[ActiveDir] ADAM

2006-09-07 Thread James Carter
Hello - I know Microsoft ADAM supports LDAP referrals, but I wanted to know if it's possible to create them and, if so, how.

I'd like to create a container in the directory that returns contents based on a referral to another part of the directory.

Thanks

Jim

[ActiveDir] Active Directory Delegation & Management tools...

2006-08-23 Thread James Carter
Hi everyone,

Does anyone have any experience with a product called Active Administrator from Scriptlogic?

How does it compare with products such as NetIQ DRA or Quest's Active Roles?

What type of questions should I be asking the vendor regarding this product?

thanks

James

RE: [ActiveDir] OT: DNS entry

2006-08-07 Thread James Carter
Neil,

Thanks for your response. Would you say the best way for me to view the audits would be from the Event Viewer console?

Jim

[EMAIL PROTECTED] wrote:

Neil,

Are there any risks by carrying out your change listed below, or is it a straightforward procedure?

[Neil Ruston] The steps merely add SACL entries to DNS objects - that will certainly result in more security events and a slight overhead on the DCs, but you need to weigh that against the risk of *not* auditing this type of change. As usual, it depends upon your environment and your requirements.

I don't think I have this enabled. If I do, would that mean in the future if a DNS record is deleted this can be traced?

[Neil Ruston] Yes, if the zone is stored in AD.

We use MOM here, is this something I could use?

[Neil Ruston] MOM is aimed at systems monitoring whilst this thread deals with security monitoring. MS don't have an app in that space (yet) altho other vendors do. NetPro, NetIQ and Quest are the usual suspects here. These vendors offer tools that help with tracing changes (or 'forensic analysis', to use the correct parlance :)

thanks

Jim

[EMAIL PROTECTED] wrote:

That's a huge subject, a useful link is here:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/bpguide/part1/adsecp1.mspx

I'll give steps to audit DNS objects, using adsiedit:

1. Navigate to CN=MicrosoftDNS,CN=System (in the domain NC)
2. Right click, choose Properties, then select the Security tab and click Advanced
3. Select the Auditing tab
4. Click Add... and add group Everyone
5. Select "Apply onto" and choose "dnsZone objects"
6. Select 'Write all properties' Failed and 'Write all properties' Success
7. Click OK
8. Repeat steps 4 to 7 for object type dnsNode
9. Click OK, OK to close property sheets

The above will audit all writes to zone objects and DNS records which are stored in AD itself.

As stated previously, if the zones are stored as text files, then there is little that can be audited.

hth,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: 05 August 2006 06:25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DNS entry

hey guys,

could you point me to an article on how to set up auditing for DNS modifications and overall domain auditing?

i've done auditing on the desktop level, just wondering what's changed..

On 8/4/06, Paul Williams <[EMAIL PROTECTED]> wrote:

If you've got the necessary auditing enabled in your domain, and you had auditing ACEs configured on the DNS zone (location depends, generally you'd set it on the CN=MicrosoftDNS folder) then yes, you can. But you'll have to search each DC's security event log for this info.

Otherwise, you can't get this info. You can check the whenChanged attribute on the tombstoned record for a rough idea of when the deletion occurred and try and move from there by looking at logon events, again if you have auditing enabled.

If you're not using AD-Integrated DNS, then none of the above will really help.

--Paul

- Original Message -
From: James Carter
To: ActiveDir@mail.activedir.org
Sent: Friday, August 04, 2006 12:09 PM
Subject: [ActiveDir] OT: DNS entry

We had a static Server DNS entry deleted over the weekend.

Is there any way to find out who deleted this entry? This is a Windows 2003 R2 server/domain.

thanks

James

-- HBooGz:\>
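Neil's SACL steps only produce events once the domain's "Audit directory service access" policy is on (the "necessary auditing enabled" Paul refers to), and the events then land in each DC's own security log, so the practical follow-up is to pull them together and filter for writes to DNS objects. The script below is an added example, not code from anyone in the thread: it parses constructed security-event XML in the Windows event schema used by Directory Service Access auditing (event ID 4662 on Windows Server 2008 and later; the 2003 DCs in the thread log event 566, whose text layout it does not parse), keeps only events whose ObjectType is a DNS class and whose AccessMask carries a write or delete right, and counts writes per account. The class GUIDs, account names, DNs and timestamps are placeholders and constructed values.

```python
"""Pull writes to AD-integrated DNS objects out of exported security-event XML.

Added example, not code from the thread. The events are constructed in the
Windows event XML schema of Directory Service Access auditing (event 4662);
the ObjectType class GUIDs are placeholders to replace with the schemaIDGUID of
dnsZone and dnsNode from your own schema. Names, DNs and times are invented."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Directory Service Access: 566 on Windows Server 2003 (the thread's platform),
# 4662 on Windows Server 2008 and later; only 4662's XML layout is parsed here.
DS_ACCESS_EVENT_IDS = {566, 4662}
# Access-mask bits of the Active Directory rights model
ADS_RIGHT_DS_DELETE_CHILD, ADS_RIGHT_DS_WRITE_PROP, ADS_RIGHT_DELETE = 0x2, 0x20, 0x10000
WRITE_LIKE = ADS_RIGHT_DS_DELETE_CHILD | ADS_RIGHT_DS_WRITE_PROP | ADS_RIGHT_DELETE
# Placeholder GUIDs (assumption; keys lower-case): ObjectType value -> DNS class
DNS_CLASS_GUIDS = {"%{placeholder-dnszone-schemaidguid}": "dnsZone",
                   "%{placeholder-dnsnode-schemaidguid}": "dnsNode"}

# Constructed export: a dnsNode write and a dnsZone write by one account, plus
# a read of the same dnsNode by another account that must not be reported.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4662</EventID><TimeCreated SystemTime="2006-08-05T22:14:03Z"/>
 <Computer>dc01.corp.example</Computer></System>
 <EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
 <Data Name="ObjectType">%{placeholder-dnsnode-schemaidguid}</Data>
 <Data Name="ObjectName">DC=srv01,DC=corp.example,CN=MicrosoftDNS,CN=System,DC=corp,DC=example</Data>
 <Data Name="AccessMask">0x20</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4662</EventID><TimeCreated SystemTime="2006-08-05T22:15:40Z"/>
 <Computer>dc01.corp.example</Computer></System>
 <EventData><Data Name="SubjectUserName">svc-backup</Data><Data Name="SubjectDomainName">CORP</Data>
 <Data Name="ObjectType">%{placeholder-dnsnode-schemaidguid}</Data>
 <Data Name="ObjectName">DC=srv01,DC=corp.example,CN=MicrosoftDNS,CN=System,DC=corp,DC=example</Data>
 <Data Name="AccessMask">0x10</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4662</EventID><TimeCreated SystemTime="2006-08-06T07:02:55Z"/>
 <Computer>dc02.corp.example</Computer></System>
 <EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
 <Data Name="ObjectType">%{placeholder-dnszone-schemaidguid}</Data>
 <Data Name="ObjectName">DC=corp.example,CN=MicrosoftDNS,CN=System,DC=corp,DC=example</Data>
 <Data Name="AccessMask">0x20</Data></EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Yield each <Event> as a dict: id, time, DC, and the EventData name->value map."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield {
            "event_id": int(ev.findtext("e:System/e:EventID", namespaces=NS)),
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "dc": ev.findtext("e:System/e:Computer", namespaces=NS),
            "data": data,
        }


def dns_writes(xml_text, class_guids=DNS_CLASS_GUIDS):
    """DS-access events that target a DNS class with a write or delete right in the mask."""
    findings = []
    for ev in parse_events(xml_text):
        if ev["event_id"] not in DS_ACCESS_EVENT_IDS:
            continue
        d = ev["data"]
        cls = class_guids.get(d.get("ObjectType", "").lower())
        mask = int(d.get("AccessMask", "0"), 16)
        if cls is None or not mask & WRITE_LIKE:
            continue                      # not a DNS object, or a read-only access
        findings.append({
            "time": ev["time"], "dc": ev["dc"],
            "who": "%s\\%s" % (d.get("SubjectDomainName", ""), d.get("SubjectUserName", "")),
            "class": cls, "object": d.get("ObjectName", ""), "access": hex(mask),
        })
    return findings


def writers(findings):
    """Number of DNS writes per account, merged across every DC's log."""
    return Counter(f["who"] for f in findings)


if __name__ == "__main__":
    for f in dns_writes(SAMPLE_EVENTS):
        print(f["time"], f["dc"], f["who"], f["class"], f["object"], f["access"])
    print(dict(writers(dns_writes(SAMPLE_EVENTS))))
```

Feed it the XML export from each DC in turn (the SACL from Neil's steps is replicated, but the events are not, which is why Paul says every DC's log has to be searched); a deletion of a record in an AD-integrated zone shows up here as a write to the dnsNode, since the DNS server tombstones the node rather than deleting the AD object outright.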

RE: [ActiveDir] OT: DNS entry

2006-08-07 Thread James Carter
Neil,

Are there any risks by carrying out your change listed below, or is it a straightforward procedure?

I don't think I have this enabled. If I do, would that mean in the future if a DNS record is deleted this can be traced?

We use MOM here, is this something I could use?

thanks

Jim

[EMAIL PROTECTED] wrote:

That's a huge subject, a useful link is here:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/bpguide/part1/adsecp1.mspx

I'll give steps to audit DNS objects, using adsiedit:

1. Navigate to CN=MicrosoftDNS,CN=System (in the domain NC)
2. Right click, choose Properties, then select the Security tab and click Advanced
3. Select the Auditing tab
4. Click Add... and add group Everyone
5. Select "Apply onto" and choose "dnsZone objects"
6. Select 'Write all properties' Failed and 'Write all properties' Success
7. Click OK
8. Repeat steps 4 to 7 for object type dnsNode
9. Click OK, OK to close property sheets

The above will audit all writes to zone objects and DNS records which are stored in AD itself.

As stated previously, if the zones are stored as text files, then there is little that can be audited.

hth,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: 05 August 2006 06:25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DNS entry

hey guys,

could you point me to an article on how to set up auditing for DNS modifications and overall domain auditing?

i've done auditing on the desktop level, just wondering what's changed..

On 8/4/06, Paul Williams <[EMAIL PROTECTED]> wrote:

If you've got the necessary auditing enabled in your domain, and you had auditing ACEs configured on the DNS zone (location depends, generally you'd set it on the CN=MicrosoftDNS folder) then yes, you can. But you'll have to search each DC's security event log for this info.

Otherwise, you can't get this info. You can check the whenChanged attribute on the tombstoned record for a rough idea of when the deletion occurred and try and move from there by looking at logon events, again if you have auditing enabled.

If you're not using AD-Integrated DNS, then none of the above will really help.

--Paul

- Original Message -
From: James Carter
To: ActiveDir@mail.activedir.org
Sent: Friday, August 04, 2006 12:09 PM
Subject: [ActiveDir] OT: DNS entry

We had a static Server DNS entry deleted over the weekend.

Is there any way to find out who deleted this entry? This is a Windows 2003 R2 server/domain.

thanks

James

-- HBooGz:\>

[ActiveDir] OT: DNS entry

2006-08-04 Thread James Carter
We had a static Server DNS entry deleted over the weekend.

Is there any way to find out who deleted this entry? This is a Windows 2003 R2 server/domain.

thanks

James

[ActiveDir] DNS Scavenging

2006-08-01 Thread James Carter
Hi,

Windows 2003 R2 Single Domain/FFL, AD Integrated DNS

I am thinking about configuring DNS Scavenging. I was reading the AD Cookbook and it mentions 'Configure Non Refresh and Refresh Intervals as necessary'.

What does this mean? What do you normally set your environment to?

Does this also look at Reverse Zones as well?

thanks James

[ActiveDir] OT: HP disk array expansion

2006-07-26 Thread James Carter
Hi,

I have a HP ML370 Proliant Server. It currently has 4 x 36GB in a RAID 5 set.

I want to upgrade the disk capacity of this server. I have bought 4 x 300GB disks as replacements.

At present I have 4 x 36GB disks in the server. I was told I could replace one disk in the RAID with a 300GB, let the RAID rebuild and do the next disk. Repeat until all of the disks are 300GB, and then I can look in the ACU and create a second logical drive that sees all that new space.

Can this be done? Anyone know how long it would take to rebuild? Currently there is 90GB used in the current volume.

My other alternative is to buy a Tape Drive, backup, break array, create new array and then restore, but this department don't want any downtime.

Anyway, shed some light as to which is the best method to take?

thanks James

[ActiveDir] AD Sites Rename

2006-07-13 Thread James Carter
Hi,

I need to rename some of my AD Sites. Is this likely to cause any issues I am unaware of?

I use DFS if that's any help.

Windows 2003 Single Domain/Forest FFL.

thanks James

Re: [ActiveDir] DNS reverse lookup problem

2006-06-14 Thread James Carter
Al,

Thanks for the response. I am glad you have made me feel better that this is what should happen.

We have a load of desktop dudes who are doing a widescale replacement of user desktops.

At the moment they are just shutting the PCs down, then booting up the sysprepped version and joining the domain.

If I got them to remove the PC from the domain before they start up the new one, would this automatically delete the old PTR and A record in DNS?

That way when the new Workstation is started, they can add this to the domain and new records created without the old ones in existence.

Cheers Al

Al Mulnick <[EMAIL PROTECTED]> wrote:

Makes sense to me why it got a new IP and didn't do anything with the old one. If you got a new IP address, it's a new PTR record. The old IP address doesn't exist in that zone any longer so it only left the PTR out there all alone. There's a setting in the DHCP server that can be used to remove the PTRs, but I don't recommend it in this case. I think the lease time and the scavenging would be pretty similar. You changed IPs so it did what it was supposed to do and created a new one. To you it looks like it shouldn't be there because you're looking at friendly name vs. IP addr.

If you know the old one is not needed, you certainly could remove it manually. Scavenging would be a good idea if you have a lot of that going on but be careful - ensure that you read and understand the implications of scavenging before starting down that path.

Al

On 6/14/06, James Carter <[EMAIL PROTECTED]> wrote:

Basically, I have a web application which connects to a server outside of our network. This application does a reverse lookup on the client before allowing the computer access.

The connection was working until we replaced the person's PC with new hardware but with the same name. It appears that his new PC has been given a new IP address via DHCP; however, in DNS it has registered a new PTR record and not updated/deleted his old record, so they now have two PTR records.

The problem is that the application works if only 1 PTR is registered; if there is more than one the app fails to let the client connect. I have managed to get round this by deleting the old PTR record. This fixes the problem, I just wanted the old records to be deleted automatically.

Does this make sense?

Al Mulnick <[EMAIL PROTECTED]> wrote:

1) I wouldn't expect it to change the behavior you're specifically seeing. Why? Because the system doesn't just arbitrarily decide to register some host. That setting is more to do with security and legacy clients than it is spontaneous creation and registration of host records.

2) Best way to clear the unneeded/unused records is with scavenging. In your case, I don't know that it solves your particular problem, but it's one way to get closer. I say that because a) I'm not sure why you're so terribly interested in the PTR records of workstations and b) laptops especially can/might/will wreak havoc on this type of record depending on how the records are created/updated, etc.

What makes you interested in PTR records? Can you shed some light on that?

On 6/13/06, James Carter <[EMAIL PROTECTED]> wrote:

Hi,

Windows 2003, FFL Single Domain, Active Integrated DNS on two DC's

I have an issue with DNS and the reverse zone. Some computers have multiple PTR records, e.g.:

Computer1   192.168.6.5
Computer1   192.168.6.66

I don't know why this is happening. I noticed that the DHCP Properties under the DNS tab had changed from 'Dynamically update DNS A and PTR records only if requested by the DHCP Clients' to 'Always dynamically update DNS A and PTR records'.

I now have an issue whereby I have multiple PTR records for individual PCs.

Does anyone know:

1) Whether the setting change would have this effect? If not, what else would? What's the difference between the two?

2) What is the best way to clear the stale records that are no longer valid? Do I need to manually delete them?

thanks from

James

Re: [ActiveDir] DNS reverse lookup problem

2006-06-14 Thread James Carter
Basically, I have a web application which connects to a server outside of our network. This application does a reverse lookup on the client before allowing the computer access.

The connection was working until we replaced the person's PC with new hardware but with the same name. It appears that his new PC has been given a new IP address via DHCP; however, in DNS it has registered a new PTR record and not updated/deleted his old record, so they now have two PTR records.

The problem is that the application works if only 1 PTR is registered; if there is more than one the app fails to let the client connect. I have managed to get round this by deleting the old PTR record. This fixes the problem, I just wanted the old records to be deleted automatically.

Does this make sense?

Al Mulnick <[EMAIL PROTECTED]> wrote:

1) I wouldn't expect it to change the behavior you're specifically seeing. Why? Because the system doesn't just arbitrarily decide to register some host. That setting is more to do with security and legacy clients than it is spontaneous creation and registration of host records.

2) Best way to clear the unneeded/unused records is with scavenging. In your case, I don't know that it solves your particular problem, but it's one way to get closer. I say that because a) I'm not sure why you're so terribly interested in the PTR records of workstations and b) laptops especially can/might/will wreak havoc on this type of record depending on how the records are created/updated, etc.

What makes you interested in PTR records? Can you shed some light on that?

On 6/13/06, James Carter <[EMAIL PROTECTED]> wrote:

Hi,

Windows 2003, FFL Single Domain, Active Integrated DNS on two DC's

I have an issue with DNS and the reverse zone. Some computers have multiple PTR records, e.g.:

Computer1   192.168.6.5
Computer1   192.168.6.66

I don't know why this is happening. I noticed that the DHCP Properties under the DNS tab had changed from 'Dynamically update DNS A and PTR records only if requested by the DHCP Clients' to 'Always dynamically update DNS A and PTR records'.

I now have an issue whereby I have multiple PTR records for individual PCs.

Does anyone know:

1) Whether the setting change would have this effect? If not, what else would? What's the difference between the two?

2) What is the best way to clear the stale records that are no longer valid? Do I need to manually delete them?

thanks from

James

[ActiveDir] DNS reverse lookup problem

2006-06-13 Thread James Carter
Hi,

Windows 2003, FFL Single Domain, Active Integrated DNS on two DC's

I have an issue with DNS and the reverse zone. Some computers have multiple PTR records, e.g.:

Computer1   192.168.6.5
Computer1   192.168.6.66

I don't know why this is happening. I noticed that the DHCP Properties under the DNS tab had changed from 'Dynamically update DNS A and PTR records only if requested by the DHCP Clients' to 'Always dynamically update DNS A and PTR records'.

I now have an issue whereby I have multiple PTR records for individual PCs.

Does anyone know:

1) Whether the setting change would have this effect? If not, what else would? What's the difference between the two?

2) What is the best way to clear the stale records that are no longer valid? Do I need to manually delete them?

thanks from

James
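Both this thread (Al's "best way to clear the unneeded records is with scavenging ... read and understand the implications") and the earlier "DNS Scavenging" post asking what the no-refresh and refresh intervals mean come down to the same timestamp arithmetic, so one added example covers both; it is not code from any of the posts. It models the Windows DNS aging rules as I understand them: a dynamically registered record carries a timestamp; a re-registration inside the no-refresh interval leaves that timestamp alone (to save replicated writes), one inside the refresh interval moves it forward, and only once both intervals have elapsed is the record stale and removable by the next scavenging pass, which runs only if aging is enabled on the zone and scavenging on the server. Static records (no timestamp) are never scavenged. Aging is a per-zone setting, so a reverse lookup zone is only covered if it is enabled there too. The record names, addresses and times are constructed; the two PTR entries mirror the pair quoted in the thread.

```python
"""Model Windows DNS aging/scavenging for records like the duplicate PTRs in the thread.

Added example, not code from the posts. Assumes the Windows DNS aging model:
re-registrations inside the no-refresh interval do not move the timestamp,
re-registrations inside the refresh interval do, and a record is stale once
both intervals have elapsed. Static records (timestamp None) are never
scavenged. Names, addresses and times are constructed."""
from datetime import datetime, timedelta

DEFAULT_NO_REFRESH = timedelta(days=7)   # Windows default
DEFAULT_REFRESH = timedelta(days=7)      # Windows default

NOW = datetime(2006, 6, 14, 9, 0)        # constructed "current time"
SAMPLE_RECORDS = [
    # old and new PTR of the replaced PC, as in the thread
    {"zone": "6.168.192.in-addr.arpa", "name": "5", "data": "Computer1",
     "timestamp": NOW - timedelta(days=20)},
    {"zone": "6.168.192.in-addr.arpa", "name": "66", "data": "Computer1",
     "timestamp": NOW - timedelta(days=1)},
    {"zone": "corp.example", "name": "fileserver", "data": "192.168.6.20",
     "timestamp": NOW - timedelta(days=10)},
    {"zone": "corp.example", "name": "srv01", "data": "192.168.6.10",
     "timestamp": None},                  # static record
]


def record_state(timestamp, now, no_refresh=DEFAULT_NO_REFRESH, refresh=DEFAULT_REFRESH):
    """'static', 'no-refresh', 'refresh' or 'stale' for a record at time `now`."""
    if timestamp is None:
        return "static"
    if now < timestamp + no_refresh:
        return "no-refresh"              # re-registrations are suppressed here
    if now < timestamp + no_refresh + refresh:
        return "ref" "resh"              # a re-registration would update the timestamp
    return "stale"                       # eligible for the next scavenging pass


def after_reregistration(timestamp, now, no_refresh=DEFAULT_NO_REFRESH):
    """Timestamp after the client or DHCP server re-registers an unchanged record."""
    if timestamp is None:
        return None                      # static records stay static
    return timestamp if now < timestamp + no_refresh else now


def stale_after(timestamp, no_refresh=DEFAULT_NO_REFRESH, refresh=DEFAULT_REFRESH):
    """Earliest moment a record can be scavenged if it is never refreshed again."""
    return None if timestamp is None else timestamp + no_refresh + refresh


def scavengeable(records, now, no_refresh=DEFAULT_NO_REFRESH, refresh=DEFAULT_REFRESH):
    """(zone, name, data) of every record a scavenging pass at `now` would remove."""
    return [(r["zone"], r["name"], r["data"]) for r in records
            if record_state(r["timestamp"], now, no_refresh, refresh) == "stale"]


def survey(records, now, no_refresh=DEFAULT_NO_REFRESH, refresh=DEFAULT_REFRESH):
    """Records per state: a dry run of what a different interval setting would do."""
    counts = {}
    for r in records:
        state = record_state(r["timestamp"], now, no_refresh, refresh)
        counts[state] = counts.get(state, 0) + 1
    return counts


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r["zone"], r["name"], r["data"], record_state(r["timestamp"], NOW),
              "stale after", stale_after(r["timestamp"]))
    print("would be scavenged now:", scavengeable(SAMPLE_RECORDS, NOW))
    print("with 3-day intervals:", survey(SAMPLE_RECORDS, NOW, timedelta(days=3), timedelta(days=3)))
```

With the defaults, the 20-day-old PTR for 192.168.6.5 is the only record a pass would remove; the day-old PTR for 192.168.6.66 is still inside its no-refresh window. Running `survey` with shorter intervals before changing them on a real zone shows how many currently-valid records (here the 10-day-old fileserver entry) would become stale at once, which is the implication Al warns about.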

Re: [ActiveDir] Restricted Groups

2006-06-02 Thread James Carter
You made a good point, I forgot about the delay.

I suppose I need to review my delegation model because if they can modify themselves to be included in any of the builtin groups, they have too many permissions already, so using the restricted groups function would not be required.

Back to basics for me.

Thanks

James

Al Mulnick <[EMAIL PROTECTED]> wrote:

Hmm... I'm not sure this is the way to go for your requirements. Restricted groups is going to have a delay before it puts the groups back to the way they *should* be. It sounds like you need a better system for delegation. Can you expand on your requirements?

On 5/31/06, James Carter <[EMAIL PROTECTED]> wrote:

Sorry I should clarify, by User I mean an IT Helpdesk Account Creator.

Single Domain Windows 2003, FFL. I have delegated rights to various Security Groups for privileges in the domain.

James

James Carter <[EMAIL PROTECTED]> wrote:

Hi,

I am thinking of making all the builtin groups apart from the Administrators group part of the Restricted Groups function.

I don't want any user to add themselves to the Account, Backup, Server, Print Operators group for any length of time.

Or does anyone know of a simpler way to achieve this?

Regards,

James

Re: [ActiveDir] Restricted Groups

2006-05-31 Thread James Carter
Sorry I should clarify, by User I mean an IT Helpdesk Account Creator.

Single Domain Windows 2003, FFL. I have delegated rights to various Security Groups for privileges in the domain.

James

James Carter <[EMAIL PROTECTED]> wrote:

Hi,

I am thinking of making all the builtin groups apart from the Administrators group part of the Restricted Groups function.

I don't want any user to add themselves to the Account, Backup, Server, Print Operators group for any length of time.

Or does anyone know of a simpler way to achieve this?

Regards,

James

[ActiveDir] Restricted Groups

2006-05-31 Thread James Carter
Hi,

I am thinking of making all the builtin groups apart from the Administrators group part of the Restricted Groups function.

I don't want any user to add themselves to the Account, Backup, Server, Print Operators group for any length of time.

Or does anyone know of a simpler way to achieve this?

Regards,

James

[ActiveDir] OT: Disk Capacity

2006-05-20 Thread James Carter
Hi,

I have a Compaq ML370 Proliant Tower Server. Our lab department are creating digital images that are 30MB per pic, so I need lots of storage space.

I am thinking of putting in 4x300GB Ultra320 SCSI drives in a RAID5 set. Does anyone see any performance problems with this?

Does anyone have any experience if I need to upgrade any firmware?

thanks

[ActiveDir] Delegate Permissions not populating to every object

2006-05-19 Thread James Carter
Hi,

Windows 2003 FFL, Single Domain.

I have an issue whereby I have delegated permissions to the top of an OU Tree with 8 OUs beneath it. There are approx 15 objects.

I delegated these permissions 6 months ago, but our new helpdesk team are complaining now that every so often they find an account which they can't modify.

When I go into Advanced Settings > Security on the object they can't modify, the group I delegated the permissions to are not listed.

Is there any reason why some objects have not been updated? Do I need to add the permissions again, or is there some way of re-populating the permissions via a forced method?

James

[ActiveDir] Export group membership of particular OU

2006-05-18 Thread James Carter
Hi There,

I have been asked on short notice to provide a list of mail enabled security groups and their members. All the groups are listed in the same OU.

Does anyone have a script which will enable me to do this? Or provide me with pointers?

J
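No script was posted in reply on this page, so here is an added example of one way to do it; it is not code from the list. It assumes the OU has first been exported with ldifde (for instance `ldifde -f groups.ldf -d "OU=Groups,DC=corp,DC=example" -r "(objectClass=group)" -l cn,mail,groupType,member`, with your own base DN) and then parses that LDIF offline: a group is mail-enabled when it carries a mail attribute, and security-enabled when bit 0x80000000 of groupType is set, which ldifde writes as a negative signed decimal. The export below is constructed and the OU and names are invented; it includes a folded line, a base64-encoded (`::`) value, a distribution group and a security group with no mail address so that the filter has something to reject.

```python
"""List mail-enabled security groups and their members from an ldifde export.

Added example, not code from the thread. Assumes the OU was exported with ldifde
(e.g. -r "(objectClass=group)" -l cn,mail,groupType,member) and parses that file
offline. The LDIF below is constructed; the OU and names are invented."""
import base64

# groupType bit marking a security group. ldifde writes groupType as a signed
# 32-bit decimal, which is why security groups appear with negative values.
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed export: a mail-enabled global security group, a universal
# distribution group, a security group without mail, and a group with a
# non-ASCII name (ldifde base64-encodes such values and writes 'attr:: ...').
SAMPLE_LDIF = """dn: CN=Finance Approvers,OU=Groups,DC=corp,DC=example
changetype: add
objectClass: group
cn: Finance Approvers
groupType: -2147483646
mail: finance-approvers@corp.example
member: CN=Alice Adams,OU=Users,DC=corp,DC=example
member: CN=Bob Brown,OU=Users,DC=corp,DC=example

dn: CN=All Staff,OU=Groups,DC=corp,DC=example
changetype: add
objectClass: group
cn: All Staff
groupType: 8
mail: all-staff@corp.example
member: CN=Alice Adams,OU=Users,DC=corp,DC=example

dn: CN=Backup Admins,OU=Groups,DC=corp,DC=example
changetype: add
objectClass: group
cn: Backup Admins
groupType: -2147483644
member: CN=Carol Clark,OU=Users,DC=corp,DC=example

dn:: %s
changetype: add
objectClass: group
cn:: %s
groupType: -2147483646
mail: dev@corp.example
member: CN=Dan Diaz,OU=Users,DC=corp,DC=exam
 ple
""" % (_b64("CN=Développeurs,OU=Groups,DC=corp,DC=example"), _b64("Développeurs"))


def parse_ldif(text):
    """One dict (attribute -> list of values) per record. Unfolds continuation
    lines, decodes 'attr:: base64' values and merges ldifde's ranged
    'member;range=...' attributes (large groups) into plain 'member'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # continuation of the previous line
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:              # the trailing "" flushes the last record
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        value = (base64.b64decode(rest[1:].strip()).decode("utf-8")
                 if rest.startswith(":") else rest.strip())
        if attr.lower().startswith("member;range="):
            attr = "member"
        current.setdefault(attr, []).append(value)
    return records


def is_security_group(group_type):
    return (int(group_type) & ADS_GROUP_TYPE_SECURITY_ENABLED) != 0


def mail_enabled_security_groups(ldif_text):
    """Security-enabled groups that carry a mail attribute, with sorted members."""
    found = []
    for rec in parse_ldif(ldif_text):
        if "group" not in [c.lower() for c in rec.get("objectClass", [])]:
            continue
        if "mail" not in rec or not is_security_group(rec.get("groupType", ["0"])[0]):
            continue
        found.append({"cn": rec["cn"][0], "mail": rec["mail"][0],
                      "members": sorted(rec.get("member", []))})
    return found


def report(ldif_text):
    """Plain-text listing: one line per group, then its members indented."""
    out = []
    for g in mail_enabled_security_groups(ldif_text):
        out.append("%s <%s> (%d members)" % (g["cn"], g["mail"], len(g["members"])))
        out.extend("    " + m for m in g["members"])
    return "\n".join(out)
```

Call `report(open("groups.ldf", encoding="utf-8").read())` on a real export. Two things to keep in mind: ldifde lists only direct members, so nested groups appear as a single member DN rather than being expanded, and a group with more than 1500 members is exported in `member;range=0-1499` style chunks, which the parser folds back into one list.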

RE: [ActiveDir] Query regarding Windows Time Service

2006-05-05 Thread James Carter
thanks joe, that seems like a straightforward command to run.

a lot simpler than the following kb (I'm looking at the external time source)

http://support.microsoft.com/kb/816042/

Does anyone know why this would be different?

joe <[EMAIL PROTECTED]> wrote:

I would certainly check into it, it is implying the machines aren't syncing their time, which could be bad for you.

Normally I just set this with

net time /setsntp:server

However it would appear they just do the same thing.

It used to be w32tm had a cool switch for testing the time sync process and outputting a verbose listing of all of the steps and values, that doesn't appear to be in there now. I would wonder how people are supposed to troubleshoot now.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Wednesday, May 03, 2006 3:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query regarding Windows Time Service

I have a query regarding the Windows Time Service. Our environment is Windows 2003 FFL, Single Domain. We have a Network Time Server which I have configured our PDCe to use. Having read other posts I also configured our Core DCs to use this Time Server so that if the PDCe failed, I could just seize the role to another DC and have one less thing to configure.

What I am receiving is Eventlog messages saying "the time provider NtpClient is configured to acquire a time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 960 minutes. Ntpclient has no source of accurate time" Event ID 29

This is received on all of the Core DCs that I have configured to use the Network Time Server rather than the PDCe.

All I did was run the following command on each DC that could potentially be used as a PDCe:

w32tm /config /manualpeerlist:10.1.1.225 /syncfromflags:manual /reliable:yes /update

Anyone know why I would be receiving these event messages? Should I be concerned?

James

RE: [ActiveDir] Query AD for Smartcard enforced users

2006-05-04 Thread James Carter
Thanks - this worked a treat!

Kurzdorfer Michael TSgt 107CF/SCBN <[EMAIL PROTECTED]> wrote:

I am using this thru ADUC. Using LDIFDE you could use (change out the -s and -d to your site):

ldifde -f SCLEnabled.ldf -s 107ARW-DC-01 -d "OU=107 ARW,OU=NYNIAG,OU=ANG,DC=ang,DC=ds,DC=af,DC=mil" -l "userAccountControl:1.2.840.113556.1.4.803:=262144" -r "(&(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=262144)))"

//SIGNED//
Michael Kurzdorfer, TSgt, NYANG
Network Administrator
107CF/SCBN Niagara Falls ANGB
Comm 716.236.3064 DSN 238.3064

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, May 04, 2006 7:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Query AD for Smartcard enforced users

Thanks for responding Michael.

What would be the full command if you don't mind me asking?

JC

Kurzdorfer Michael TSgt 107CF/SCBN <[EMAIL PROTECTED]> wrote:

(&(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=262144))) will do the trick

//SIGNED//
Michael Kurzdorfer, TSgt, NYANG
Network Administrator
107CF/SCBN Niagara Falls ANGB
Comm 716.236.3064 DSN 238.3064

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, May 04, 2006 4:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query AD for Smartcard enforced users

I would like to find a way to extract all the users who have 'Smart card is required for interactive logon' ticked within their account.

I have looked at LDIFDE and CSVDE but I can't see how I can retrieve this list.

thanks

James

RE: [ActiveDir] Query AD for Smartcard enforced users

2006-05-04 Thread James Carter
Wow, thanks joe, I really appreciate the effort you've made to respond.

joe <[EMAIL PROTECTED]> wrote:

Two quick items.

First, the query can be simplified a little, there is an unneeded level with the & operand in there. You only need something of the format (&(something)(something)). It isn't a big deal, the engine will strip it out when it optimizes the query, but it does make it look more foreboding/complex than it needs to be.

Second, __in general__ when you are going after users you actually want to change (objectCategory=user) to (objectCategory=person)(objectclass=user) or sAMAccountType=805306368.

The user class is not an objectcategory, it is only an objectclass. When you specify (objectCategory=user) the system looks up the defaultObjectCategory of user and finds person. So (objectCategory=user) becomes (objectCategory=person), which means depending on the rest of the query it will be looking at all user and contact objects. If you have no contact objects, this works itself out; however if you have lots of contacts, you will feel the pinch in perf as the query looks over objects it doesn't need to.

With this query, it is tough (at least for me as I understand things) to tell if just using objectcategory=person will work out ok there or not... The reason being that userAccountControl is also indexed and, it is possible, depending on the rough estimate of the number of objects with a useraccountcontrol value versus the rough estimate of the number of objects with person as the objectcategory, that the useraccountcontrol index will be used as the main index for the query. You can tell for sure in a given situation by using the STATS control to see what AD really did.

You could also use samaccounttype=805306368. That tends to be more efficient than using the previously mentioned pairing as it is then a single indexed attribute value to look at.

As an example of what can happen, based on my joe.com test forest:

(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=262144)) had to look over 7214 objects and used idx_userAccountControl.

(&(objectCategory=person)(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=262144)) had the same results.

(&(samaccounttype=805306368)(userAccountControl:1.2.840.113556.1.4.803:=262144)) had to look over 7168 objects and used idx_sAMAccountType.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kurzdorfer Michael TSgt 107CF/SCBN
Sent: Thursday, May 04, 2006 7:16 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Query AD for Smartcard enforced users

(&(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=262144))) will do the trick

//SIGNED//
Michael Kurzdorfer, TSgt, NYANG
Network Administrator
107CF/SCBN Niagara Falls ANGB
Comm 716.236.3064 DSN 238.3064

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, May 04, 2006 4:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query AD for Smartcard enforced users

I would like to find a way to extract all the users who have 'Smart card is required for interactive logon' ticked within their account.

I have looked at LDIFDE and CSVDE but I can't see how I can retrieve this list.

thanks

James
		New Yahoo! Messenger with Voice. Call regular phones from your PC and save big.
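The query joe recommends, turned into a runnable report. This is an added example, not code from the thread or from joeware; it assumes a domain-joined Windows host running Windows PowerShell, a caller allowed to read userAccountControl, and uses the domain's default naming context as the search base. The output file name is made up for the example.

```powershell
# Added example (not from the thread): enumerate accounts that have
# "Smart card is required for interactive logon" set, using the single
# indexed attribute (sAMAccountType) joe recommends instead of
# (objectCategory=user), which is silently rewritten to (objectCategory=person)
# and therefore also scans contact objects.
# Assumptions: domain-joined host, Windows PowerShell, read access to
# userAccountControl; search base = defaultNamingContext of the current domain.

$SMARTCARD_REQUIRED        = 0x40000                     # 262144, ADS_UF_SMARTCARD_REQUIRED
$ACCOUNT_DISABLE           = 0x2                         # ADS_UF_ACCOUNTDISABLE
$LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'   # bitwise AND extensible match

# sAMAccountType 805306368 = SAM_NORMAL_USER_ACCOUNT: one indexed attribute,
# and it never matches contact objects.
$filter = "(&(sAMAccountType=805306368)(userAccountControl:${LDAP_MATCHING_RULE_BIT_AND}:=${SMARTCARD_REQUIRED}))"

$rootDse = [ADSI]"LDAP://RootDSE"
$base    = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $filter)
$searcher.PageSize = 1000          # paged results: a large domain exceeds the default 1000-entry limit
$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'userAccountControl'))

$results = $searcher.FindAll()
$rows = foreach ($r in $results) {
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        SamAccountName    = [string]$r.Properties['samaccountname'][0]
        DistinguishedName = [string]$r.Properties['distinguishedname'][0]
        # Re-check the bit client-side so the report does not depend solely on the server-side match.
        SmartcardRequired = (($uac -band $SMARTCARD_REQUIRED) -ne 0)
        Disabled          = (($uac -band $ACCOUNT_DISABLE) -ne 0)
    }
}
$results.Dispose()

# File name is an assumption for the example.
$rows | Sort-Object SamAccountName | Export-Csv -NoTypeInformation -Path .\smartcard-required-users.csv
"$(@($rows).Count) account(s) require a smart card for interactive logon"

# The same filter with LDIFDE, the tool the original poster was looking at
# (-r = LDAP filter, subtree scope by default; -l = attributes to export):
#   ldifde -f smartcard.ldf -r "(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=262144))" -l sAMAccountName,userAccountControl
```

The Disabled column is there because the smart-card bit is routinely left set on accounts that have since been disabled; a report that is meant to drive follow-up (for example, confirming that every privileged account carries the flag) usually wants to separate the two. As joe notes, which index the DC actually picks is an estimate-driven decision, so on a domain with many contacts it is worth confirming with the STATS control rather than assuming.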

RE: [ActiveDir] Query AD for Smartcard enforced users

2006-05-04 Thread James Carter
Thanks for responding Michael.

What would be the full command if you don't mind me asking?

JC

Kurzdorfer Michael TSgt 107CF/SCBN <[EMAIL PROTECTED]> wrote:

(&(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=262144))) will do the trick

//SIGNED//
Michael Kurzdorfer, TSgt, NYANG
Network Administrator
107CF/SCBN Niagara Falls ANGB
Comm 716.236.3064 DSN 238.3064

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, May 04, 2006 4:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query AD for Smartcard enforced users

I would like to find a way to extract all the users who have 'Smart card is required for interactive logon' ticked within their account. I have looked at LDIFDE and CSVDE but I can't see how I can retrieve this list.

thanks

James

[ActiveDir] Query AD for Smartcard enforced users

2006-05-04 Thread James Carter
I would like to find a way to extract all the users who have 'Smart card is required for interactive logon' ticked within their account.

I have looked at LDIFDE and CSVDE but I can't see how I can retrieve this list.

thanks

James

[ActiveDir] Query regarding Windows Time Service

2006-05-03 Thread James Carter
I have a query regarding the Windows Time Service. Our environment is Windows 2003 FFL, single domain. We have a Network Time Server which I have configured our PDCe to use. Having read other posts I also configured our core DCs to use this Time Server so that if the PDCe failed, I could just seize the role to another DC and have one less thing to configure.

What I am receiving is Eventlog messages saying "the time provider NtpClient is configured to acquire a time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 960 minutes. Ntpclient has no source of accurate time" Event ID 29

This is received on all of the core DCs that I have configured to use the Network Time Server rather than the PDCe.

All I did was run the following command on each DC that could potentially be used as a PDCe:

w32tm /config /manualpeerlist:10.1.1.225 /syncfromflags:manual /reliable:yes /update

Anyone know why I would be receiving these event messages, should I be concerned?

James
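Event ID 29 says the configured peer could not be contacted, so the first thing to establish is whether NTP (UDP/123) traffic to that peer actually succeeds from the DC that logged it. The checks below are an added example, not part of the thread; they assume Windows Server 2008 or later (the w32tm /query verbs and the Microsoft-Windows-Time-Service provider do not exist on Windows 2003, where /stripchart and the System log are the available equivalents) and reuse the 10.1.1.225 address from the post.

```powershell
# Added example (not from the thread): diagnose "NtpClient has no source of
# accurate time" (Event ID 29) on a DC that was pointed at a manual peer.
# Assumptions: Windows Server 2008+, run elevated on the DC that logged the
# event, $Peer is the time server from the post.

$Peer = '10.1.1.225'

# 1. What this DC currently believes its source and configuration are.
#    "Local CMOS Clock" as the source means the peer has never been used.
w32tm /query /source
w32tm /query /configuration | Select-String -Pattern 'Type|NtpServer|AnnounceFlags'

# 2. Can the peer be reached over NTP from *this* host? A filtered UDP/123 path
#    or a peer that is not serving NTP shows up here as failed samples rather
#    than as an offset value.
w32tm /stripchart /computer:$Peer /samples:3 /dataonly

# 3. The recent history: 29 = no source accessible, 37 = source acquired.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'; Id = 29, 37 } -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message

# 4. Force an immediate retry instead of waiting out the back-off interval
#    quoted in the event text ("no attempt ... for 960 minutes").
w32tm /resync /rediscover
```

If step 2 fails only on the branch/core DCs and succeeds on the PDCe, the problem is the network path from those hosts to the peer, not the w32tm configuration. If it fails everywhere, check the peer itself before touching the DCs.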

RE: [ActiveDir] "No Terminal License Server available"

2006-04-13 Thread James Carter
Thanks for your response,

I think if I keep the old DC as a member server, it will be a pain to have to manually configure every workstation & server to discover the existing license server. Having the TS licensing server on a DC appears to make the discovery a lot more automated.

So if I want to move the TS licensing server to a new domain controller, does anyone know what the procedure is for this?

I was thinking about backing up the LServer folder on the old DC and then restoring it onto the new DC.

Sorry, this appears to be going off topic.

[EMAIL PROTECTED] wrote:

FYI: The landscape changed somewhat with w2k3 TS. Excerpt from http://download.microsoft.com/download/2/f/2/2f2dc861-d567-4492-ae88-81afafa2d08d/Terminal%20Server%20Licensing.doc

"Although it is possible for non-domain controllers to be license servers in Windows Server 2003, it is important to note that domain license servers are not automatically discovered. You must configure a preferred license server on all terminal servers that need to communicate with non-Domain controller license servers configured as domain license servers. Enterprise domain license servers deployed on non-domain controllers are automatically discovered."

Hth,
neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 13 April 2006 07:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] "No Terminal License Server available"

Let me guess: because the DC you demoted is your Terminal Service License server in the domain?

It's been a while since I last baby-sat a TS issue, but I believe that if the Site license service is not installed on a DC, then you will have to manually tell EACH TS in your environment how to locate the site license server. You do this through the registry. I don't have a TS server/environment handy to tell you exactly where the key is located. You can, however, search the registry for "DomainLicenseServer" (I think) and this should be where you specify the name of the TS License server.

HTH

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of James Carter
Sent: Wed 4/12/2006 11:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] "No Terminal License Server available"

Hi,

Single Windows 2003 domain

I demoted our DC to a member server and now we have an issue whereby when I open Terminal Server Licensing manager, I get a message "No Terminal Server License Server is available in the current domain or workgroup"

Anyone know why I receive this from demoting a DC and how to fix this!?

[ActiveDir] "No Terminal License Server available"

2006-04-12 Thread James Carter
Hi,

Single Windows 2003 domain

I demoted our DC to a member server and now we have an issue whereby when I open Terminal Server Licensing manager, I get a message "No Terminal Server License Server is available in the current domain or workgroup"

Anyone know why I receive this from demoting a DC and how to fix this!?

[ActiveDir] R2 Schema..

2006-04-03 Thread James Carter
Hi,

I have a root domain with 4 child domains. I only want to upgrade the child domain to Windows 2003 R2.

I assume all I need to do is run adprep /forestprep and then adprep /domainprep for each child domain I want upgraded to R2, or does it matter?

thanks

J

[ActiveDir] DC Demotion & AD Site Configuration

2006-03-30 Thread James Carter
Hey guys,

Single Windows 2003 domain.

I have 5 core sites and 70 branch offices. Each of the core sites hosts 2 x DCs and each branch office has a DC.

The design is legacy from NT4 whereby we had a BDC at each of the branch offices as they had slow WAN links at the time. During the upgrade, each of the BDCs was made a DC. Each DC is located in its own AD Site with an IP Subnet defined.

Our concerns are that some of these remote DCs are located in insecure environments, i.e. they are just a server sat in an unlocked closet in a business office environment.

We've just completed a WAN upgrade and our links are a minimum of 1mb to each of the remote offices. This is good news for us, as we can now demote most of the remote DCs (about 60 of them).

My question is regarding the cleanup process. We have 75 AD Sites created with a subnet assigned to each site. Once the demotion process takes place, will I need to

a) add the IP subnet to the core site so that the branch office is serviced by the DCs located there and then delete the old AD Site which no longer holds a DC, or

b) leave the AD site in existence with the IP Subnet assigned and let the DC locator service find a DC for the client to authenticate to? (this means I am left with a load of un-needed Sites in AD, I assume)

We also use DFS but are moving to DFS-R shortly.

Thoughts anyone?

Jim
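Whichever option is chosen, the cleanup starts with an accurate list of which sites no longer hold a DC and which subnets are still bound to them. The script below is an added example, not from the thread; it assumes a domain-joined Windows host with Windows PowerShell and a caller with rights to read (and, if the guarded step is enabled, modify) the Sites container. The core site name 'Core-London' is a placeholder for the example.

```powershell
# Added example (not from the thread): after demoting branch DCs, list the AD
# sites that contain no domain controller together with the subnets and site
# links still attached to them, and (optionally) re-point one subnet at a core
# site so the branch is serviced by the core DCs.
# Assumptions: domain-joined host, Windows PowerShell, read rights on the
# Configuration NC (write rights only if $Apply is set). Site names are placeholders.

Add-Type -AssemblyName System.DirectoryServices   # usually already loaded; harmless if so

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Sites with zero servers are the ones left behind by the demotions.
$emptySites = foreach ($site in $forest.Sites) {
    if ($site.Servers.Count -eq 0) {
        [pscustomobject]@{
            Site      = $site.Name
            Subnets   = (@($site.Subnets   | ForEach-Object { $_.Name })) -join ', '
            SiteLinks = (@($site.SiteLinks | ForEach-Object { $_.Name })) -join ', '
            Adjacent  = (@($site.AdjacentSites | ForEach-Object { $_.Name })) -join ', '
        }
    }
}

$emptySites | Sort-Object Site | Format-Table -AutoSize

# Guarded change: move a single subnet from an empty branch site to a core site.
# Nothing is written unless $Apply is $true; the names below are placeholders.
$Apply        = $false
$SubnetName   = '10.20.30.0/24'
$CoreSiteName = 'Core-London'

if ($Apply) {
    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $forest.Name)
    $subnet = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySubnet]::FindByName($ctx, $SubnetName)
    $core   = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::FindByName($ctx, $CoreSiteName)

    "Moving subnet $SubnetName from site '$($subnet.Site.Name)' to '$($core.Name)'"
    $subnet.Site = $core
    $subnet.Save()
    # Delete the old site only after every subnet and site link referencing it is gone;
    # $site.Delete() on an ActiveDirectorySite object does that, and is deliberately not run here.
}
```

Running the first half before and after each batch of demotions gives a checklist that shrinks to zero as subnets are re-homed; a site that still has subnets but no servers is exactly the state in which clients fall back to DC locator site-less behaviour, which is the question the post is asking about.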

[ActiveDir] Renaming RDN & Displayname using ADMOD

2006-03-21 Thread James Carter
Hi,

I am trying to rename a user's RDN & Displayname.

I have tried using the following command using ADMOD:

admod -b "cn=HR Asia Pacific Mailbox,ou=GMail,ou=AP,dc=SUNINT,dc=com" -rename "HRAP IT Mailbox" "displayname::HRAP IT Mailbox"

This renames the RDN, but it does not rename the displayname. The displayname field currently contains text so it's not empty.

Any ideas why this won't work?

Thanks James.

[ActiveDir] Configuring PDC Emulator for time source

2006-03-15 Thread James Carter
Hi,

I have been looking into configuring the Windows Time Source on our PDCe: http://technet2.microsoft.com/WindowsServer/en/Library/f1d8b85d-2b4f-4acd-8c2e-259167b95e481033.mspx

How does everyone else configure their corporate environment? Do you use hardware time clocks? Are there any security risks with the link provided above?

What would the impact be if our PDCe is not already configured?

thanks

James Carter

[ActiveDir] Forest Recovery Question

2006-03-12 Thread James Carter
Hi everyone,

I have read a MS whitepaper regarding Forest Recovery. The process seems straightforward.

My question is regarding GCs. It mentions that you should disable the GC function on a restored root DC if enabled, as this may contain a partial replica newer than that of the domain it's authoritative for.

If the GC function is disabled, you can't seize the Domain Naming Master FSMO, which I assume would mean you can't add additional child domains. So would you have to disable then re-enable the GC function, seize the FSMO roles (ex IM) to the restored root DC (now a GC) before adding a second DC and making this the IM FSMO before recovering the child domains?

So my question is: at what point would you need to re-enable the GC function on the recovered root DC?

This is assuming it's a multi-domain environment, so would disabling the GC function be required in a single-domain forest recovery? I would have thought not.

thanks

James Carter