

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Thursday, October 06, 2005 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Modifying Domain Admins & Administrators Group 

Hi,

We have about 7 domain administrators in a particular child domain. I
just found out someone added the DBA Group to part of the Administrators
group in this domain. Not necessary, not required nor is it a policy.
Event logs have obviously been overwritten therefore I would like to
know the simplest method to avoid this scenario from ever happening
again.

What are my options?

Thank you so much.
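An added example (not code from the thread) of the kind of monitor Diane describes, written to close one gap a member-attribute-only LDAP check has: a user whose primaryGroupID is the group's RID is a member but never appears in the group's member attribute, and nested groups add a second layer. The directory snapshot, DNs and baseline below are constructed for the example.

```python
"""Added example: effective membership of privileged AD groups from an
LDAP snapshot, diffed against a baseline. Not code from the thread.

Two gaps of a naive `member`-attribute check are handled:
  1. primaryGroupID: a user whose primaryGroupID equals the group's RID
     is a member but is NOT listed in the group's `member` attribute.
  2. nesting: members of a member group are members too.
"""
from typing import Dict, Optional, Set, Tuple

DOMAIN = "DC=child,DC=example,DC=com"           # constructed
DA_DN = f"CN=Domain Admins,CN=Users,{DOMAIN}"
ADMINS_DN = f"CN=Administrators,CN=Builtin,{DOMAIN}"
DBA_DN = f"CN=DBA Group,OU=Groups,{DOMAIN}"
ALICE = f"CN=Alice,OU=Admins,{DOMAIN}"
BOB = f"CN=Bob,OU=Admins,{DOMAIN}"
DAVE = f"CN=Dave,OU=DBAs,{DOMAIN}"

# Constructed snapshot: DN -> attributes an LDAP search would return.
# "rid" stands in for the last sub-authority of objectSid.
SNAPSHOT: Dict[str, dict] = {
    DA_DN: {"objectClass": "group", "rid": 512, "member": [ALICE]},
    ADMINS_DN: {"objectClass": "group", "rid": 544, "member": [DA_DN, DBA_DN]},
    DBA_DN: {"objectClass": "group", "rid": 1105, "member": [DAVE]},
    ALICE: {"objectClass": "user", "primaryGroupID": 513},
    BOB: {"objectClass": "user", "primaryGroupID": 512},  # DA via primary group
    DAVE: {"objectClass": "user", "primaryGroupID": 513},
}

# Groups to watch, and the last membership that was accepted (constructed).
WATCHED = [DA_DN, ADMINS_DN]
BASELINE: Dict[str, Set[str]] = {DA_DN: {ALICE, BOB}, ADMINS_DN: {ALICE, BOB}}


def member_attribute_only(snapshot: Dict[str, dict], group_dn: str) -> Set[str]:
    """The naive check: direct users listed in `member`. Misses Bob."""
    return {dn for dn in snapshot[group_dn]["member"]
            if snapshot[dn]["objectClass"] == "user"}


def effective_members(snapshot: Dict[str, dict], group_dn: str,
                      seen: Optional[Set[str]] = None) -> Set[str]:
    """Users in group_dn via `member`, nested groups, or primaryGroupID."""
    seen = seen if seen is not None else set()
    if group_dn in seen:                # guard against nested-group cycles
        return set()
    seen.add(group_dn)
    group = snapshot[group_dn]
    users: Set[str] = set()
    for dn in group["member"]:
        if snapshot[dn]["objectClass"] == "group":
            users |= effective_members(snapshot, dn, seen)
        else:
            users.add(dn)
    # primaryGroupID members never show up in `member`
    users |= {dn for dn, attrs in snapshot.items()
              if attrs["objectClass"] == "user"
              and attrs.get("primaryGroupID") == group["rid"]}
    return users


def current_membership(snapshot: Dict[str, dict]) -> Dict[str, Set[str]]:
    return {g: effective_members(snapshot, g) for g in WATCHED}


def diff_membership(baseline: Dict[str, Set[str]], current: Dict[str, Set[str]]
                    ) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Per group: (added, removed). Unchanged groups are omitted."""
    changes: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for g, now in current.items():
        added = now - baseline.get(g, set())
        removed = baseline.get(g, set()) - now
        if added or removed:
            changes[g] = (added, removed)
    return changes


if __name__ == "__main__":
    for g, (added, removed) in diff_membership(BASELINE, current_membership(SNAPSHOT)).items():
        print(f"ALERT {g}: added={sorted(added)} removed={sorted(removed)}")
```

Run against the snapshot it reports Dave entering Administrators through the DBA Group, the case Devan describes, while the naive check of Domain Admins would never have shown Bob at all.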


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Decrypt the Pwdlastset value

2005-09-08 Thread David Cliffe



Hi Yann,

Before I knew about joe's ADFIND (with the nice -tdc switch!), I used to use
w32tm /ntte for doing that :-)

-DaveC
Reuters IS&T Service Delivery


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Thursday, September 08, 2005 1:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Decrypt the Pwdlastset value


Hello everybody :o)
Glad to come again to this list ;o)
Is there a way to decrypt the Pwdlastset value into a readable format other
than using the acctinfo.dll?
I'd like to import users via csvde and dump the pwdlastset attribute, but I
don't understand the format :(
Ex: pwdLastSet = 127705607715645384
Yann
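The value Yann quotes is a Windows FILETIME: a 64-bit count of 100-nanosecond intervals since 1 January 1601 UTC, which is what w32tm /ntte and adfind -tdc decode. As an added example that is not code from the thread, the following Python does the same conversion, handles the 0 sentinel, and reads a constructed csvde-style export; the sample rows and names are made up.

```python
"""Added example (not from the thread): decode AD FILETIME attributes such
as pwdLastSet / lastLogon, and read them out of a csvde-style CSV dump.
The csvde sample below is constructed, not a real export."""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_DIFF_SECONDS = 11_644_473_600      # 1601-01-01 -> 1970-01-01
HUNDRED_NS_PER_SECOND = 10_000_000
NEVER = 0x7FFF_FFFF_FFFF_FFFF            # "never" sentinel (e.g. accountExpires)


def filetime_to_datetime(value: int) -> Optional[datetime]:
    """UTC datetime for a FILETIME, or None for the sentinels.

    pwdLastSet == 0 means the password was never set (or "must change at
    next logon"); NEVER is used by attributes like accountExpires."""
    if value <= 0 or value == NEVER:
        return None
    # FILETIME is 100 ns units; timedelta works in microseconds (/10).
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def filetime_to_unix(value: int) -> float:
    """Same value as seconds since the Unix epoch."""
    return value / HUNDRED_NS_PER_SECOND - EPOCH_DIFF_SECONDS


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion (resolution 1 microsecond, i.e. 10 FILETIME units)."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    seconds = delta.days * 86400 + delta.seconds
    return seconds * HUNDRED_NS_PER_SECOND + delta.microseconds * 10


def password_age_days(pwd_last_set: int, now: Optional[datetime] = None) -> Optional[int]:
    """Whole days since the password was set; None if it was never set."""
    when = filetime_to_datetime(pwd_last_set)
    if when is None:
        return None
    now = now if now is not None else datetime.now(timezone.utc)
    return (now - when).days


# Constructed csvde-style export: header row, DN quoted because it has commas.
CSVDE_SAMPLE = """DN,sAMAccountName,pwdLastSet
"CN=Yann,OU=Users,DC=example,DC=com",yann,127705607715645384
"CN=svc,OU=Users,DC=example,DC=com",svc,0
"""


def decode_csvde(text: str) -> List[Tuple[str, Optional[str]]]:
    """(sAMAccountName, ISO-8601 UTC pwdLastSet or None) per row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        when = filetime_to_datetime(int(row["pwdLastSet"]))
        rows.append((row["sAMAccountName"],
                     None if when is None else when.replace(microsecond=0).isoformat()))
    return rows


if __name__ == "__main__":
    for sam, when in decode_csvde(CSVDE_SAMPLE):
        print(f"{sam}: pwdLastSet = {when or 'never set'}")
```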
 


 





RE: [ActiveDir] NNTP

2005-09-07 Thread David Cliffe



Here I thought maybe it was just too many acronyms :)  Good to know.
Thanks Michael!

-DaveC
Reuters IS&T Service Delivery


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, September 07, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NNTP


http://blogs.technet.com/exchange/archive/2004/06/07/150295.aspx

It would be required in order to get the NNTP snap-in. It's part of the
adminpack.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, September 07, 2005 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NNTP
 
Sorry this doesn't answer the NNTP question, but are you sure that it is
required for the Exchange 2003 management tools??  I've only found that SMTP
is required for those...not sure why NNTP would be!

-DaveC
Reuters IS&T Service Delivery
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Wednesday, September 07, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NNTP

Hello,

I am facing the same problem but with Windows XP SP2. When I go to Add/Remove
Windows Components and choose the IIS, inside I can't see the NNTP; I can see
the common files, SMTP, WWW, all others but not NNTP. I tried to remove all the
IIS and re-install with no use, re-installed SP2 then IIS, no use. Of course I
have the Windows 2003 Admin Pack, and the Windows 2003 Service Pack 1 admin
pack, which was supposed to install the NNTP as the documents say, but it
didn't. Removed and reinstalled admin pack, and can't get NNTP yet: no NNTP
services in the services, if I try to create a virtual NNTP it says there is
no NNTP service, if I try net start nntpsvc it says the service doesn't exist.
I need to install the Exchange 2003 management tools and I can't without the
NNTP. Any help will be appreciated,
thanks




RE: [ActiveDir] NNTP

2005-09-07 Thread David Cliffe



Sorry this doesn't answer the NNTP question, but are you sure that it is
required for the Exchange 2003 management tools??  I've only found that SMTP
is required for those...not sure why NNTP would be!

-DaveC
Reuters IS&T Service Delivery


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Wednesday, September 07, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NNTP


Hello,

I am facing the same problem but with Windows XP SP2. When I go to Add/Remove
Windows Components and choose the IIS, inside I can't see the NNTP; I can see
the common files, SMTP, WWW, all others but not NNTP. I tried to remove all the
IIS and re-install with no use, re-installed SP2 then IIS, no use. Of course I
have the Windows 2003 Admin Pack, and the Windows 2003 Service Pack 1 admin
pack, which was supposed to install the NNTP as the documents say, but it
didn't. Removed and reinstalled admin pack, and can't get NNTP yet: no NNTP
services in the services, if I try to create a virtual NNTP it says there is
no NNTP service, if I try net start nntpsvc it says the service doesn't exist.
I need to install the Exchange 2003 management tools and I can't without the
NNTP. Any help will be appreciated,

thanks,





RE: [ActiveDir] OT: UPDATE: Questions about hotfix 903235 (MS05-037)

2005-08-31 Thread David Cliffe



Just an update here (FYI) -

A Microsoft tech. on the forums pointed out to me that the IE Cumulative
Update 896727 from bulletin MS05-038 supersedes the hotfix 903235 in
MS05-037.  Once the cumulative update is applied, MBSA v2 no longer reports
on the former.  Forty lashes to me for not reading more carefully first :-)

-DaveC
Reuters IS&T Service Delivery


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, August 25, 2005 3:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)

Thanks Rick/Deji.

Interesting that your MBSA v2 is reporting on it OK.  Maybe I am the
only one  :-o

I have worked around issues (2) and (3) [below] for now, and will take a
moment to offer my opinion on (1).

Here we have a hotfix/bulletin that has been given a critical rating, as
have many other hotfixes before and after it.  From a customer's viewpoint,
I would like some consistency in the manner in which these hotfixes are
reported as being installed.  This has gotten better by the way, but I don't
find 903235 to be a good example.

During the time when I am reporting on installed instances, the technical
details about each hotfix (what it does/how it does it) are not important to
me.  I want to verify it's been installed and I want to rely on a consistent
method to do so.

In this particular case, if there are OS/SP specific reasons why one reg key
has to be used in favor of another, then so be it, but then I suggest there
may be an error in the documented bulletin, where at least the XP SP2 section
should direct us to the "Installed Components" subkey, rather than the
"ActiveX Compatibility" subkey.

-DaveC
Reuters IS&T Service Delivery


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, August 25, 2005 2:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)


Inline…….
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, August 25, 2005 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)
 

Hi -

I've posted this elsewhere, but thought maybe not a bad idea to run it past
this list for those that don't mind (thanks).  I've seen the following
behavior with regard to this hotfix 903235:

(1) The bulletin MS05-037 states to check here for its existence (post
installation):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}

In the past, the 'norm' for IExpress-type patches has been here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8ade8c02-8da6-4ec1-a9ee-ec00ff73ce98}

[note: GUID above is specific to this hotfix]  Why this change in
documentation?

[RTK]  Not a change in documentation.  The hotfix sets bits in the running
of the actual component, so the compatibility flags are manipulated, rather
than new moving parts.  I acknowledge that the location changes, but this is
due to how the hotfix affects the installed component, JView Profiler.

(2) I find that the SRVINFO tool does NOT identify this hotfix on SP1 (XP)
and SP4 (2000) machines.  Was expecting to see it under the "Internet
Explorer 6" subheading of the SRVINFO output for these O/S.

[RTK] Can’t confirm or deny this one…..  Don’t have SRVINFO currently on
anything

(3) I find that MBSA v.2 neither identifies it as installed nor identifies
it as missing on SP1/2 (XP) and SP4 (2000) machines.  Can anyone else
corroborate these findings?  I'm told by our TAM that nobody else has
reported this yet.

[RTK]  MBSA on my systems detect that it is either installed or not
installed.

Thanks!

-DaveC
Reuters IS&T Service Delivery

RE: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)

2005-08-25 Thread David Cliffe



Thanks Rick/Deji.

Interesting that your MBSA v2 is reporting on it OK.  Maybe I am the
only one  :-o

I have worked around issues (2) and (3) [below] for now, and will take a
moment to offer my opinion on (1).

Here we have a hotfix/bulletin that has been given a critical rating, as
have many other hotfixes before and after it.  From a customer's viewpoint,
I would like some consistency in the manner in which these hotfixes are
reported as being installed.  This has gotten better by the way, but I don't
find 903235 to be a good example.

During the time when I am reporting on installed instances, the technical
details about each hotfix (what it does/how it does it) are not important to
me.  I want to verify it's been installed and I want to rely on a consistent
method to do so.

In this particular case, if there are OS/SP specific reasons why one reg key
has to be used in favor of another, then so be it, but then I suggest there
may be an error in the documented bulletin, where at least the XP SP2 section
should direct us to the "Installed Components" subkey, rather than the
"ActiveX Compatibility" subkey.

-DaveC
Reuters IS&T Service Delivery


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, August 25, 2005 2:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)


Inline…….
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, August 25, 2005 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)
 

Hi -

I've posted this elsewhere, but thought maybe not a bad idea to run it past
this list for those that don't mind (thanks).  I've seen the following
behavior with regard to this hotfix 903235:

(1) The bulletin MS05-037 states to check here for its existence (post
installation):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}

In the past, the 'norm' for IExpress-type patches has been here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8ade8c02-8da6-4ec1-a9ee-ec00ff73ce98}

[note: GUID above is specific to this hotfix]  Why this change in
documentation?

[RTK]  Not a change in documentation.  The hotfix sets bits in the running
of the actual component, so the compatibility flags are manipulated, rather
than new moving parts.  I acknowledge that the location changes, but this is
due to how the hotfix affects the installed component, JView Profiler.

(2) I find that the SRVINFO tool does NOT identify this hotfix on SP1 (XP)
and SP4 (2000) machines.  Was expecting to see it under the "Internet
Explorer 6" subheading of the SRVINFO output for these O/S.

[RTK] Can’t confirm or deny this one…..  Don’t have SRVINFO currently on
anything

(3) I find that MBSA v.2 neither identifies it as installed nor identifies
it as missing on SP1/2 (XP) and SP4 (2000) machines.  Can anyone else
corroborate these findings?  I'm told by our TAM that nobody else has
reported this yet.

[RTK]  MBSA on my systems detect that it is either installed or not
installed.

Thanks!

-DaveC
Reuters IS&T Service Delivery




[ActiveDir] OT: Questions about hotfix 903235 (MS05-037)

2005-08-25 Thread David Cliffe



Hi -

I've posted this elsewhere, but thought maybe not a bad idea to run it past
this list for those that don't mind (thanks).  I've seen the following
behavior with regard to this hotfix 903235:

(1) The bulletin MS05-037 states to check here for its existence (post
installation):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}

In the past, the 'norm' for IExpress-type patches has been here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8ade8c02-8da6-4ec1-a9ee-ec00ff73ce98}

[note: GUID above is specific to this hotfix]  Why this change in
documentation?

(2) I find that the SRVINFO tool does NOT identify this hotfix on SP1 (XP)
and SP4 (2000) machines.  Was expecting to see it under the "Internet
Explorer 6" subheading of the SRVINFO output for these O/S.

(3) I find that MBSA v.2 neither identifies it as installed nor identifies
it as missing on SP1/2 (XP) and SP4 (2000) machines.  Can anyone else
corroborate these findings?  I'm told by our TAM that nobody else has
reported this yet.

Thanks!

-DaveC
Reuters IS&T Service Delivery





RE: [ActiveDir] OT: HP disk upgrade..

2005-08-24 Thread David Cliffe



I didn't see mention of RAID controller or O/S version, but do they support
logical drive extension?  If so, how about this?  (though probably not much
faster!)

- Backup data (if important enough...as you said this already is a backup)
- Remove one physical drive from the enclosure
- Replace it with a 300GB drive and let it rebuild completely
- Repeat this sequence 3 more times until all drives are 300GB
- Extend logical drive to full capacity via array config. utility
- Do same under O/S (Win 2003 "diskpart" utility is good for this)

Just a thought.

-DaveC
Reuters IS&T Service Delivery


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, August 23, 2005 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk upgrade..


I believe that since they are backups, you have some flexibility.  For one
thing, you can move the data around and store it on just one disk if you
wanted to ([EMAIL PROTECTED] ~216GB vs. one 300GB disk) and then after the
upgrade, move it back.  I'm sure there are other variations.

It would seem a little odd to backup a backup in order to accomplish this.
You pretty much just need some temporary space while you do this.

Al


From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Tue 8/23/2005 4:04 AM
To: Active
Subject: [ActiveDir] OT: HP disk upgrade..

Hi,
Sorry for the OT, I have a HP server with an MSA enclosure attached which 
is complete with 14 x 72gb disks. The enclosure uses 4 x 
72gb disks in a RAID5 set which are used to store backups. I need to 
upgrade these 4 disks with new 300gb disks. The disks are not used for any 
other purpose besides storing backups.
 
My initial thought was to do the following:
 
Backup the drive
Break the array
Remove existing disks
Insert new disks
Create new Array
 
Is there a better way to do it, or should this method work?
 
thanks
 - Frank




RE: [spam] [ActiveDir] w2k domain - sp3 to sp4

2005-08-17 Thread David Cliffe
We ran into an unusual problem with the Nortel Contivity VPN client
v.4.65 for this upgrade.  I won't waste space here, but you're welcome
to get me offlist for more info. if it applies (or if anyone else cares
:D ).

-DaveC
Reuters IS&T Service Delivery

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Wednesday, August 17, 2005 1:20 PM
To: ActiveDir@mail.activedir.org
Subject: [spam] [ActiveDir] w2k domain - sp3 to sp4

Our AD is based on Windows 2000 sp3 machines. With the advent of the
ms05-039 worms our computer security people are requiring that all
Windows systems have the patch applied or lose network access. Since the
patch isn't available for sp3 we want to apply sp4 (and patches). Is
there anything we should watch for in doing this?

tia, al
-- 

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]


RE: [ActiveDir] user dump

2005-08-15 Thread David Cliffe
Please don't get me wrong, I find REPADMIN extremely useful, but
sometimes I wish the help syntax were a little clearer.  Possibly this
is because this single command can do so many things!

For example, with regard to syntax below, I didn't realize that /subtree
and /filter had to be used together.  I was about to write that I could
not get it to enumerate users either, but then realized I forgot the
filter, so thanks for pointing that out!

Sometimes it's hard to distinguish from the help syntax when a parameter
is required or optional.  Is this just me?  When it requires an
argument, I'm usually pretty clear on that.

-DaveC
Reuters IS&T Service Delivery

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 15, 2005 11:30 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] user dump

For example -

repadmin /viewlist odyssey.mset.local ncobj:domain: /subtree
/filter:"(objectcategory=person)" 

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Monday, August 15, 2005 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] user dump

Hi Bryan,

I checked Repadmin and could not find the switch for a dump of the
account list. What is the correct syntax?
---

RepAdmin syntax

Open command prompt now.

repadmin command arguments [/u:[domain\]user /pw:{password|*}]

Parameters
command
Represents one of the commands listed below. 
arguments
Specifies the arguments applying to command. 
/u:[domain\]user
Specifies an optional user (from an optional domain) as the
administrator.
If the user name and password are not specified, RepAdmin uses the
credentials of the currently logged-on user. 
/pw:{password|*}
Specifies the password of the user specified by the /u: switch. If the
user name and password are not specified, RepAdmin uses the credentials
of the currently logged-on user. 
Commands and arguments
These are the commands supported by RepAdmin, followed by the arguments
for each one.

/sync Naming_Context Destination_DSA Source_DSA_UUID [/force] [/async]
[/full] [/addref] [/allsources] Starts a replication event for the
specified naming context between the source and destination domain
controllers. The source DSA UUID can be determined when viewing the
replication partners with the repadmin /showreps command. 
/force
Overrides the normal replication schedule. 
/async
Starts the replication event, but RepAdmin does not wait for the
replication event to complete. 
/full
Forces a full replication of all objects from the destination DSA. 
/syncall Destination_DSA [Naming_Context] [Flags] /kcc [DSA] [/async]
/async RepAdmin does not wait for the replication event to complete. 
/bind [DSA]
/propcheck Naming_Context Originating_DSA_Invocation_ID Originating_USN
[DSA_from_which_to_enumerate_host_DSAs]
/getchanges Naming_Context [Source_DSA] [/cookie:file]
- Or -
/getchanges Naming_Context [Destination_DSA] Source_DSA_UUID [/verbose]
[/statistics] /showreps [Naming_Context] [DSA [Source_DSA_UUID]]
[/verbose] [/unreplicated] [/nocache] Displays the replication partners
(RepsFrom and
RepsTo) for each naming context that is held on the specified domain
controller. Enumerating each RepsFrom and each RepsTo for each domain
controller can help the administrator to visualize the replication
topology for each naming context. The output also indicates whether the
domain controller is also a Global Catalog server. 
/showvector Naming_Context [DSA] [/nocache] Displays the up-to-datedness
information for a specified naming context. This vector indicates how up
to date a replica is with its replication partners. 
/showmeta Object_DN [DSA] [/nocache]
Displays the replication metadata for any object stored in Active
Directory such as attribute ID, version number, originating and local
Update Sequence Number (USN), and originating DSA's GUID and date/time
stamp. By comparing the replication metadata for the same object on
different domain controllers, an administrator can determine whether
replication has taken place. 
/showtime [Windows_2000_Directory_Service_Time_Value]
With no arguments displays the current system time in both the directory
service format and string format. The string format displays both the
local and UTC time zones. Alternatively, Showtime accepts a directory
service time value and converts it to string format for both the local
and the UTC time zones. 
/showmsg Win32_error_number
Takes as an argument the Win32 error number and displays the Win32 error
text. 
/showism [Transport_DN] [/verbose]
Must be executed locally. 
/showsig [DSA]
/showconn [DSA] [{Container_DN | DSA_UUID}] Default is local site. 
/showcert [DSA]
/showctx [DSA] [/nocache]
/queue [DSA]
/failcache [DSA]
Terminology
In the command and argument listings, these terms are used:



RE: [ActiveDir] Lots of issues

2005-08-12 Thread David Cliffe
Replying off-list...

-DaveC
Reuters IS&T Service Delivery

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 12, 2005 7:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: lots of issues

OK. I can reboot it, but a Linux boot disk doesn't work.
Any other ideas besides a parallel OS install?
Thanks

On 8/12/05, Tom Kern <[EMAIL PROTECTED]> wrote:
> No.
> They only got DA access to the child domain from legal.
> This server was a root domain DC that was demoted to a member server.
> The only logon possible is local SAM. It's running DHCP/DNS so they
> don't want to reboot it, and they're afraid it will never come up too.
>
> The info I'd really like are the DNS zone files and DHCP config, which
> I can't get without local admin access.
>
>
> I guess I'm outta luck.
>
> On 8/12/05, ASB <[EMAIL PROTECTED]> wrote:
> > Beyond that issue, have they no legal recourse?
> >
> > -ASB
> >
> > On 8/12/05, Tom Kern <[EMAIL PROTECTED]> wrote:
> > > This company is in a jam I've yet to have seen.
> > >
> > > They outsourced AD/Exchange and when they tried to get it back,
> > > the outsource firm demoted their DCs that are physically present
> > > at the company. Some of these former DCs dhcp and dns.
> > > Now no one knows the local admin password and connectivity between
> > > the root has been severed.
> > > No one wants to go the Linux pw disk route because they can't
> > > reboot the server.
> > > There's no way I can get local system access to this server that I
> > > can think of.
> > >
> > > Is there any other way to change or get the local admin password
> > > of what is now essentially a stand-alone server?
> > > I know this is bordering on "hacking" so I understand if I get no
> > > response.
> > > Just curious if there is a way to do this without a server reboot.
> > > Thanks a lot.


RE: [ActiveDir] last scripting question, I promise :)

2005-08-12 Thread David Cliffe
Nah - I regret that last line...I know you're under the gun a bit right
now.  Sorry for being a sarcastic b-- !

-DaveC
Reuters IS&T Service Delivery

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 12, 2005 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] last scripting question, I promise :)

gotcha.
sorry for being lazy.
thanks

On 8/12/05, David Cliffe <[EMAIL PROTECTED]> wrote:
> For the DHCP context under an XP system...
> 
> netsh add helper dhcpmon.dll
> 
> After this, hopefully it should work.  A little research Tom  :-D
> 
> -DaveC
> Reuters IS&T Service Delivery
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Friday, August 12, 2005 10:33 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] last scripting question, I promise :)
> 
> Why is it when I type "netsh dhcp server" or "netsh dhcp", I get
> command not found?
> I'm running this on a Win XP SP2 box.
> 
> thanks
> 
> On 8/12/05, Almeida Pinto, Jorge de
> <[EMAIL PROTECTED]> wrote:
> > try NETSH
> >
> > http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/netsh_dhcp.mspx
> > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/09e89260-0759-4d6a-8fca-cf98b34cb1cd.mspx
> >
> > http://www.windowsitpro.com/Windows/Article/ArticleID/4/4.html
> >
> > Jorge
> >
> >
> > 
> >
> > From: [EMAIL PROTECTED] on behalf of Tom Kern
> > Sent: Fri 8/12/2005 3:43 PM
> > To: activedirectory
> > Subject: [ActiveDir] last scripting question, I promise :)
> >
> >
> >
> > This is one I couldn't find any resource on: how can I script
> > assigning DHCP scopes and options to Win2k DHCP servers?
> >
> > We have a ton of scopes here and manually doing it is a huge pain.
> > can this be scripted via WMI or some other way in windows 2000?
> >
> > thanks guys
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ: http://www.activedir.org/ListFAQ.aspx
> > List archive:
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
> >
> >
> > This e-mail and any attachment is for authorised use by the intended
> recipient(s) only. It may contain proprietary material, confidential 
> information and/or be subject to legal privilege. It should not be 
> copied, disclosed to, retained or used by, any other party. If you are

> not an intended recipient then please promptly delete this e-mail and 
> any attachment and all copies and inform the sender. Thank you.
> >
> >
> 
> 
> -
>Visit our Internet site at http://www.reuters.com
> 
> To find out more about Reuters Products and Services visit 
> http://www.reuters.com/productinfo
> 
> Any views expressed in this message are those of  the  individual 
> sender,  except  where  the sender specifically states them to be the 
> views of Reuters Ltd.
> 


RE: [ActiveDir] last scripting question, I promise :)

2005-08-12 Thread David Cliffe
For the DHCP context under an XP system...

netsh add helper dhcpmon.dll

After this, hopefully it should work.  A little research Tom  :-D

-DaveC
Reuters IS&T Service Delivery

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 12, 2005 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] last scripting question, I promise :)

why is it when i type "netsh dhcp server" or "netsh dhcp", i get command
not found?
I'm running this on a win xp sp2 box.

thanks

On 8/12/05, Almeida Pinto, Jorge de
<[EMAIL PROTECTED]> wrote:
> try NETSH
> 
> http://www.microsoft.com/resources/documentation/windows/xp/all/proddo
> cs/en-us/netsh_dhcp.mspx 
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library
> /ServerHelp/09e89260-0759-4d6a-8fca-cf98b34cb1cd.mspx
> 
> http://www.windowsitpro.com/Windows/Article/ArticleID/4/4.html
> 
> Jorge
> 
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Tom Kern
> Sent: Fri 8/12/2005 3:43 PM
> To: activedirectory
> Subject: [ActiveDir] last scripting question, I promise :)
> 
> 
> 
> This is one I couldn't find any resource on- How can I script 
> assigning DHCP scopes and options to Win2k DHCP servers?
> 
> We have a ton of scopes here and manually doing it is a huge pain.
> can this be scripted via WMI or some other way in windows 2000?
> 
> thanks guys
> 
> 
> 
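The bulk-scope problem Tom raises in this thread is usually handled by generating a netsh script and feeding it to `netsh -f` on a box where the dhcp context loads (on XP that means the `netsh add helper dhcpmon.dll` step above). The Python below is an added example written for this page; it is not code from the thread or from Microsoft. The server name DHCP01, the scope list and the option codes it sets (003 router, 006 DNS servers, 015 DNS domain name) are constructed for illustration, and the command lines follow the documented `netsh dhcp server` grammar from the links in Jorge's reply, so check them against `netsh dhcp server scope ?` on your own server before running the output. The useful part is the validation: each scope's pool and router are checked to sit inside the scope's own subnet before a single command is emitted, so a typo does not leave a half-created scope behind.

```python
"""Generate a netsh script that creates DHCP scopes and options in bulk.

Added example (not from the mailing-list thread).  Assumptions:
- DHCP01 is a hypothetical Windows DHCP server name.
- SAMPLE_SCOPES is constructed sample data.
- Commands follow the documented "netsh dhcp server" syntax; run the
  output with:  netsh -f scopes.txt   (lines in a -f script omit "netsh").
"""
import ipaddress

# Standard DHCP option numbers used below.
OPT_ROUTER = "003"        # IPADDRESS
OPT_DNS_SERVERS = "006"   # IPADDRESS (one or more)
OPT_DNS_DOMAIN = "015"    # STRING

# Constructed sample scopes: network, pool start/end, router, DNS, domain.
SAMPLE_SCOPES = [
    {"network": "10.1.0.0/24", "name": "Floor1", "comment": "Floor 1 clients",
     "range": ("10.1.0.20", "10.1.0.200"), "router": "10.1.0.1",
     "dns": ["10.1.0.10", "10.1.0.11"], "domain": "corp.example"},
    {"network": "10.1.1.0/24", "name": "Floor2", "comment": "Floor 2 clients",
     "range": ("10.1.1.20", "10.1.1.200"), "router": "10.1.1.1",
     "dns": ["10.1.0.10", "10.1.0.11"], "domain": "corp.example"},
]


def validate_scope(scope):
    """Reject a scope whose pool or router lies outside its own subnet.

    netsh would fail part-way through (leaving a half-built scope) on such
    input, so the check runs before any command is emitted.
    """
    net = ipaddress.ip_network(scope["network"], strict=True)
    start, end = (ipaddress.ip_address(a) for a in scope["range"])
    router = ipaddress.ip_address(scope["router"])
    if not (start in net and end in net and router in net):
        raise ValueError(f"{scope['name']}: range/router not inside {net}")
    if start >= end:
        raise ValueError(f"{scope['name']}: pool start must precede pool end")
    if router in (net.network_address, net.broadcast_address):
        raise ValueError(f"{scope['name']}: router is the network/broadcast address")
    return net


def scope_commands(server, scope):
    """Return the netsh lines that create, configure and activate one scope."""
    net = validate_scope(scope)
    prefix = f"dhcp server \\\\{server}"
    sid = str(net.network_address)        # netsh identifies a scope by its network ID
    start, end = scope["range"]
    name, comment, domain = scope["name"], scope["comment"], scope["domain"]
    return [
        f'{prefix} add scope {sid} {net.netmask} "{name}" "{comment}"',
        f"{prefix} scope {sid} add iprange {start} {end}",
        f"{prefix} scope {sid} set optionvalue {OPT_ROUTER} IPADDRESS {scope['router']}",
        f"{prefix} scope {sid} set optionvalue {OPT_DNS_SERVERS} IPADDRESS {' '.join(scope['dns'])}",
        f'{prefix} scope {sid} set optionvalue {OPT_DNS_DOMAIN} STRING "{domain}"',
        f"{prefix} scope {sid} set state 1",   # 1 = active, 0 = inactive
    ]


def build_script(server, scopes):
    """Return the complete script text for 'netsh -f'; validates every scope first."""
    lines = []
    for scope in scopes:
        lines.extend(scope_commands(server, scope))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_script("DHCP01", SAMPLE_SCOPES), end="")
```

Redirect the output to a file and run it with `netsh -f scopes.txt`; because every scope is validated before the first line is written, a bad entry aborts the whole run rather than the middle of it.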


RE: [ActiveDir] Preferred Bridgeheads

2005-08-09 Thread David Cliffe



Thanks for your comments David A. and Dean :-)

You may have surmised my reason for asking.  We have a few sites where a single preferred BH has been designated and although it puzzled me, I never really questioned it before.  Our environment is such that this seems unnecessary, so it's time to dig a little deeper.

Thanks again.

-DaveC
Reuters IS&T Service Delivery


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, August 09, 2005 10:04 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Preferred Bridgeheads

The other David pretty much covered it with perhaps the exception of Virtual DCs; in the past I've tended to avoid placing intersite load on Virtual DCs though I prefer to achieve such a result using staging/lag/latent (or whichever term you prefer) sites assuming the customer in question fully grasps the purpose and importance of the extra site(s) ... even that to some extent depends on the perf. characteristics of the Virtual DC though.

Outside of that, the only additional comment I'd make is that, in my experience, preferred bridgeheads are more frequently used to designate who's not a bridgehead rather than who is ... thought that worth a mention.

One final and somewhat related comment, manual designation of the ISTG can prove to be a much more valuable exercise in larger environments than manual designation of bridgeheads since the ISTG process itself is computationally expensive and warrants placement on suitably (proc. & memory wise) high-performance hardware.  This is a lesser concern these days due to the exponential leaps in performance we've seen over the past few years but, obviously, the scale and complexity of the forest and its replication topology impact the validity of that statement.  It may also become necessary to manipulate the failover detection timers to prevent the role from being inadvertently moved during scheduled downtime.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Monday, August 08, 2005 9:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Preferred Bridgeheads

In the same spirit - but on the other side of the coin :) - I wouldn't mind hearing a brief elaboration on your earlier statement:

"I've found only a few scenarios in which they proved valuable"

Perhaps one reason might be when one of the servers in a site is underpowered/waiting to be upgraded, etc..?

-DaveC
Reuters IS&T Service Delivery


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 6:14 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Preferred Bridgeheads

Without wishing to labor the point Russ, what aspect of replication 'speed' was thought to be improved?  I ask as I often lecture on AD (and related technologies) and am interested to understand some of the misconceptions.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 6:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Preferred Bridgeheads

We thought it would "help" with replication speed.  I 
guess it was more of a WAG.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 2:13 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Preferred Bridgeheads

If you constrain the list of bridgeheads you may be incapable of replicating an app. NC in and out of a site since in order to replicate a particular partition, the bridgehead in question must hold a copy of it ... if the preferred list contains only 2K DCs, that can't happen .. for the most part ... a 2K3 ISTG will override your choices and allocate a suitable bridgehead for you, it will however whine and whine and whine and ... you get the idea.

I've found only a few scenarios in which they proved valuable ... may I ask why you're using them?

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Preferred Bridgeheads

We're almost all Win2k3 Domain Controllers, have a few left to upgrade.

Question is, we have at least one DC at each site configured as a preferred bridgehead for IP.  Is this not a good idea?  Is it best to not prefer any bridgeheads and let AD do its job?  I'm seeing a lot of event ID 1567's about it as well.
 
Thanks

  
  

RE: [ActiveDir] Preferred Bridgeheads

2005-08-08 Thread David Cliffe



In the same spirit - but on the other side of the coin :) - I wouldn't mind hearing a brief elaboration on your earlier statement:

"I've found only a few scenarios in which they proved valuable"

Perhaps one reason might be when one of the servers in a site is underpowered/waiting to be upgraded, etc..?

-DaveC
Reuters IS&T Service Delivery


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 6:14 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Preferred Bridgeheads

Without wishing to labor the point Russ, what aspect of replication 'speed' was thought to be improved?  I ask as I often lecture on AD (and related technologies) and am interested to understand some of the misconceptions.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 6:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Preferred Bridgeheads

We thought it would "help" with replication speed.  I 
guess it was more of a WAG.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 2:13 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Preferred Bridgeheads

If you constrain the list of bridgeheads you may be incapable of replicating an app. NC in and out of a site since in order to replicate a particular partition, the bridgehead in question must hold a copy of it ... if the preferred list contains only 2K DCs, that can't happen .. for the most part ... a 2K3 ISTG will override your choices and allocate a suitable bridgehead for you, it will however whine and whine and whine and ... you get the idea.

I've found only a few scenarios in which they proved valuable ... may I ask why you're using them?

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Preferred Bridgeheads

We're almost all Win2k3 Domain Controllers, have a few left to upgrade.

Question is, we have at least one DC at each site configured as a preferred bridgehead for IP.  Is this not a good idea?  Is it best to not prefer any bridgeheads and let AD do its job?  I'm seeing a lot of event ID 1567's about it as well.
 
Thanks

  
  
~~
This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.
~~

  
  




RE: [ActiveDir] computer description in AD vs. computer description in My Computer/Properties

2005-07-14 Thread David Cliffe
One is the description for the browse list, while the other is the AD
description seen in ADUC, etc...

I usually set them both to be the same thing [manually], but I suppose
you're asking if one "tool" can set them both at the same time?
Possibly can script it with ADMOD for the AD side and "net config
server" for the browse list.  That might not be exactly what you're
after, and I also think there was an old "gotcha" to configuring
LANMANSERVER using that 'net' command.  Can't think of it at the moment.

-DaveC
Reuters IS&T Service Delivery

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, July 14, 2005 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: [spam] [ActiveDir] computer description in AD vs. computer
description in My Computer/Properties

These two descriptions seem to be unrelated to each other.  Has anyone
ever tried to tie them together?

Mike Thommes


RE: [ActiveDir] DSQUERY & DSGET provide inconsistent results - help

2005-07-11 Thread David Cliffe



Could it be that one of your DCs is out of sync with the rest?  Would this happen if you used the '-s' option to explicitly connect to the same server each time?  (not that *that* would solve a DC out of sync, but at least you'd understand why)

-DaveC
Reuters IS&T Service Delivery


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Monday, July 11, 2005 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSQUERY & DSGET provide inconsistent results - help


A 
client is using DSQUERY is to dump a list of the Domain Admins group every 15 
minutes or so.  They’re finding that it ‘misses’ some members—they’ll be 
there in one query, gone the next, then reappear.   Has anyone seen 
this behavior with this command?
 
dsquery group -name "%GRP%" | 
dsget group –members
 
We’re 
going to look at ADFind or just VBS to solve the problem 
too!!
 
Thanks!
 
 
Dan

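Pinning the query to one DC with -s, as suggested above, stops the flapping, but a monitor that dumps a privileged group every 15 minutes is really a change detector, and it helps to make it replication-aware rather than trusting whichever DC answered. The Python below is an added example written for this page, not code from the thread: it parses the quoted-DN lines that `dsget group -members` prints, compares this run's view from several DCs against the previous baseline, and reports a member as added only when every DC shows it and as removed only when no DC shows it. A member present on some DCs but not others is reported separately as a replication inconsistency (lag, or a DC out of sync, which is exactly Dan's symptom) instead of being alerted as a membership change. The DC names, DNs and snapshot text are constructed sample data; `fetch_members` shows how a live snapshot would be taken but is not executed here.

```python
"""Replication-aware monitor for privileged-group membership changes.

Added example, not code from the thread.  dsget prints one quoted DN per
line followed by "dsget succeeded"; the snapshots below are constructed
sample output for a baseline and for two hypothetical DCs (DC01, DC02).
"""
import subprocess

GROUP = "Domain Admins"

# Constructed: the previous run's converged membership.
BASELINE_TEXT = '''"CN=Administrator,CN=Users,DC=corp,DC=example"
"CN=Alice Admin,OU=Admins,DC=corp,DC=example"
"CN=Bob Admin,OU=Admins,DC=corp,DC=example"
"CN=Dave Admin,OU=Admins,DC=corp,DC=example"
dsget succeeded'''

# Constructed: what each DC returned this run.  Carol was added and has
# replicated everywhere; Dave was removed everywhere; Bob's removal and
# Erin's addition have each reached only one DC so far.
PER_DC_TEXT = {
    "DC01": '''"CN=Administrator,CN=Users,DC=corp,DC=example"
"CN=Alice Admin,OU=Admins,DC=corp,DC=example"
"CN=Carol Admin,OU=Admins,DC=corp,DC=example"
"CN=Erin Admin,OU=Admins,DC=corp,DC=example"
dsget succeeded''',
    "DC02": '''"CN=Administrator,CN=Users,DC=corp,DC=example"
"CN=Alice Admin,OU=Admins,DC=corp,DC=example"
"CN=Bob Admin,OU=Admins,DC=corp,DC=example"
"CN=Carol Admin,OU=Admins,DC=corp,DC=example"
dsget succeeded''',
}


def parse_dsget_members(text):
    """Set of member DNs from 'dsget group -members' output.

    Only quoted lines are DNs; the trailing status line and blanks are ignored.
    """
    members = set()
    for line in text.splitlines():
        line = line.strip()
        if len(line) >= 2 and line[0] == '"' and line[-1] == '"':
            members.add(line[1:-1])
    return members


def fetch_members(dc, group=GROUP):
    """Live query pinned to one DC with -s on both commands (not run in this example)."""
    cmd = f'dsquery group -name "{group}" -s {dc} | dsget group -members -s {dc}'
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return parse_dsget_members(out.stdout)


def classify(baseline, per_dc):
    """Split this run's view into real changes and replication inconsistencies.

    A member counts as added only when every DC shows it, and as removed only
    when no DC shows it.  Anything in between is listed with the DCs that
    still (or already) hold it, so an out-of-sync DC is not mistaken for a
    membership change and a real change is not lost in the noise.
    """
    views = list(per_dc.values())
    everywhere = set.intersection(*views)
    anywhere = set.union(*views)
    return {
        "added": sorted(everywhere - baseline),
        "removed": sorted(baseline - anywhere),
        "inconsistent": {
            dn: sorted(dc for dc, members in per_dc.items() if dn in members)
            for dn in sorted(anywhere - everywhere)
        },
    }


def run_sample():
    """Classify the constructed snapshots; returns the dict from classify()."""
    baseline = parse_dsget_members(BASELINE_TEXT)
    per_dc = {dc: parse_dsget_members(text) for dc, text in PER_DC_TEXT.items()}
    return classify(baseline, per_dc)


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(f"{kind}: {items}")
```

In a scheduled job, `added` and `removed` are the events worth paging on, while `inconsistent` is the list to hand to whoever looks after replication; once the baseline is replaced with the converged (`everywhere`) set, a lagging DC never produces a phantom removal.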




RE: [ActiveDir] Ds commands

2005-07-03 Thread David Cliffe
Tom,

Maybe your original question is stemming from the installation
source of the DS tools themselves?  I'm going to be a bit lazy about
verifying this right now (sorry!), but I'm pretty sure you had to
install the Windows 2000 Administration Tools in order to get them on a
2000 Pro machine, and perhaps now they ship with the base XP O/S?  Mine
are currently in %systemroot%\system32, but I can't remember if the
Admin Tools pack put them there.  Certainly, they ship with the base
server O/S that you've installed on your laptop, so maybe you just
*thought*  they required Win2003?

-DaveC
Reuters IS&T Service Delivery

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, July 02, 2005 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ds commands

Or a Windows XP against Win2k.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Saturday, July 02, 2005 2:48 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ds commands

executing the DS commands on a w2k3 box against a w2k AD domain will
work
 
Cheers,
#JORGE#



From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Sat 7/2/2005 9:16 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ds commands



I'm sorry. I wasn't being clear. 
I just wanted to know if you could use those commands on a pure win2k
domain. 
It wasn't a reason to move to win2k3. 

We'll be moving there soon. 
I'm pretty aware of all the improvements to AD and windows. 
They speak for themselves. 

As to OS of choice, I haven't seen one of those yet. 
Maybe a combo of Monad and not having the GDI built into the kernel(more
like X windows) and some of the improvements of Novell(I know they've
been in the ldap dir game longer so its not totally fair) directory
would make an
OS of choice.  

Depending on what you're doing, of course. 
But right now, windows 2k3 is pretty sweet. 

Thanks
--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net) 






RE: [ActiveDir] Ds commands

2005-07-01 Thread David Cliffe
This is obviously not the technical answer, but these tools should try
to find the nearest DC in the same way that ADUC would attach itself to
the nearest DC when you launch it.  Of course if you use '-s' with an
argument that provides a valid DC, it will use that one for you.  I
don't think it matters what OS that DC is running.  ADFIND works the
same way - unless you tell it to use a specific DC, it will find the
closest.

As to the "not" portion of your question, I was referring to a switch
such as '-inactive', which only works against Win 2003.

To sum up - it really doesn't matter (especially since joe's tools give
you more options and better output when looking for "inactive" accounts
anyway!)

-DaveC
Reuters IS&T Service Delivery

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, July 01, 2005 6:57 PM
To: ActiveDir@mail.activedir.org
Subject: [spam] Re: [ActiveDir] Ds commands

How do the DS commands figure out how not to work against a win2k dc or
does it matter?
If I just type "dsquery...", will it hit a win2k dc or try to find a
win2k3 dc?

Thanks.
Sorry to hear about your job fiasco, Rick.
They lost a good engineer.

--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)



RE: [ActiveDir] Ds commands

2005-07-01 Thread David Cliffe
Hi Tom -

I don't think there is any dependency on domain functional level
to use those.  A few switches may only work against 2K3, but in general
I believe they should work fine.

-DaveC
Reuters IS&T Service Delivery

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, July 01, 2005 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: [spam] [ActiveDir] Ds commands

What domain functional level do I have to be in to use the DS commands?
Thanks
--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)



RE: [ActiveDir] Cannot Contact Domain over External Trust

2005-06-23 Thread David Cliffe
This smells like WINS to me.  Sorry I can't offer much more, but I would
check and double check 1B/1C name registrations and any applicable
NetBIOS configs. (IP stack, LMHOSTS, etc...)

-DaveC
Reuters

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Thursday, June 23, 2005 5:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

Nope, this trust worked for weeks if not months and just poof stopped.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, June 23, 2005 5:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

Justin,
   Are any of the ports required by trusts
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/
TechRef/108124dd-31b1-4c2c-9421-6adbc1ebceca.mspx) blocked?

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Thursday, June 23, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

No error, just that it says the domain cannot be contacted but I am able
to ping the servers and domain controllers in that domain via DNS, WINS
and IP

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Thursday, June 23, 2005 3:35 PM
To: Salandra, Justin A.; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

what error do you get?

#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/23/2005 8:56 PM
Subject: [ActiveDir] Cannot Contact Domain over External Trust

I have a trust that has been working and all of a sudden with zero
errors it has stopped.

I have a NT 4 and a 2000 Domain with an external trust setup so that I
can grant permissions to groups from the 2000 domain to resources on the
NT 4 domain.  When I go to the 2000 domain from the NT 4 domain I am not
able to see a listing of groups or users.  It cannot find the domain.  

DNS, WINS and the trust are all working and validated.

What could be the problem?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]






RE: [ActiveDir] GroupBy type queries in LDAP

2005-05-20 Thread David Cliffe
Hey...just FYI...a bunch of posts came through a couple of days ago
about KDC event 11, which reminded me that I've got some myself.  I've
been using Dean's nifty little script here to identify the objects with
duplicate serviceprincipalname attrs.  Working great.

Thanks Dean!

-DaveC
Reuters IS&T Service Delivery

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 06, 2005 6:18 PM
To: Send - AD mailing list
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

Since a solution hasn't manifested itself to date, I got intrigued and
tried to put this together in a simple and relatively fast shell script
... which I've enclosed as a text file (if memory serves I am able to
enclose small text files).

The script requires two args; a QUOTED "DN" and the LDAP name of the
attribute to look at.

Hope this serves your purpose, if not, I'm certain it will serve me at
some point in the future :)

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeremy
Palenchar
Sent: Monday, April 04, 2005 5:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GroupBy type queries in LDAP

OK, LDAP evangelists,

I need to query our customer-facing AD for a list of all the users who
share a particular attribute. Let's call that attribute "Attribute1."

So, if two people have the same value in Attribute1, I need their DN.

The trick is, that I want the results for all possible values of
Attribute1.

In SQL, I would use group by Attribute1 having count(Attribute1) >1 to
get a list of all Attribute1 values where more than one object had the
same value.
I would then join that back to the table to get a list of all the DN's
with those values of Attribute1.

Is there a way to do this with an LDAP query.

Please note that the directory contains millions of objects and
iterating through them will be painful.


-Jeremy
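LDAP has no GROUP BY, so Jeremy's question and the duplicate-SPN hunt Dave describes both come down to pulling the attribute for every object once and grouping on the client; Jeremy's "group by Attribute1 having count(Attribute1) > 1" becomes a dictionary from value to the set of DNs holding it. Dean's attached script is not reproduced on the page, and the Python below is an added example of the same idea written for this page, not his code. It parses an LDIF export (for instance from `ldifde -f spn.ldf -r "(servicePrincipalName=*)" -l servicePrincipalName`, which keeps the dump small on a large directory by returning only that attribute), handles LDIF line folding and base64 (`::`) values, groups objects by each value of a multi-valued attribute, and reports every value held by more than one DN. The LDIF text is constructed sample data with one HTTP SPN deliberately registered on three accounts, which is the condition behind the KDC event 11 messages mentioned above.

```python
"""Client-side GROUP BY attribute HAVING COUNT(*) > 1 over an LDIF export.

Added example, not Dean Wells's attached script.  SAMPLE_LDIF is constructed
sample data; a real export would come from ldifde (or an adfind/ldapsearch
dump converted to LDIF) and can be streamed through parse_ldif record by
record, so only the value->holders table has to fit in memory.
"""
import base64
from collections import defaultdict

SAMPLE_LDIF = """\
dn: CN=WEB01,OU=Servers,DC=corp,DC=example
servicePrincipalName: HOST/WEB01
servicePrincipalName: HOST/web01.corp.example
servicePrincipalName: HTTP/intranet.corp.example

dn: CN=WEB02,OU=Servers,DC=corp,DC=example
servicePrincipalName: HOST/WEB02
servicePrincipalName: HTTP/intranet.corp.example

# LDIF folds long values: a leading space continues the previous line.
dn: CN=svc-intranet,OU=Service Accounts,DC=corp,DC=example
servicePrincipalName: HTTP/intranet.corp.exam
 ple

# '::' marks a base64 value (ldifde uses it for non-ASCII and binary data).
dn: CN=SQL01,OU=Servers,DC=corp,DC=example
servicePrincipalName:: TVNTUUxTdmMvc3FsMDEuY29ycC5leGFtcGxlOjE0MzM=
"""


def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per record, handling folding, base64 and comments."""
    record = []
    for raw in text.splitlines():
        if raw.startswith(" ") and record:          # folded continuation line
            record[-1] += raw[1:]
        elif raw == "":                              # blank line ends a record
            if record:
                yield _record_to_entry(record)
                record = []
        elif not raw.startswith("#"):                # skip comment lines
            record.append(raw)
    if record:
        yield _record_to_entry(record)


def _record_to_entry(lines):
    dn, attrs = None, defaultdict(list)
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):                   # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name].append(value)
    return dn, dict(attrs)


def duplicate_values(entries, attr, case_insensitive=True):
    """Map each value of attr held by more than one DN to the sorted list of holders.

    SPNs are matched case-insensitively by the KDC, so the default folds case
    before grouping; pass case_insensitive=False for attributes where case matters.
    """
    holders = defaultdict(set)
    for dn, attrs in entries:
        for value in attrs.get(attr, []):
            key = value.casefold() if case_insensitive else value
            holders[key].add(dn)
    return {value: sorted(dns) for value, dns in holders.items() if len(dns) > 1}


def find_duplicate_spns(ldif_text=SAMPLE_LDIF):
    """Duplicate servicePrincipalName values in an LDIF export."""
    return duplicate_values(parse_ldif(ldif_text), "servicePrincipalName")


if __name__ == "__main__":
    for spn, dns in find_duplicate_spns().items():
        print(spn)
        for dn in dns:
            print("   ", dn)
```

The same `duplicate_values` call works for any attribute (`mail`, `userPrincipalName`, `sAMAccountName` across domains) once the export is restricted to that attribute with `-l`; the grouping is a single pass, which matters for the millions-of-objects case Jeremy raises.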


RE: [ActiveDir] Adfind and GUID

2005-05-17 Thread David Cliffe
Good thing you spotted this thread.  I had a feeling my answer needed
some "tweaking"  :-)

-DaveC
Reuters IS&T Service Delivery

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 17, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind and GUID

You will want to add -base to that if the GUID refers to a container
type object. Basically what happens is that you are only setting a base
DN for the search and by default, adfind will do a objectclass=* query
from that base. 

So for instance, if you enter the GUID for an OU with a bunch of
objects, you will end up dumping the OU attributes as well as all of the
objects in that OU. It could be quite a surprise if you are expecting
only a single object. :o)


   joe 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Tuesday, May 17, 2005 1:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind and GUID

A thread similar to this subject appeared on this list not too long ago.

One nice way of doing that was with this syntax:

adfind -b ""

-DaveC
Reuters

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Tuesday, May 17, 2005 12:10 PM
To: ActiveDir@mail.activedir.org
Subject: [spam] [ActiveDir] Adfind and GUID

OK, so am I missing something here? Following the directions for adfind,
I am trying to locate an object by GUID. Here is my cmd line. What am I
missing?

adfind -binenc -f
objectguid={{GUID:9AD0431B-B677-4BF9-A63E-DD29036123FF}}

Help?


RE: [ActiveDir] Adfind and GUID

2005-05-17 Thread David Cliffe
A thread similar to this subject appeared on this list not too long ago.

One nice way of doing that was with this syntax:

adfind -b ""

-DaveC
Reuters

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Tuesday, May 17, 2005 12:10 PM
To: ActiveDir@mail.activedir.org
Subject: [spam] [ActiveDir] Adfind and GUID

OK, so am I missing something here? Following the directions for adfind,
I am trying to locate an object by GUID. Here is my cmd line. What am I
missing?

adfind -binenc -f objectguid={{GUID:9AD0431B-B677-4BF9-A63E-DD29036123FF}}

Help?


RE:[ActiveDir] Living without WINS

2005-05-11 Thread David Cliffe



Much as I would like to see it go away too, I think there are still too 
many applications that require it.  I'm not a programmer, so may be stating 
this wrong, but I believe a lot of apps. still use the NetBIOS API calls for 
name resolution, and so would fail without some type of NBNS on a routed 
network.  Outlook/Exchange even fall into this, right?
 
-DaveC
Reuters


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, May 11, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: [spam] [ActiveDir] Living without WINS

Good evening (morning or night) to you all.

We have an AD structure with the following setup.
DCs and servers W2K3 AND W2K.
PCs NT4, W2K and XP.
Name Resolutions
    DNS Server (with WINS lookup)
    WINS
All clients have DNS name resolution activated.
Some (older) clients have both WINS and DNS.
Most NT 4.0 clients have AD client.
Obviously the NT 4.0 clients do not ddns.
We also have 2 clusters with Windows 2000.

My question is the following.
If I create static DNS records for the NT4 clients, can I do without WINS? What pitfalls and
issues are there?

Thanks (in advance) for your help.
Peter Jessop





RE: [ActiveDir] (Slightly OT) GC's

2005-04-20 Thread David Cliffe
 
Curious to know how useful /removelingeringobjects would be if this
were a 2003 forest.  Could I run that on every GC against a reliable
source in the other NCs to try and clear up "lingerers"?  Also a fairly
lengthy prospect, but would you consider it better than the option of
removing every GC at once?

-DaveC
Reuters CIO Infrastructure

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Wednesday, April 20, 2005 1:48 PM
To: 'Kern, Tom '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] GC's

When you need to rebuild all GCs you'll have to be careful how you do
that.
If you rebuild GCs one by one the problem (wrong data like non-existing
objects) most likely will not be solved. This is true if a GC uses
another GC as inbound replication partner. I don't know what your
situation is, but if the wrong data is only in the GCs, demoting all GCs
at once and promoting again is the "best way". In a large environment
this sounds like "hell on earth". If the "wrong data" is only in a
certain domain partition you could remove that NC from the GCs in the
other domains using REPADMIN. With the latter the GC keeps advertising
itself while the NC is being removed and later on rebuilt. Also with
this one you need to be sure which replication partner is chosen.

If you can provide more details, maybe I can give you a more helpful
answer.

Jorge

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/20/2005 5:48 PM
Subject: RE: [ActiveDir] GC's

Actually, I did want to know the other stuff as well :) Also, what
exactly is "occupancy level"?

I had some EAs that saw an issue in AD where there were objects that
were deleted in AD but were still present in the GC (for months).
They called MS and MS told them this will snowball into a serious issue.
So, after much chatting, MS recommended for them to rebuild every GC in
the forest.
They did this by unchecking the GC tab on the NTDS object, waiting a
while and then checking it back. This is in a win2k2p4 forest. Only the
root domain is in native mode.

So, yeah, I'd like to know exactly what it means when you uncheck (and
that's all), wait and check again...
Thanks


Dean Wells wrote:
> Only sort of wrong, there's a particular interface (NSPI/Named Service
> Provider Interface) exposed by GCs that is used by Exchange.  This
> interface wasn't exposed on new GCs until they had been rebooted (that
> has been addressed for 2K3), the other aspects of the GC take effect
> according to something known as the "occupancy level".
> 
> In the event I've misunderstood and you are actually asking what
> happens if you click-it-on and then straight back off again ... well,
> that depends on a few other clicks but I don't really think that's
> what you wanted to know.



RE: [ActiveDir] Using "net time"

2005-04-13 Thread David Cliffe
Personally...I don't use NET TIME at all.  I wish they'd either do away
with it or make some kind of statement about its uselessness (my opinion
-sorry!).  Use  W32TM  to test your 2000 (and up) machines.

You should sync your forest root PDCe to whatever device you have as
your reliable time source (XP, hardware clock, etc...), and let the
other machines default to the hierarchical sync. scheme (DOMHIER).

I've seen this question asked A LOT on this list, and I think it is one
of the easiest answers.  Sync ONE machine (the PDC of the forest) to a
reliable time source, and leave every other machine in the forest alone
(unless special case has tighter requirements than Kerberos/Windows).
Done!

-DaveC
Reuters CIO Infrastructure

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Wednesday, April 13, 2005 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Using "net time"

Following on from my earlier question about time synchronisation, can
anyone please tell me, when you type in the command "net time", where
exactly, or how, does the client determine where to pull this
information from? I ask because I assumed it would be querying its
logon server by default, however in my case it is querying a DC from a
sub-domain ?!?! Why on Earth is that? The DC in question is not
configured as a reliable time source (the "AnnounceFlags" value is 10
and not 4).

I am confused and bewildered.

Thanks again for any help.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Wednesday, April 13, 2005 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Time synchronisation in a W2K domain


I was recently handed a new hardware clock to install into our domain.
As the device needs to be placed in an area with good radio reception I
decided to install it onto a PC. Our server farm is located in a secure
bunker with no reception at all.

I know the usual time sync model is for DC's to get the time from the
PDC role holder and then the time filters down from there to members
servers and workstations. However, my PC is running Windows XP. 

So the question is, is it possible to set the XP workstation (with
hardware connected) as the reliable primary source for time in the
domain? Should the Windows Time service be disabled on the PC? What
changes need to be made to the PDC Role holder and other DCs in the
domain to make sure they are forced to sync with the XP workstation? Or
is it just not possible to use an XP workstation?

I have noticed that some of my machines are synching with the PC but
others are not and I have not as yet determined why there is this erratic
behaviour. If I use the "w32tm /resync" command then on some machines it
works and on others it doesn't.

Do I need to manually configure all DCs to point to the XP machine? Do
member servers need special configuration? Why are general user
workstations not showing the same time as the Time PC?

Any advice greatly appreciated.


RE: [spam] Re: [ActiveDir] alias not working

2005-04-08 Thread David Cliffe
Not sure if you've seen/referenced this?

 http://support.microsoft.com/default.aspx?scid=kb;en-us;281308

I used it on one of my servers here a while ago and seems OK.

-DaveC
Reuters CIO Infrastructure

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, April 08, 2005 5:10 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: [spam] Re: [ActiveDir] alias not working

Hi Jeff

This is because when I access a server it verifies that the server that
I am requesting matches the netbios name on the server itself.  Aliases,
A records and WINS / LMHosts will not fix this in any configuration we
have tried.  The access denied is server name does not match.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


From: "Cothern Jeff D. Team EITC" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 04/08/2005 04:33 PM AST
Please respond to ActiveDir
To:
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] alias not working




Ok for some reason 2003 and xp machines that are locked down with
policies are not working with an alias that was created within DNS for a
server.

To shorten the length of a server name for share purposes we created an
alias.

IE.  Fileserver1   alias  FS1.

If you go onto the machine and type in \\fs1 you get an access denied
message.  If you type \\Fileserver1  it takes you right into the server.
Anyone have a clue on which policies may be affecting this?

Jeff




RE: [ActiveDir] GUID resolution

2005-04-07 Thread David Cliffe
Yikes...I completely botched that question because I left out a big
chunk (that's what happens when you're about to walk out the door -
sorry!)  Let's try again:

>> Seems you can also use that syntax  as the argument to -b
in ADFIND, which makes sense, and is nice to know, especially because I
couldn't figure out how to get DSQUERY to do the same.

>> How come you can't query for the objectGUID as a filter (e.g. -->
&objectGUID=x--xxx ) - is this because that attribute's syntax
is an octet string?  I'm just curious...not knowing too much about the
way these things are stored!

I think the "server-side intelligence" bit would have answered my next
question anyway.  Thanks.

-DaveC
Reuters CIO Infrastructure

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 07, 2005 5:54 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GUID resolution

I'm guessing you mean "octet string" ... if so and if I understand what
you're asking, not really ...  and  are little more than
hard-coded bits of server-side intelligence ... am I even answering your
question?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, April 07, 2005 5:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GUID resolution

Seems you can also use that syntax  as the argument to -b in
ADFIND, which makes sense, and is nice to know.

Is this because that attribute's syntax is an Octal string?  I'm just
curious...not knowing too much about the way these things are stored!

Thanks!

-DaveC
Reuters CIO Infrastructure

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 07, 2005 5:22 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GUID resolution

Noticed you said you're using 2K ... dashes are of no concern, at least
to
2K3 ... don't have 2K directory handy to test right now.  Either way,
can't even remember if the  base is supported on 2K ...
assuming it is, you missed the http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, April 07, 2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GUID resolution

Do I leave in the dashes? I pulled the GUID from an error I've been
getting in the Directory Services log on a DC.
When I enter the GUID in ldp, I get this-

ldap_search_s(ld, "<1825a294808e4036adae51144dee742f>", 0,
"(objectclass=*)", attrList,  0, &msg)
Error: Search: Naming Violation. <64>
Result <64>: 0057: LdapErr: DSID-0C090563, comment: Error processing
name, data 0, v893 Matched DNs: 
Getting 0 entries:

I get the same thing when I leave in the dashes.-

ldap_search_s(ld, "<1825a294-808e-4036-adae-51144dee742f>", 1,
"(objectclass=*)", attrList,  0, &msg)
Error: Search: Naming Violation. <64>
Result <64>: 0057: LdapErr: DSID-0C090563, comment: Error processing
name, data 0, v893 Matched DNs: 
Getting 0 entries:





Thanks



Dean Wells wrote:
> 1. Run LDP
> 2. Connect and BIND
> 3. Select Search
> 4. Enter Base DN of...  include the
> angled brackets
> 5. Populate other dialogs accordingly, enter and run


RE: [ActiveDir] GUID resolution

2005-04-07 Thread David Cliffe
Seems you can also use that syntax  as the argument to -b in
ADFIND, which makes sense, and is nice to know.

Is this because that attribute's syntax is an Octal string?  I'm just
curious...not knowing too much about the way these things are stored!

Thanks!

-DaveC
Reuters CIO Infrastructure

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 07, 2005 5:22 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GUID resolution

Noticed you said you're using 2K ... dashes are of no concern, at least
to
2K3 ... don't have 2K directory handy to test right now.  Either way,
can't even remember if the  base is supported on 2K ...
assuming it is, you missed the http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, April 07, 2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GUID resolution

Do I leave in the dashes? I pulled the GUID from an error I've been
getting in the Directory Services log on a DC.
When I enter the GUID in ldp, I get this-

ldap_search_s(ld, "<1825a294808e4036adae51144dee742f>", 0,
"(objectclass=*)", attrList,  0, &msg)
Error: Search: Naming Violation. <64>
Result <64>: 0057: LdapErr: DSID-0C090563, comment: Error processing
name, data 0, v893 Matched DNs: 
Getting 0 entries:

I get the same thing when I leave in the dashes.-

ldap_search_s(ld, "<1825a294-808e-4036-adae-51144dee742f>", 1,
"(objectclass=*)", attrList,  0, &msg)
Error: Search: Naming Violation. <64>
Result <64>: 0057: LdapErr: DSID-0C090563, comment: Error processing
name, data 0, v893 Matched DNs: 
Getting 0 entries:





Thanks



Dean Wells wrote:
> 1. Run LDP
> 2. Connect and BIND
> 3. Select Search
> 4. Enter Base DN of...  include the
> angled brackets
> 5. Populate other dialogs accordingly, enter and run

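Both GUID threads above (Mike's `-binenc` filter in "Adfind and GUID", and Dave's question here about why objectGUID can't simply be typed into a filter) come down to the same fact: objectGUID has octet-string syntax, so a filter has to carry the 16 raw bytes in escaped form, while the `<GUID=...>` base DN form lets the server do that work for you. The following is an added example in Python, not code from the thread, adfind or LDP; it uses only the standard library, and the sample GUIDs are the ones posted in the thread.

```python
import uuid

# Sample values lifted from the thread (Mike's and Tom's GUIDs).
SAMPLE_GUID = "9AD0431B-B677-4BF9-A63E-DD29036123FF"
TOMS_GUID_NO_DASHES = "1825a294808e4036adae51144dee742f"


def guid_to_ldap_filter(guid_text: str, attribute: str = "objectGUID") -> str:
    """Build an RFC 4515 equality filter for a binary GUID attribute.

    The directory stores the 16 raw bytes of the GUID, not its dashed text
    form, so "(objectGUID=9AD0431B-...)" compares 36 ASCII bytes against a
    16-byte value and never matches. AD lays the first three GUID fields
    out little-endian (the Windows GUID struct order), which is exactly
    what uuid.UUID.bytes_le returns; each byte is then escaped as \\xx.
    This is the encoding adfind's -binenc {{GUID:...}} helper produces.
    """
    raw = uuid.UUID(guid_text).bytes_le
    escaped = "".join(f"\\{b:02x}" for b in raw)
    return f"({attribute}={escaped})"


def ldap_filter_to_guid(ldap_filter: str) -> str:
    """Inverse of guid_to_ldap_filter: recover the dashed, upper-case GUID
    text from an escaped equality filter such as (objectGUID=\\1b\\43...)."""
    _, _, value = ldap_filter.rstrip(")").partition("=")
    # split() yields '' before the leading backslash, then one chunk per octet
    chunks = value.split("\\")[1:]
    if len(chunks) != 16 or any(len(c) != 2 for c in chunks):
        raise ValueError("expected exactly 16 escaped octets")
    return str(uuid.UUID(bytes_le=bytes(int(c, 16) for c in chunks))).upper()


def guid_base_dn(guid_text: str) -> str:
    """The <GUID=...> pseudo-DN that AD accepts as a search base (what
    adfind -b "<GUID=...>" and the LDP Base DN field use). uuid.UUID accepts
    the text with or without dashes, so Tom's dashed and undashed forms
    both normalise to the same base; the server resolves it to the object."""
    return f"<GUID={uuid.UUID(guid_text)}>"


if __name__ == "__main__":
    print(guid_to_ldap_filter(SAMPLE_GUID))
    print(guid_base_dn(TOMS_GUID_NO_DASHES))
```

Pair the base-DN form with a base-scoped search (adfind's -base, as joe notes), or a container GUID will return the whole subtree.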


RE: [ActiveDir] Win 2003 DNS issues

2005-04-01 Thread David Cliffe
I've been wondering if anyone else out there would ever describe this
issue.  Yes, we have seen similar here, Russ.  Disabling EDNS0 did not
make a difference, and tracking this down has been difficult, because it
has been very intermittent and random.  MS provided us with debug
modules, and we have given them traces, logs, etc...with no true
satisfactory results.  The latest pre-SP1 module we have from them is
v.5.2.3790.196  (the SP1 version is  5.2.3790.1830).  This 196 version
has been tested here on a few DNS (both with debugging on and off) and
has not yet exhibited the cache problem we were seeing (described as
best I can below), so we may roll it out until we can fully test SP1.
However, we are still not 100% sure this is the fix, or what the problem
is.

The only workaround I was able to find (besides a restart of the
service), is to clear the cache.  I had noticed that the cache for a
given zone on a DNS [during the problem] would contain an NS record for
that zone, perhaps an SOA, but no associated A (or glue) record.  If I
cleared the cache, the full set of records would reappear, and the
server would begin resolving again for that zone.  We do not use
forwarders on most of our internal DNS, choosing instead to go with root
hints.  I noticed this problem occurring on random DNS, within random
zones, almost immediately upon upgrading to Windows 2003, and have been
frustrated by it since.  The TTLs for the NS and A records on the root
servers were examined and found to be set to 1 day (86400), which I
believe is "typical".  It's almost as if the A records in the cache on
the 2003 DNS were timing out, but the server continued to "believe" it
still had them cached.  Does that make sense?  I am no DNS cache expert,
so I don't know what normal behavior is, other than to examine the cache
on a zone that is working normally.  To me, if a zone has an NS, but no
associated A, how can it resolve anything for that zone without going
back to the root?

Anyway, I would be curious to know if yours exhibit similar symptoms?

-DaveC
Reuters CIO Infrastructure

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, April 01, 2005 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win 2003 DNS issues


We're experiencing intermittent DNS outages ever since we upgraded our
domain controllers (which are all running DNS) to Windows 2003.  We know
we're having a problem because users see "Applying security settings"
for an extended length of time when booting up.  Then if we do nslookups
on the DNS server having issue, it times out.  If we restart DNS, it
works fine.

We applied hotfix KB830381 and thought it fixed it because it didn't
happen for awhile, but it happened again finally.  Has anyone else been
experiencing this?




RE: [ActiveDir] 2003 SP1 RTM

2005-03-31 Thread David Cliffe
Hm...I installed the production SP1 on a test VM earlier today and have
not seen the CPU issue yet.  Then again, this guest O/S isn't really
doing anything at the moment either!  It is a DC attached only to the
internal network, and there are two other guest O/S's running right now
(one is another Win2003 DC with no SP, and one is a 2003 server (not DC)
with no SP).

If there's any way I can help you reproduce, let me know!

-DaveC
Reuters CIO Infrastructure

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Thursday, March 31, 2005 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

I have a specific problem related in some way to SP1.

I have several test environments.  In each I use Virtual Server 2005.
Each environment is 100% Windows Server 2003.  After upgrading any of
the VMs with SP1, the upgraded VM runs at nearly 100% CPU consistently. 

Removing and reinstalling the VM Additions has no effect.

Removing SP1 also removes the visible problem.

You might understand that I have an apprehension towards installing SP1
in production, especially on those systems running as VMs.

Any ideas?

Regards,

Aric Bernard 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, March 31, 2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

Dave can you quantify this statement please? I ask out of curiosity, not
disagreement.

Specifically:
1) You referred to SP1 having "too many changes." How did you make this
determination? What is the threshold where we cross in to too many?
2) What steps will you be going through between now and when you do
install it? What will you do between now and deployment to give you the
confidence level you need to fire it up on a box and see how it goes?

Interested, so we can perhaps think through ways to make that less
painful going forward.
~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave A. Marquis
Sent: Thursday, March 31, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

I am certainly going to be waiting to install this one for a
while; too many changes to jump right into it.

David A. Marquis
Computer Systems Administrator

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, March 31, 2005 6:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 SP1 RTM

FYI. Windows Server 2003 SP1 went RTM yesterday

http://www.microsoft.com/downloads/details.aspx?familyid=22CFC239-337C-4D81-8354-72593B1C1F43&displaylang=en



RE: [spam] RE: [ActiveDir] DHCP on a DC

2005-03-31 Thread David Cliffe
Just an FYI, I wanted to mention that the DHCP service credentials can
be configured graphically in Windows 2003 - on the Advanced Tab of the
DHCP server's properties.

And as an aside, I have not been able to convince anyone here that our
DHCP services should not be running on DCs, hence...we've just been
plain lucky so far.

-DaveC
Reuters CIO Infrastructure

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, March 31, 2005 10:47 AM
To: ActiveDir@mail.activedir.org
Subject: [spam] RE: [ActiveDir] DHCP on a DC

No. I only meant DNS records. Sorry (of course, it's running as
LocalSystem on a DC, which is never a good idea if you can avoid it, and
I'm sure this can be exploited in ways I don't know about...)

A DC would not be the logical place because of the inherent power of
DCs. A DHCP server running on a DC would inherit that power: the ability
to delete any record in DNS (among many, many other things). This could
occur due to a misconfiguration or someone hijacking the DHCP service
and going haywire on your forest. You don't want to open up that kind of
hole. It wouldn't be able to do such damage on a member server, as
member servers only have power over themselves locally and not the
whole forest (unless they were trusted for delegation, which is not the
default, unlike DCs). To be on the safe side, if you have to install DHCP
on a DC, make sure you run the DHCP service under a dedicated account.
As I said, you do this using the netsh.exe command shell.
This "issue" still exists in Win2K3 (and do NOT use the DnsUpdateProxy
group as that is insecure by nature).

I hope I'm clear and this helps...




Rocky Habeeb wrote:
> Tom,
> 
> Thank you for responding.  Do you really mean "any record"?  So it
> could just decide to delete the Domain Controllers OU?  Or do you mean
> any record in DNS, which is where I would expect it to operate?
> I simply can't understand why (logically) a DC would not be the
> optimum place for this.  A proxy agent (member server) is still going
> to have and require the requisite authority to update records so where
> is the security vulnerability?  I didn't mention that this is
> happening on W2K3 server.  Does this vulnerability still apply?
> 
> Thanks
> 
> RH
> ___
> 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Kern, Tom
> Sent: Thursday, March 31, 2005 9:55 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DHCP on a DC
> 
> 
> You can install it on a DC but it's not recommended.
> When you install a DHCP server on a DC it runs in the security context
> of the DC. Every DC has full control over all the zones and records in
> AD. So by proxy, so does the DHCP service running on a DC.
> This means it can delete or modify any record in AD, including those
> created by domain members and DCs.
> 
> That's a lot of power and potential for abuse and screw ups in DNS and
> consequently, your AD forest.
> If you do run it on a DC, I think MS recommends you create a separate
> dedicated account for the DHCP service to run under using netsh.exe
> 
> 
> 
> Rocky Habeeb wrote:
>> People,
>> 
>> Please consider helping me with this question.  We are getting ready
>> to switch to DHCP.  Reading a document from MSDN entitled "Chapter 2
>> Deploying DHCP" there is a section that states "If DHCP will perform
>> DNS dynamic updates, do not install it on a domain controller.
>> Instead, install DHCP on a member server.  When DHCP is installed on
>> a DC and is configured to perform dynamic updates on behalf of
>> clients in DNS zones that are configured to allow only secure dynamic
>> update, specify a user account to update the DNS records."
>> 
>> Well, this statement is ambiguous.  Can it be installed on a DC 
>> (which we would prefer to do for reasons of economy) or not?  Is 
>> there a problem with doing it?
>> 
>> Thank you people in advance.
>> 
>> RH
>> 
>> _
>> 
>> Rocky Habeeb
>> Microsoft Systems Administrator
>> James W. Sewall Company
>> Old Town, Maine
>> Voice: 207.827.4456  Ext. 387
>> Email: [EMAIL PROTECTED]
>> www.jws.com
>> _
>> 
>> 


RE: [ActiveDir] Bridgehead in a single-server site

2005-03-29 Thread David Cliffe
Thanks everyone.  All replies (opinions) were consistent and are summed
up effectively by the latest from Todd below.

For those interested --> Some brief detective work here has revealed
that, historically, there were some valid reasons for manually selecting
a BH in several sites.  At the time of my post I had thought EVERY site
here was configured that way, and so thought this was the norm
("assumption" once again a foolish path!).  The MS documentation and
your recent replies indicate we should consider a change, especially
since none of those old reasons apply anymore.  Thanks again!

-DaveC
Reuters CIO Infrastructure


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Tuesday, March 29, 2005 6:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Bridgehead in a single-server site

There are two reasons why you select preferred BHS.

1.  You have some security / political requirement to direct traffic to
a particular server.  (Firewall, Core service DC vs child domain).

2.  You don't want the other servers to be targets as BHS.
(Underpowered box, etc.)

Todd Myrick

-Original Message-
From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]
Sent: Monday, March 28, 2005 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bridgehead in a single-server site

I completely agree with Gil's comment.  Let the KCC handle the BH
selection.  Otherwise you have to manually select the BH server(s).
You can manually select more than one BH server if you want.

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX



On Mon, 28 Mar 2005 13:52:41 -0700, Gil Kirkpatrick <[EMAIL PROTECTED]>
wrote:
> Is there a good reason to NOT let the KCC pick the BH for you
> automatically?
> That way you get some failover if it craps out for some reason.
> Otherwise you'll have to watch the DC constantly to reset the BH to
> make sure replication continues to work. In Windows 2003, the KCC is
> pretty good about picking the best server as a BH.
>  
> -gil
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
> Sent: Monday, March 28, 2005 1:44 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Bridgehead in a single-server site
> 
> 
> Hi guys,
>  
> Just curious...any opinions on denoting a server as a bridgehead
> in a site where it is currently the only defined server?  We were
> thinking that it then wouldn't be necessary down the road when other
> DCs are added.  Is there any harm in this?  Is there any good in this?
> ; - )
>  
> (Forest and domain functional levels are Win2003)
>  
> -DaveC
> Reuters CIO Infrastructure
>  
> 
> -
> Visit our Internet site at http://www.reuters.com
> 
> To find out more about Reuters Products and Services visit 
> http://www.reuters.com/productinfo
> 
> Any views expressed in this message are those of the individual 
> sender, except where the sender specifically states them to be the 
> views of Reuters Ltd.
>




[ActiveDir] Bridgehead in a single-server site

2005-03-28 Thread David Cliffe



Hi guys,

    Just curious...any opinions on denoting a server as a bridgehead in
a site where it is currently the only defined server?  We were thinking
that it then wouldn't be necessary down the road when other DCs are
added.  Is there any harm in this?  Is there any good in this?  ; - )

(Forest and domain functional levels are Win2003)

-DaveC
Reuters CIO Infrastructure






RE: [ActiveDir] Machine Account Passwords - How often do they res et

2005-03-22 Thread David Cliffe



Yes.  I sent an email that implied it was domain dependent, which is
wrong.  Sorry 'bout that!

-DaveC
Reuters CIO Infrastructure


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, March 21, 2005 7:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Account Passwords - How often do they res et

Just to be sure: it is OS dependent and not domain dependent! What I
mean is: an NT4 system in a W2K3 AD domain will still change its machine
account password each 7 days. It's actually the domain member that
initiates the password change and not the DC.

Cheers,
Jorge


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, March 16, 2005 17:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Account Passwords - How often do they reset

2000 and above interval is 30 days by default, NT default was 7. It can
be disabled or the interval changed in GPO or registry.  Search for
MaximumPasswordAge and DisablePasswordChange


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 16, 2005 8:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Machine Account Passwords - How often do they reset


Quick question – Does anyone know how often machine accounts reset their
secure channel passwords, or do the passwords remain static until
manually reset?

We’re thinking this happens every 30 days, however we’re having an issue
with SMS.

Thanks,

-J
 This 
e-mail, and any attachment, is intended only for the person or entity to which 
it is addressed and may contain confidential and/or privileged material. Any 
review, re-transmission, copying, dissemination or other use of this information 
by persons or entities other than the intended recipient is prohibited. If you 
received this in error, please contact the sender and delete the material from 
any computer. The contents of this message may contain personal views which are 
not the views of Discovery Communications, Inc. (DCI).This e-mail 
and any attachment is for authorised use by the intended recipient(s) only. It 
may contain proprietary material, confidential information and/or be subject to 
legal privilege. It should not be copied, disclosed to, retained or used by, any 
other party. If you are not an intended recipient then please promptly delete 
this e-mail and any attachment and all copies and inform the sender. Thank you.





RE: [ActiveDir] User Migration...twice

2005-03-18 Thread David Cliffe



Raymond, I apologize in advance for...

    a) not answering your question
    b) selfishly replying with another question for my own benefit

Along these lines, is the premise behind sidHistory that it should be
somewhat temporary in nature?  Shouldn't the organization go back and
redo all ACLs (if possible!) and then clean out sidHistory afterwards?
Or have I got the concept all wrong and the notion of fixing up so many
ACLs absurd?

Thanks!

-DaveC
Reuters CIO Infrastructure



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 18, 2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User Migration...twice
Has anyone successfully migrated user accounts twice, while maintaining
SID history both times?

We had a group of users migrated from an NT domain to a W2K domain (with
SID history, Quest Migrator).  We now need to migrate them again from
the (now) W2K3 domain to another W2K3 domain.  Can we keep both SIDs as
SID History?

Thanks, rb






RE: [ActiveDir] Can you expire a computer account in AD

2005-03-17 Thread David Cliffe
I remove computer accounts that are stale for 6 months or longer.
Period.  That is usually sufficient to cover most maternity leaves,
etc...   I can't be sure that they are getting virus pattern file
updates or hotfixes if they're off for such a long period, so agree that
longer than that is ridiculous.  If there is a valid reason, a deskside
tech. can always put them back in the domain when they return.  These
occurrences are rare enough that it's more worth it to remove them.

Just my two cents!

-DaveC
Reuters CIO Infrastructure

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, March 17, 2005 9:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Can you expire a computer account in AD

I suppose the limitations should be pointed out, so here goes.

The reason you wouldn't want just lastlogontimestamp is something that
was discussed here a little while back.  Basically, it's that as a
datapoint, it's not enough information to accurately figure out which
objects are not being used. To make it worse, LLTStamp is a replicated
and latent attribute.
Put another way, its accuracy is only within 7 days which is the
replication schedule for that attribute.  Comp accounts are 30 day
intervals, but you run the risk of disabling/removing something that is
a valid account if you rely on this solely.  Using this in conjunction
with password last set should reduce the error rate exponentially as
it's yet another indicator of activity.  Keep in mind that a valid
computer account neither has to log on nor change their password on that
schedule to be valid.  Consider laptops as an example, especially
laptops that stay off the network for long periods of time (year at a
time?).  

I can honestly say that I think it's ridiculous to have a corporate
resource that stays off the network for extended periods, but they do
exist and have to be accounted for in some fashion.  I believe that's
why the requirement to disable vs. remove entirely came into the
picture. 

Just something to be aware of when using this information.  

Al

  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Thursday, March 17, 2005 9:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Can you expire a computer account in AD

it is in oldcmp:

oldcmp -llts

[EMAIL PROTECTED] wrote:
> I read this somewhere and had to confirm.  Looks like if you're 2003 
> domain functional - lastLogonTimestamp works for computers as well.
> Unfortunately, it's not exposed in tools like DSGET.  Maybe joe will 
> add this as a switch to oldcmp - as well as user accounts.
> 
> -m
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of P West
> Sent: Tuesday, March 15, 2005 3:24 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Can you expire a computer account in AD
> 
> That's exactly what I intend to do. Disable those suckers.
> 
> 
> thanks all
> - Original Message -
> From: "Mulnick, Al" <[EMAIL PROTECTED]>
> To: 
> Sent: Tuesday, March 15, 2005 2:44 PM
> Subject: RE: [ActiveDir] Can you expire a computer account in AD
> 
> 
> 
>>Because it derives from the User class, I can't think of a reason why you
>>couldn't set that value.  I'm not sure (and have no way to test at the
>>moment) if that value would be valid for what you're doing however.
>>
>>You could just disable the computer accounts vs. expire them.  That's 
>>available from the GUI if you want to access it that way else it's 
>>scriptable.
>>
>>al
>>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of P West
>>Sent: Tuesday, March 15, 2005 2:28 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: Re: [ActiveDir] Can you expire a computer account in AD
>>
>>thanks AL
>>thanks Tom
>>
>>
>>
>>Ok, I used oldcmp, among others, and the pwdlastset (oldcmp works great) came
>>back Feb 2000 even though the password expiration says March 20 2005.
>>
>>I don't think there's an issue with locating old accounts with pwdlastset; the
>>thing is what's up with a password expiration date of March 20 2005 if the
>>pwdlastset is Feb 2000. This password for the PC account should get reset every
>>30 days.
>>
>>The ping was a great idea, we were planning on doing it.  But our DNS
>>records are not so clean so you can ping a PC and get a response but it's a
>>different PC name when you ping -a ip address.  DNS scavenging is getting
>>turned on, but I think the issue may still exist.
>>
>>One last point.  Can you or can't you expire a computer account in AD? I don't
>>think you can, I tried to google it, next I'm calling MS to ask, but wanted
>>to know what you folks' opinion on it was.
>>- Original Message -
>>From: "Mulnick, Al" <[EMAIL PROTECTED]>
>>To: 
>>Sent: Tuesday, March 15, 2005 2:10 PM
>>Subject: RE: [A
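The two-indicator check Al describes (lastLogonTimestamp together with pwdLastSet), using Dave's six-month threshold, as an added example that is not code from anyone in the thread. The FILETIME conversion is standard AD arithmetic; the record list is constructed, and the 7-day lag allowance and the separate "suspect" bucket for accounts where only one indicator is old are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Tuple

# AD stores lastLogonTimestamp and pwdLastSet as FILETIME values:
# 100-nanosecond ticks since 1601-01-01 UTC. A value of 0 means "never set".
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """Convert an AD large-integer timestamp to an aware datetime (None for 0)."""
    if ticks <= 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, using integer arithmetic only."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def classify_computer(llts: int, pwd_last_set: int, now: datetime,
                      stale_after: timedelta = timedelta(days=180),
                      llts_lag: timedelta = timedelta(days=7)) -> str:
    """Return 'active', 'suspect' or 'stale' for one computer account.

    lastLogonTimestamp is only rewritten once the stored value is older
    than the replication window, so the real last logon may be later than
    what is stored. The check credits llts_lag before calling a logon old
    (assumed allowance, not an AD constant). A never-set value counts as old.
    Only when BOTH indicators are old is the account 'stale'; a single old
    indicator (a laptop off the network, a replication gap) is 'suspect'
    and should be investigated rather than disabled or removed.
    """
    cutoff = now - stale_after
    last_logon = filetime_to_datetime(llts)
    pwd_set = filetime_to_datetime(pwd_last_set)
    logon_old = last_logon is None or last_logon + llts_lag < cutoff
    pwd_old = pwd_set is None or pwd_set < cutoff
    if logon_old and pwd_old:
        return "stale"
    if logon_old or pwd_old:
        return "suspect"
    return "active"


def classify_many(records: Iterable[Tuple[str, int, int]], now: datetime,
                  **kwargs) -> Dict[str, str]:
    """Classify (name, lastLogonTimestamp, pwdLastSet) tuples in one pass."""
    return {name: classify_computer(llts, pls, now, **kwargs)
            for name, llts, pls in records}


# Constructed sample: evaluation date and four made-up computer accounts.
SAMPLE_NOW = datetime(2005, 3, 17, 12, 0, tzinfo=timezone.utc)


def _days_ago(days: int) -> int:
    return datetime_to_filetime(SAMPLE_NOW - timedelta(days=days))


SAMPLE_RECORDS = [
    ("WS-ACTIVE",    _days_ago(20),  _days_ago(10)),   # both recent
    ("WS-STALE",     _days_ago(300), _days_ago(300)),  # both old -> remove
    ("LAPTOP-ROAD",  _days_ago(300), _days_ago(20)),   # only logon old -> check
    ("WS-PRESTAGED", 0,              0),               # never joined -> old
]

if __name__ == "__main__":
    for name, verdict in classify_many(SAMPLE_RECORDS, SAMPLE_NOW).items():
        print(f"{name:<14} {verdict}")
```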

FW: [ActiveDir] Machine Account Passwords - How often do they reset

2005-03-16 Thread David Cliffe



Whoops.  My bad...It was 7 days in an NT domain.  30 days in 2000 or
2003.  Sorry about that.

-DaveC
Reuters CIO Infrastructure


From: David Cliffe
Sent: Wednesday, March 16, 2005 11:42 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Machine Account Passwords - How often do they reset

By default, I believe it is 30 days in a 2003 domain...and possibly 7
days in a 2000 domain.  Even if I am wrong about the actual days or O/S,
I can tell you it is NOT static.

-DaveC
Reuters CIO Infrastructure


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 16, 2005 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Machine Account Passwords - How often do they reset


Quick question – Does anyone know how often machine accounts reset their
secure channel passwords, or do the passwords remain static until
manually reset?

We’re thinking this happens every 30 days, however we’re having an issue
with SMS.

Thanks,

-J





RE: [ActiveDir] Machine Account Passwords - How often do they reset

2005-03-16 Thread David Cliffe



By default, I believe it is 30 days in a 2003 domain...and possibly 7
days in a 2000 domain.  Even if I am wrong about the actual days or O/S,
I can tell you it is NOT static.

-DaveC
Reuters CIO Infrastructure


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 16, 2005 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Machine Account Passwords - How often do they reset


Quick question – Does anyone know how often machine accounts reset their
secure channel passwords, or do the passwords remain static until
manually reset?

We’re thinking this happens every 30 days, however we’re having an issue
with SMS.

Thanks,

-J





RE: [spam] RE: [ActiveDir] Workstation Add User

2005-03-14 Thread David Cliffe

I have found the security log to be the most reliable source for this type of 
info.  Of course if you're not using MOM, or some other event log mining 
utility, it makes this particular solution kind of difficult.

The alternate way (not pleasing either):

dsquery * "cn=ComputerName,dc=company,dc=com" -attr ms-ds-creatorsid

This should spit out the SID of the security principal that created the object. 
 It only does this in HEX though. The last two bytes are the RID of the user, 
which, after making into WORD order and then changing to decimal, you then 
prepend with your domain SID in order to translate into a user name!  (the 
domain SID is in the output too, but hopefully that is already known to you)

Sorry that the last paragraph is a mess!  I can try to clarify with an example, 
but maybe Joe's ADFIND already goes one or two better than this and does some 
translating?  I haven't had a chance to play with it yet.

-DaveC
Reuters CIO Infrastructure

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, March 14, 2005 2:43 PM
To: ActiveDir@mail.activedir.org
Subject: [spam] RE: [ActiveDir] Workstation Add User

Owner of the computer? I see no such attribute, what am I missing?


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thorbjörn Sjövold
Sent: Monday, March 14, 2005 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Workstation Add User

When the computer object is created the Owner of the computer object is the 
user that added the computer, but of course this is a value that can be changed 
if someone have the correct permissions. And another thing that might spoil 
your statistics is that if a member of Domain Admins add the computer then 
Domain Admins is the owner and not the specific administrator.


Thorbjörn Sjövold
Special Operations Software
www.specopssoft.com
thorbjorn.sjovold a t specopssoft.com

Specops Deploy,
Takes Group Policy Based Software Deployment to the next level



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, March 14, 2005 7:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Workstation Add User

Is there a way to tell who added a machine to the domain? I would like to do 
this to get some statistics on who is actually adding machines. 


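A decoder for the hex that dsquery prints for ms-ds-creatorsid, added here as an example and not code from Dave or anyone else in the thread, carrying out the steps he sketches: split the binary SID into the domain SID and the RID so the creating principal can be resolved. It decodes the whole 4-byte little-endian final sub-authority (the last two bytes alone only equal the RID while the RID is below 65536). The sample hex string, the domain SID and RID 1105 in it are constructed.

```python
import struct
from dataclasses import dataclass

# Binary SID layout: 1 byte revision, 1 byte sub-authority count,
# 6-byte big-endian identifier authority, then N little-endian 32-bit
# sub-authorities. The final sub-authority is the RID.


@dataclass(frozen=True)
class CreatorSid:
    sid: str         # full string form, e.g. S-1-5-21-...-1105
    domain_sid: str  # everything except the final sub-authority
    rid: int         # final sub-authority


def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary SID into its S-R-I-S-S... string form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def parse_creator_sid(hex_text: str) -> CreatorSid:
    """Turn the hex dump of mS-DS-CreatorSID into domain SID plus RID.

    Whitespace in the hex (as some tools wrap it) is tolerated. For a
    well-known SID such as S-1-5-18 the 'domain' part is just the prefix
    S-1-5, since there is no domain component to prepend.
    """
    raw = bytes.fromhex("".join(hex_text.split()))
    sid = sid_from_bytes(raw)
    if raw[1] == 0:
        raise ValueError("SID has no sub-authorities, so no RID")
    domain_sid, rid = sid.rsplit("-", 1)
    return CreatorSid(sid=sid, domain_sid=domain_sid, rid=int(rid))


# Constructed sample: hex as dsquery might print it for a computer object
# created by RID 1105 in a made-up domain S-1-5-21-1000-2000-3000.
SAMPLE_HEX = ("0105000000000005"   # revision 1, 5 sub-authorities, authority 5
              "15000000"           # 21
              "E8030000"           # 1000
              "D0070000"           # 2000
              "B80B0000"           # 3000
              "51040000")          # 1105 (the RID)

if __name__ == "__main__":
    info = parse_creator_sid(SAMPLE_HEX)
    print(f"creator {info.sid}: domain {info.domain_sid}, RID {info.rid}")
```

Note that mS-DS-CreatorSID is only populated when the computer was joined by a user relying on the machine-account quota rather than explicit create rights, so objects created by administrators leave it empty; for those, the security log Dave mentions first stays the authoritative source.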


FW: [ActiveDir] OT: Command shell under RUNAS

2005-03-09 Thread David Cliffe
Whoops.  Apologies!  Check that...only the continuous PING is a valid
example so far.  I am able to CTRL-BREAK from w32tm.  There may be
others, but I'd better double check myself first!

-DaveC
Reuters AITS Infrastructure

-Original Message-
From: David Cliffe 
Sent: Wednesday, March 09, 2005 5:22 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] OT: Command shell under RUNAS

To give two examples...I started a continuous ping within one of them
and a "w32tm -stripchart" in the other.

Since I didn't specify a finite count in either, they ran forever, and
CTRL-C or CTRL-BREAK had no effect.

-DaveC
Reuters AITS Infrastructure

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, March 09, 2005 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Command shell under RUNAS

I do this, but I hadn't notice that behavior.  What situation are you
seeing this with?  Any particular app?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, March 09, 2005 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Command shell under RUNAS

For those that run command shells under different security contexts with
RUNAS...(XP SP2)
 
...do you notice that interrupt handling does not work as expected
(CTRL-C/BREAK)?
 
-DaveC
Reuters Infrastructure
 




RE: [ActiveDir] OT: Command shell under RUNAS

2005-03-09 Thread David Cliffe
To give two examples...I started a continuous ping within one of them
and a "w32tm -stripchart" in the other.

Since I didn't specify a finite count in either, they ran forever, and
CTRL-C or CTRL-BREAK had no effect.

-DaveC
Reuters AITS Infrastructure

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, March 09, 2005 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Command shell under RUNAS

I do this, but I hadn't notice that behavior.  What situation are you
seeing this with?  Any particular app?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, March 09, 2005 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Command shell under RUNAS

For those that run command shells under different security contexts with
RUNAS...(XP SP2)
 
...do you notice that interrupt handling does not work as expected
(CTRL-C/BREAK)?
 
-DaveC
Reuters Infrastructure
 




RE: [Spam] [ActiveDir] FW: Delivery failure

2005-03-09 Thread David Cliffe
I had gotten one earlier.  Doesn't answer your REAL question, but just
to verify for you!

-DaveC
Reuters AITS Infrastructure

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Wednesday, March 09, 2005 4:10 PM
To: ActiveDir@mail.activedir.org
Subject: [Spam] [ActiveDir] FW: Delivery failure

Is everyone getting this messages?

If so, is there a way to unsubscribe this guy from the list?

Thanks,

Todd

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: None
To: Myrick, Todd (NIH/CC/DNA)
Subject: Delivery failure

Message from yahoo.com.
Unable to deliver message to the following address(es).

<[EMAIL PROTECTED]>:
Sorry your message to [EMAIL PROTECTED] cannot be delivered. This
account has been disabled or discontinued [#102].

--- Original message follows.

The original message is over 5K. Message truncated.


http://www.energystar.gov/index.cfm?c=power_mgt.pr_pm_ez_gpo

It appears they have a free utility for Power Management via GPOs.

Todd

From: Myrick, Todd (NIH/CC/DNA)
Sent: Wednesday, March 09, 2005 3:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Can I set "power options" through Group Policy?

 

By default I don't believe so.  There are some published ways to control
power on PCs using a GPO; you will have to search for them. I would
check out the EPA's website.  Also some of the third-party GPO companies
have solutions.  I know for a fact Desktop Standard has one.  You might
also check out Quest's and Full-Armor / NetIQ's offerings.  What you are
looking for is a client side extension that allows you to manage these
settings.

 

Todd Myrick

From: Jason B [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 09, 2005 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Can I set "power options" through Group Policy?

 

We have a lot of computers that have (apparently) had the power options
set to turn the computers to "standby" mode after a few hours.  This is
problematic for off-hours processes.  All these machines run WinXP Pro
SP2.
Is there a setting in a GPO that can change this to turn off
standby/hibernate modes?  If not, any other options?


-
Visit our Internet site at http://www.reuters.com

Get closer to the financial markets with Reuters Messaging - for more
information and to register, visit http://www.reuters.com/messaging

Any views expressed in this message are those of  the  individual
sender,  except  where  the sender specifically states them to be
the views of Reuters Ltd.




[ActiveDir] (Similar topic) Add Computer to Domain

2005-02-22 Thread David Cliffe



Hi all,

On 9 Feb. there was a discussion about adding computers to a domain during which Jorge mentioned the user right "Add workstations to domain" (authenticated users being granted this right by default), and Justin mentioned KB 251335.

A few questions about that right for anyone that is inclined:

- How is it enforced?  Is there an attribute or control somewhere that holds a value for the user account (or maybe the machine accounts he/she owns)?
- Am I interpreting this snippet below properly [from that KB]?  http://support.microsoft.com/kb/251335/EN-US/  Is it indicating that a given user account must be associated with (somehow) or is the owner of at least X active objects in order for it to be enforced?  That "concurrently" is throwing me off.  In other words, the limit would not apply if a user created a machine object, had it deleted, created it again, had it deleted, etc...?
    In the Edit Attribute box, type a number. This number represents the number of workstations that you want users to be able to maintain concurrently.
- I suppose this all leads to --> Can I prevent a single user from adding another workstation simply by pushing his value for this control over the threshold?

Humor me here and forget about ACLs, rights, and the obvious easier ways to accomplish this!  I appreciate it.  Thanks!

-DaveC
Reuters AITS Infrastructure
 

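A worked illustration of how the limit in the question above (and in the KB's "maintain concurrently" wording) is actually counted, added here as an example and not part of any message in the thread: the quota lives on the domain head as ms-DS-MachineAccountQuota, each computer joined under it is stamped with the joining user's SID in mS-DS-CreatorSID, and the limit is the number of existing computer objects carrying that SID, so nothing is stored on the user and a deleted object no longer counts. It assumes the RSAT ActiveDirectory module for the live query; the sample objects and SIDs are constructed placeholders.

```powershell
# Added example (not from the thread). The quota check is a count of existing
# computer objects whose mS-DS-CreatorSID equals the joining user's SID.
# Assumes the RSAT ActiveDirectory module for the live query; sample data is constructed.

function ConvertTo-SidString {
    param($Value)   # mS-DS-CreatorSID as returned by Get-ADComputer (SID object or byte[])
    if ($null -eq $Value) { return $null }
    if ($Value -is [System.Collections.ICollection] -and $Value -isnot [byte[]]) { $Value = @($Value)[0] }
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value.Value }
    if ($Value -is [byte[]]) { return (New-Object System.Security.Principal.SecurityIdentifier($Value, 0)).Value }
    return [string]$Value
}

function Get-MachineQuotaUsage {
    param(
        [Parameter(Mandatory)][object[]]$Computers,  # objects exposing Name and mS-DS-CreatorSID
        [Parameter(Mandatory)][int]$Quota            # ms-DS-MachineAccountQuota from the domain head
    )
    # Computers created by someone holding explicit Create Child rights carry no
    # mS-DS-CreatorSID and are never counted against the quota.
    $Computers |
        Where-Object { $null -ne $_.'mS-DS-CreatorSID' } |
        Group-Object -Property { ConvertTo-SidString $_.'mS-DS-CreatorSID' } |
        ForEach-Object {
            [pscustomobject]@{
                CreatorSid = $_.Name
                Computers  = $_.Count
                Quota      = $Quota
                AtLimit    = ($_.Count -ge $Quota)   # next quota-based join by this user is refused
            }
        }
}

function Get-DomainMachineQuotaUsage {
    # Live version: read the quota from the domain NC and every quota-joined computer.
    Import-Module ActiveDirectory
    $dn     = (Get-ADDomain).DistinguishedName
    $quota  = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    $joined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID'
    Get-MachineQuotaUsage -Computers $joined -Quota $quota
}

# Constructed sample (placeholder SIDs, not real directory data): one user at the
# default quota of 10, one with three joins, and one machine joined by a delegated admin.
$userA = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333-1105'
$userB = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333-1106'
$sample = @()
foreach ($i in 1..10) { $sample += [pscustomobject]@{ Name = "WS-A-$i"; 'mS-DS-CreatorSID' = $userA } }
foreach ($i in 1..3)  { $sample += [pscustomobject]@{ Name = "WS-B-$i"; 'mS-DS-CreatorSID' = $userB } }
$sample += [pscustomobject]@{ Name = 'SRV-DELEGATED'; 'mS-DS-CreatorSID' = $null }   # not counted

# userA shows Computers=10, AtLimit=True; userB shows Computers=3, AtLimit=False.
Get-MachineQuotaUsage -Computers $sample -Quota 10 | Format-Table -AutoSize
```

Run Get-DomainMachineQuotaUsage on a domain-joined host with RSAT to see which accounts are at the limit in a real directory.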




RE: [ActiveDir] Change the Computer container in a "real" OU

2005-02-22 Thread David Cliffe
 
Hi,

I think you would like to apply policy to the "Computers"
container?  As you may know, this is a container, not an OU, and cannot
be assigned policy.  However, in 2003 it is possible to redirect that
container to an OU, etc...

Please see KB 324949 for more info; that will help.  Hopefully
I haven't misunderstood your question.  Apologies if I have!

-DaveC
Reuters America

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Wilkinson
Sent: Tuesday, February 22, 2005 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Change the Computer container in a "real" OU

You can apply a new policy to the domain level or by editing the default
domain policy.  If you want the policy to only apply to computers
container, you'd have to use a WMI filter on the policy.

Paul Wilkinson
865-974-0649
2422 Dunford Hall
OIT Lab Services
University of TN, Knoxville



Francis Ouellet wrote:

>Hi folks,
> 
>I need to apply a GPO to the Computers container in our domain. We're 
>running Windows 2003 Functional level. I know this can be done as I 
>have seen it myself in the past but I don't recall the required 
>steps/magic.
> 
>Any idea?
> 
>Thanks!
>Francis Ouellet
>MS MVP
>
>  
>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/





RE: [ActiveDir] Startup Scripts?

2005-02-17 Thread David Cliffe



"user account" and "startup script"?

Try the computer account in the OU.  Startup scripts apply to computers  :-)
 
-DaveC
Reuters America


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, February 17, 2005 5:02 PM
To: ActiveDir@mail.activedir.org
Subject: [spam] [ActiveDir] Startup Scripts?


I can’t seem to get a startup script to create a local account on all domain computers.  I’ve created an OU, dragged the user account into that OU, and applied a GPO to that OU with a startup script which contains the following:
 
echo Adding local Consulting account
net user consulting temp1234 /add
 
Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - GSD
954-602-2469
 





RE: [ActiveDir] Using GPO to install an MSI package - Slightly Off Topic

2005-02-15 Thread David Cliffe



Ah..."the business".  It's a pretty wild circle, huh?

- IT doesn't want apps that aren't written properly, but...
- "the business" doesn't care and wants it anyway, so...
- IT can't put the kind of pressure they would like upon the company developing the bad apps, so...
- bad company makes their money anyway, and...
- "business" is happy, because...
- IT "made it work"

So we all three [groups] still have jobs.  Hmm...

By the way...love the "smoldering pile of crap" adjective.  Beautiful!
 
-DaveC
Reuters America


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, February 15, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using GPO to install an MSI package - Slightly Off Topic

Dave-
Hallelujah! I'm with you here. Can we start some kind of 
movement? I'm thinking a web site like dontwritestupidwindowsapps.org? Maybe 
hold some rallies outside of offending software companies' headquarters where we 
burn their shrinkwrap? I'm serious. This used to bug the holy heck out of me 
when I lived in the IT world. But of course "the business" would always say, 
"well we absolutely must have this huge smoldering pile of crap application and 
there is only one vendor in Upper East Moldoria that provides it so we don't care if it's not 'Windows compliant'." 
 
Darren "Logo or Die" Mar-Elia
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Tuesday, February 15, 2005 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using GPO to install an MSI package - Slightly Off Topic

You guys gave some great suggestions to this tough question, and made 
some good points.  For what it's worth, mine is a bit less realistic - STOP purchasing software from a company that can't get this right (regardless of excuse or reason).
 
Perhaps the same can be said of applications that use NetBIOS 
calls.  If we ever really want to get that out of the Windows world (do 
we?), then the application providers need to STOP using it.
 
If we don't buy it, they can't make it...right?  Sorry if this is a 
bit simplistic!
 
-DaveC
Reuters America
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason B
Sent: Tuesday, February 15, 2005 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Using GPO to install an MSI package

Okay, our environment is that all our clients are 
running Windows XP SP2, and our servers are Windows 2003.  The situation is 
that our Accounting department uses Quickbooks, and about 70 of our employees 
need to use an application that comes with Quickbooks called "QB Timer".  
It's free for use for our employees and it integrates with Quickbooks without 
requiring a Quickbooks install on each machine.  Now, the quandary:  
according to Intuit/Quickbooks, the program requires at least Power User 
permissions to install and run.  Neither I, nor our CIO are willing to give 
local Power User permissions for these users, as that opens things up to too 
many potential problems, but our CFO and COO are REQUIRING the use of this application, or a similar one that integrates with Quickbooks.  Now, the 
QBTimer is free, which is good, so that's the *preferred* app to use.  It 
comes as an exe with a few other files, so I used WinInstall LE 2003 on a clean 
XP SP2 machine to package it into an MSI file.  That worked well, and I can 
install it/assign it through GPO - even if the user doesn't have local Power User privs.  However, true to form with Intuit products, it won't run 
if the logged on user doesn't have local admin or PU privs.  If I grant PU 
privs to the user, it runs fine.  I feel like I am --> <-- this close 
to getting this done, but I ran out of ideas to get this to work.  I tried 
looking at the reg file that was made when I ran WinInstall and gave the users 
full rights to the specific areas in the registry to see if that did anything; 
which it didn't.
 
Does anyone else have any suggestions, or am I 
stuck with Intuit's "users must have >= Power User privs" to run that app?
 
ANY help or suggestions are GREATLY 
appreciated!
 
--Jason





RE: [ActiveDir] Using GPO to install an MSI package - Slightly Off Topic

2005-02-15 Thread David Cliffe



You guys gave some great suggestions to this tough question, and made 
some good points.  For what it's worth, mine is a bit less realistic - STOP purchasing software from a company that can't get this right (regardless of excuse or reason).
 
Perhaps the same can be said of applications that use NetBIOS 
calls.  If we ever really want to get that out of the Windows world (do 
we?), then the application providers need to STOP using it.
 
If we don't buy it, they can't make it...right?  Sorry if this is a 
bit simplistic!
 
-DaveC
Reuters America
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason B
Sent: Tuesday, February 15, 2005 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Using GPO to install an MSI package

Okay, our environment is that all our clients are 
running Windows XP SP2, and our servers are Windows 2003.  The situation is 
that our Accounting department uses Quickbooks, and about 70 of our employees 
need to use an application that comes with Quickbooks called "QB Timer".  
It's free for use for our employees and it integrates with Quickbooks without 
requiring a Quickbooks install on each machine.  Now, the quandary:  
according to Intuit/Quickbooks, the program requires at least Power User 
permissions to install and run.  Neither I, nor our CIO are willing to give 
local Power User permissions for these users, as that opens things up to too 
many potential problems, but our CFO and COO are REQUIRING the use of this application, or a similar one that integrates with Quickbooks.  Now, the 
QBTimer is free, which is good, so that's the *preferred* app to use.  It 
comes as an exe with a few other files, so I used WinInstall LE 2003 on a clean 
XP SP2 machine to package it into an MSI file.  That worked well, and I can 
install it/assign it through GPO - even if the user doesn't have local Power User privs.  However, true to form with Intuit products, it won't run 
if the logged on user doesn't have local admin or PU privs.  If I grant PU 
privs to the user, it runs fine.  I feel like I am --> <-- this close 
to getting this done, but I ran out of ideas to get this to work.  I tried 
looking at the reg file that was made when I ran WinInstall and gave the users 
full rights to the specific areas in the registry to see if that did anything; 
which it didn't.
 
Does anyone else have any suggestions, or am I 
stuck with Intuit's "users must have >= Power User privs" to run that app?
 
ANY help or suggestions are GREATLY 
appreciated!
 
--Jason





RE: [ActiveDir] Add Computer to Domain

2005-02-14 Thread David Cliffe
Just FYI -

We redirected our default "computer creation" OU.  The nice side
effect being that we can now apply policy to that OU (as opposed to the
built-in container, where you cannot).

Thanks...

-DaveC
Reuters America

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, February 14, 2005 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

That is also a possibility, however I have multiple domains and
workstations exist in different OU's.  If I was to go through the
process of creating an OU and delegating authority, why not just remove
authenticated users, add in the group I want into the DDC GPO and then
modify the quota so they create accounts in the computer container.
Either way the computer accounts still have to be moved.

Thanks for your help.

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Monday, February 14, 2005 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

 
Yep, that's one way to do it. I myself would prefer to remove
Authenticated Users from the DDC GPO, create a group and assign that
group permissions on the OU where the accounts should remain and
additionally (if needed) redirect computer account creation to that one
OU (as mentioned in
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/deployguide/en-us/dssbf_upwn_pyog.asp)

Cheers
jorge
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, 14 February 2005 15:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

I could follow method three couldn't I?  I could remove Authenticated
Users and add in my Helpdesk Staff Security Group into the DDC GPO
Policy and then modify this default setting to enable them to add many
computers to the domain.  

Someone please check my logic here.  Thanks

http://support.microsoft.com/kb/251335/EN-US/


Method 3: Override the Default Limit of the Number of Computers an
Authenticated User Can Join to a Domain

You can override the default limit, using either of the following
methods:
* Use the Ldp (Ldp.exe) tool included in the Microsoft Windows 2000 Resource Kit.
* Use an Active Directory Services Interface (ADSI) script to increase
or decrease the value of the Active Directory ms-DS-MachineAccountQuota
attribute.

To do this:
1. Install the Windows 2000 Support tools if they have not already been
installed. To install these tools, run Setup.exe from the Support\Tools
folder on the Windows 2000 Server or the Windows 2000 Professional CD-ROM.
2. Run Adsiedit.msc as an administrator of the domain.
3. Expand the Domain NC node. This node contains an object that begins
with "DC=" and reflects the correct domain name. Right-click this
object, and then click Properties.
4. In the Select which properties to view box, click Both.
5. In the Select a property to view box, click ms-DS-MachineAccountQuota.
6. In the Edit Attribute box, type a number. This number represents the
number of workstations that you want users to be able to maintain
concurrently.
7. Click Set, and then click OK.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Sunday, February 13, 2005 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

To delegate the permissions -> yes

I would, however, consider removing authenticated users from the
privilege "add workstations to domain" in the DDC GPO

Greetz
Jorge 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Friday, February 11, 2005 16:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

So I would have to use the delegation wizard at the OU level to add
workstations to the domain and ignore the user rights assignments at the
DC Level?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Thursday, February 10, 2005 3:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain


Justin,

The "Add workstations to domain" user right (configured at DC level) by
default assigns each authenticated user the right to add 10 computers
(default configured quota for this) to the domain. Those computers will
be placed in the COMPUTERS CONTAINER and the default owner is "Domain
Admins".
However users can be granted an unlimited number of computers they can
add to the domain if the permission