RE: [ActiveDir] OT: Query Based Distribution Groups

[Katherine Coombs]

[unlurk]
 
Hi Justin,
 
Right-click on the Distribution Group that you'd like the QBDG to be a 
member of and select "Add Exchange Query-based Distribution 
Groups".
 
HTH,
Katherine
 
[/unlurk]


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin 
(ITS)Sent: 26 July 2006 16:56To: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: Query Based 
Distribution Groups


What are the rules for nesting QDGs? 
Most of the MS documentation we see says that you can nest QDGs in other 
Universal Distribution Groups, but when we try to add a QDG to a Universal DG, 
we are unable to find the QDG. We’re running Exchange 2003 Native Mode and 2003 
FFL for AD. Our Exchange admins have the Exchange 2003 ADUC console 
installed.
 
What are we 
missing?
 
Thanks,
Justin
 

  
  
ITS ENTERPRISE SERVICES EMAIL 
  NOTICEThe information contained in this email and any attachments 
  is confidential and may be subject to copyright or other intellectual 
  property protection. If you are not the intended recipient, you are not 
  authorized to use or disclose this information, and we request that you 
  notify us by reply mail or telephone and delete the original message from 
  your mail system.

RE: [ActiveDir] Exchange queue(OT)

[Katherine Coombs]

Hi Tom,
 
I'm sure that you've spent more than the 5 seconds that I did trying to 
find a solution, but I came across this article:  http://support.microsoft.com/default.aspx?kbid=884996
 
HTH,
Katherine


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: 04 May 2006 20:35To: 
activedirectorySubject: [ActiveDir] Exchange 
queue(OT)

I have an issue where a user sends an email to about 1800 recipients using 
Outlook DL's.
 
The email always gets stuck in the "messages awaiting directory lookup" 
queue for hours(sometimes days).
 
The only thing logged in the app log is-
 

Event Type: WarningEvent Source: MSExchangeTransportEvent 
Category: Categorizer Event 
ID: 6004Date:  5/4/2006Time:  3:21:02 
PMUser:  N/AComputer: EXNYC01Description:The 
categorizer is unable to categorize messages due to a retryable error. There is 
not enough space on the disk.  
For more information, click http://www.microsoft.com/contentredirect.asp. 
Data:: 70 00 00 
00   
p...    
 
The server has about 80gig of free space.
 
I tried moving the user's mailbox to another server but she still gets the 
same issue.
 
Has anyone had experience with this error?
 
I'm running Exchange 2k in mixed mode ina AD 2000 native mode enviorment.
 
Thanks

RE: [ActiveDir] User accessing mailboxes

[Katherine Coombs]

Al,
 
I 
think that this is what you're referring to?  http://support.microsoft.com/kb/895949/
 
Cheers,
Katherine Coombs


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Al 
MulnickSent: 01 April 2006 14:48To: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] User accessing 
mailboxes

There was a hotfix that changed the behavior of Exchange 2003 for the full 
mailbox access rights.  Could be you ran into that. 
 
If I recall correctly, you need to also grant the receive as rights for [EMAIL PROTECTED] to access [EMAIL PROTECTED] (grant it on sales account). 

That send as and receive as should allow him to access the account 
properly. From there, you may want to get more granular and remove some rights, 
but that's something you'll have to work on to get it the way you want in your 
organization. 
For the users that need to send as, grant them the send as 
rights.  They can do this from their Outlook client when they want to send 
as. 
 
Al 
On 4/1/06, Milton 
Sancho <[EMAIL PROTECTED]> 
wrote: 

  Hi,I configure an user with his 
  mailbox-enable account [EMAIL PROTECTED], besides 
  this user needs to get access to the mailbox-enabled account [EMAIL PROTECTED], it is a 
  business company e-mail account. I granted him rights over sales e-mail 
  account:-Delete mailbox storage and Full Mailbox access -Grant 
  permissions to: Send on behalf 
  However when the user access his mailbox [EMAIL PROTECTED] can send 
  and receive e-mails fine;  but when I added him the mailbox [EMAIL PROTECTED] he can 
  not send e-mails as sales user, IMAP config will works fine; but exchange 
  e-mail accounts the process change.-On the other hand, I need several 
  users with rights to send but no receive e-mails ([EMAIL PROTECTED]) 
  Thanks comments that drive me to the right config or to 
  understand why I can not get the config that I need! Thanks 
  comments

RE: [ActiveDir] display name confusion

[Katherine Coombs]

Tom,
 
The column Name in ADU&C is not the displayName, 
but you can add this latter column.
 
When generating a user via ADU&C, the field called Full Name 
is used to populate the user's CN, displayName and 
name attributes.  By default this format is "givenName 
sn" but you can modify this via the relevant DisplaySpecifier as 
you mentioned (see http://support.microsoft.com/?kbid=250455).  
Note that changing the DisplaySpecifier only affects objects 
created afterwards; objects previously created won't be updated to reflect this 
change.  Additionally, the displayName can be subsequently 
over-written, or a displayName can be specified at the point of object 
creation which doesn't adhere to the createDialog 
format.
 
If your createDialog for users is %, 
% then - within ADU&C - the Full 
Name field (which populates the CN, displayName and 
name attributes) will be populated automatically based on the 
information in the First name and Last name fields.  
If you don't populate these two fields then the Full Name will need to 
be specified manually before you can proceed.  I presume that this field is 
required in ADU&C because it populates the CN, which is a mandatory 
attribute, and just for convenience sake the information from this field is then 
used to populate those other attributes.  Creating a user via another 
mechanism, such as via a script, should only require you to specify the 
CN and samAccountName, since other attributes including the 
displayName are optional.  Actually, you don't even need to 
specify the samAccountName come to think of it, since it will be 
created automatically if you don't, but ultimately the samAccountName 
attribute itself is mandatory.
 
So, if you're certain that you're creating the users via ADU&C, then 
someone manually entered the samAccountName in the Full Name 
field, which propagates to the displayName attribute amongst 
others.
 
I'm not sure what you mean by "the dn's are all mixed".  I thought 
that your problem was with the displayName attribute?  It sounds to me 
like someone mis-populated the Full Name field, which then flows to the 
displayName and the CN, and the 
distinguishedName.
 
HTH,
Katherine Coombs
 
PS.  For those interested, it would appear that 4 days is the time 
required to spend with joe before being converted from a lurker to an eassayist 
:-)
PPS.  I landed a couple of hours ago and am jetlagged, so anything 
written above should be taken with a pillar of salt.
 



From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Tom KernSent: 30 March 2006 07:16To: 
activedirectorySubject: [ActiveDir] display name 
confusion

Can someone explain to me how the display names get generated in 
ADUC?
 
I have users whose display names are "lastname,firstname" but whose 
accounts show up in aduc as the samaccountname format.
This is sporadic and not for all users.
The "user-Display" is set to "lastname,firstname" as well in the config 
NC.
 
 
When I do a query with adfind or dsquery, the dn's are all mixed as well 
with some in sAMAccountName format and some as the display name.
 
Thanks

RE: [ActiveDir] AD Schema Attribute

[Katherine Coombs]

Maybe I'm missing something obvious, but why not just use a single
valued attribute??  Something along the lines of:

distinguishedName=CN=OpenBarTabIncludingSpirits,CN=Schema,CN=Configurati
on,DC=ADCORP,DC=LAN,CN=OpenBarTab adminDescription=Confirms for all and
sundry that management at this fine company are committed to sponsoring
your consumption (responsible or otherwise) of alcohol.  Bring on the
Christmas parties Avanade!


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 30 November 2005 07:37
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Schema Attribute

It's a good way of preparing management for what you want at the
Christmas party.

We also put quantity in there!


- Original Message -
From: "Dean Wells" <[EMAIL PROTECTED]>
To: "Send - AD mailing list" <[EMAIL PROTECTED]>
Sent: Wednesday, November 30, 2005 2:29 AM
Subject: RE: [ActiveDir] AD Schema Attribute


> Note that it's multi-valued ... what can I say, we're British and
there's
> [EMAIL PROTECTED] all else to do :o)
>
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Almeida
Pinto,
> Jorge de
> Sent: Monday, November 28, 2005 11:48 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] AD Schema Attribute
>
> Now this is fun...
> The AD Schema contains the following attribute:
>
> distinguishedName=CN=drink,CN=Schema,CN=Configuration,DC=ADCORP,DC=LAN
> CN=drink
> adminDescription=The drink (Favourite Drink) attribute type specifies
the
> favorite drink of an object (or person).
> isSingleValued=FALSE
>
> ;-)
>
> Cheers,
> Jorge
> PS.: I read about this here:
>
http://blogs.dirteam.com/blogs/tomek/archive/2005/11/29/drink_attr.aspx
>
>
>
> This e-mail and any attachment is for authorised use by the intended
> recipient(s) only. It may contain proprietary material, confidential
> information and/or be subject to legal privilege. It should not be
copied,
> disclosed to, retained or used by, any other party. If you are not an
> intended recipient then please promptly delete this e-mail and any
> attachment and all copies and inform the sender. Thank you.
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/ 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Active Directory wish list

[Katherine Coombs]

The user account performing the backup needs to have "Restore Files and
Directories" rights to be able to perform a backup of the system state.
I know that it's small in the scheme of things, but anytime MS wants to
fix that I'd be happy.  In other words, just granting the "Back up Files
and Directories" rights should be all that is required to, oh let's see,
back up files and directories, including System State.

K 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 05 October 2005 03:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Yeah I can say that it isn't in Longhorn. As the dev guys put it, this
is a tough one. It wouldn't just be a nobrainer if they had separate
instances of AD, there are just tons of other things involved that make
it extremely difficult. It was something that was brought up in the
summit though, not sure how much I can say around it other than no, it
won't be there.

MS feels the focus of this is dramatically reduced now as well due to
the fact that VS is available and can run DCs. Also the Server Core DCs
helps here as well as the DCs will have a smaller footprint. If folks
are NOT in agreement with that assessment, definitely speak up, it is
too late for Longhorn but possibly the opportunity exists to convince
them for BlackComb.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 9:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the
same server. SMBs with limited resources balk at having to buy
additional server hardware for redundancy on multiple domains,
especially when the AD load on the DCs is minimal. This feature sounds
like an offshoot of your list below.
If you can run AD as a service, it might not be that hard to allow
multiple domains similar to multiple websites/DBs on one server...

I remember discussing this with Stuart Kwan at DEC a couple of years
ago. I hope it makes it into the mix...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, October 04, 2005 4:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
> 
> Vista is the client OS. I don't believe they have named Longhorn 
> Server yet.I am voting for something like Windows Server 5.4.0 or 
> something like that. I realize that the marketing group would have 
> something to say about it but I figure the best thing from them is if 
> they pronounced their thoughts from the bottom of Lake Washington.
> People don't install servers because they have cool names.
>  
> The biggest non-NDA pieces that I have heard announced in conferences 
> or seen on the web already is the Read Only DC to limit security 
> exposure for WAN deployments, restartable AD that can be 
> stopped/started as necessary, DA/Admin separation so that you can have

> an Admin on a DC that "can't" achieve Domain-wide DA level rights, and

> DCs running on Server Foundation or now its called Server Core which 
> is a GUI-challenged Windows Server.
>  
> I can also say that there are a myriad of GUI updates for the Admin 
> tools though I can't state specifics. BJ Whalen who was involved with 
> the GPMC project has been brought in to work on admin experience and 
> anyone who has worked with GPOs with and without GPMC know that he 
> really helped out.
>  
> All in all, there is some very cool stuff and MS has really been 
> listening to the community on what they want and need. I know that 
> this list is watched for ideas and such and has been the source of 
> DCRs internally. So if you have ideas, spout them here, they will most

> certainly be heard. They may not make Longhorn as it is getting a bit 
> late to add major changes but your ideas could make it into a later 
> rev.
>  
>  
>joe
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
> Sent: Monday, October 03, 2005 3:46 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Active Directory wish list
> 
> 
> Hi,
>  
> With Windows Vista on it's way what's on people's wish list as far as 
> Active Directory is concerned? Also are there any big enhancements 
> due?
>  
> Thanks
> Steven
> 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://ww

RE: [ActiveDir] 2 exchange public folder questions

[Katherine Coombs]

Hi Tom,

For question number two check out http://support.microsoft.com/?id=815916

Cheers,
Katherine

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: 29 September 2005 21:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2 exchange public folder questions

Don't know on 1, but for 2 get PFDavAdmin which is either in the Exchange 
Resource Kit or downloadable from Microsoft. It will let you set permissions on 
a folder and then propagate them down to subfolders. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 29, 2005 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2 exchange public folder questions

1. When I attach a shortcut to a public folder item(word doc) as an attachment 
to an email, many users cannot open the attachement but just click on the 
shortcut and nothing happens.
they all have appropriate rights to the folder.
is this some OLE issue on the client?
by what mechanism does this occur?
 
2. Is there anyway to set inheritance on a public folder? There doesn't seem to 
be an "inheritance" tab in Outlook or under "client permissions" tab in ESM.
How can i set a user to have say, reviewer role or create items right for all 
folders and/or items underneath a public folder or future folders created 
underneath said folder?
or block that right?
 
Thanks alot.
.Böv
rzÊryi
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Tombstone Interval

[Katherine Coombs]

Title: Tombstone Interval



Hi Jorge,
 
It's to do with DNS (resource?) records, not AD tombstoned 
objects.  As per http://msdn.microsoft.com/library/default.asp?url="">:
 

DsTombstoneInterval 
Data type: uint32Lifetime of tombstoned records in Directory 
Service integrated zones, expressed in seconds.
 
HTH,
Katherine
 
PS.  Sorry - in a rush.  Hope this email doesn't seem 
abrupt!


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge deSent: 14 September 2005 17:58To: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Tombstone 
Interval

Hi, 
The first I understand 
but I do not understand the second. Does anyone know what the second 
does? 
Thanks 
Jorge 
(1) configured per 
forest in AD The tombstone lifetime 
value in an Active Directory forest defines the default number of days that a 
domain controller preserves knowledge of deleted objects. This value also 
defines the useful life of a system state backup that is used for disaster 
recovery or installation from backup media. Active Directory protects itself 
from restoring data that is older than the tombstone lifetime by disallowing the 
restore. 
(2) configured per DNS 
server in the registry manually or through DNSCMD /dstombstoneinterval[ 1-30] 
Amount of time in seconds to keep 
tombstoned records in Active Directory alive. 
Met 
vriendelijke groet / Kind regards, 
Jorge de Almeida Pinto 
Infrastructure Consultant __ 
 
LogicaCMG Nederland B.V. (BU SD/AT) Division 
Industry, Distribution and Transport (ID&T) Kennedyplein 248, 
5611 ZT, Eindhoven .   Postbus 7089     5605 JB Eindhoven 
(   Tel 
    : +31-(0)40-29.57.777 
2   Fax : 
+31-(0)40-29.57.709 (   Mobile  : 
+31-(0)6-26.26.62.80 
*   E-mail  : 
[EMAIL PROTECTED]
"    - Solutions that matter 
- 
This e-mail and any 
attachment is for authorised use by the intended recipient(s) only. It may 
contain proprietary material, confidential information and/or be subject to 
legal privilege. It should not be copied, disclosed to, retained or used by, any 
other party. If you are not an intended recipient then please promptly delete 
this e-mail and any attachment and all copies and inform the sender. Thank 
you.

RE: [ActiveDir] 2003 SP1

[Katherine Coombs]

Hi Johnny,

The only major issue I've run into was around
http://support.microsoft.com/?id=892501

HTH,
Katherine 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: 07 September 2005 02:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 SP1


Good morning folks, I am entertaining the idea of applying SP1 to our
2003 domain controllers. I figured I would start with
http://support.microsoft.com/kb/889101  but if you have any 1st hand
knowledge of any issues, please let me know.

For that matter, if you have a good link about applying 2003 SP1 to
"member servers" please send it to me. I will probably assist with this
task also.

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator Network Services Banner Health
Voice (602)
495-4195 Fax (602) 495-4406
 
WARNING: This message, and any attachments, are intended only for the
use of the individual or entity to which it is addressed and may contain
information that is privileged, confidential and exempt from disclosure
under applicable law.  If the reader of this message is not the intended
recipient or employee/agent responsible for delivering the message to
the intended recipient, you are hereby notified that any dissemination,
distribution or copying of the communication is strictly prohibited.  If
you receive this communication in error, please notify us immediately

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] Restore permission required to backup System State

[Katherine Coombs]

Title: Restore permission required to backup System State






Hey all,


To backup the System State on a DC (or for the option to even appear) the user has to have both of the following permissions:

 - Back up files and directories 

 - Restore files and directories


The permission to "Back up files and directories" is self-evident, but why would a user also need the permission to "Restore files and directories"??

My current customer wants a particular account to be able to perform backups, but not restorations.  If a need arises, the customer was planning on changing the backup account's permissions at that time to grant them the right to perform a restoration, or use an account that does have restoration rights.

Anyone have the inside scoop on the rationale behind these required permissions??  This isn't a show-stopper for me; I'm simply curious as to why restore permissions would be required in order to take a backup.

Katherine

RE: [ActiveDir] Exchange issues again(ot)

[Katherine Coombs]

Hi Tom,
 
Long-time lurker on the AD mailing list and after seeing your posts in 
recent weeks I really feel for you!!
 
Anyway, this particular situation got me interested and so I thought 
that I'd dig around to see what I could find.  The closest article that I 
could find of relevance was http://thelazyadmin.com/2005/01/exchange-disaster-recovery.htm where the guy mentions:
 
"Even though forestprep and domainprep was run when you 
first installed Exchange, you will need to run them again to reset some security 
accounts. Because it is not updating the Schema, it is a lot faster than you may 
remember. Now on to the Exchange install. Run the following command to enter 
disaster recovery mode: setup.exe 
/disasterrecovery"I don't have a 
lab handy at the moment, but it sounds like the above could at least explain 
what you're seeing, namely that unless the Schema Master is available, the 
disasterrecovery switch won't work.  Unfortunately I don't know of any way 
to trick Exchange into thinking that it's performed the ForestPrep and 
DomainPrep.
 
Cheers,
Katherine



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, 
TomSent: 26 August 2005 23:53To: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Exchange issues 
again(ot)

No, I already have an exchange org installed!!!
 
I have 10 exchange servers in my AD.
 
I'm just trying to recover one with the /disasterrecovery switch instead of 
restoring system state to dissimallar hardware.
 
I'm not introducing exchange into AD for the first time.
 
I have an exchange org and admin group and servers already in place.
I'm only trying to recover one.
 
Now, again, before you bail, why does setup need to write to the schema in 
this case?
 
Exchange is already here. the place holders have been filled with "real" 
objects.
 
Help me please!!
 
Ah!!!

  -Original Message- From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Fri 
  8/26/2005 2:17 PM To: ActiveDir@mail.activedir.org Cc: 
  Subject: RE: [ActiveDir] Exchange issues 
  again(ot)
   

RE: [ActiveDir] OT: new job

[Katherine Coombs]

Title: Message








OK well I’m going to have to stop
lurking and respond to that one.

 

After enrolling for one of Dean’s DVD
courses that he put together for Avanade, I was much amused when he decided to
spice things up (whether that was for his sake or ours I’m not sure) by
switching accents mid-discussion.  This was later followed by him drawing
a picture of what the pause button looks like to really help us along J.  The English accent
was obviously there and I believe that Scottish and a few others were attempted,
but Australian was, regretfully, not.  Hearing foreigners trying to mimic
our accent (1) always amuses me.  Perhaps next time Dean??

 

 

(1)  and our vocabulary…at
least the vocabulary that you see on TV.  I’ve yet to see an
Australian actually wrestle a crocodile and exclaim ‘crikey…she’s
a little beauty isn’t she’ but perhaps I’ve led a sheltered
existence.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 02 August 2005 16:48
To: Send - AD mailing list
Subject: RE: [ActiveDir] OT: new
job



 



... cheeky [EMAIL PROTECTED]&[EMAIL PROTECTED]@[EMAIL PROTECTED][EMAIL PROTECTED]@[EMAIL PROTECTED]@!



--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com



 



 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 02, 2005
10:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: new
job



 

I didn't hear you but I actually saw this
message. :o)

 

How could you even make up mean and nasty
things about me? If you are going to say bad things, at least use a British
accent. Or that Australian Accent that Dean uses.

 







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Al Mulnick
Sent: Tuesday, August 02, 2005
10:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: new
job



Joe? Can you hear me Joe?  If not, is
this a good time to talk about you Joe, and say mean and nasty things (made up
of course)? 





 





If you can hear me, check the
headers.  If you can't hear me raise your right hand ;)





 





-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 02, 2005
10:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: new
job

Is something wrong with the list or is it
just me? This is the second response I have seen to this subject that is
completely empty.

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, August 02, 2005
9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: new
job

RE: [ActiveDir] ADUC Export

[Katherine Coombs]

Title: Message








Check out http://www.windowsitpro.com/Windows/Article/ArticleID/44085/44085.html
for a script that will document the OU structure and the number of user, group
and computer accounts contained therein.  It doesn’t list the
individual accounts that are contained in each, but it should be easy enough
(says she who has no grasp of coding) to tweak it to output each of these
rather than just updating the count.

 

Cheers,

katherine









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Lou Vega
Sent: Wednesday, 2 February 2005
7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC
Export



 

If you’re interested I have similar
code which can be dropped into a simple VB.NET form and run that way. I was
doing this type of operation routinely enough that I just put the whole thing
in a VB.NET app so I could pull it up on the screen for the management whenever
they wanted it.

 

r/

Lou

 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Brad Hibbert
Sent: Tuesday, February 01, 2005
3:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC
Export

 

Here is
a simple recursive VB script that can accomplish this

 

strDomain =
"DC=ds,dc=nplab,dc=secure"  ‘ Enter your DN here 
strOutput = "" 
enumerateOUs(strDomain) 
Set FSO = CreateObject("Scripting.FileSystemObject") 
Set file = fso.CreateTextFile("Result.txt", true) 
file.writeLine(strOutput) 
file.Close 
Function enumerateOUs(strDN) 
    Set
container = GetObject("LDAP://" + strDN) 
 
    strOutput =
strOutput & "Current OU" & vbTab & strDN & vbcrlf 
   
container.Filter = Array("User") 
    For each obj
in container 
   
If obj.class="user" Then 
   
strOutput = strOutput & vbTab & vbTab & vbTab &
obj.DistinguishedName & vbcrlf 
   
End If 
    next 
   
container.Filter = Array("OrganizationalUnit") 
    For each Obj
in Container 
   
enumerateOUs(obj.distinguishedName) 
    Next 
End Function 

 

Regards

Brad

 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, James
Sent: Tuesday, February 01, 2005
7:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADUC Export



In ADUC
2003, an "Export List" command is available that will export the
contents of the immediate OU you're viewing.  Is there a way to export the
full tree for an entire domain?  I'd like to pull a list of all OU's,
their position in the tree, and their contents.  Is this possible, or just
a pipe dream?





 





-James
R. Rogers

RE: [ActiveDir] ADS&S mods replicate, ADUC mods does not

[Katherine Coombs]

Hi John,
 
Check out:
 
http://www.eventid.net/display.asp?eventid=1084&eventno=980&source=NTDS%20Replication&phase=1
 
HTH,
Katherine


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of John 
WitasickSent: Tuesday, 1 February 2005 11:05 AMTo: 
ActiveDir List ServerSubject: [ActiveDir] ADS&S mods replicate, 
ADUC mods does not

One of our divisions has a DC in a child domain of 
a large W2k forest (empty root & 8 child domains, 200+ total DCs) that 
is having replication issues.  Sites and Services modifications replicate 
ok (we have successfully manipulated ntdsConnections settings), but changes made 
in Users and Computers (new user accounts) do not.  Our plan is to blow 
away the server, clean up the metadata, and then rebuild and reintroduce the 
server.  Prior to doing this, however, I was wondering if anyone had any 
input given on the listed errors:
 
The following errors are consistent in the Directory Service 
log on the remote server:
 
Event Type: ErrorEvent 
Source: NTDS ReplicationEvent Category: (5)Event 
ID: 1084Date:  1/31/2005Time:  6:09:46 
PMUser:  EveryoneComputer: Description:Replication 
error: The directory replication agent (DRA) couldn't update object 
CN=,OU=Member Servers,DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx 
(GUID 95a006b5-ca6f-439c-950d-357a5e34e81e) on this system with changes which 
have been received from source server 
752eec36-9ccf-46e7-931c-ffa4f28bcefe._msdcs.xxx.xxx.xxx.xxx. An error occurred 
during the application of the changes to the directory database on this 
system.  The error message is: The replication operation 
encountered a database error. The directory will try to update the 
object later on the next replication cycle. Synchronization of this server with 
the source is effectively blocked until the update problem is corrected. 

If this condition appears to be related to a 
resource shortage, please stop and restart this Windows Domain 
Controller. 
If this condition is an internal error, a database 
error, or an object relationship or constraint error, manual intervention will 
be required to correct the database and allow the update to proceed.  It is 
valuable to note that the problem is caused by the fact that the change on the 
remote system cannot be applied locally. Manually updating the objects on the 
local system in not recommended. Instead, on the source system (which has the 
changes already), try to reverse or back out the change.  Then, on the next 
replication cycle, observe whether the change can now be applied locally. 

The record data is the status code. Data:: 
03 21 00 
00   
.!..    
 
The above error occurs twice for two different objects, 
one object from within the domain, and one object from outside the domain 
(a different child domain).  Each iteration is followed by the following 
Information entry:
 
Event Type: InformationEvent 
Source: NTDS ISAMEvent Category: General Event 
ID: 901Date:  1/31/2005Time:  6:09:59 
PMUser:  N/AComputer: 
Description:NTDS (708) Internal trace: 
[EMAIL PROTECTED] 
 
DCDiags yields the following information:
 
Domain Controller Diagnosis
 
Performing initial setup:   Done 
gathering initial info.
 
Doing initial required tests
 
   Testing server: 
\  
Starting test: Connectivity 
.  passed test 
Connectivity
 
Doing primary tests
 
   Testing server: 
\  
Starting test: Replications 
REPLICATION LATENCY WARNING 
: This replication path was preempted by higher 
priority 
work.    from 
 to 
    
Reason: The operation completed 
successfully.    
The last success occurred at 
(never).    
Replication of new changes along this path will be 
delayed.    
Progress is occurring normally on this 
path. REPLICATION LATENCY 
WARNING 
: A full synchronization is in 
progress    
from  to 
    
Replication of new changes along this path will be 
delayed.    
The full sync is 0.00% 
complete. [Replications 
Check,] A recent replication attempt 
failed:
 
    From 
 to 
    
Naming Context: 
DC=xxx,DC=xxx,DC=xxx,DC=xxx.DC=xxx    
The replication generated an error 
(8451):    
The replication operation encountered a database 
error.    The 
failure occurred at 2005-01-31 
18:09.50.    
The last success occurred at 2004-11-24 
08:55.01.    
20 failures have occurred since the last 
success.    A 
serious error is preventing replication from 
continuing.    
Consult the error log for further 
information.    
If a particular object is named, it may be necessary to 
manually    
modify or delete the 
object.    If 
the condition persists, contact Microsoft 
Support. REPLICATION LATENCY 
WARNING 
: This replication path was preempted by higher 
priority 
work.    from 
 to 
    
Reason: The operation completed 
suc

RE: [ActiveDir] XP Permissioning and Group Policy

[Katherine Coombs]

Mario,

 

Is the Remote Registry Service running on
these XP machines?

 

Katherine

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Thursday, 26 August 2004
5:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] XP
Permissioning and Group Policy



 

Ok here is
what we have. This might be a little off topic but Hopefully with all the GPO
experience here I could get some assistance.    Any Help would
be appreciated.

 

1. XP SP1
Workstation on an NT 4.0 Domain

2. Workstation
User and Domain Admins Have Administration Access to the Computer

 

Here is what
happens

 

Workstation
User logs on and everything works fine

Domain Admin
Logs in and everything works fine

 

Domain admin
tries to remotely look at the registry and gets access Denied

Domain Admin
tries to remotely look at the event viewer and gets access Denied

 

Domain Admin
tries to remotely look at the User accounts/Groups and gets access Denied

 

 

Is there a
setting or LocalGroup Policy that might affect this computer in this way?

 

Any help is
appreciated!

 

Thanks in
advance









*** 

 The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender.  Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it.  

*** 

RE: [ActiveDir] Password Expiry Warning

[Katherine Coombs]

Mark,

 

Check out KB 135403.  In Windows
2003, the group policy setting is Interactive
Logon: Prompt user to change password before expiration – in there
you can enter the number of days that you’d like set.

 

HTH,

Katherine

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, 9 July 2004 8:36 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password
Expiry Warning



 

I’ve
seen where the password expiry warning (number of days) can be changed on a
workstation – is that for domain password, local accounts, or both? I
thought that setting would be on the domain controller side, as part of the
domain default group policy, but I don’t see it there. So to change the
14 days to something else on all my clients, do I need to set that per client
machine?

 

Thanks,

 



Mark

[ActiveDir] AAS files and Software updates within GP

[Katherine Coombs]

Title: AAS files and Software updates within GP






Hi all,

I remember some discussion a while back (could I be less specific I wonder??) about group policy software installation updates, and the effect on AAS files.  I can’t find this thread in the Archives but I was hoping that someone might have the entire thread that they could forward to me?  

TIA,

Katherine

[EMAIL PROTECTED]

RE: [ActiveDir] Roll up MCSE on Windows 2000 to MCSE on Windows 2003

[Katherine Coombs]

Title: RE: [ActiveDir] Roll up MCSE on Windows 2000 to MCSE on Windows 2003






Check out the following website:  


http://www.microsoft.com/learning/mcp/mcse/windows2003/upgrade.asp


Basically, you have to sit two upgrade exams.


HTH,K


-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of MAI ANH TUAN

Sent: Tuesday, 17 February 2004 6:48 PM

To: '[EMAIL PROTECTED]'

Subject: [ActiveDir] Roll up MCSE on Windows 2000 to MCSE on Windows 2003

Importance: High


Hi,


I have MCSE on Windows 2000, and nơ I wourld like to Upgrade it to MCSE

Windows 2003. What shoult I do?




Mai Anh Tuan


List info   : http://www.activedir.org/mail_list.htm

List FAQ    : http://www.activedir.org/list_faq.htm

List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Windows 2000 startup screen

[Katherine Coombs]

Title: RE: [ActiveDir] Windows 2000 startup screen






Russ,


You can do this through GPO by changing the following settings:


Interactive logon: message text for users attempting to logon

Interactive logon: message title for users attempting to logon


The are found in the following location within the GPO editor: Computer

Configuration\Windows Settings\Security Settings\Local Policies\Security

Options


HTH,

Katherine


-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ

Sent: Friday, 6 February 2004 1:51 AM

To: '[EMAIL PROTECTED]'

Subject: [ActiveDir] Windows 2000 startup screen



Thanks to all who helped me with the GC Disaster recovery issue!!!


Now, I've been asked to replace all the Windows 2000 and XP startup

splash

screens (the one you see in the background when you hit ctrl-alt-del.

We're

going to have our legal notice there since our top dogs don't like the

legal

notice GPO.  Question is, is there a GPO for this, and if not, is there

a

registry entry or something we can automate on login?


I know XP's solution is here http://www.updatexp.com/tip12.html

What about Win2000?  Any easy ways to do this?


~~

This e-mail is confidential, may contain proprietary information

of the Cooper Cameron Corporation and its operating Divisions

and may be confidential or privileged.


This e-mail should be read, copied, disseminated and/or used only

by the addressee. If you have received this message in error please

delete it, together with any attachments, from your system.

~~

List info   : http://www.activedir.org/mail_list.htm

List FAQ    : http://www.activedir.org/list_faq.htm

List archive:

http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Hiding Menus via a GPO

[Katherine Coombs]

Olly,

This might be of some help:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechn
ol/office/office2003/reskit/ork03/html/MntA04.asp

Katherine

-Original Message-
From: Oliver Marshall [mailto:[EMAIL PROTECTED] 
Sent: Friday, 16 January 2004 2:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Hiding Menus via a GPO

Does anyone know how I can use a GPO to hide a menu item? You might have
been listening to the Outlook thread going on on this list. I'm told
that it can be done, but I cant find any mention of it anywhere.

Ta

olly
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--
This e-mail may be confidential. Any opinions expressed herein are the opinion of the 
writer unless there is an express indication to the contrary. If you are not the 
intended recipient of this communication please delete and destroy all copies and 
immediately reply by return e-mail. Ipex ITG disclaims all liability and 
responsibility for any direct or indirect loss arising from this e-mail and/or any 
attachments.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Change passwords in AD through internet

[Katherine Coombs]

Title: Message









Hi Jason,

 

Although I'm aware that there are
security holes etc, I've used IISADMPWD to achieve what you're
after.  It allows you to dictate that a user must change the PW upon logging on,
let's them change it whenever they'd like etc.

 

HTH,

Katherine

 

-Original
Message-
From: Gleason, Jason
[mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 18 November 2003
8:24 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Change
passwords in AD through internet

 



Hi all, 





 





We have an intranet site running on
IIS with SQL Server 2000 that uses Active Directory to control user access and
passwords. The problem is that under the current set-up, I have to go into
Active Directory and change each users password once a month which is a pain
for both the users and I. 





 





Has anyone run into this before? If
so, how can I allow the users to change their passwords through their internet
browsers when it expires? 





 





Cheers, 
Jason





 



_
Jason
Gleason
Data Warehouse Analyst
Sector Strategy and
Co-ordination Unit
Ministry of Justice
Tahu o
te Ture
Charles Fergusson Tower
Block
PO Box 180
Wellington, New Zealand 

ddi:
+64 4 494 5342
mobile: +021 183 4634
fax: +64 4 494 9916 

www.justice.govt.nz 

Building a
fairer and safer New Zealand 

 



 





This e-mail message and attachments do not necessarily reflect the views of 
the New Zealand Ministry of Justice and may contain 
information that is confidential and may be subject to legal privilege. If you 
are not the intended recipient, you are hereby notified that you must not use, 
disseminate, distribute or copy this e-mail message or its attachments. If you 
received this message in error, please notify the Ministry of Justice 
by telephone (call collect: 00-64-4-918-8800) or return the 
original message to us by e-mail, and destroy any copies.
Thank you.






DISCLAIMER: This e-mail may be 
confidential. Any opinions expressed herein are the opinion of the writer unless 
there is an express indication to the contrary. If you are not the intended 
recipient of this communication please delete and destroy all copies and 
immediately reply by return e-mail. Ipex ITG disclaims all liability and 
responsibility for any direct or indirect loss arising from this e-mail and/or 
any attachments.