RE: [ActiveDir] Who Am I request
ADAM (starting from ADAM 1.0) and AD (starting from Longhorn) support the WhoAmI extended operation per RFC. In addition, they support the rootDSE/tokenGroups attribute, which is exactly what you need to check self group membership. If you have pre-LH AD, then what you can do is read tokenGroups off the user object (which you can find using the %USERDOMAIN% and %USERNAME% vars if you have an interactive session, or by looking up the user SID from the token).

Note the tokenGroups value can vary slightly depending on which DC you connect to. If you want deterministic results, read tokenGroupsGlobalAndUniversal (which excludes domain local groups).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexandr Kara
Sent: Monday, January 22, 2007 6:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who Am I request

Hello everybody,

I am trying to get the CN of a user currently connected to Active Directory (using a 3rd party library). I tried the "Who am I?" extended operation from RFC 4532, but I got an error 120 or 0x78 (I don't know if it is useful). Do you know of another method to get the CN? I need it to find out if the user is part of a group.

Thanks a lot,
Alexandr

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
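The pre-Longhorn approach Dmitri describes (read tokenGroups, or tokenGroupsGlobalAndUniversal for DC-independent results, off your own user object and compare SIDs), as an added PowerShell example that is not part of the original thread. It uses System.DirectoryServices, takes the caller's SID from the logon token rather than from %USERNAME%, and the group name CONTOSO\AppAdmins is an assumption.

```powershell
# Added example, not from the original thread. Checks the caller's own group
# membership via tokenGroupsGlobalAndUniversal on the user object, which is
# DC-independent (plain tokenGroups also includes domain local groups and
# can differ per DC). The group name is a hypothetical placeholder.
param(
    [string]$GroupToCheck = 'CONTOSO\AppAdmins'   # assumption: replace with a real group
)

# 1. Own SID straight from the logon token, so this also works in a
#    service context where %USERNAME% is not meaningful.
$mySid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# 2. Bind to the user object by SID; any DC can resolve the <SID=...> form.
$user = [ADSI]"LDAP://<SID=$mySid>"

# 3. tokenGroups* are constructed attributes: the server does not return
#    them unless asked by name, so pull them into the property cache.
#    psbase exposes the underlying DirectoryEntry members on every PS version.
$attr = 'tokenGroupsGlobalAndUniversal'
$user.psbase.RefreshCache(@($attr))

# 4. Each value is a binary SID. Keep SIDs for comparison, names for display.
$groupSids = @()
foreach ($bytes in $user.psbase.Properties[$attr]) {
    $groupSids += New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $bytes, 0
}
$groupNames = foreach ($sid in $groupSids) {
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # orphaned SID (deleted group, foreign domain): show raw
}

# 5. Compare SIDs, not names: names change on rename and are ambiguous across domains.
$target    = New-Object System.Security.Principal.NTAccount -ArgumentList $GroupToCheck
$targetSid = $target.Translate([System.Security.Principal.SecurityIdentifier]).Value
$isMember  = ($groupSids | ForEach-Object { $_.Value }) -contains $targetSid

"Bound as     : $($user.distinguishedName)"
"Member of $GroupToCheck : $isMember"
"Token groups :"
$groupNames | Sort-Object
```

Switch `$attr` to `tokenGroups` if you also need domain local groups, but then expect the answer to depend on which DC served the bind, as Dmitri notes.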
RE: [ActiveDir] AD Schema - adding an attribute
Third, consider privacy. All data in AD is readable by default (unless you mark the attribute as confidential). Would you want everybody to know everybody else's age?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, January 09, 2007 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema - adding an attribute

Well, first off - birthDate already exists - can you take advantage of it?

Second, you need to register a prefix and OID tree with Microsoft on MSDN. This is how you will get a starting point for OIDs. You'll also get a prefix so it would be ewu-birthMonth or something. Don't use oidgen.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, January 09, 2007 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Schema - adding an attribute

How do I add an attribute to AD? I'd like to add birthMonth, birthDay, birthYear to my Active Directory Schema for extra data to store for my users. Looking in MMC - Schema, I see I can add an attribute, but it wants an Object ID (OID). I know there's an oidgen program somewhere (haven't found it yet), but is that the best way to do it?

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
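The "mark the attribute as confidential" step Dmitri mentions, as an added PowerShell example that is not part of the original thread. Confidentiality is bit 0x80 of searchFlags on the attributeSchema object; the script binds to the schema master, refuses to touch category 1 (base schema) attributes, which the DS does not allow to be made confidential, and then sets the bit. The attribute name ewu-birthMonth is an assumption following Brian's prefix advice.

```powershell
# Added example, not from the original thread. Sets the confidential bit
# (0x80) in searchFlags on a custom attributeSchema object so that only
# principals holding CONTROL_ACCESS on it can read the value.
# Run as a Schema Admin. The attribute name is a hypothetical placeholder.
$attrName = 'ewu-birthMonth'   # assumption: an attribute you have already created

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = $rootDse.schemaNamingContext.Value

# Schema writes are only accepted on the schema master. fsmoRoleOwner on the
# schema NC head is the DN of the holder's NTDS Settings object; its parent
# is the server object carrying dNSHostName.
$ntdsDn       = ([ADSI]"LDAP://$schemaNc").fsmoRoleOwner.Value
$schemaMaster = ([ADSI]"LDAP://$ntdsDn").psbase.Parent.dNSHostName.Value

$attr = [ADSI]"LDAP://$schemaMaster/CN=$attrName,$schemaNc"
try   { $attr.psbase.RefreshCache() }
catch { throw "Attribute $attrName not found under $schemaNc on $schemaMaster" }

$FLAG_SCHEMA_BASE_OBJECT = 0x10   # systemFlags: category 1 (base schema) object
$ATT_CONFIDENTIAL        = 0x80   # searchFlags: confidential

$sysFlags    = [int]$attr.systemFlags.Value
$searchFlags = [int]$attr.searchFlags.Value

# The DS rejects the confidential bit on category 1 attributes, which is why
# it cannot be used to hide most of the interesting built-in attributes.
if ($sysFlags -band $FLAG_SCHEMA_BASE_OBJECT) {
    throw "$attrName is a base-schema (category 1) attribute; the confidential bit is not allowed on it."
}

if ($searchFlags -band $ATT_CONFIDENTIAL) {
    "$attrName is already confidential (searchFlags=$searchFlags)"
} else {
    $newFlags = $searchFlags -bor $ATT_CONFIDENTIAL
    $attr.Put('searchFlags', $newFlags)
    $attr.SetInfo()
    "$attrName marked confidential on $schemaMaster (searchFlags $searchFlags -> $newFlags)"
}
```

After this, only principals with CONTROL_ACCESS on the attribute (plus those with full control) can read it; grant that right explicitly to the readers who need it. The change is visible once the DCs reload their schema cache.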
RE: [ActiveDir] OT: Vista Stuck on Completing Upgrade
Something installed on your XP machine is confusing setup/upgrade. Get a hold of the logs; you can do this after reboot, or perhaps even during setup (IIRC Shift-F10 still works). Look for setupact.log and perhaps something called migration log. There are a couple of folders setup creates in the root of the system drive -- they will likely be there. If you cannot find them, try searching the files with the latest timestamps. Look at the logs -- there might be clues there. If nothing helps, call PSS and open a case. I am not sure they are up to speed in Vista yet, but I guess they have to find somebody to resolve your issue anyway...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 30, 2006 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Vista Stuck on Completing Upgrade

Anyone?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, November 29, 2006 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Vista Stuck on Completing Upgrade

I know it's not AD related but has anyone had any issues upgrading XP to Vista RTM and got stuck on 'Completing Upgrade (64%)...'? I've removed all AV burning related software; it has been stuck at this position for over 12 hours now. When I force reboot, it rolls back to Windows XP. Any ideas?

btw: is there another mailing list for these types of questions?

-Devon

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] ADAM silent install
Since the current user is not an ADAM admin, he is not able to import LDIF files (since ldifde is launched in the current user's context). To get around the problem, you must specify the SourceUsername and SourcePassword parameters in the unattend file. Another option is to import the LDIFs manually or from a script, after ADAM install completes.

Dmitri

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, November 23, 2006 1:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM silent install

Hi

I am trying to install ADAM unattended to be used for publishing Oracle DBs. I would like to grant administrators from the local computer as ADAM administrator and I would like to import some of the accompanying LDF files.

; Specifies the Administrators within the AD\AM instance.
Administrator=MYCOMPUTER\Administrators
; The following line specifies the .ldf files to import into the ADAM schema.
ImportLDIFFiles=MS-InetOrgPerson.ldf MS-User.ldf

However the install fails when I specify both options. The error message is that the user has to be an administrator to import .ldf files. But the user installing the ADAM instance is already a member of Administrators. My current workaround is to comment out the ImportLDIFFiles statement and import them after the instance has been created. Just wondered if this was a known problem.

/kkh

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
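The post-install import that kkh uses as a workaround and Dmitri lists as the second option, as an added PowerShell example that is not part of the original thread. It must run in a context that is an administrator of the instance. The Microsoft LDF files name the schema as CN=Schema,CN=Configuration,DC=X, which ldifde's -c switch rewrites to the instance's real schema naming context via the #schemaNamingContext token. The instance port and the LDF folder are assumptions.

```powershell
# Added example, not from the original thread. Imports the ADAM-supplied
# LDF files into a running instance, in a context that IS an instance admin.
# Port and LDF location are assumptions; MS-User.ldf goes first because
# inetOrgPerson derives from user.
$instance = 'localhost:50000'               # assumption: your ADAM LDAP port
$ldfDir   = Join-Path $env:windir 'ADAM'    # assumption: default ADAM install folder
$files    = 'MS-User.ldf', 'MS-InetOrgPerson.ldf'
$logDir   = $env:TEMP

# Sanity check that the port answers and show where the schema will land.
$schemaNc = ([ADSI]"LDAP://$instance/RootDSE").schemaNamingContext.Value
"Importing into $schemaNc on $instance"

foreach ($f in $files) {
    $path = Join-Path $ldfDir $f
    if (-not (Test-Path $path)) { throw "LDF not found: $path" }

    # -i import; -k keep going on 'already exists' / constraint errors (rerun-safe);
    # -j log directory; -c FromDN ToDN rewrites the placeholder schema DN in the
    #    file to this instance's schemaNamingContext.
    & ldifde.exe -i -f $path -s $instance -k -j $logDir `
        -c 'CN=Schema,CN=Configuration,DC=X' '#schemaNamingContext'
    if ($LASTEXITCODE -ne 0) {
        throw "ldifde failed on $f (exit $LASTEXITCODE); see $logDir\ldif.log and ldif.err"
    }
    "Imported $f"
}
```

Because ldifde runs as the caller, the account running this script must already be in the instance's Administrators role; that is the same constraint the unattended install trips over, just moved to a point where you control the context.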
RE: [ActiveDir] ADAM-ADSIEDIT and adam-user-based administration.. (ADAM SP1)
Until Longhorn, ADAM-ADSIEdit will not support simple binds, sorry. LDP is your only option.

Second -- you cannot protect *anything* on a joined machine from an AD admin. If you don't trust them, leave the domain. That's the only way. For example, a builtin admin on the machine can bind to the ADAM instance, take ownership of an object and update its security descriptor to grant herself any rights she needs. Even if we were to lock ADAM down, she would still be able to debug the ADAM service, and still do anything she wants.

Dmitri

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of F. Javier Jarava
Sent: Tuesday, October 24, 2006 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM-ADSIEDIT and adam-user-based administration.. (ADAM SP1)

Hi all!!

I'm (trying to) get up to speed with AD/AM, but I seem to be hitting some glitch. So, please, if I'm doing something stupid, please do tell me:

As of ADAM SP1, it's possible to create ADAM users in the config. partition, thus making it possible for an ADAM user to be the administrator of a replica set. In this way, it'd be possible to maintain some role separation between the users of the Domain and ADAM roles/users. (I'm interested in using ADAM to store security-related data, so I'd love to be able to have a security admin that is not an AD admin, but I digress)...

The thing is, I manage to add an ADAM user as per the instructions in the ADAM docs, and I can bind using LDP and simple security. The problem is that I haven't been able to do the same with ADAM-ADSIEDIT...

Does anybody know how you can set advanced connection options or, barring that, what you have to do to get ADAM-ADSIEDIT to use an ADAM user to log on? Of course, I know that it ought to be possible to do all admin. tasks from LDP, but it's a bit... not too user friendly ;)

Thanks a lot in advance.

Best Regards
Javier Jarava

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] AD/AM replica instances and ADAM user-based admin..
You can only promote a replica using windows creds. There's no point in trying to lock ADAM out of windows users. See my other post.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of F. Javier Jarava
Sent: Tuesday, October 24, 2006 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD/AM replica instances and ADAM user-based admin..

Hi all!

On my attempt to get familiar with ADAM, I am running into something that (might) become a bit of a showstopper for what I'm trying to do:

I have an ADAM SP1 instance with one app. partition. I have created a user in the config. partition (CN=adamadmin,CN=Roles,CN=Configuration,CN={GUID}), with a password and userPrincipalName=adamadmin (yes, not stretching my mind here ;). The user is a member of the Administrators group of the config. partition.

To implement role splitting between AD users and ADAM users, the Windows account that was part of the Administrators group has been removed (I haven't deleted the link in CN=ForeignSecurityPrincipals,CN=Configuration, only removed the account from the Administrators group). In this way, I can log on using ldp and other apps, and things seem to work fine.

The problem arises when I try to set up a new ADAM replica instance. The new instance wizard in one of the steps asks for the credentials of a user that is administrator of the original instance. I've tried providing the adamadmin credentials, but it complains that I have to qualify the user account with a computer account name. I have created a second adam administrator (CN=adadmsyncuser,CN=Roles...) user whose userPrincipalName is of the form [EMAIL PROTECTED], but to no avail..

So my question is: Is it *necessary* for a Windows user account to be an Administrator in ADAM to be able to replicate the instances?

Thanks a lot.

Best regards,
Javier Jarava
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] OT: A short and sweet KB
Do you mind writing a KB with the following content: "Whatever you are trying to do is not supported." It would be a great KB to refer folks to. I really need it quite often. I would memorize the KB number. Hell, I would include it in my signature.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 10, 2006 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: A short and sweet KB

LOL that is great... I have thought about using my MVP Super Powers to write small KBs like that in the past so I could point at it for people to read when I said something simple that isn't specifically documented but they wanted to see documents on Microsoft's site stating what I said... In the end I didn't do it because, well, it just doesn't seem right. ;)

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, October 10, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: A short and sweet KB

It's tough to decide what to do with so much information. The symptoms or introduction section really does overload one's information bucket. :)

On 10/9/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Do not run a service by using a service account that belongs to a different domain:
http://support.microsoft.com/?kbid=925099

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Using an LDIF to set ACLs
Yeah, Joe's correct, dsacls or scripting is your best bet. SDDL+encoding is also possible, but it would replace the whole SD value, which is rarely what you really want. Usually you just need to add or remove an ACE, right? This would require reading the old value, which is not possible with LDIF.

At some point, I looked at trying to expose the SD value as a multi-valued string attribute, each value representing an individual ACE (e.g. in SDDL). This is approximately what iPlanet and OpenLDAP do. Unfortunately, it never went further than that. Would have been pretty cool, and very much LDIFable. Alas...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using an LDIF to set ACLs

I think you could but it would be non-trivial. I agree with Al, use a different tool. dsacls or scripting is the standard.

Theoretically, and Dmitri or Eric can correct me if I am off, you could create your Security Descriptor in SDDL format, convert that to the binary form, then mime encode it, then try to apply that string for the ntSecurityDescriptor attribute. You will likely have to do it as an Administrator or else you will get an error since non-admins have to set special controls to update the security descriptor and I don't think LDIFDE will do it.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, October 06, 2006 4:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Using an LDIF to set ACLs

There's no provision in the ldif standard that I'm aware of that would allow this. LDIFDE might have something with it, but I haven't seen it. You'd be better off using a different tool in my opinion.

Al

On 10/6/06, Isenhour, Joseph [EMAIL PROTECTED] wrote:

Does anyone know if it's possible to set Directory ACLs using an LDIF? I'm trying to enforce a process for setting ACLs that is similar to the process we have for making Schema extensions.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
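The SD-to-binary-to-base64 pipeline joe sketches, as an added PowerShell example that is not part of the original thread. Because an LDIF "replace" of ntSecurityDescriptor overwrites the whole descriptor (Dmitri's caveat), the script fetches the current SD first, adds one ACE to it in memory, and only then encodes it; an SD written from scratch in SDDL would silently drop every existing ACE. The object DN, trustee and rights are assumptions.

```powershell
# Added example, not from the original thread. Generates an LDIF change
# record that replaces ntSecurityDescriptor with the current SD plus one
# new ACE. Object DN, trustee and rights are hypothetical placeholders.
$objectDn = 'OU=Apps,DC=corp,DC=example'   # hypothetical
$trustee  = 'CORP\AppOperators'             # hypothetical
$ldifPath = '.\apps-ou-acl.ldf'

# 1. Current SD (needs READ_CONTROL on the object). LDIF itself cannot do
#    this read, which is why the read has to happen outside the LDIF.
$de = [ADSI]"LDAP://$objectDn"
$sd = $de.psbase.ObjectSecurity        # System.DirectoryServices.ActiveDirectorySecurity

# 2. Add one ACE: allow the trustee to read and write properties of this object.
$sid = (New-Object System.Security.Principal.NTAccount -ArgumentList $trustee).Translate(
           [System.Security.Principal.SecurityIdentifier])
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, $allow
$sd.AddAccessRule($ace)

# 3. SDDL for the change reviewer; binary + base64 for the LDIF value.
$sddl = $sd.GetSecurityDescriptorSddlForm('All')
$b64  = [Convert]::ToBase64String($sd.GetSecurityDescriptorBinaryForm())

# 4. Fold the base64 at 76 columns (RFC 2849: continuation lines start with one space).
$chunks = for ($i = 0; $i -lt $b64.Length; $i += 76) {
    $b64.Substring($i, [Math]::Min(76, $b64.Length - $i))
}
$value = $chunks -join "`r`n "

# 5. ldifde cannot send the SD-flags LDAP control, so the server treats this as
#    a replace of owner, group, DACL and SACL together; per joe, run the import
#    as an account allowed to write all four parts (an administrator).
$ldif = @"
dn: $objectDn
changetype: modify
replace: ntSecurityDescriptor
ntSecurityDescriptor:: $value
-
"@
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII

"SDDL to review:`n$sddl"
"Wrote $ldifPath; apply with: ldifde -i -f $ldifPath -s <dc>"
```

The SDDL dump is the artifact to put through the same review process as a schema extension; the base64 blob is opaque, so reviewing it directly tells you nothing. Re-generate the LDIF immediately before applying it, since any ACL change made in between would be overwritten.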
RE: [ActiveDir] ADAM on XP Pro
ADAM on XP is no different from ADAM on w2k3 security-wise. The big differences are that it is throttled somewhat perf-wise, and also there's no auditing. I do not see any serious security problems with this approach. Unless you are thinking that somebody steals the laptop, cracks the DIT open and brute-forces the pwd hashes? Store the DIT on an EFS volume then. In any case, these are ADAM users, not windows...

The only problem will be replication -- instances will complain that they are unable to replicate when in offline mode. Perhaps this can be resolved by creating a separate site for every instance and setting up manual links to the hub instance. Hmm. Not sure. I guess it depends on how long they'll stay offline. KCC is not really optimized to work well in such scenarios.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, October 04, 2006 7:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ADAM on XP Pro

I've been talking to a vendor about an application they are developing. It involves running ADAM instances on XP Pro machines (laptops) that replicate with a centralised ADAM instance running on W2K3. I don't have further details at this stage, but I believe they are planning to use the local ADAM instance to authenticate laptop users to an application when they are off-line.

In addition to security concerns with this approach, I'm not really comfortable with the idea of ADAM instances on laptops being part of a configuration set. I had always understood ADAM on XP to be used for a personal data store (http://technet2.microsoft.com/WindowsServer/en/library/29fb059e-544c-4577-bf7c-ba4b08df48431033.mspx?mfr=true).

Any thoughts on this?

Tony

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] ADAM with Domain
Something else that you can do to connect the two is to set up (perhaps mutual) external crossrefs. Then, they would appear as a contiguous LDAP space, and will issue referrals to each other as needed.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Friday, September 29, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADAM with Domain

ADAM integrates with the domain in a few ways. When an ADAM server is a domain member, then ADAM can be used to authenticate domain users via LDAP authentication (using secure bind or simple bind with bind proxies). ADAM will also get its password policy from the machine password policy applied by the DC if it is a domain member.

The other important consideration with ADAM as a domain member (in my view) is that if you will have replicating ADAM instances, it is a bit ugly to get the RPC security working for replication if you aren't using domain member servers. You end up having to do a hackish thing of having shadowed accounts with the same name and password on each machine to get it to work, and that is a management hassle.

The actual ADAM LDAP directory doesn't have anything to do with the AD LDAP directory. The only way to get AD objects into ADAM (or vice versa) is with some sort of a sync process. They do not replicate or share any directory data.

You can definitely use the full range of X500 naming styles with ADAM instead of just the DNS-based root naming convention that AD requires (DC=domain,DC=com and such), so you can likely accomplish your goal.

HTH,
Joe K.

----- Original Message -----
From: Matt Brown [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, September 29, 2006 11:25 AM
Subject: [ActiveDir] ADAM with Domain

How does ADAM integrate with a domain? Will they be completely separate directories or can they somehow be joined together? I'm wanting to use an X.500 name for the ADAM instance.

Thanks in advance for the help provided,
--
Matt Brown
IT System Specialist
Eastern Washington University

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] [OT] mSDS-Approx-Immed-Subordinates - How does it work?
Brett, correct me please. Apparently, the estimate is performed by looking at the couple of top levels of the B-tree representing one of the indexes that span all records. I've been told by Jet guys that these estimates are correct within two orders of magnitude. On the bright side, they are very fast.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 21, 2006 5:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] mSDS-Approx-Immed-Subordinates - How does it work?

It would be better if the likes of Eric or Brett responded to the details here, I will simply give my experiences. As the attribute says and as I mentioned in the previous post it is an approximate, mostly to give you scale info. The raw number will be off generally more and more (in a one by one counting scheme) as the numbers get bigger but rough scale should be close. Liken it to the hit count you get when using a search engine like google or MSN or something; it will say you have 50,000 pages that match and when you view the 500th one it says there are no more. So it is more accurate than that at least. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, September 21, 2006 6:51 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] mSDS-Approx-Immed-Subordinates - How does it work?

Joe,

How is the DS calculating these values? The reason I ask is I've always found it to be way off. For example, take a look at the following output against one of my ADAM instances:

D:\dev\dotnet\vb\ds>adfind -h .:5 -b ou=people,dc=test-lab,dc=com -s one -f |(objectcategory=organizationalunit)(objectcategory=container) msDS-Approx-Immed-Subordinates

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: adlds01.test-lab.com:5
Directory: Active Directory Application Mode

dn:OU=Test-Batch-01,OU=People,DC=test-lab,DC=com
msDS-Approx-Immed-Subordinates: 2742

dn:OU=Test-Batch-02,OU=People,DC=test-lab,DC=com
msDS-Approx-Immed-Subordinates: 37507

dn:OU=Test-Batch-03,OU=People,DC=test-lab,DC=com
msDS-Approx-Immed-Subordinates: 52809

3 Objects returned

D:\dev\dotnet\vb\ds>adfind -h .:5 -b ou=test-batch-02,ou=people,dc=test-lab,dc=com -s one -c

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: adlds01.test-lab.com:5
Directory: Active Directory Application Mode

5 Objects returned

D:\dev\dotnet\vb\ds>adfind -h .:5 -b ou=test-batch-03,ou=people,dc=test-lab,dc=com -s one -c

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: adlds01.test-lab.com:5
Directory: Active Directory Application Mode

75000 Objects returned

Thanks,
--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 September 2006 16:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ad Reporting Tools

-enabled is definitely on the list to be added to oldcmp. I will have to think about the summary switch... So you just want counts... I have something in my script repository that is probably pretty close to what you want... I used it for some testing once. It is perl, but you are welcome to convert it to what you need or modify as you see fit...

#
#*****************************************************************************
#* ObjSum.PL                                                                 *
#*===========================================================================*
#* Author : [EMAIL PROTECTED] (Joe Richards)                                 *
#* Version: V01.00.00                                                        *
#* Modification History:                                                     *
#*   V01.00.00 2004.01.15 joe Original Version                               *
#*---------------------------------------------------------------------------*
#* This script counts objects matching a filter + approx children of each    *
#* container/OU                                                              *
#*---------------------------------------------------------------------------*
#* Notes:                                                                    *
#* This script will output the container DN, container name, an approximate *
#* guess at the number of child objects in the container and then an exact  *
#* count of the objects in the container for the filter specified. If a base *
#* is not selected, the default NC of the default DC will be used. If a      *
#* filter is not specified, the filter objectclass=* will be utilized.       *
#*---------------------------------------------------------------------------*
#
#
#
#* Packages:                                                                 *
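Paul's comparison of the estimate against an exact count, as an added PowerShell example; it is neither joe's ObjSum.PL (whose body is not on this page) nor part of the original thread. For every OU or container directly under a base it asks the server for msDS-Approx-Immed-Subordinates and then counts the children with a paged one-level search, so containers larger than the server's page size are not truncated. Server, port and base DN are assumptions; the base DN is the one from Paul's post.

```powershell
# Added example, not from the original thread. Reports the server's
# msDS-Approx-Immed-Subordinates estimate next to an exact one-level count
# for each container under a base. Works against AD or ADAM/AD LDS.
param(
    [string]$Server = 'localhost:389',                   # assumption
    [string]$BaseDn = 'OU=People,DC=test-lab,DC=com'     # Paul's base; adjust
)

function Get-ChildEstimate {
    param([string]$Server, [string]$BaseDn)

    $base = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDn")
    $s = New-Object System.DirectoryServices.DirectorySearcher($base)
    $s.Filter      = '(|(objectCategory=organizationalUnit)(objectCategory=container))'
    $s.SearchScope = 'OneLevel'
    $s.PageSize    = 1000
    [void]$s.PropertiesToLoad.Add('distinguishedName')
    # Constructed attribute: the server only computes it when asked for by name.
    [void]$s.PropertiesToLoad.Add('msDS-Approx-Immed-Subordinates')

    foreach ($r in $s.FindAll()) {
        $dn     = [string]$r.Properties['distinguishedname'][0]
        $approx = [int]$r.Properties['msds-approx-immed-subordinates'][0]

        # Exact count: one-level, paged, so the result is not silently cut at
        # MaxPageSize (1000 by default). Load one small attribute, not whole objects.
        $childEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$dn")
        $child = New-Object System.DirectoryServices.DirectorySearcher($childEntry)
        $child.Filter      = '(objectClass=*)'
        $child.SearchScope = 'OneLevel'
        $child.PageSize    = 1000
        [void]$child.PropertiesToLoad.Add('objectGUID')
        $exact = $child.FindAll().Count

        $ratio = if ($exact -gt 0) { [math]::Round($approx / $exact, 2) } else { $null }
        New-Object PSObject -Property @{
            DN = $dn; Approx = $approx; Exact = $exact; ApproxOverExact = $ratio
        }
    }
}

Get-ChildEstimate -Server $Server -BaseDn $BaseDn |
    Format-Table DN, Approx, Exact, ApproxOverExact -AutoSize
```

The ApproxOverExact column makes the point of the thread visible: the estimate is cheap and gives you the scale, while the exact count is a full one-level enumeration that costs the server (and the network) a page round trip per thousand objects.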
RE: [ActiveDir] memberOf and member link breaking
Such links are removed by the phantom cleanup task, which is run by the infrastructure master in the domain where your group lives. Make sure the IM is placed on a non-GC machine (it can't run otherwise). The IM is set up to do a cleanup run once every 12 hours, iirc. You can trigger it manually via a rootDSE mod (checkPhantoms=1) on the IM holder.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
Sent: Friday, August 11, 2006 6:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] memberOf and member link breaking

I have seen this a few times now (Windows 2003 SP1) where someone will remove a user from a distribution group and it will update the memberOf attribute of the user, but not the member attribute of the group. The user object is in a different domain than the group, if that matters. It does not appear to be replication related as things are replicating just fine in my testing. Has anyone seen this before or have any suggestions on what it might be? When looking at the group's membership list in ADUC, the icon of the unlinked user object that is listed on the members tab is actually kind of grayed out. I'm sure I could just manually delete it, but I'd like to find out what is causing this and fix it.

Any suggestions would be awesome.

Best regards,
Steven
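The two checks Dmitri's answer implies, as an added PowerShell example that is not part of the original thread: find the infrastructure master of the group's domain, verify it is not a global catalog (the condition for phantom cleanup to run at all), and then request an immediate cleanup pass through the rootDSE checkPhantoms operational attribute instead of waiting for the periodic run. The domain DN is an assumption.

```powershell
# Added example, not from the original thread. Locates the IM, checks the
# GC flag on its NTDS Settings object, and triggers phantom cleanup.
# Domain DN is a hypothetical placeholder.
$domainDn = 'DC=corp,DC=example'   # hypothetical

# 1. fsmoRoleOwner on CN=Infrastructure is the DN of the holder's NTDS
#    Settings object; the server object above it carries dNSHostName.
$infra  = [ADSI]"LDAP://CN=Infrastructure,$domainDn"
$ntdsDn = $infra.fsmoRoleOwner.Value
$ntds   = [ADSI]"LDAP://$ntdsDn"
$imHost = $ntds.psbase.Parent.dNSHostName.Value

# 2. NTDS Settings 'options' bit 0 (0x1) means this DC is a GC.
$isGc = (([int]$ntds.options.Value) -band 1) -ne 0
"Infrastructure master: $imHost   GC: $isGc"

# 3. If every DC in the forest is a GC the IM has nothing to fix and its
#    placement does not matter, so count DCs vs GCs before warning.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
$sitesEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Sites,$configNc")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($sitesEntry)
$searcher.Filter = '(objectClass=nTDSDSA)'
[void]$searcher.PropertiesToLoad.Add('options')
$allDsa  = $searcher.FindAll()
$gcCount = @($allDsa | Where-Object {
    $o = $_.Properties['options']
    $o.Count -gt 0 -and ((([int]$o[0]) -band 1) -ne 0)
}).Count
"DCs in forest: $($allDsa.Count)   GCs: $gcCount"

if ($isGc -and $gcCount -lt $allDsa.Count) {
    Write-Warning ("IM $imHost is a GC while other DCs are not: phantom cleanup " +
                   "will not run. Move the IM role or clear the GC flag first.")
}

# 4. Ask the IM for a cleanup pass now. Writing rootDSE operational
#    attributes needs an account permitted to do so (domain admin).
$root = [ADSI]"LDAP://$imHost/RootDSE"
$root.Put('checkPhantoms', 1)
$root.SetInfo()
"checkPhantoms requested on $imHost"
```

After the pass, re-read the group's member attribute on the IM; stale cross-domain values should be gone once the cleanup has replicated out. If they persist, the usual cause is the IM holder still being a GC in a forest where other DCs are not.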
RE: [ActiveDir] Read-Only Domain Controller and Server Core
The set of passwords that *can* be sent down to the RODC is controlled by password replication policy. The passwords are sent down by the RODC's request, but the hub also checks whether the user (whose pwd is being requested) actually attempted to authenticate at the RODC (the hub can induce this info from the traffic it sees). The pwd hash is sent down only if both are satisfied: pwd policy allows it and the user actually attempted to logon there. Pwd policy is empty by default, i.e. nobody is in the allowed-to-reveal list. It is the admin's responsibility to populate this list. We might have some UI that helps with this process.

Once the hash is sent down, there's no way to remove it from the RODC, basically because we do not trust that the RODC will remove it, even if instructed to do so. Therefore, the only way to expire the hash is to change the password. We store the list of passwords that were sent down to the RODC in an attribute on the RODC computer object (the hub DC updates the list when it sends a pwd). So, if the RODC is stolen, you can enumerate whose passwords were down there, and make these users reset their passwords. There's a constructed attribute that returns only the users whose *current* passwords appear to be on the RODC.

WRT what data is sent down currently, we send everything, sans a handful of secret attributes, which are controlled by pwd replication policy. There's a DCR to be able to configure the list of attributes that can go down to the RODC (aka RODC PAS), but it is not yet clear if we will get it done or not. Note that the client data access story on the RODC becomes quite convoluted because you don't know if you are seeing the whole object or only a subset of it. We do not normally issue referrals due to partial reads.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 28, 2006 8:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

RODC stores password hashes only for a pre-defined list of users and they are not stored on a permanent basis. [I'm unclear how the latter is achieved.] The goal is such that if the RODC were removed from the office then no password secrets could be extracted from that machine.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 28 July 2006 16:08
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Read-Only Domain Controller and Server Core

The part that makes me wonder about the story is if it stores no secrets is the server doing anything for me? Is there a point to deploying the server in a remote office other than just being able to point to it in the closet and say, "see, I do earn my paycheck!"

I'm sure there's more, but I don't yet know which parts are public information and which are NDA. Can you tell I'm concerned about the story being created? I like stories; don't get me wrong. But I'm concerned that the story being spun up might be missing the mark and lead a few people astray.

Safe to note that there are some features that differentiate the RODC from a NT4 BDC and that make it appealing in some cases. But if it actually does not store anything locally, ever, then I'm not sure it's worth the time to deploy one now, is it?

Al

On 7/27/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

FYI: http://blogs.msdn.com/jolson/archive/2006/07/27/679801.aspx
Read-Only Domain Controller and Server Core

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
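The "RODC was stolen" drill Dmitri outlines (enumerate whose secrets were revealed to that RODC, then force new passwords, because a cached hash cannot be recalled from the box), as an added PowerShell example that is not part of the original thread. It is written with the ActiveDirectory module that shipped with Windows Server releases later than the Longhorn betas discussed here, which is assumed to be available; the RODC name is an assumption, and the script is a dry run unless $apply is set.

```powershell
# Added example, not from the original thread. Lists accounts whose secrets
# were revealed to an RODC and resets their passwords. Requires the
# ActiveDirectory module (assumed). RODC name is a hypothetical placeholder.
Import-Module ActiveDirectory

$rodc  = 'BRANCH-RODC1'   # hypothetical RODC
$apply = $false           # dry run by default; set $true to actually reset

function New-ThrowawayPassword {
    # 18 random bytes -> 24-character base64 string; the user must change it at next logon.
    $bytes = New-Object byte[] 18
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# Accounts whose secrets are on the RODC: this is the list the hub records on
# the RODC's computer object each time it hands a password down.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)

# Accounts that authenticated through the RODC. Comparing this with the
# revealed list shows who was cached versus who merely logged on there.
$authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)

"Revealed: $($revealed.Count)   Authenticated via RODC: $($authenticated.Count)"

$users     = $revealed | Where-Object { $_.ObjectClass -eq 'user' }
$computers = $revealed | Where-Object { $_.ObjectClass -eq 'computer' }

foreach ($u in $users) {
    if ($apply) {
        # Reset now (do not wait for the user to log on) and force a change at next logon.
        Set-ADAccountPassword -Identity $u.DistinguishedName -Reset -NewPassword (New-ThrowawayPassword)
        Set-ADUser -Identity $u.DistinguishedName -ChangePasswordAtLogon $true
        "Reset: $($u.SamAccountName)"
    } else {
        "Would reset: $($u.SamAccountName)"
    }
}

# Machine account secrets were on the RODC too. Each member renews its own
# secret (Reset-ComputerMachinePassword on the member, or a rejoin), so list them.
$computers | ForEach-Object { "Computer needs machine-password reset: $($_.SamAccountName)" }
```

Treat the revealed list as the minimum set: the RODC also held its own krbtgt secret, which is invalidated by deleting the RODC's computer account from the domain. Run the reset while the stolen box is still unable to reach the hub, i.e. before anything it cached could be replayed against the domain.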
RE: [ActiveDir] ldp in ADAM-SP1
Thanks Guido, Nice requests, but not small. So, no promises for LH, it is getting late. I'll get these filed.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, July 28, 2006 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

Dmitri, first of all, I should have added to this thread that there are actually already a couple of nice changes in DSACLS in Longhorn, which I am glad do exist:
- it can now be used to set Control Access rights on attributes (for example with confidential attributes)
- it allows to use SIDs and FQDNs to set/remove ACLs (SID is a major benefit)
- it supports setting the new OWNER RIGHTS permissions (which can't be set via the UI right now)

However, the thing I think is still extremely annoying is that you can't remove single permissions - you always have to remove ALL permissions for a specific security principal (on the object that you're processing). This makes it extremely difficult to automate removal of permissions, as I first need to check all the permissions that a sec prin has, then remove the one permission that I'd like to remove and at least re-apply all the permissions that I didn't want to remove. Quite a pain - would be great to fix this.

At last, it would be nice to combine the feature of DSACLS with that of DSREVOKE. The latter is useful to report on ACLs for a single sec prin in a whole tree (and to remove them) - however, it is incapable of doing so for well-known security principals such as Authenticated Users or built-in ones such as Administrators.

Would be lovely to see these changes in B3 ;-)

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dmitri Gavrilov
Sent: Thursday, July 27, 2006 7:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

Guido, which changes do you want to see in dsacls in B3?
RE: [ActiveDir] ldp in ADAM-SP1
Guido, which changes do you want to see in dsacls in B3?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 25, 2006 6:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

well, for Win2000 and Win2003 AD that tool is DSACLS for 95% of what you should need to do. You've already tripped over some of its limitations especially around handling the confidential bit - however, I have not seen many customers that actually leverage the confidential bit yet for anything else but OS features (for example for PKI credential roaming). It would be nice to leverage it for many more lockdown scenarios, but you can't use it for the base schema attributes (category 1), which includes almost all of the interesting attributes you may want to restrict access to. Of course you can use it for your own schema extensions.

For file-system ACLing that tool is CACLS or XCACLS - probably for 99% of what you need to do. Note for the FS you may also want to check out the betas of either Windows Longhorn or the current Windows 2003 SP2 = they include a new commandline ACLing tool called Icacls.exe, which can be used to reset the account control lists (ACL) on files from Recovery Console, and to back up ACLs. It can also handle replacement of ACLs (much like subinacl) and works well with either names or SIDs. At last, unlike Cacls.exe, Icacls.exe preserves canonical ordering of ACEs and thus correctly propagates changes to and creation of inherited ACLs.

DSACLs has only been updated slightly in LH, but I hope to see some more changes prior to beta 3.

At last, depending on your requirements, you may also need to look into changing the default security descriptor of some of the objects (for example, check out all the default write permissions, which every user is granted on its own object via the SELF security principal; many companies are still unaware of this). You can check these rights most easily via the schema mgmt mmc (check properties of a class object, such as user, and click on the Default Security tab).

So it's fair to say that although handling ACLs remains a complex topic, you can get most of the things done with existing commandline tools from MSFT. Sometimes it will simply be more appropriate to use the UI for a few settings. And there is always the option to script setting ACLs if you really have special requirements.

As for your delegation model = I would not have the goal to teach your delegated admins how to do ACLing inside AD. I'm fine with a delegated admin doing the security on a file-server that he completely manages on his own. But AD security should be kept in the hand of domain and enterprise admins (partly because it is rather complex and you only want few folks to fiddle around with it, partly because it is plain risky to do it otherwise). The critical piece for most delegation models to succeed is to build a centrally controlled OU structure (ideally standardized for your different delegated admin units as I like to call them) and not to grant your data admins (= the delegated admins) any rights to create OUs themselves (otherwise - with the current ACLing model - you can't prevent them from configuring the security of the OU). Basically the same is true for any objects they create, but it's the OUs that allow you to manage the security for multiple child objects at once (and thus these need to be controlled centrally). Many more things to share in this respect, but no delegation model is the same as any other so you're best to understand and plan it from the ground up. There may be similarities between many models, but for the various infrastructures I've planned, every customer has had their special requirements.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, July 25, 2006 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

Wow, Thank you so much for the detailed info guys. Basically my goal is quite simple. At least it is in my head. What I want to do, is to go through the entire case study given in the AD delegation whitepaper, and do all of that permissions configuration entirely at command line (where possible). I am willing to use the delegation wizard to some extent, but as I am configuring quite a lot of permissions for an AD design I am involved in, I would rather avoid having to use GUI tools for this. You see, I am going to end up as being a very privileged service administrator and data administrator once my proposed AD design model is in place. I expect I will be making some endeavour to train sufficiently capable people in doing this. But I don't plan to spoon feed. I want the guys to know to a decent level ACL'ing and if not, do their research. At least on an ad hoc basis. Then once they understand what's involved, they can go ahead and add/modify/delete
RE: [ActiveDir] ldp in ADAM-SP1
Re Access System Security checkbox. We removed it from the latest versions of ldp.exe because it does not do what you want. Even if you grant this right to some principal, he will still be unable to read or tweak the SACLs. The only way to be able to do this is to grant SE_ACCESS_SYSTEM_SECURITY privilege. You do this from gpedit.msc (security settings/User rights assignments).

On a more general note -- yes, AD security is a mess to manage and to understand. We are trying to improve it, but it is a super super difficult task. Not only are the rules difficult to understand and numerous, but also we need to respect the existing security setups which use weird ACLs. There were several attempts to improve things, but I don't believe we are getting closer, mostly due to backward compatibility issues, as well as due to the need to introduce new rules (such as confidentiality bit and many new control access rights).

BTW, the Delegation Wizard is considered to be the entry-level ACLing tool. Alas, it does not work for ADAM.

Dmitri

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 24, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

Yeah what I was doing was setting a FC ACE for connection objects only. If you want to cover multiple objects for this you would need to specify multiple objectclasses which would result in multiple ACEs which is not a good option. Which means, use a different tool as the bugs in the current version of LDP make that difficult for this specific task. In my tests, I was specifically using LDP from ADAM SP1. But for what you want to do, use ADUC or DSACLS.

As an aside, I emailed Matheesha directly a little while ago when my first email was lost in limbo waiting to be sent out by the list. A version of LDP that doesn't have this issue should be in Longhorn when it is released. The developer quickly fixed the first bug I mentioned this morning after I pinged him and it seems the second bug had already been corrected. This, folks, is the power of this list. Take note.

I am not entirely positive what the Access system security is supposed to be... This is not an issue in later versions of LDP...

I would say read the chapters on security in the AD book, then if you don't have it, get and read Sakari's book as that has a great chapter on AD security and then finally if you still want to learn more, wander into the MSDN library and start reading about Security Descriptors, Access Control Lists, and Access Control Entries. Once you understand the structures and how they are represented a lot of the security stuff starts making more and more sense.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 24, 2006 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

Joe,

I see you were configuring Full Control (GA) for nTDSConnection objects by configuring perms on the parent nTDSDSA object. I was trying to actually configure full control to the nTDSDSA using perms on the CN=Sites object but the principal is the same I guess. The only thing is nTDSConnection objects can't have child objects can they? Still I am having some issues repro'ing. You said your workaround was to configure on the object types. Did you mean to configure explicitly on the object or on the parent with the child's object type specified in the ACE? I can't repro here and I am not sure whether you used dsacls or ldp to repro.

And why does it not choose the Access System Security option when you edit a Full Control ACE? Is that expected? I thought full control meant everything. Not everything but Access System Security. Also how come there is no string defined for Access System Security? There is for all other access masks.

I freely admit I know very little in this arena. Any lesson offered is most appreciated. I am already reading technet and many books by the fine guys on here. I just haven't finished them yet ;-) Thanks to everyone who's read this so far and for all the help I am offered. I truly appreciate it.

Sincerely
M@

On 7/24/06, joe [EMAIL PROTECTED] wrote:
Beautiful, this is bug week. There are actually two bugs here.
1. The inherit only check box is greyed out. This is the checkbox you would need to check in order to specify an inherit only ACE (i.e. Child Objects Only).
2. When you try to work around it and specify the actual object types to inherit to it creates two ACEs instead of one. The first ACE is the FC inherit only to the object class you specify but then there is also a FC to the object itself. In the example below note the TEST\joe ACEs... I only added a single FC for nTDSConnection objects for test\joe but got that AND the non-inheritable Test\joe FC on the object
RE: [ActiveDir] Deny permissions in AD
The cleanest way is not to deny permissions but to revoke permissions. In other words, you should remove ACEs that are granting access that you don't need.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Coffman
Sent: Monday, June 26, 2006 11:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Deny permissions in AD

I think you are correct. I started looking into this immediately after posting. Looks like domain admins, Self, and account operators have hard-coded rights to the object. This would be applied before the inherited deny ACE. Thanks!

Josh
Joshua M. Coffman [EMAIL PROTECTED] Cell: (970) 402-3457

Subject: RE: [ActiveDir] Deny permissions in AD
Date: Mon, 26 Jun 2006 13:50:13 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Probably order of inheritance:
1. Noninherited Deny entries.
2. Noninherited Allow entries.
3. Inherited Deny entries.
4. Inherited Allow entries.

:m:dsm:cci:mvp | marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Coffman
Sent: Monday, June 26, 2006 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Deny permissions in AD

I have an Active Directory 2003 domain that is used only as an LDAP User store for a 3rd party Identity Management Application. There are no workstations or servers in the domain, other than the DCs themselves. We are trying to lock down the domain, so that an ordinary user cannot read other users' attributes. For some special attributes, we have implemented the 2K3 SP1 Confidential Attribute function, and it is working well.

However, over the weekend, another administrator decided to try something that has me a little perplexed. Here is what the Admin did: Put a DENY ACE for the Domain Users group for Read All Properties (in advanced security settings) on an OU containing a lot of users. Now, your average user account cannot read attributes, which is good. Domain Admins and Administrators can read the attributes of users in the OU, which is also good. However, I am wondering, why does this work this way? Shouldn't the DENY ACE override all other permissions, including those inherited for domain Admins, which I believe is a member of the domain users group by default. Also, an additional group was created which allows read/write access to a single user attribute in the same OU. A non-administrative account, when added to this group, can read and write to the attribute, even though there is a deny on read all properties. Can anyone tell me why this is working this way? It is contrary to what I thought I knew about Deny ACEs.

Thanks, Josh
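The canonical ACE order Marcus lists, and the explicit-before-inherited behaviour Josh observed, can be modelled in a few lines. The following is an added illustration written for this thread and for the inherit-only ACE discussed in the ldp/ADAM-SP1 thread above (joe's point that an inherit-only ACE grants nothing on the object it sits on); it is not code from the list or from Microsoft. It walks a DACL in canonical order the way the Windows access check does. The two rights bits and the two ACE flags are the real Windows constants; every SID, group and ACL is a constructed placeholder, and object-type (GUID-specific) ACEs are deliberately left out of the model.

```python
"""Canonical-order DACL evaluation, modelled in Python.

Added illustration for the ActiveDir threads above; not code from the list
or from Microsoft. The two rights bits and two ACE flags are the real
Windows values; every SID, group and ACL below is a constructed placeholder.
"""
from dataclasses import dataclass

# Real ADS_RIGHT_ENUM values for reading and writing directory properties.
ADS_RIGHT_DS_READ_PROP = 0x10
ADS_RIGHT_DS_WRITE_PROP = 0x20

# Real ACE_HEADER AceFlags bits.
INHERIT_ONLY_ACE = 0x08   # template for child objects; not effective on this object
INHERITED_ACE = 0x10      # this ACE was propagated from a parent container


@dataclass(frozen=True)
class Ace:
    allow: bool        # True for ACCESS_ALLOWED, False for ACCESS_DENIED
    trustee: str       # SID string of the principal the ACE names
    mask: int          # access-mask bits granted or denied
    flags: int = 0     # ACE_HEADER AceFlags


def canonicalize(dacl):
    """Order ACEs as Windows expects them: explicit deny, explicit allow,
    inherited deny, inherited allow. Python's sort is stable, so ACEs
    within one tier keep their relative order."""
    return sorted(dacl, key=lambda a: (bool(a.flags & INHERITED_ACE), a.allow))


def access_check(dacl, token_sids, requested):
    """First-match walk over the canonical DACL, as the Windows access check
    does it: allow ACEs accumulate granted bits, the first deny ACE that
    covers a still-missing requested bit ends the check, and a bit that no
    ACE grants is an implicit deny. True only when every requested bit is granted."""
    granted = 0
    for ace in canonicalize(dacl):
        if ace.flags & INHERIT_ONLY_ACE:
            continue                       # applies to children only
        if ace.trustee not in token_sids:
            continue                       # names a principal not in the token
        if ace.allow:
            granted |= ace.mask & requested
            if granted == requested:
                return True
        elif ace.mask & requested & ~granted:
            return False
    return granted == requested


# Constructed SIDs (placeholder domain S-1-5-21-1000-2000-3000).
DOMAIN_ADMINS = "S-1-5-21-1000-2000-3000-512"
DOMAIN_USERS = "S-1-5-21-1000-2000-3000-513"
AUTHENTICATED_USERS = "S-1-5-11"
JOE = "S-1-5-21-1000-2000-3000-1104"

ADMIN_TOKEN = {DOMAIN_ADMINS, DOMAIN_USERS, AUTHENTICATED_USERS}
USER_TOKEN = {DOMAIN_USERS, AUTHENTICATED_USERS}

# The "deny" approach from the thread: the admins' explicit (non-inherited)
# allow sits on the user object itself, while the deny for Domain Users and a
# read grant for Authenticated Users are both inherited from the OU.
DENY_APPROACH = [
    Ace(False, DOMAIN_USERS, ADS_RIGHT_DS_READ_PROP, INHERITED_ACE),
    Ace(True, AUTHENTICATED_USERS, ADS_RIGHT_DS_READ_PROP, INHERITED_ACE),
    Ace(True, DOMAIN_ADMINS, ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP),
]

# Dmitri's alternative: revoke the granting ACE instead of adding a deny.
REVOKE_APPROACH = [
    Ace(True, DOMAIN_ADMINS, ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP),
]

# joe's LDP observation: an inherit-only ACE alone does nothing for the object
# it sits on; the buggy LDP build also wrote a second, effective ACE.
INHERIT_ONLY_ONLY = [Ace(True, JOE, ADS_RIGHT_DS_READ_PROP, INHERIT_ONLY_ACE)]
INHERIT_ONLY_PLUS_EFFECTIVE = INHERIT_ONLY_ONLY + [Ace(True, JOE, ADS_RIGHT_DS_READ_PROP)]


def can_read(dacl, token_sids):
    """Can a principal holding these SIDs read all properties of the object?"""
    return access_check(dacl, token_sids, ADS_RIGHT_DS_READ_PROP)


if __name__ == "__main__":
    print("deny approach, admin :", can_read(DENY_APPROACH, ADMIN_TOKEN))   # True
    print("deny approach, user  :", can_read(DENY_APPROACH, USER_TOKEN))    # False
    print("revoke approach, user:", can_read(REVOKE_APPROACH, USER_TOKEN))  # False
    print("inherit-only on self :", can_read(INHERIT_ONLY_ONLY, {JOE}))     # False
```

Run it and the deny approach yields allowed for the Domain Admins token and denied for a plain Domain Users token, because the admins' non-inherited allow is evaluated before the inherited deny. The revoke approach reaches the same outcome with no deny ACE at all, which is why Dmitri prefers it: with nothing to override, there is no precedence rule to reason about when someone later adds an ACE.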
RE: [ActiveDir] How To Determine What GC a Server is Using?
Correction: nltest won't help you with your exchange problem, because it shows what OS locator has cached currently. Exchange has its own DC location mechanism, separate from the OS locator. I believe Steve posted a KB link on how to query Exchange for its list of GCs.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dmitri Gavrilov
Sent: Saturday, May 27, 2006 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How To Determine What GC a Server is Using?

If you run

nltest /server:targetServer /dsgetdc:forestDnsName /gc

then you get an answer which should be fairly precise.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James
Sent: Thursday, May 25, 2006 5:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How To Determine What GC a Server is Using?

Stu, Download and configure BGINFO and check the Login Server attribute... http://www.sysinternals.com/Utilities/BgInfo.html

James Blair

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 May 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How To Determine What GC a Server is Using?

We have a strange situation here where one of our Exchange servers keeps getting 8026 and 2102 errors. This causes our users on that Exchange server to temporarily lose connection to the Exchange server. Also, my Unity server just failed over to the secondary Unity server at exactly the same time my last Exchange 8026 error happened. This leads me to believe I may have a problem with a global catalog server. Is there a way to determine what GC each server is using? Thanks in advance.
RE: [ActiveDir] tokenGroups field
TokenGroups does talk to a GC, if the current DC is not a GC itself. Basically, that's the reason we disallow one-level and subtree searches hitting tokenGroups (so that we don't overload the DC -- it is an expensive call). You will get different results depending on which DC you are connected to, because the results include local groups. If you want consistent results, read tokenGroupsGlobalAndUniversal -- that will return the same result no matter which DC you are connected to. However, it will not include local groups. If you want to avoid the GC call, then call tokenGroupsNoGcAvailable (or something like this, sorry, forgot the exact name -- check in the schema) -- this one will give you local info without talking to the GC, but then you've got what you've got.

Dmitri

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 26, 2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

> nah-ah. would have to hit a GC to get those.

Thanks for responding Deji. Good guess, 50/50 shot at it[1]. Unfortunately you are incorrect. :) I had a feeling but wasn't positive when I wrote that response so I made it clear that I wasn't sure and that I needed to test it (that was the part you snipped). Now that I have had a chance to test it though I can definitely say that tokenGroups WILL get the Universal groups from the other domains even if it is NOT a GC. I just did it in my test lab. I thought it worked that way as I recalled chasing the source path and actually seeing it. I wanted to understand why the three tokengroups attributes were the only ones you had to use a BASE query for. In the source I finally chased through all of the nested calls and got to the point where it looked like it would call out to a GC for expansion if needed which answered that question pretty well (been a while since I looked at it, I should go peek again). Basically the intent is that the value of the attribute should be what would be generated for your logon token.

> wrt #2, any GC should be able to hand out the UG info in the forest. So, by hitting a GC in a domain local to the account, we should be able to retrieve the domain local, global and universal groups the account belongs to.

For that domain only. The OP's question was about getting memberships from other domains which is fine if all other memberships are only UGs. That won't catch DLGs however. And as corrected above, you don't have to hit a GC in the default domain, any DC will do as the token expansion will be handled just like it is for auth.

joe

[1] Well not really I was about 72.6022% sure it would work so let's say you had about a 5% chance of being right. ;o)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 26, 2006 6:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

> but I think that will get the Universals from other domains as well

nah-ah. would have to hit a GC to get those.

wrt #2, any GC should be able to hand out the UG info in the forest. So, by hitting a GC in a domain local to the account, we should be able to retrieve the domain local, global and universal groups the account belongs to.

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/26/2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Not in a single call no... You would need to
1. Request tokengroups from a DC of the default domain for the user, I am not sure, but I think that will get the Universals from other domains as well, but possibly you have to hit a GC of the default domain. I would have to check it and can't at the moment.
2. Request tokengroups from a DC of every other domain that is also a GC. If you request the user object on the LDAP port you are just going to get referred back to a DC for the user's domain, you must request it through the GC port. If one or more of the foreign domains doesn't have a GC, you will not be able to use this method at all. You will have to do a recursive enumeration of the member attributes. Thankfully this is much faster in ADAM and K3 than it was in 2K due to the use of the implicit indexing of linked attributes.

#2 is why I have continuously asked MSFT to give us more DNS records that the DCs register so I can easily ask for a GC of domain X instead of just any GC in the
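Whichever of the three tokenGroups attributes is read (with a base-scope search, as the thread notes), the value comes back as a list of binary SIDs. The following is an added illustration, not code from the list: it decodes that wire format into SID strings, and takes the difference between tokenGroups and tokenGroupsGlobalAndUniversal to show which memberships are the DC-dependent domain local and built-in ones Dmitri describes. The SID layout is the documented Windows one; the two attribute values are constructed placeholders, since no directory is queried here.

```python
"""Decode and compare the binary SID lists returned by tokenGroups and
tokenGroupsGlobalAndUniversal.

Added illustration for the tokenGroups thread above, not code from the list.
The SID encoding is the documented Windows layout (revision byte,
sub-authority count, 48-bit big-endian identifier authority, then 32-bit
little-endian sub-authorities). No directory is queried: the two attribute
values below are constructed placeholders.
"""
import struct


def sid_to_string(blob):
    """Binary SID -> 'S-1-5-21-...' string."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, blob[8:])       # 32-bit, little-endian each
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text):
    """'S-1-5-21-...' string -> binary SID (inverse of sid_to_string)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# Constructed placeholder domain and group RIDs; not a real domain's values.
DOMAIN = "S-1-5-21-1000-2000-3000"
TOKEN_GROUPS = [string_to_sid(s) for s in (
    DOMAIN + "-513",    # Domain Users (global group)
    DOMAIN + "-1105",   # a universal group
    DOMAIN + "-1201",   # a domain local group, only expanded by a DC of this domain
    "S-1-5-32-544",     # BUILTIN\Administrators, local to the DC that answered
)]
TOKEN_GROUPS_GLOBAL_AND_UNIVERSAL = [string_to_sid(s) for s in (
    DOMAIN + "-513",
    DOMAIN + "-1105",
)]


def decode_groups(blobs):
    """Decode a multi-valued binary attribute into sorted SID strings."""
    return sorted(sid_to_string(b) for b in blobs)


def dc_dependent_groups(token_groups, token_groups_gu):
    """SIDs present in tokenGroups but absent from tokenGroupsGlobalAndUniversal:
    the domain local and built-in memberships that vary with the DC queried."""
    return sorted(set(decode_groups(token_groups)) - set(decode_groups(token_groups_gu)))


def is_member(token_groups, group_sid):
    """Group-membership check: is this group SID in the decoded token list?"""
    return group_sid in set(decode_groups(token_groups))


if __name__ == "__main__":
    print("tokenGroups  :", decode_groups(TOKEN_GROUPS))
    print("varies by DC :", dc_dependent_groups(TOKEN_GROUPS, TOKEN_GROUPS_GLOBAL_AND_UNIVERSAL))
```

The difference list is exactly the set that makes tokenGroups non-deterministic across DCs, so a membership check that must give the same answer everywhere should be run against tokenGroupsGlobalAndUniversal, accepting that domain local groups are then invisible to it.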