RE: [ActiveDir] AD Schema - adding an attribute

2007-01-10 Thread Matt Brown
I can't seem to find the birthDate attribute in any of my classes.

Looking in MMC -> Active Directory Schema.


Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 10, 2007 8:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema - adding an attribute

It's an attribute of the user class.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Wednesday, January 10, 2007 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema - adding an attribute

Hi,

Thanks for the replies.
 
> birthDate already exists - can you take advantage of it?
Where would I find this? If it already exists I think I'd be better off
using that one.


Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, January 09, 2007 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema - adding an attribute

Well, first off - birthDate already exists - can you take advantage of
it?

Second you need to register a prefix and OID tree with Microsoft on
MSDN. This is how you will get a starting point for OIDs. You'll also
get a prefix so it would be ewu-birthMonth or something.

Don't use oidgen.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, January 09, 2007 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Schema - adding an attribute

How do I add an attribute to AD?

I'd like to add birthMonth, birthDay, birthYear to my Active Directory
Schema for extra data to store for my users.

Looking in MMC -> Schema, I see I can add an attribute, but it wants an
Object ID (OID). I know there's an oidgen program somewhere (haven't found it
yet), but is that the best way to do it?

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx

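Brian's advice in the thread above (register an OID root and prefix instead of using oidgen, and reuse an existing attribute where one fits) can be turned into a repeatable ldifde import. The following is an added example, not code from the list. The OID root 1.3.6.1.4.1.99999, the prefix ewu, the schema naming context and the EXISTING list are placeholders; in practice the list of lDAPDisplayNames comes from an LDAP search of the schema naming context for (objectClass=attributeSchema), which is also the quickest way to answer the "where do I find birthDate" question without clicking through every class in the Schema MMC. Because a schema attribute can be deactivated but never deleted, the name and OID checks run before any LDIF is produced. The confidential flag (searchFlags bit 128, available with Windows Server 2003 SP1 domain controllers and not settable on base-schema attributes) is worth setting on a birth-date attribute so that it is not readable by every authenticated user.

```python
"""Build an ldifde-importable schema extension for a new AD attribute.

Added example, not from the thread. OID_ROOT, PREFIX, SCHEMA_NC and EXISTING
are placeholders; a real run uses the root and prefix you registered and the
lDAPDisplayNames read from the schema naming context. Import the result on
the schema master as a member of Schema Admins: ldifde -i -f birthMonth.ldf
"""
import re

OID_ROOT = "1.3.6.1.4.1.99999"    # placeholder, NOT a registered arc
PREFIX = "ewu"                    # placeholder prefix from the same registration
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=example,DC=edu"  # placeholder

# attributeSyntax / oMSyntax pairs for the value types used here.
SYNTAX = {
    "integer": ("2.5.5.9", 2),            # 32-bit integer
    "unicode": ("2.5.5.12", 64),          # Unicode string
    "generalizedtime": ("2.5.5.11", 24),  # GeneralizedTime
}
CONFIDENTIAL = 128  # searchFlags bit: reading needs CONTROL_ACCESS, not just Read

_OID = re.compile(r"^\d+(\.\d+)+$")

# Constructed stand-in for the schema's attribute list.
EXISTING = ["cn", "sn", "givenName", "birthDate", "employeeID"]


def find_attributes(existing, needle):
    """Case-insensitive substring search, like (lDAPDisplayName=*birth*)."""
    return sorted(a for a in existing if needle.lower() in a.lower())


def validate_oid(oid, root=OID_ROOT):
    """Dotted-decimal and strictly below the registered root."""
    return bool(_OID.match(oid)) and oid.startswith(root + ".")


def name_available(name, existing):
    """False if PREFIX-name already exists as an lDAPDisplayName."""
    return f"{PREFIX}-{name}".lower() not in {e.lower() for e in existing}


def new_attribute_ldif(name, oid, syntax, existing, *, single_valued=True,
                       confidential=False, description="", add_to_class=None,
                       schema_nc=SCHEMA_NC):
    """LDIF that adds PREFIX-name, reloads the schema cache and, optionally,
    adds the new attribute to a class's mayContain."""
    ldap_name = f"{PREFIX}-{name}"
    if not name_available(name, existing):
        raise ValueError(f"{ldap_name} already exists; reuse it, schema "
                         "attributes cannot be deleted")
    if not validate_oid(oid):
        raise ValueError(f"{oid} is not under the registered root {OID_ROOT}")
    attr_syntax, om_syntax = SYNTAX[syntax]
    add = [
        f"dn: CN={ldap_name},{schema_nc}",
        "changetype: add",
        "objectClass: attributeSchema",
        f"cn: {ldap_name}",
        f"lDAPDisplayName: {ldap_name}",
        f"adminDisplayName: {ldap_name}",
        f"attributeID: {oid}",
        f"attributeSyntax: {attr_syntax}",
        f"oMSyntax: {om_syntax}",
        f"isSingleValued: {'TRUE' if single_valued else 'FALSE'}",
        f"searchFlags: {CONFIDENTIAL if confidential else 0}",
    ]
    if description:
        add.append(f"adminDescription: {description}")
    blocks = ["\n".join(add)]
    # Reload the schema cache so the class change below can see the new attribute.
    blocks.append("dn:\nchangetype: modify\nadd: schemaUpdateNow\nschemaUpdateNow: 1\n-")
    if add_to_class:
        blocks.append(f"dn: CN={add_to_class},{schema_nc}\nchangetype: modify\n"
                      f"add: mayContain\nmayContain: {ldap_name}\n-")
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(find_attributes(EXISTING, "birth"))
    print(new_attribute_ldif("birthMonth", OID_ROOT + ".1.1", "integer", EXISTING,
                             confidential=True, description="Birth month, 1-12",
                             add_to_class="User"))
```

The three LDIF records are deliberately ordered: the attribute is created, the schemaUpdateNow write forces the schema cache reload, and only then is the class modified, because the mayContain change fails if the cache does not yet know the new lDAPDisplayName.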

RE: [ActiveDir] AD Schema - adding an attribute

2007-01-10 Thread Matt Brown
Hi,

Thanks for the replies.
 
> birthDate already exists - can you take advantage of it?
Where would I find this? If it already exists I think I'd be better off
using that one.


Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, January 09, 2007 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema - adding an attribute

Well, first off - birthDate already exists - can you take advantage of
it?

Second you need to register a prefix and OID tree with Microsoft on
MSDN. This is how you will get a starting point for OIDs. You'll also
get a prefix so it would be ewu-birthMonth or something.

Don't use oidgen.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, January 09, 2007 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Schema - adding an attribute

How do I add an attribute to AD?

I'd like to add birthMonth, birthDay, birthYear to my Active Directory
Schema for extra data to store for my users.

Looking in MMC -> Schema, I see I can add an attribute, but it wants an
Object ID (OID). I know there's an oidgen program somewhere (haven't found it
yet), but is that the best way to do it?

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+






[ActiveDir] AD Schema - adding an attribute

2007-01-09 Thread Matt Brown
How do I add an attribute to AD?

I'd like to add birthMonth, birthDay, birthYear to my Active Directory
Schema for extra data to store for my users.

Looking in MMC -> Schema, I see I can add an attribute, but it wants an
Object ID (OID). I know there's an oidgen program somewhere (haven't found it
yet), but is that the best way to do it?

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+






[ActiveDir] ADAM / AD Sync

2006-10-19 Thread Matt Brown
Hi,

I have an Active Directory environment with an account for all my users.  I
am also in the process of setting up ADAM to store more information about
those users and have a X.500 style DN. I would like to be able to use some
sort of pass-through authentication to Active Directory, is this possible
and if so, How?

What I'm trying to do is set it up so that if somebody tries to authenticate
to the ADAM LDAP it passes authentication to the Active Directory Servers.

Thanks,
--
Matt Brown
Information Technology System Specialist V
Eastern Washington University









[ActiveDir] ADAM with Domain

2006-09-29 Thread Matt Brown
How does ADAM integrate with a domain? Will they be completely separate
directories or can they somehow be joined together?

I'm wanting to use an X.500 name for the ADAM instance.

Thanks in advance for the help provided,
--
Matt Brown
IT System Specialist
Eastern Washington University




[ActiveDir] Converting OpenLDAP to Active Directory

2006-09-12 Thread Matt Brown
Anybody seen any good resources or info on converting OpenLDAP to Active
Directory?

Thanks,
--
Matt Brown
Information Technology System Specialist V
Eastern Washington University






[ActiveDir] Active Directory DN for new setup

2006-09-12 Thread Matt Brown
Hi,
 
I'm wondering if it's possible to make the Active Directory DN like an LDAP
DN?
 
something like:
 
o=company,st=wa,c=us
 
instead of: dc=mydomain,dc=edu
 
I've been tasked with converting our OpenLDAP system over to an Active
Directory system and it would help the programmers out if I didn't change the DN
on them. Although I'm sure some of the things may change.
 
Thanks,
--
Matt Brown
Information Technology System Specialist V 
Eastern Washington University 
 




[ActiveDir] Active Directory Health Scripts?

2005-12-22 Thread Matt Brown
Hi,

Wondering if anybody has written any scripts using the free tools to monitor
the health of Active Directory?

I was thinking about writing a python script to run DCDiag and check the
output for any failures and when found shoot me an email to let me know...
maybe something with repadmin, etc.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University


[ActiveDir] Domain, Lab Computers & DeepFreeze

2005-09-08 Thread Matt Brown



I'm using Deepfreeze in my computer labs here on campus (Deepfreeze restores
the computer on every restart). I also have all these computers as members of
our Domain. I'm wondering if the computer accounts in the domain reset their
passwords or something every so often and if my Deepfreeze product might be
messing this up?

Here are the following event logs I'm getting on my domain controller. I've
tried removing the computers from the domain and re-adding them, which
sometimes fixes the problem but it seems to just come back. Both Computer
Accounts are in the domain and were created less than 3 weeks ago after
removing them and deleting the accounts in the domain.

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5805
Date: 9/8/2005
Time: 5:52:05 AM
User: N/A
Computer: DC2
Description:
The session setup from the computer PSYCH-03 failed to authenticate. The
following error occurred: Access is denied.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data: 22 00 00 c0   "..À

-- AND ---

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5723
Date: 9/8/2005
Time: 1:46:08 AM
User: N/A
Computer: DC2
Description:
The session setup from computer 'PSYCH-05' failed because the security
database does not contain a trust account 'PSYCH-05$' referenced by the
specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer and
account, this may be a transient issue that doesn't require any action at this
time. Otherwise, the following steps may be taken to resolve this problem:

If 'PSYCH-05$' is a legitimate machine account for the computer 'PSYCH-05',
then 'PSYCH-05' should be rejoined to the domain.

If 'PSYCH-05$' is a legitimate interdomain trust account, then the trust
should be recreated.

Otherwise, assuming that 'PSYCH-05$' is not a legitimate account, the
following action should be taken on 'PSYCH-05':

If 'PSYCH-05' is a Domain Controller, then the trust associated with
'PSYCH-05$' should be deleted.

If 'PSYCH-05' is not a Domain Controller, it should be disjoined from the
domain.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data: 8b 01 00 c0   ‹..À

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+

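Matt's health-script idea (the 2005-12-22 post above) and the NETLOGON events in this post are both things one small script can watch for. The following is an added example, not code from the list: it parses dcdiag's per-test summary lines, picks NETLOGON 5805 and 5723 out of a text export of the System log, and builds the alert e-mail. The sample dcdiag output and events are constructed from the formats shown on this page; the dcdiag /q invocation, the mail addresses and the SMTP host are assumptions. A 5805 ("Access is denied") against a lab machine that was fine a month ago is exactly what a frozen image produces once the machine account password it carries no longer matches the one held in the domain, so the script reports the client name and not just the DC that logged the event.

```python
"""Offline AD health check: flag failed dcdiag tests and NETLOGON 5805/5723
events, then build the alert e-mail.

Added example, not from the thread. SAMPLE_DCDIAG and SAMPLE_EVENTS are
constructed; on a DC you would feed
subprocess.run(["dcdiag", "/q"], capture_output=True, text=True).stdout and
a text export of the System log, then hand the message to smtplib.
"""
import re
from email.message import EmailMessage

SAMPLE_DCDIAG = """\
Doing primary tests
   Testing server: Default-First-Site-Name\\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity
      Starting test: Replications
         ......................... DC2 passed test Replications
      Starting test: Services
         ......................... DC2 failed test Services
      Starting test: SystemLog
         An Error Event occurred.  EventID: 0x000016AD
         ......................... DC2 failed test SystemLog
"""

SAMPLE_EVENTS = """\
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5805
Computer: DC2
Description: The session setup from the computer PSYCH-03 failed to authenticate. The following error occurred: Access is denied.

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5723
Computer: DC2
Description: The session setup from computer 'PSYCH-05' failed because the security database does not contain a trust account 'PSYCH-05$' referenced by the specified computer.

Event Type: Warning
Event Source: NETLOGON
Event Category: None
Event ID: 5781
Computer: DC2
Description: Dynamic registration or deletion of one or more DNS records failed.
"""

# dcdiag summary line: "......................... DC2 failed test Services"
RESULT = re.compile(r"\.{3,}\s+(?P<dc>\S+)\s+(?P<result>passed|failed)\s+test\s+(?P<test>\w+)")

NETLOGON_IDS = {
    5805: "machine account failed to authenticate (typically a stale machine account password)",
    5723: "no computer account in the domain for the requesting machine",
}
# One "Name: value" per line, as in a plain-text event log export; only the
# first line of a multi-line Description is captured.
FIELD = re.compile(r"^(Event Source|Event ID|Computer|Description):\s*(.*)$", re.M)
MACHINE = re.compile(r"from (?:the )?computer '?([A-Za-z0-9-]+)'?")


def parse_dcdiag(text):
    """Map (dc, test) -> 'passed' / 'failed' from dcdiag summary lines."""
    return {(m["dc"], m["test"]): m["result"] for m in RESULT.finditer(text)}


def failed_tests(text):
    return sorted(k for k, v in parse_dcdiag(text).items() if v == "failed")


def netlogon_failures(text):
    """(event id, client machine, reporting DC) for each NETLOGON 5805/5723."""
    hits = []
    for block in re.split(r"\n\s*\n", text):
        fields = dict(FIELD.findall(block))
        if fields.get("Event Source") != "NETLOGON":
            continue
        try:
            eid = int(fields.get("Event ID", ""))
        except ValueError:
            continue
        if eid in NETLOGON_IDS:
            m = MACHINE.search(fields.get("Description", ""))
            hits.append((eid, m.group(1) if m else "?", fields.get("Computer", "?")))
    return hits


def build_alert(dcdiag_text, events_text, sender="ad-health@example.edu",
                to="admin@example.edu"):
    """EmailMessage listing every failure, or None when the run is clean."""
    fails, events = failed_tests(dcdiag_text), netlogon_failures(events_text)
    if not fails and not events:
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, to
    msg["Subject"] = f"AD health: {len(fails)} dcdiag failure(s), {len(events)} NETLOGON event(s)"
    body = [f"dcdiag: {dc} failed test {test}" for dc, test in fails]
    body += [f"event {eid} on {dc}: {NETLOGON_IDS[eid]} - client {host}"
             for eid, host, dc in events]
    msg.set_content("\n".join(body))
    return msg


if __name__ == "__main__":
    alert = build_alert(SAMPLE_DCDIAG, SAMPLE_EVENTS)
    print(alert if alert else "healthy")
    # live: smtplib.SMTP("mail.example.edu").send_message(alert)
```

Returning None on a clean run is deliberate: a scheduled task that mails only on failure is far more likely to be read than one that mails every night, and the `if __name__` block keeps the module importable by a larger monitoring script.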

RE: [ActiveDir] Virtual Domain Controllers

2005-08-08 Thread Matt Brown
I really could have got the job done without AD, this was the first server
for the company and it took a while to talk them into it. I looked at SBS but
didn't really see any benefits over 2003 Server Standard for their environment
so decided against it. The domain is so small I can rebuild it from scratch in
about 20 minutes so I'm not too worried about it.

Matt

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 6:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

That sounds like you should probably be running SBS. That was designed for
those types of deployments.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, August 05, 2005 8:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

I run a single DC in a small environment... only about 10 users, and since
it's just a single server office, and single DC domain... I just run
everything on the domain controller. Domain, DNS, File, Print, and Accounting
Software on the same server... no VMware... although I considered it. Since
it's a single domain server I just take ghost snapshots of the domain and then
backup the files.

Seems to work pretty good, as it's been running solid for about a year now.

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 05, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Could you just do the file/print on the DC? In a small environment you could
probably get away with it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
-- A good plan today is better than a perfect plan tomorrow.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

Hi All,

I have a question about running DCs on GSX server. I understand that MS does
not support this configuration, but I've heard that many people are running
DCs in this fashion. Can anyone give some advice in this arena? The idea here
is to do VM for a file/print, and another one for a DC in our remote sites.
Currently, we've got different hardware for each box, but we're trying to
consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277
[EMAIL PROTECTED]

*CONFIDENTIALITY NOTICE* This e-mail may contain information that is
privileged, confidential, or otherwise exempt from disclosure under applicable
law. If you are not the addressee or it appears from the context or otherwise
that you have received this e-mail in error, please advise me immediately by
reply e-mail, keep the contents confidential, and immediately delete the
message and any attachments from your system.


RE: [ActiveDir] Virtual Domain Controllers

2005-08-05 Thread Matt Brown
I run a single DC in a small environment... only about 10 users, and since
it's just a single server office, and single DC domain... I just run
everything on the domain controller. Domain, DNS, File, Print, and Accounting
Software on the same server... no VMware... although I considered it. Since
it's a single domain server I just take ghost snapshots of the domain and then
backup the files.

Seems to work pretty good, as it's been running solid for about a year now.

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 05, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Could you just do the file/print on the DC? In a small environment you could
probably get away with it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
-- A good plan today is better than a perfect plan tomorrow.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

Hi All,

I have a question about running DCs on GSX server. I understand that MS does
not support this configuration, but I've heard that many people are running
DCs in this fashion. Can anyone give some advice in this arena? The idea here
is to do VM for a file/print, and another one for a DC in our remote sites.
Currently, we've got different hardware for each box, but we're trying to
consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277
[EMAIL PROTECTED]

*CONFIDENTIALITY NOTICE* This e-mail may contain information that is
privileged, confidential, or otherwise exempt from disclosure under applicable
law. If you are not the addressee or it appears from the context or otherwise
that you have received this e-mail in error, please advise me immediately by
reply e-mail, keep the contents confidential, and immediately delete the
message and any attachments from your system.



RE: [ActiveDir] OT: MIIS, ADAM, & AD

2005-07-29 Thread Matt Brown
I have MIIS, but have not used it for our OpenLDAP to Active Directory Sync.

Before I got MIIS I wrote python scripts to sync our LDAP with our Active
Directory. I don't sync passwords via the scripts, because I have another PHP
script that sets the user password on both directories when changed. I don't
really plan on switching this over to MIIS because my python scripts are
working so well and are so easy to manage. But playing with MIIS, it really
shouldn't be too hard to set up the sync with it.

I also use python scripts to sync our Student Information system with the
openLDAP. I'm not really a programmer and learned python just for this
project, had the scripts working in less than a week. If you want some info
or code samples just let me know.
 

Thanks,

--

Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, July 29, 2005 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] OT: MIIS, ADAM, & AD


Hello,
 
We use MIIS 2003 to synchronise users' identities between AD2003, openldap,
Oracle 9i, and that works pretty good.
MIIS includes preintegrated directories to manage such as ADAM, novell
edirectory, Active Directory, DSML, Oracle 9i, and many more, called
Management Agents (MA) or connectors.

With the MIIS 2003 SP1, you could easily synchronize users' passwords between
different directories but always in the way below:

-->  User password changes (via MMC ADUC, ctrl+alt+Del, web) are detected by
AD 2003 DCs, these changes are pushed to your MIIS server which pushes
passwords to your configured directories: in your case ADAM. And that works
great! All passwords are encrypted between synchronisations.

BUT MIIS has those inconveniences:
1) It costs. The price is per processor (~12000 euros/processor pretty
equivalent to 1 dollars/processors).
2) you must have very good knowledge in dev.: VB.net and c# are the dev
environment for MIIS.

These links will help you to better understand the product.

Yahoo newsgroup: http://groups.yahoo.com/group/MMSUG/  you have to sign in
before.

http://www.activeidm.com/servlet/constructor.includeHTTP?iwebsiteID=8627&isectionTypeID=1&isectionID=43519

http://www.microsoft.com/windowsserversystem/miis2003/support/default.mspx

A MS tutorial:
http://www.microsoft.com/downloads/details.aspx?FamilyId=DADC5021-222B-4AF7-8C58-2227C358756F&displaylang=en#filelist

...and a good practice on how to configure MIIS to synchronize with ADAM, but
it is in french.. :(
http://www.techheadbrothers.com/DesktopDefault.aspx?tabindex=1&tabid=7&CatId=6
see "MIIS pas à pas, Partie 1/3", "MIIS pas à pas, Partie 2/3" and "MIIS pas
à pas, Partie 3/3"

A good webcast about MMS, which is the old version, but a good presentation
of how MIIS works:
http://support.microsoft.com/default.aspx?kbid=324572

I do not know what ADAM "proxy users" is and how you can use it to achieve
your goal. Maybe someone in this list could help you...

Good luck :)

Cheers,

Yann


From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Date: Fri 29/07/2005 16:03
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: MIIS, ADAM, & AD


We have an upcoming project which will require an LDAP directory containing
both our internal users, and our extranet users. Currently, our internal
users are in one AD domain, the extranet users are in another. The domains
are in separate forests, and there are no trusts.
 
My plan is to use ADAM for the central LDAP directory. However, I'm on the
horns of an enema, um, I mean dilemma on how to sync ADAM to the two
domains. A first glance would suggest MIIS. However, MIIS looks pretty
complicated, and difficult to configure. 
 
I'm considering writing my own sync code since the task at hand is
relatively straight-forward. Passwords will be a bit of a problem, but not
unworkable. We use Psynch to maintain our internal passwords, so I can have
it change the ADAM passwords at the same time it changes the internal AD
passwords. The extranet users change their password via an existing web app,
so having it change the ADAM passwords won't be an issue.
 
Reading about ADAM "proxy users" leads me to believe they'd be a perfect fit
as the object type to use for our internal users (authentication is relayed
to 

RE: [ActiveDir] 2003 sp1 security agent

2005-07-27 Thread Matt Brown
Ya, I mean the security config wizard.  I've normally never had any firewall
stuff on my domain controllers... But was thinking it might be possible with
2003 SP1.

Anybody have any recommendations? 


Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, July 27, 2005 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 sp1 security agent

Security Config Agent  Not sure on that.  Do you mean the Security
Config Wizard?  If so - nope - none at all.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Wednesday, July 27, 2005 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 sp1 security agent

Anybody used the security config agent and had any issues with it on Domain
Controllers... Or any recommendations?

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+




[ActiveDir] 2003 sp1 security agent

2005-07-27 Thread Matt Brown
Anybody used the security config agent and had any issues with it on Domain
Controllers... Or any recommendations?

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+




[ActiveDir] Deny logon locally for Macs?

2005-07-20 Thread Matt Brown
Hi,

I am using the Mac Active Directory plug-in to authenticate our Macs. I have
a group of users that are allowed access to some network resources but are
not allowed to logon locally to the computers (Macs OSX or PCs).

I am using a group policy to control this and it works great on the PCs, but
for some reason the Macs can still login. Anybody know how to stop this
besides disabling the account?

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+
 


RE: [ActiveDir] User with LDAP userPassword permissions

2005-07-19 Thread Matt Brown
Worked perfectly, thanks.

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Tuesday, July 19, 2005 12:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User with LDAP userPassword permissions

I didn't see any responses to this... don't know if I missed an answer... but
you should be able to ACL the Write permission to the userPassword property to
any account you want... and you're right to do it to a "limited" account,
although I'd be concerned about ANY code that could be accessed and leveraged
to change passwords... but that's a security discussion, not a delegation
discussion...

What's the actual PROBLEM? Is it the delegation or how to do it? I've not
dealt with that attribute recently, but I might have the piece (that most
people miss) for you. Hopefully this is the answer:

You need to "expose" the permissions for that property in order to delegate
them. There are LOTS of properties of a user (and other objects) that are
"hidden" to keep the ACL Editor "clean."

On the machine FROM WHICH YOU ADMINISTER, open Notepad and open
%windir%\system32\dssec.dat
Find the section [user].
Find the line userPassword=7. Delete it. (the =7 "hides" the permissions for
this property in the ACL editor)
Restart AD Users & Computers.

In ADU&C View - Advanced Features.
Right-click the OU that contains the users for whom you want this PHP app to
set the passwords.
Security - Advanced - Add
Specify the account (or a group containing the account) used by the PHP app.
In the dialog box, click the PROPERTIES tab.
In the drop down list, choose USER OBJECTS.
Scroll down and you'll find Write userPassword.

If this doesn't work, or wasn't quite the problem you were having, please
reply. In such case, please let us know what domain and forest functional
level you're running and if you have SP1 on your W2K3 DCs. It makes a
difference, as you might know.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Monday, July 18, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User with LDAP userPassword permissions

Hi,

I'm trying to give an account permission to update the userPassword field via
LDAP protocol in PHP. I have it working perfect using my Admin account. But
since that has to be stored in the PHP file I would really like to have an
account with much tighter security able to make the modification.

Any ideas?

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+

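Dan's first four steps edit dssec.dat by hand on the administrator's workstation. As an added example (not code from the thread), the following does the same edit programmatically, removing the hiding entry only from the [user] section and leaving an identically named entry under any other class alone; SAMPLE_DSSEC is a constructed excerpt, far shorter than the real file. The edit only changes what the ACL editor displays on that one machine and grants nothing by itself; the delegation that actually matters is the Write userPassword ACE on the OU from the remaining steps, granted to the dedicated account the PHP application binds with rather than an administrator.

```python
"""Unhide a property in dssec.dat so its permission appears in the ACL editor.

Added example, not from the thread. SAMPLE_DSSEC is a constructed excerpt;
the real file is %windir%\\system32\\dssec.dat on the admin workstation, and
this edit is cosmetic for the ACL editor only: it grants no permission.
"""
from pathlib import Path

SAMPLE_DSSEC = """\
[user]
accountExpires=7
unicodePwd=7
userPassword=7
userWorkstations=7
[computer]
userPassword=7
"""


def unhide_property(text, section, prop):
    """Return text with the `prop=...` line dropped from [section] only.

    A value of 7 hides the property in the ACL editor; deleting the line
    (Dan's step) shows it again. Section and property names are matched
    case-insensitively, everything else (including other sections that
    carry the same property name) is preserved as-is.
    """
    out, current = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1].lower()
        elif (current == section.lower() and "=" in s
              and s.split("=", 1)[0].strip().lower() == prop.lower()):
            continue  # the hiding entry: drop it
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def hidden_in_section(text, section, prop):
    """True if [section] still carries a hiding entry for prop."""
    return unhide_property(text, section, prop) != text


def unhide_in_file(path, section, prop):
    """Apply unhide_property to a file in place; returns True if it changed."""
    p = Path(path)
    old = p.read_text()
    new = unhide_property(old, section, prop)
    if new != old:
        p.write_text(new)
    return new != old


if __name__ == "__main__":
    print(unhide_property(SAMPLE_DSSEC, "user", "userPassword"))
    # live: unhide_in_file(r"C:\Windows\System32\dssec.dat", "user", "userPassword")
```

Restart Active Directory Users and Computers after the file changes; the editor reads dssec.dat at start-up, which is why Dan's step four is there.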

[ActiveDir] User with LDAP userPassword permissions

2005-07-18 Thread Matt Brown
Hi,

I'm trying to give an account permission to update the userPassword field via
LDAP protocol in PHP. I have it working perfect using my Admin account. But
since that has to be stored in the PHP file I would really like to have an
account with much tighter security able to make the modification.

Any ideas?

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+


RE: [ActiveDir] New System Setup

2005-07-06 Thread Matt Brown



Lets' say I do this... put all drives in Raid 5 or Raid 1 
with the hot spare.  
 
Any recommendations on how to partition it out.  
Domain has about 25 - 30K accounts in it... so it's relatively 
small.
 


Thanks,
--
Matt 
Brown [EMAIL PROTECTED]Consultant for Student Technology 
Feewebsite: http://techfee.ewu.edu/+--+| 
509.359.6972 ph. - 509.359.7087 fx| 307 MONROE HALL | Cheney, WA 
99004+--+
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Brian 
DesmondSent: Wednesday, July 06, 2005 7:44 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] New System 
Setup


My 
assumption based on the question is that the domain isn’t big enough for there 
to be perf issues at the i/o end of things. RAID1 with a hot standby works too. 
Given the 4hr or overnight replacement parts service on most new servers, might 
as well RAID5 them and get the extra space. I don’t know enough about how the 
RAID controller works to guess about which of the two scenarios has more of an 
impact. 
 
 

--brian
 




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Peter 
JohnsonSent: Wednesday, July 
06, 2005 5:28 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] New System 
Setup
 
The other option, 
depending on size of domain, to take Brian statement into account, is to RAID 1 
the first 2 drives and have the 3rd drive as a hot standby. This is 
based on the idea that mirroring tends to be quicker than RAID 5. But at small 
write levels it makes very little difference as Brian pointed out. I’m just 
thinking that I hot standby might be an option from a point of view of 
availability.
 
Which would have less 
performance impact, calculating the missing/parity data on a RAID 5 set or 
rebuilding the mirror to a host standby?
 
Regards
Peter 
JOhnson
 




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Brian 
DesmondSent: 06 July 2005 
02:25To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] New System 
Setup
 
Just 
RAID5 the three of them together. 1 on its own is a silly idea in a server 
really if it supports raid. 15K RPM drives are going to sustain a significant 
amount of iops before you see a perf hit.
 

Thanks,Brian 
Desmond
[EMAIL PROTECTED]
 
c - 
312.731.3132
 
 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, July 05, 2005 6:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] New System Setup
 

Hi,

 

I have a new server with 4GB Ram and 3 (72GB) 15K drives.  Wondering what the
best way to set this up would be.  I was planning on doing a raid mirror on 2
of the drives and having the 3rd by itself.  Any suggestions on how I should
partition / where I should install the OS / ntds files, etc.?

 

Will be my new main Active 
Directory Server.

 
Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+

 


[ActiveDir] New System Setup

2005-07-05 Thread Matt Brown



Hi,
 
I have a new server with 4GB Ram and 3 (72GB) 15K drives.  Wondering what the
best way to set this up would be.  I was planning on doing a raid mirror on 2
of the drives and having the 3rd by itself.  Any suggestions on how I should
partition / where I should install the OS / ntds files, etc.?
 
Will be my new 
main Active Directory Server.
 


Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+
 


[ActiveDir] Deny Log on Locally

2005-06-29 Thread Matt Brown
I'm trying to stop certain users from being able to log on to computers in
our lab.
 
I created a group called 'nsaccess' and then created a group policy and
added the group I created to the following:

Computer Configuration
Windows Settings
Security Settings
Local Policies/User Rights Assignment
Deny log on locally
Deny log on through Terminal Services
 
For some reason it's not working.  Anybody have any ideas?  The users have
local admin rights once they log onto the machine, as I have the INTERACTIVE
group in the local workstations' Administrators group.


Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] AD Training

2005-06-07 Thread Matt Brown
Anybody have any recommended training on Active Directory?  I've already taken
the "Microsoft Windows 2003 Configuring Active Directory Services" from
Global Knowledge, but am looking for the next step I guess. 

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] DC's not communicating with each other

2005-06-07 Thread Matt Brown
Honestly, not really.  I know how to DCpromo the bad machine out of the
domain, but I haven't been able to figure out which DC that is.  I have 4 of
them.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, June 06, 2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC's not communicating with each other


Do you know how to get the AD Fixed at this point? 
 
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, June 03, 2005 11:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC's not communicating with each other


Yes, I now realize that I should Never Do that.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, June 03, 2005 5:44 AM
To: ActiveDir@mail.activedir.org; Matt Brown;
[EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC's not communicating with each other


Did I read that right?   Did you mention that you restored one of your DC's
from GHOST just before your problems started?
 
Al
 
 



From: [EMAIL PROTECTED] on behalf of Jorge de Almeida Pinto
Sent: Thu 6/2/2005 4:35 PM
To: 'Matt Brown '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] DC's not communicating with each other



Oh yes they do..

See for more info
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Opera
tions/833842ca-6a61-4e62-8c25-e3edfa266701.mspx
Select "Active Directory Operations Guide ", select "Troubleshooting Active
Directory", select "Troubleshooting Active Directory Replication Problems"

In this location you will see some troubleshooting tips

Cheers
#JORGE#


-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/2/2005 8:39 PM
Subject: RE: [ActiveDir] DC's not communicating with each other

The logs don't really tell much because they are so full they are only
holding 2 day's worth of data.  I keep getting repeats of the following
Events in my Directory Services Event Log:

Event ID: 1865
"The Knowledge Consistency Checker (KCC) was unable to form a complete
spanning tree network topology. As a result, the following list of sites
cannot be reached from the local site..."

Event ID: 1925
"The attempt to establish a replication link for the following writable
directory partition failed. ..."
--
Event ID: 1566
"All domain controllers in the following site that can replicate the
directory partition over this transport are currently unavailable"
--
Event ID 1311:
"The Knowledge Consistency Checker (KCC) has detected problems with the
following directory partition.

Directory partition:
CN=Configuration,DC=mydc,DC=mydomain,DC=edu

There is insufficient site connectivity information in Active Directory
Sites and Services for the KCC to create a spanning tree replication
topology. Or, one or more domain controllers with this directory
partition
are unable to replicate the directory partition information. This is
probably due to inaccessible domain controllers.
--

All of the Domain controllers are still allowing users to log on, which is
why I'm limping through the last week and a half of the Quarter. I believe
the problem occurred because I restored my PDC from a ghost image of the day
before at the end of march because of a problem the server had with a
windows update that I couldn't get rid of.  And ever since replication seems
to have been working but my guess is it's only been working 1 direction.  My
PDC receives updates from another DC in the site and that has worked.  But
replication from my PDC back to that DC has not.  Although this last week
replication has just given up all together.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University




-----Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida
Pinto
Sent: Wednesday, June 01, 2005 12:03 PM
To: 'Matt Brown '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] DC's not communicating with each other

Does the PDC FSMO or the other DCs have any events with errors that can
possibly tell more about this issue?
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/1/2005 6:39 PM
Subject: [ActiveDir] DC's not 

RE: [ActiveDir] DC's not communicating with each other

2005-06-03 Thread Matt Brown



Yes, I now realize that I should Never Do that.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, June 03, 2005 5:44 AM
To: ActiveDir@mail.activedir.org; Matt Brown; [EMAIL PROTECTED];
ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC's not communicating with each other


Did I read that right?   Did you mention that you restored one of your DC's
from GHOST just before your problems started?
 
Al
 

From: [EMAIL PROTECTED] on behalf of Jorge de Almeida Pinto
Sent: Thu 6/2/2005 4:35 PM
To: 'Matt Brown '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] DC's not communicating with each other

Oh yes they do..

See for more info
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/833842ca-6a61-4e62-8c25-e3edfa266701.mspx
Select "Active Directory Operations Guide ", select "Troubleshooting Active
Directory", select "Troubleshooting Active Directory Replication Problems"

In this location you will see some troubleshooting tips

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/2/2005 8:39 PM
Subject: RE: [ActiveDir] DC's not communicating with each other

The logs don't really tell much because they are so full they are only
holding 2 day's worth of data.  I keep getting repeats of the following
Events in my Directory Services Event Log:

Event ID: 1865
"The Knowledge Consistency Checker (KCC) was unable to form a complete
spanning tree network topology. As a result, the following list of sites
cannot be reached from the local site..."

Event ID: 1925
"The attempt to establish a replication link for the following writable
directory partition failed. ..."
--
Event ID: 1566
"All domain controllers in the following site that can replicate the
directory partition over this transport are currently unavailable"
--
Event ID 1311:
"The Knowledge Consistency Checker (KCC) has detected problems with the
following directory partition.

Directory partition:
CN=Configuration,DC=mydc,DC=mydomain,DC=edu

There is insufficient site connectivity information in Active Directory
Sites and Services for the KCC to create a spanning tree replication
topology. Or, one or more domain controllers with this directory partition
are unable to replicate the directory partition information. This is
probably due to inaccessible domain controllers.
--

All of the Domain controllers are still allowing users to log on, which is
why I'm limping through the last week and a half of the Quarter. I believe
the problem occurred because I restored my PDC from a ghost image of the day
before at the end of march because of a problem the server had with a
windows update that I couldn't get rid of.  And ever since replication seems
to have been working but my guess is it's only been working 1 direction.  My
PDC receives updates from another DC in the site and that has worked.  But
replication from my PDC back to that DC has not.  Although this last week
replication has just given up all together.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, June 01, 2005 12:03 PM
To: 'Matt Brown '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] DC's not communicating with each other

Does the PDC FSMO or the other DCs have any events with errors that can
possibly tell more about this issue?
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/1/2005 6:39 PM
Subject: [ActiveDir] DC's not communicating with each other

I've talked about this a little before, but I dug in a little further and
found more info.

I have 4 domain controllers in 1 domain.

When I'm on one of the 3 DC's that is not the PDC and I try to connect to
the PDC it tells me I'm not authorized.  I get this when trying to connect
to the PDC's AD users and computers, DNS, or even a file share.  I can
however connect to any of these services using the IP address. This is
strange because all DC's can ping each other and resolve the IP addresses
from the names just fine and I don't seem to be having any DNS issues.  The
3 DC's (not the PDC) can connect to each other just fine.

I'm pretty sure I'm going to need to remove 1 or more of the DC's from the
domain and re-introduce them.  I'm just trying to figure out if I should
remove the PDC or remove the othe

RE: [ActiveDir] DC's not communicating with each other

2005-06-02 Thread Matt Brown
The logs don't really tell much because they are so full they are only
holding 2 day's worth of data.  I keep getting repeats of the following
Events in my Directory Services Event Log:

Event ID: 1865
"The Knowledge Consistency Checker (KCC) was unable to form a complete
spanning tree network topology. As a result, the following list of sites
cannot be reached from the local site..."

Event ID: 1925 
"The attempt to establish a replication link for the following writable
directory partition failed. ..."
--
Event ID: 1566
"All domain controllers in the following site that can replicate the
directory partition over this transport are currently unavailable"
--
Event ID 1311: 
"The Knowledge Consistency Checker (KCC) has detected problems with the
following directory partition. 
 
Directory partition:
CN=Configuration,DC=mydc,DC=mydomain,DC=edu 
 
There is insufficient site connectivity information in Active Directory
Sites and Services for the KCC to create a spanning tree replication
topology. Or, one or more domain controllers with this directory partition
are unable to replicate the directory partition information. This is
probably due to inaccessible domain controllers. 
--

All of the Domain controllers are still allowing users to log on, which is
why I'm limping through the last week and a half of the Quarter. I believe
the problem occurred because I restored my PDC from a ghost image of the day
before at the end of march because of a problem the server had with a
windows update that I couldn't get rid of.  And ever since replication seems
to have been working but my guess is it's only been working 1 direction.  My
PDC receives updates from another DC in the site and that has worked.  But
replication from my PDC back to that DC has not.  Although this last week
replication has just given up all together.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Wednesday, June 01, 2005 12:03 PM
To: 'Matt Brown '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] DC's not communicating with each other

Does the PDC FSMO or the other DCs have any events with errors that can
possibly tell more about this issue?
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/1/2005 6:39 PM
Subject: [ActiveDir] DC's not communicating with each other

I've talked about this a little before, but I dug in a little further and
found more info.
 
I have 4 domain controllers in 1 domain.
 
When I'm on one of the 3 DC's that is not the PDC and I try to connect to
the PDC it tells me I'm not authorized.  I get this when trying to connect
to the PDC's AD users and computers, DNS, or even a file share.  I can
however connect to any of these services using the IP address. This is
strange because all DC's can ping each other and resolve the IP addresses
from the names just fine and I don't seem to be having any DNS issues.  The
3 DC's (not the PDC) can connect to each other just fine.

I'm pretty sure I'm going to need to remove 1 or more of the DC's from the
domain and re-introduce them.  I'm just trying to figure out if I should
remove the PDC or remove the other 3 DCs.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
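The event IDs Matt lists in the post above (1865, 1925, 1566 and 1311) are the KCC and replication events a responder would search for first. As an added example, not code from the thread, here is a small Python triage script that parses constructed Directory Services log lines carrying those IDs, splits them into topology failures versus link failures, lists the affected partitions, and flags the short log window that made the post's own logs unhelpful. The line format and the sample entries are constructed (event 1000 is filler, not a claim about any real NTDS event); the meanings of 1311, 1865, 1925 and 1566 are the standard NTDS ones quoted in the post.

```python
"""Triage of Directory Services event log entries for replication failures.

Added example for this thread, not code from the list or from Microsoft.
The log lines below are constructed to mirror the event IDs the post quotes
(1865, 1925, 1566, 1311); the line layout is this example's own, not a real
export format. Event 1000 here is filler for an unrelated entry.
"""
import re
from collections import Counter
from datetime import datetime

# What each NTDS event the post lists tells a responder.
KCC_TOPOLOGY = {
    1311: "KCC cannot build a spanning-tree topology for the partition",
    1865: "KCC cannot reach the listed sites from the local site",
}
REPL_LINK = {
    1925: "replication link for a writable partition could not be established",
    1566: "no DC in the site can replicate the partition over this transport",
}

# Constructed sample log (timestamp, source, level, event ID, message).
SAMPLE_LOG = """\
2005-06-01 02:00:41 NTDS KCC Warning 1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: CN=Configuration,DC=mydc,DC=mydomain,DC=edu
2005-06-01 02:00:41 NTDS KCC Warning 1865 The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology.
2005-06-01 02:00:42 NTDS Replication Warning 1925 The attempt to establish a replication link for the following writable directory partition failed. Directory partition: DC=mydomain,DC=edu
2005-06-01 02:00:42 NTDS KCC Warning 1566 All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable. Directory partition: DC=mydomain,DC=edu
2005-06-02 20:39:00 NTDS General Information 1000 constructed filler entry
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) NTDS (?P<source>\S+) "
    r"(?P<level>\S+) (?P<id>\d+) (?P<msg>.*)$"
)
PARTITION_RE = re.compile(r"Directory partition:\s*((?:CN|DC)=\S+)")


def parse_events(text):
    """Turn the constructed log text into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["id"] = int(ev["id"])
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        pm = PARTITION_RE.search(ev["msg"])
        ev["partition"] = pm.group(1) if pm else None
        events.append(ev)
    return events


def triage(events, min_window_days=7):
    """Summarise replication-failure events and say what to check first."""
    counts = Counter(ev["id"] for ev in events)
    topology = {i: counts[i] for i in KCC_TOPOLOGY if counts[i]}
    links = {i: counts[i] for i in REPL_LINK if counts[i]}
    partitions = sorted({
        ev["partition"] for ev in events
        if ev["partition"] and (ev["id"] in KCC_TOPOLOGY or ev["id"] in REPL_LINK)
    })
    if topology and links:
        verdict = ("topology-and-link failure: partner DCs are unreachable; verify "
                   "site links, DNS and each DC's replication state before touching "
                   "FSMO roles")
    elif topology:
        verdict = "topology only: review site and site-link configuration in Sites and Services"
    elif links:
        verdict = "link failures only: check connectivity and authentication to the named partners"
    else:
        verdict = "no replication-failure events in the window"
    # The post's log held only two days of data; a short window hides when the
    # problem began, so report it as a log-retention issue.
    window_days = 0.0
    if len(events) >= 2:
        stamps = [ev["ts"] for ev in events]
        window_days = (max(stamps) - min(stamps)).total_seconds() / 86400
    return {
        "counts": dict(counts),
        "topology": topology,
        "links": links,
        "partitions": partitions,
        "verdict": verdict,
        "window_days": window_days,
        "retention_short": window_days < min_window_days,
    }


if __name__ == "__main__":
    for key, value in triage(parse_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The grouping matters for the order of work: 1311/1865 say the KCC could not compute a topology at all, which points at site links, unreachable DCs or name resolution, while 1925/1566 say a specific partner link failed; when both appear together, as in the post, the FSMO errors are downstream symptoms, which is the point Dean Wells makes later in the archive.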


[ActiveDir] Stop a DC from authenticating?

2005-06-02 Thread Matt Brown
How can I stop a DC from processing Authentication.  If I build another site
that is not hooked to any of the Subnets will the computers stop
authenticating to the DC?  
 
I just want to stop it temporarily but don't want to turn the DC off.
 

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] DC's not communicating with each other

2005-06-01 Thread Matt Brown
I've talked about this a little before, but I dug in a little further and
found more info.
 
I have 4 domain controllers in 1 domain.
 
When I'm on one of the 3 DC's that is not the PDC and I try to connect to
the PDC it tells me I'm not authorized.  I get this when trying to connect
to the PDC's AD users and computers, DNS, or even a file share.  I can
however connect to any of these services using the IP address. This is
strange because all DC's can ping each other and resolve the IP addresses
from the names just fine and I don't seem to be having any DNS issues.  The
3 DC's (not the PDC) can connect to each other just fine.

I'm pretty sure I'm going to need to remove 1 or more of the DC's from the
domain and re-introduce them.  I'm just trying to figure out if I should
remove the PDC or remove the other 3 DCs.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Error in PDC Operations Master

2005-05-31 Thread Matt Brown
Ok thanks,

I found my original issue was that I had restored my PDC to a ghost image
from the day before because of a windows update that was causing the machine
to reboot like the LSASS virus.  Ever since I did that restore my domain has
not properly replicated, although looking at accounts in my OU's where I've
added many new accounts and made hundreds of changes, it appears to be in
sync. 

I'm contemplating rebuilding the entire domain, as I have scripts that will
create all the accounts in a matter of minutes, minus passwords, I wonder if
there's a way to get those out of the current accounts so I can re-sync them
up also.

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, May 31, 2005 9:20 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

I would strongly advise against that, restoring an AD DC to an earlier point
in time without its knowledge causes an issue known as USN rollback which is
difficult to detect, manifests odd symptoms and may cause more problems than
it resolves.  

The role related approaches posted so far are, IMHO, the better next-step.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, May 31, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

I also have Ghost Images of my servers from the day before my replication
stopped.  What do you think of restoring back to those images and then
restoring 1 of my active directory backups?  Because we're a university, this
is normally the time of year I reset passwords, so I could get away with
doing a master reset of all passwords. 


Thanks,
--

Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, May 31, 2005 5:50 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It certainly is finite, everything I have, however, indicates that RID
strength is ~30 bits equating to ~1 billion per domain.  I've had a brief
look elsewhere and can find no reference to other constraining factors
though that's not to say there aren't any since this most certainly isn't a
scenario I've personally encountered.

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, May 31, 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way:

I remember attending an Active Directory session last year at TechED
Amsterdam, where it was stated that the RID pools were not unlimited and it
was a finite number, something like 143 million RIDs per domain, now if it
increases by 1 million every time automatically plus you have a lot of objects
in your AD 143 million does not seem that many.

The session was a John Craddock session, on AD as part of the pre-conference
programme.

Can anyone confirm this number and confirm the matter?

Regards

Mark

-Original Message-
From: Jorge de Almeida Pinto <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:31:02 
To:ActiveDir@mail.activedir.org,   Send - AD mailing list
<[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing
the RID master the ridavailablepool is increased automatically by 1 million.
Thanks for the info and sorry for the wrong info about the need to manually
increase the RID available pool.

Is the automatic increase somehow dependent on another variable? (like
number of DCs and/or number of days or something else) Or is it a fixed
value?

Cheers
#JORGE# 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: dinsdag 31 mei 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do
you feel this is insufficient even when taking the replication outage into
account?

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: 
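Dean's warning in the thread above about restoring a DC to an earlier point in time without its knowledge is the USN rollback problem. The following Python model is added here; it is not code from the list and not how Active Directory is implemented. It keeps only three real ingredients (each DC's invocationId, its monotonically increasing USN, and the high-watermark of the highest USN a replication partner has already received per source invocationId) to show why a Ghost restore silently stops the restored DC's new changes from replicating, how a partner can detect the condition, and why a supported system-state restore, which assigns a new invocationId, does not have the problem. DC names and the change descriptions are illustrative.

```python
"""A simplified model of USN rollback: what happens when a DC is rolled back
to a disk image without Active Directory knowing about it.

Added example for this thread; not code from the list and not Active
Directory's implementation. Real ingredients kept: per-DC invocationId,
monotonic USN, and partners' high-watermark per (source, invocationId).
DC names and change descriptions are illustrative.
"""
import uuid
from dataclasses import dataclass, field


@dataclass
class DC:
    name: str
    invocation_id: str
    usn: int = 0                                        # highest committed USN
    changes: dict = field(default_factory=dict)         # usn -> description
    high_watermark: dict = field(default_factory=dict)  # (name, invocationId) -> usn
    received: list = field(default_factory=list)        # descriptions pulled in

    def commit(self, description):
        """Originate a change: USNs only ever go up on a healthy DC."""
        self.usn += 1
        self.changes[self.usn] = description
        return self.usn

    def snapshot(self):
        """Take a disk image (what Ghost did in the thread)."""
        return (self.invocation_id, self.usn, dict(self.changes))

    def restore_from_image(self, image):
        """Unsupported restore: the USN rewinds but the invocationId is
        unchanged, so partners cannot tell this is a different history."""
        self.invocation_id, self.usn, self.changes = image[0], image[1], dict(image[2])

    def restore_supported(self, image):
        """Supported (system-state) restore: the DC gets a new invocationId,
        so partners treat it as a new source and re-sync from it."""
        self.usn, self.changes = image[1], dict(image[2])
        self.invocation_id = str(uuid.uuid4())

    def pull_from(self, source):
        """Inbound replication: fetch only USNs above the stored watermark."""
        key = (source.name, source.invocation_id)
        seen = self.high_watermark.get(key, 0)
        new = [desc for usn, desc in sorted(source.changes.items()) if usn > seen]
        self.received.extend(new)
        self.high_watermark[key] = max(seen, source.usn)
        return new


def detect_usn_rollback(partner, source):
    """Rollback is detectable when a partner has already recorded a higher USN
    for this invocationId than the source now claims to have committed."""
    key = (source.name, source.invocation_id)
    return partner.high_watermark.get(key, 0) > source.usn


def simulate():
    """Replay the thread's scenario: image, more changes, replicate, restore."""
    dc2 = DC("DC2", "invocation-original")   # the DC later restored from Ghost
    dc1 = DC("DC1", "invocation-dc1")
    dc2.commit("create user alice")
    dc2.commit("create user bob")
    image = dc2.snapshot()                    # image taken at USN 2
    dc2.commit("reset password for bob")
    dc2.commit("create user carol")
    dc1.pull_from(dc2)                        # DC1 now holds USNs 1-4
    dc2.restore_from_image(image)             # DC2 rewinds to USN 2
    dc2.commit("create user dave")            # reuses USN 3
    lost = dc1.pull_from(dc2)                 # DC1 believes it already has USN 3
    detected = detect_usn_rollback(dc1, dc2)

    dc2.restore_supported(image)              # the supported path instead
    dc2.commit("create user dave")
    resynced = dc1.pull_from(dc2)             # new invocationId: full re-sync
    return {
        "silently_lost": lost,                # [] : the new change never replicates
        "rollback_detected": detected,        # True
        "after_supported_restore": resynced,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Two simplifications to keep in mind: a real partner uses its up-to-dateness vector to avoid re-pulling changes it already holds after the invocationId changes, whereas this model re-pulls everything under the new key; and on Windows Server 2003 SP1 and later the DC itself notices the mismatch, logs an error and stops replicating until it is rebuilt, rather than waiting for an administrator to run a comparison like `detect_usn_rollback`. The silent-loss behaviour is the one the model reproduces faithfully: DC2's post-restore changes are never pulled, which matches the one-direction replication Matt describes.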

RE: [ActiveDir] Error in PDC Operations Master

2005-05-31 Thread Matt Brown
I also have Ghost Images of my servers from the day before my replication
stopped.  What do you think of restoring back to those images and then
restoring 1 of my active directory backups?  Because we're a university, this
is normally the time of year I reset passwords, so I could get away with
doing a master reset of all passwords. 


Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, May 31, 2005 5:50 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It certainly is finite, everything I have, however, indicates that RID
strength is ~30 bits equating to ~1 billion per domain.  I've had a brief
look elsewhere and can find no reference to other constraining factors
though that's not to say there aren't any since this most certainly isn't a
scenario I've personally encountered.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, May 31, 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way:

I remember attending an Active Directory session last year at TechED
Amsterdam, where it was stated that the RID pools were not unlimited and it
was a finite number, something like 143 million RIDs per domain, now if it
increases by 1 million every time automatically plus you have a lot of objects
in your AD 143 million does not seem that many.

The session was a John Craddock session, on AD as part of the pre-conference
programme.

Can anyone confirm this number and confirm the matter?

Regards

Mark

-Original Message-
From: Jorge de Almeida Pinto <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:31:02 
To:ActiveDir@mail.activedir.org,   Send - AD mailing list
<[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing
the RID master the ridavailablepool is increased automatically by 1 million.
Thanks for the info and sorry for the wrong info about the need to manually
increase the RID available pool.

Is the automatic increase somehow dependent on another variable? (like
number of DCs and/or number of days or something else) Or is it a fixed
value?

Cheers
#JORGE# 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: dinsdag 31 mei 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do
you feel this is insufficient even when taking the replication outage into
account?

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring and as the NEW Rid Manager
object may not be up-to-date on the remaining DCs (because replication
halted/stopped for some reason) you may want to increase the
Ridavailablepool attribute (on the Rid Manager object in the domain) for the
NEW RID MANAGER FSMO (just to be sure)

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: vrijdag 27 mei 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases.  You'll need to seize the roles
assigned to the errant DC.  In terms of who owns the roles, you are only
interested in the perspective of the other DCs.

The PDC FSMO serves many purposes and is indeed an important DC but even it
can tolerate downtime.

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

 
Because I believe my errant DC to be my PDC will that be a problem demoting
it and then re-introducing it to the domain?

Here is a screen shot of my Operations Masters...
http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--

Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University


-Original Message-
From: [EMAIL PR

RE: [ActiveDir] Error in PDC Operations Master

2005-05-27 Thread Matt Brown
 
Because I believe my errant DC to be my PDC will that be a problem demoting
it and then re-introducing it to the domain?

Here is a screen shot of my Operations Masters...
http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected. 

Choice 1 -
Mod. the registry and permit the errant DC to re-enter the replication
topology (not recommended)

Choice 2 -
Forcibly demote the errant DC, cleanup its metadata and reintroduce it
through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that
occurred after its last successful replication attempt

?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

 
1. Number of DCs/Domain/Sites
3 Sites
-> Site A has DC1 & DC2
-> Site B DC3
-> Site C DC4

2. OS version of DCs
-> All DCs are running Windows 2003 Server Standard

3. Are the remaining DCs replicating successfully?
-> According to DC diag they all passed replications
-> They do all show in the DC diag the following:
DC=domain,DC=ewu,DC=edu
   Last replication recieved from DC2 at 2005-03-23 02:00:40.
   WARNING:  This latency is over the Tombstone Lifetime of 60
days!
Thanks,
--

Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 11:16 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It seems the FSMO errors you're receiving are merely symptoms of another
more significant problem; my guess is that your DCs have been ignoring one
another for quite some time, i.e. - not replicating.

Before proceeding, can you give me some more info. -

1. Number of DCs/Domain/Sites
2. OS version of DCs
3. Are the remaining DCs replicating successfully?

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

 
Well, I have quite a few weird things going on.

Roles: (both DCs in same site)
DC2 = PDC role, RID pool manager
DC1 = Infrastructure owner, schema owner, domain role owner

When I look at the Operations Masters...
-> from DC1 It shows ERROR for RID & PDC, & shows DC1 in Infrastructure 
-> from DC2 it shows ERROR for PDC, & shows DC2 for RID & DC1 for
Infrastructure

So neither DC1 or DC2 know who the PDC is. (It should be DC2)

When I use the "netdom query fsmo":
-> from DC1 it shows the roles as it should like above
-> from DC2 it shows the PDC role as DC1 rather than itself


1. When I try to manually replicate from DC2 to DC1 I get an error about
"Target Principal Name Incorrect"
After completing Article ID 288167 about resetting password (netdom
resetpwd) and trying to replicate, I get a tombstone error between the 2
domains saying it has exceeded tombstone lifetime and cannot continue.

2. When I try to manually replicate from DC1 to DC2 I get the same error
about "Target Principal Name Incorrect" but this is where I've stopped
because DC2 is supposed to be the PDC and the KB article makes it sound like
the PW should only be reset on the non PDC machines.


All in all, my PDC seems to have amnesia and doesn't seem to remember that
it's the PDC


Thanks,
--

Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 8:53 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

What does the machine question report within its event log?

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Oper

RE: [ActiveDir] Error in PDC Operations Master

2005-05-27 Thread Matt Brown
 
1. Number of DCs/Domain/Sites
3 Sites
-> Site A has DC1 & DC2
-> Site B DC3
-> Site C DC4

2. OS version of DCs
-> All DCs are running Windows 2003 Server Standard

3. Are the remaining DCs replicating successfully?
-> According to DC diag they all passed replications
-> They do all show in the DC diag the following:
DC=domain,DC=ewu,DC=edu
   Last replication recieved from DC2 at 2005-03-23 02:00:40.
   WARNING:  This latency is over the Tombstone Lifetime of 60 days!
Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 11:16 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It seems the FSMO errors you're receiving are merely symptoms of another
more significant problem; my guess is that your DCs have been ignoring one
another for quite some time, i.e. - not replicating.

Before proceeding, can you give me some more info. -

1. Number of DCs/Domain/Sites
2. OS version of DCs
3. Are the remaining DCs replicating successfully?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

 
Well, I have quite a few weird things going on.

Roles: (both DCs in same site)
DC2 = PDC role, RID pool manager
DC1 = Infrastructure owner, schema owner, domain role owner

When I look at the Operations Masters...
-> from DC1 It shows ERROR for RID & PDC, & shows DC1 in Infrastructure 
-> from DC2 it shows ERROR for PDC, & shows DC2 for RID & DC1 for
Infrastructure

So neither DC1 or DC2 know who the PDC is. (It should be DC2)

When I use the "netdom query fsmo":
-> from DC1 it shows the roles as it should like above
-> from DC2 it shows the PDC role as DC1 rather than itself


1. When I try to manually replicate from DC2 to DC1 I get an error about
"Target Principal Name Incorrect"
After completing Article ID 288167 about resetting password (netdom
resetpwd) and trying to replicate, I get a tombstone error between the 2
domains saying it has exceeded tombstone lifetime and cannot continue.

2. When I try to manually replicate from DC1 to DC2 I get the same error
about "Target Principal Name Incorrect" but this is where I've stopped
because DC2 is supposed to be the PDC and the KB article makes it sound like
the PW should only be reset on the non PDC machines.


All in all, my PDC seems to have amnesia and doesn't seem to remember that
it's the PDC


Thanks,
--

Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 8:53 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

What does the machine question report within its event log?

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

 
My Dcdiag output shows the following error:
#
  Starting test: KnowsOfRoleHolders
 Warning: STF2 is the PDC Owner, but is not responding to DS RPC Bind.
 [STF2] LDAP bind failed with error 8341,
 A directory service error has occurred..
 Warning: STF2 is the PDC Owner, but is not responding to LDAP Bind.
 Warning: STF2 is the Rid Owner, but is not responding to DS RPC Bind.
 Warning: STF2 is the Rid Owner, but is not responding to LDAP Bind.
 . STF1 failed test KnowsOfRoleHolders
  Starting test: RidManager
 . STF1 failed test RidManager

  Starting test: frsevent
 There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause Group Policy problems.
 . STF1 failed test frsevent
  Starting test: FsmoCheck
 Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
 A Primary Domain Controller could not be located.
 The server holding the PDC role is down.
 . domain failed test FsmoCheck
#

RE: [ActiveDir] Error in PDC Operations Master

2005-05-27 Thread Matt Brown
 
Well, I have quite a few weird things going on.

Roles: (both DCs in same site)
DC2 = PDC role, RID pool manager
DC1 = Infrastructure owner, schema owner, domain role owner

When I look at the Operations Masters...
-> from DC1 It shows ERROR for RID & PDC, & shows DC1 in Infrastructure
-> from DC2 it shows ERROR for PDC, & shows DC2 for RID & DC1 for
Infrastructure

So neither DC1 or DC2 know who the PDC is. (It should be DC2)

When I use the "netdom query fsmo":
-> from DC1 it shows the roles as it should like above
-> from DC2 it shows the PDC role as DC1 rather than itself


1. When I try to manually replicate from DC2 to DC1 I get an error about
"Target Principal Name Incorrect"
After completing Article ID 288167 about resetting password (netdom
resetpwd) and trying to replicate, I get a tombstone error between the 2
domains saying it has exceeded tombstone lifetime and cannot continue.

2. When I try to manually replicate from DC1 to DC2 I get the same error
about "Target Principal Name Incorrect" but this is where I've stopped
because DC2 is supposed to be the PDC and the KB article makes it sound like
the PW should only be reset on the non PDC machines.


All in all, my PDC seems to have amnesia and doesn't seem to remember that
it's the PDC


Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 8:53 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

What does the machine question report within its event log?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

 
My Dcdiag output shows the following error:
#
  Starting test: KnowsOfRoleHolders
 Warning: STF2 is the PDC Owner, but is not responding to DS RPC Bind.
 [STF2] LDAP bind failed with error 8341,
 A directory service error has occurred..
 Warning: STF2 is the PDC Owner, but is not responding to LDAP Bind.
 Warning: STF2 is the Rid Owner, but is not responding to DS RPC Bind.
 Warning: STF2 is the Rid Owner, but is not responding to LDAP Bind.
 . STF1 failed test KnowsOfRoleHolders
  Starting test: RidManager
 . STF1 failed test RidManager

  Starting test: frsevent
 There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause Group Policy problems.
 . STF1 failed test frsevent
  Starting test: FsmoCheck
 Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
 A Primary Domain Controller could not be located.
 The server holding the PDC role is down.
 . domain failed test FsmoCheck
#
Thanks,

--

Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error in PDC Operations Master

Hi,
 
My PDC just started acting up and is showing an error in the PDC box under
Operations Master.
 
The only recent change that I can think of to the server was I uninstalled &
re-installed the Certificate Authority 3 or 4 times, which was installed on
the PDC.
 

Thanks,
--

Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


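What dcdiag reports in this thread can be checked mechanically instead of by eye. The following is an added example, not code from the thread or from Microsoft's tools: a parser for output in the shape pasted above that lists FSMO role holders refusing RPC/LDAP binds, tests that failed, and replication partners whose last inbound replication is older than the tombstone lifetime. The sample text is constructed from the thread's own lines (host and partition names are the thread's), with each warning on a single line as dcdiag prints it; "recieved" is the tool's own spelling and the pattern accepts both forms.

```python
"""Added example: parse dcdiag output and flag the conditions discussed in the thread."""
import re
from datetime import datetime

TOMBSTONE_LIFETIME_DAYS = 60  # value dcdiag reports in the thread

# Constructed sample in the shape of the thread's dcdiag output.
SAMPLE_DCDIAG = """\
   Starting test: KnowsOfRoleHolders
      Warning: STF2 is the PDC Owner, but is not responding to DS RPC Bind.
      [STF2] LDAP bind failed with error 8341,
      A directory service error has occurred..
      Warning: STF2 is the PDC Owner, but is not responding to LDAP Bind.
      Warning: STF2 is the Rid Owner, but is not responding to LDAP Bind.
      ......................... STF1 failed test KnowsOfRoleHolders
   Starting test: Replications
      DC=domain,DC=ewu,DC=edu
         Last replication recieved from DC2 at 2005-03-23 02:00:40.
         WARNING:  This latency is over the Tombstone Lifetime of 60 days!
      ......................... STF1 passed test Replications
   Starting test: FsmoCheck
      Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
      ......................... domain failed test FsmoCheck
"""

ROLE_RE = re.compile(
    r"Warning: (\S+) is the (\w+) Owner, but is not responding to (DS RPC|LDAP) Bind")
FAILED_RE = re.compile(r"\b(\S+) failed test (\w+)")
PARTITION_RE = re.compile(r"^\s*((?:CN|DC)=\S+)\s*$")
LAST_REPL_RE = re.compile(
    r"Last replication rec(?:ie|ei)ved from (\S+) at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_dcdiag(text):
    """Return unresponsive role holders, failed tests and the last successful
    inbound replication per (partition, partner)."""
    report = {"unresponsive_roles": [], "failed_tests": [], "last_replication": {}}
    partition = None
    for line in text.splitlines():
        m = ROLE_RE.search(line)
        if m:
            report["unresponsive_roles"].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = FAILED_RE.search(line)
        if m:
            report["failed_tests"].append((m.group(1), m.group(2)))
            continue
        m = PARTITION_RE.match(line)
        if m:
            partition = m.group(1)  # following "Last replication" lines belong to it
            continue
        m = LAST_REPL_RE.search(line)
        if m and partition:
            when = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S")
            report["last_replication"][(partition, m.group(1))] = when
    return report


def stale_partners(report, now, tombstone_days=TOMBSTONE_LIFETIME_DAYS):
    """(partition, partner, days_since_last_replication) for partners that have
    been out of contact longer than the tombstone lifetime."""
    out = []
    for (partition, partner), when in report["last_replication"].items():
        days = (now - when).days
        if days > tombstone_days:
            out.append((partition, partner, days))
    return out


def thread_findings(now=datetime(2005, 5, 27, 11, 32)):
    """Run the parser over the constructed sample as of the thread's date."""
    report = parse_dcdiag(SAMPLE_DCDIAG)
    return report, stale_partners(report, now)


if __name__ == "__main__":
    report, stale = thread_findings()
    for item in report["unresponsive_roles"]:
        print("role holder not answering:", item)
    for item in report["failed_tests"]:
        print("failed test:", item)
    for item in stale:
        print("over tombstone lifetime:", item)
```

Once a partner has been out of contact for longer than the tombstone lifetime, a DC stops accepting replication from it because the partner may reintroduce objects the rest of the forest has already deleted and purged (lingering objects); the standard remedy is to demote and rebuild that DC rather than to force replication through. `repadmin /showrepl` gives the same per-partner timestamps in a form that is easier to parse than dcdiag.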

RE: [ActiveDir] Error in PDC Operations Master

2005-05-27 Thread Matt Brown
 
My Dcdiag output shows the following error:
#
  Starting test: KnowsOfRoleHolders
 Warning: STF2 is the PDC Owner, but is not responding to DS RPC Bind.
 [STF2] LDAP bind failed with error 8341,
 A directory service error has occurred..
 Warning: STF2 is the PDC Owner, but is not responding to LDAP Bind.
 Warning: STF2 is the Rid Owner, but is not responding to DS RPC Bind.
 Warning: STF2 is the Rid Owner, but is not responding to LDAP Bind.
 . STF1 failed test KnowsOfRoleHolders
  Starting test: RidManager
 . STF1 failed test RidManager

  Starting test: frsevent
 There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause Group Policy problems.
 . STF1 failed test frsevent
  Starting test: FsmoCheck
 Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
 A Primary Domain Controller could not be located.
 The server holding the PDC role is down.
 . domain failed test FsmoCheck
#
Thanks,

--

Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error in PDC Operations Master

Hi,
 
My PDC just started acting up and is showing an error in the PDC box under
Operations Master.
 
The only recent change that I can think of to the server was I uninstalled &
re-installed the Certificate Authority 3 or 4 times, which was installed on
the PDC.
 

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University




[ActiveDir] Error in PDC Operations Master

2005-05-27 Thread Matt Brown
Hi,
 
My PDC just started acting up and is showing an error in the PDC box under
Operations Master.
 
The only recent change that I can think of to the server was I uninstalled &
re-installed the Certificate Authority 3 or 4 times, which was installed on
the PDC.
 

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University




RE: [ActiveDir] MacOSX Active Directory Plug-in

2005-04-07 Thread Matt Brown
If you're having trouble binding with an Admin Account using the built-in
plug-in, add the AD DNS Servers in your Networking on the Mac.

I have been using it with just the standard Mac Active Directory plug-in for
the past year in most of my labs.  It works very well, my only problem is
for some reason it's only letting me add them to the domain using a Domain
Admin account unless I pre-create the computer account in Active Directory.

I'd like to allow a group to add them, so my lab managers can add and remove
them on their own.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
 





[ActiveDir] MacOSX Active Directory Plug-in

2005-04-06 Thread Matt Brown
When adding Macs to Active Directory using the Mac AD Directory Services
Plug-in I can do it just fine using my Domain Admin account.  But when I try
to add the machine using an account in the group with privileges to add to the
domain I get an error saying "Insufficient Privileges".

Anybody seen this or know of a privilege I need to set? All of my lab managers
on campus are in the group that can add computers to the domain and it works
fine for the PCs.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University


RE: [ActiveDir] time sync script

2005-04-05 Thread Matt Brown

That worked great!

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stelley, Douglas
Sent: Tuesday, April 05, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time sync script

 
Can't check my own mail...

Set objWMIService1 = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer1 & "\root\cimv2")
Set objWMIService2 = GetObject("winmgmts:{impersonationLevel=impersonate, " _
& "(Systemtime)}!\\" & strComputer2 & "\root\cimv2")


Find code below and replace with above



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stelley,
Douglas
Sent: Tuesday, April 05, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time sync script

Here's a simple 'script' that'll do it for you across the domain. Rough
around the edges, but it works.
See the 2 required fields near the top.
Doug

On Error Resume Next
dim strComputer2
Set objExplorer = WScript.CreateObject("InternetExplorer.Application")
gowindow()
' enter your DC that controls time here
strComputer1 = "ntapps"
'strComputer2 = inputbox("client1")
dim objFS,TheFileObj,TheFilePath,dat
' enter the file name of all PC's
TheFilePath="Z:\reboot\timepcs.txt"
set objFS=CreateObject("Scripting.FileSystemObject")
set TheFileObj=objFS.OpenTextFile(ThefilePath,1,false)
Do Until TheFileObj.AtEndOfStream
strComputer2 = TheFileObj.Readline

' connect to WMI on the reference DC and on the client; the client
' connection requests the SystemTime privilege needed to set its clock
Set objWMIService1 = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer1 & "\root\cimv2")
Set objWMIService2 = GetObject("winmgmts:{impersonationLevel=impersonate, " _
& "(Systemtime)}!\\" & strComputer2 & "\root\cimv2")

Set colOSes1 = objWMIService1.ExecQuery("SELECT * FROM Win32_OperatingSystem")
strTime1 = Now
Set colOSes2 = objWMIService2.ExecQuery("SELECT * FROM Win32_OperatingSystem")
strTime2 = Now
' seconds that passed between the two queries, used to correct the comparison
intSeconds1 = CInt(Left(Right(strTime1, 5), 2))
intSeconds2 = CInt(Left(Right(strTime2, 5), 2))
intDiff = 0
If intSeconds1 <> intSeconds2 Then
  intDiff = intSeconds2 - intSeconds1
End If

For Each objOS1 in colOSes1
  For Each objOS2 in colOSes2
    dtmRefDateTime = objOS1.LocalDateTime
    intDateTime1 = Left(dtmRefDateTime, 14)
    intDateTime2 = Left(objOS2.LocalDateTime, 14)
    If intDiff <> 0 Then
      intDateTime1 = intDateTime1 + intDiff
    End If
    If intDateTime1 = intDateTime2 Then
      'gosamewindow(strComputer2)
      objExplorer.Document.Body.InnerHTML = "Dates and times on " & _
        strComputer1 & " and " & strComputer2 & " are equal."
      '   Wscript.Echo "Dates and times on " & strComputer1 & " and " & _
      '     strComputer2 & " are equal."
    Else
      intSet = objOS2.SetDateTime(dtmRefDateTime)
      If intSet = 0 Then
        '  gogoodwindow(strComputer2)
        objExplorer.Document.Body.InnerHTML = "Successfully synchronized " & _
          "date and time on " & strComputer2
        ' Wscript.Echo "Successfully synchronized date and time on " & _
        '   strComputer2 & " with reference (" & strComputer1 & ")."
      Else
        '  gobadwindow(strComputer2)
        objExplorer.Document.Body.InnerHTML = "Unable to set new date and " & _
          "time on " & strComputer2
        ' Wscript.Echo "Unable to set new date and time on " & _
        '   strComputer2 & "."
      End If
    End If
  Next
Next
loop


sub gowindow()
objExplorer.Navigate "about:blank"
objExplorer.ToolBar = 0
objExplorer.StatusBar = 0
objExplorer.Width=500
objExplorer.Height = 100
objExplorer.Left = 0
objExplorer.Top = 0
Do While (objExplorer.Busy)
Wscript.Sleep 200
Loop
objExplorer.Visible = 1
objExplorer.Document.Body.InnerHTML = "Retrieving account information. " _
& strComputer2
end sub

sub gogoodwindow(strComputer2)
objExplorer.Document.Body.InnerHTML = "Successfully synchronized date and time on " & strComputer2
end sub

sub gobadwindow(strComputer2)
objExplorer.Document.Body.InnerHTML = "Unable to set new date and time on " & strComputer2
end sub

sub gosamewindow(strComputer2)
objExplorer.Document.Body.InnerHTML = "Dates and times on " & _
  strComputer1 & " and " & strComputer2 & " are equal."
end sub




 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]

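Doug's script compares the first fourteen characters of Win32_OperatingSystem.LocalDateTime as a number and adds a seconds delta to that number, which misbehaves across minute, hour and day rollovers and ignores the UTC offset the value carries. As an added example (not the script's code), the Python below parses the CIM_DATETIME format the WMI value uses, computes the skew in UTC, and flags hosts beyond the five-minute tolerance Kerberos applies by default in an AD domain; the reference and client timestamps are constructed.

```python
"""Added example: clock-skew check for WMI LocalDateTime values.

CIM_DATETIME looks like yyyymmddHHMMSS.ffffff+UUU, where UUU is the
offset from UTC in minutes (signed)."""
import re
from datetime import datetime, timedelta, timezone

# Kerberos rejects tickets from a client whose clock is off by more than
# this (the Active Directory default), so it is the threshold worth acting on.
MAX_SKEW = timedelta(minutes=5)

CIM_DATETIME_RE = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")


def is_cim_datetime(value):
    return CIM_DATETIME_RE.match(value) is not None


def parse_cim_datetime(value):
    """Turn a CIM_DATETIME string into a timezone-aware datetime."""
    m = CIM_DATETIME_RE.match(value)
    if not m:
        raise ValueError(f"not a CIM_DATETIME value: {value!r}")
    stamp, micros, sign, minutes = m.groups()
    offset = timedelta(minutes=int(minutes))
    if sign == "-":
        offset = -offset
    naive = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(microsecond=int(micros))
    return naive.replace(tzinfo=timezone(offset))


def skew_seconds(reference, client):
    """Client clock minus reference clock in seconds, compared in UTC so that
    hosts in a different zone, or with a wrong zone, are judged correctly."""
    return (parse_cim_datetime(client) - parse_cim_datetime(reference)).total_seconds()


def plan_resync(reference, clients, tolerance=MAX_SKEW):
    """Decide per host whether its clock should be reset from the reference.
    Returns (host, skew_seconds, action) with action 'ok' or 'resync'."""
    plan = []
    for host, value in clients.items():
        skew = skew_seconds(reference, value)
        action = "resync" if abs(skew) > tolerance.total_seconds() else "ok"
        plan.append((host, skew, action))
    return plan


# Constructed sample: the reference DC runs on US Pacific daylight time (-420 min).
REFERENCE = "20050405120600.000000-420"
CLIENTS = {
    "lab-pc1": "20050405120612.000000-420",  # 12 s fast
    "lab-pc2": "20050405191000.000000+000",  # reports in UTC; 4 min fast, still within tolerance
    "lab-pc3": "20050405115900.000000-420",  # 7 min slow: Kerberos would fail
    "lab-pc4": "20050405120600.000000+000",  # same wall-clock digits, wrong zone: 7 h off
}

if __name__ == "__main__":
    for host, skew, action in plan_resync(REFERENCE, CLIENTS):
        print(f"{host}: {skew:+.0f}s -> {action}")
```

SetDateTime on a remote host needs the SystemTime privilege that the script's moniker requests, plus administrative rights on every client. Domain members normally take their time from the domain hierarchy through the Windows Time service, so a skew report like this is most useful for finding hosts whose time service is not working rather than as the synchronisation mechanism itself.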
[ActiveDir] time sync script

2005-04-05 Thread Matt Brown
Anybody have a script that can check the time on client machines and auto
sync them with the Domain Controller?

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
 





RE: [ActiveDir] AD Site Confusion

2005-03-29 Thread Matt Brown
All 3 of my sites (A,B,C) have GC in them and at least 1 DC in them.  All
DC's have DNS running on them.

By taking Site A down I was meaning shutting the machines off.

Thanks,
--
Matt Brown
[ SELECT * FROM directories WHERE AD > OpenLDAP ]
Information Technology System Specialist
Eastern Washington University


> I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.
> 
> When I take down site A (both DC's), the clients in Site A cannot log in.
> Shouldn't they be able to log in using site B or C?




RE: [ActiveDir] AD Site Confusion

2005-03-28 Thread Matt Brown
Ok, that's my problem.. I have DNS on all DC's but only have DNS configured
to point to site A.  So I really should add all sites in the DNS or have
them grab dns automatically?

Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, March 28, 2005 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion

Yes they should, if your clients can still access DNS and have network
connectivity to site B or C.

So if you host DNS on all DCs, but you've configured your clients in A only
to use DCs from A as DNS servers, then they won't be able to query for DCs
in other Sites when all DCs in Site A go down.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Monday, 28 March 2005 22:55
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Site Confusion

I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.

When I take down site A (both DC's), the clients in Site A cannot log in.
Shouldn't they be able to log in using site B or C?

Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University




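Guido's answer is about DNS reachability rather than the DCs themselves. The model below is an added example, not code from the thread: it replays the DNS-based DC locator using the SRV record names a Windows client really queries, with a constructed domain, site layout and host names, and adds a check that flags a client whose configured DNS servers all sit in one site.

```python
"""Added example: why site A's clients cannot log on when site A's DCs,
which are also their only DNS servers, go down."""

DOMAIN = "example.edu"  # constructed

# Which site each DC lives in (constructed; mirrors the thread's layout).
DC_SITE = {
    "dc1.example.edu": "SiteA",
    "dc2.example.edu": "SiteA",
    "dc3.example.edu": "SiteB",
    "dc4.example.edu": "SiteC",
}


def build_zone(dc_site, domain):
    """Every DC registers a site-specific and a domain-wide LDAP SRV record."""
    zone = {}
    for dc, site in dc_site.items():
        zone.setdefault(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}", []).append(dc)
        zone.setdefault(f"_ldap._tcp.dc._msdcs.{domain}", []).append(dc)
    return zone


ZONE = build_zone(DC_SITE, DOMAIN)


def locate_dc(client_site, dns_servers, down, zone=ZONE, domain=DOMAIN):
    """Return (dc, explanation). The locator asks a configured DNS server for
    the site-specific SRV record first and falls back to the domain-wide one;
    it never gets that far if none of the configured DNS servers answers."""
    if not any(server not in down for server in dns_servers):
        return None, "no configured DNS server is reachable, so no SRV lookup is possible"
    for name in (f"_ldap._tcp.{client_site}._sites.dc._msdcs.{domain}",
                 f"_ldap._tcp.dc._msdcs.{domain}"):
        for dc in zone.get(name, []):
            if dc not in down:
                return dc, f"answered via {name}"
    return None, "SRV records resolved but no listed DC is reachable"


def dns_single_site_dependency(dns_servers, dc_site=DC_SITE):
    """Return the site name if every configured DNS server sits in one site
    (a single-site outage then removes DNS, and with it DC location),
    otherwise None."""
    sites = {dc_site.get(server, "other") for server in dns_servers}
    return sites.pop() if len(sites) == 1 else None


if __name__ == "__main__":
    site_a_down = {"dc1.example.edu", "dc2.example.edu"}
    print(locate_dc("SiteA", ["dc1.example.edu", "dc2.example.edu"], site_a_down))
    print(locate_dc("SiteA", ["dc1.example.edu", "dc3.example.edu"], site_a_down))
    print(dns_single_site_dependency(["dc1.example.edu", "dc2.example.edu"]))
```

A client that still has a reachable DNS server in another site falls back from the site-specific record to the domain-wide one and finds dc3 or dc4; a client whose only DNS servers were dc1 and dc2 never gets to ask. Giving site A's clients a DNS server from site B or C as a secondary is what Guido's reply points to.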

RE: [ActiveDir] AD Site Confusion

2005-03-28 Thread Matt Brown
All DC's in all sites are GCs.

Windows 2003 Domain, all clients are Windows XP Pro SP2

Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University
 
-Original Message-
From: John Singler [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 28, 2005 1:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD Site Confusion

are you w2k or w2k3?

are any of the DCs in sites B and C GCs?

Matt Brown wrote:
> I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.
> 
> When I take down site A (both DC's), the clients in Site A cannot log in.
> Shouldn't they be able to log in using site B or C?
> 
> Thanks,
> --
> Matt Brown
> Information Technology System Specialist
> Eastern Washington University
> 
> 
> 




[ActiveDir] AD Site Confusion

2005-03-28 Thread Matt Brown
I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.

When I take down site A (both DC's), the clients in Site A cannot log in.
Shouldn't they be able to log in using site B or C?

Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University





[ActiveDir] login / profiles

2005-03-23 Thread Matt Brown
2 questions:

1. How do I restrict logon if the workstation can not find the default
profile?

I have an account that is used for users to setup/activate their account info
that is completely locked down and only allows them to run one program, my
activate account application.  But a user can unplug the network cable during
login and receive the default profile for the computer.

2. If a user is logged in and working with their roaming profile and their
computer shuts off for some reason like power outage, when they log back in
they have lost all the changes they made during that day as it reloads the
profile from the server.  Is there a policy setting to have it synchronize the
newest files / changes or something?

Thanks,
--
Matt Brown
[ SELECT * FROM computers WHERE OS > MS ]
Information Technology System Specialist
Eastern Washington University


[ActiveDir] Domain Controller Firewalls

2005-03-23 Thread Matt Brown
Do any of you run the windows firewall on your Domain Controllers?

If so where would I find what ports need to be open for Active Directory &
DNS?

Thanks,
--
Matt Brown
[ SELECT * FROM LDAP_Servers WHERE AD > OpenLDAP ]
Information Technology System Specialist
Eastern Washington University






[ActiveDir] LSASS with recent windows update

2005-03-22 Thread Matt Brown
I just performed recent windows updates on my Windows 2003 Active Directory
Server… this was a machine that had already been patched… the LSASS NT
Security Shutdown thing came back.  Anybody else seen this?  Man I was just
starting to ponder the idea of the auto updates… but wow!

Here is a list of the security updates I did, I haven’t narrowed it down
yet, but it’s got to be one of these:
Cumulative Security Update for Internet Explorer for Windows Server 2003
(KB867282)
Security Update for Windows Server 2003 (KB891781)
Security Update for Windows Server 2003 (KB885834)
Security Update for Windows Server 2003 (KB885250)
Security Update for Windows Server 2003 (KB888113)
Security Update for Windows Server 2003 (KB890047)
Security Update for Windows Server 2003 (KB87)
Security Update for Windows Server 2003 (KB890175)
Security Update for Windows Server 2003 (KB891711)
Security Update for Microsoft .NET Framework, Version 1.1 Service Pack 1
(KB886903)
Security Update for Windows Server 2003 (KB871250)
Security Update for Windows Media Player 9 Series (KB885492)
Security Update for Windows Server 2003 (KB885835)
Security Update for Windows Server 2003 (KB885836)


Thanks,
--
Matt Brown
[ SELECT * FROM computers WHERE OS > M$ ]
Information Technology System Specialist
Eastern Washington University






[ActiveDir] Domain Groups / users in lab

2005-03-18 Thread Matt Brown
Hi,

I run a domain in a University environment.  I currently have 1 domain with
all accounts in it: students, faculty, and staff.  We have computer labs that
any users (students, fac/staff) can use.  These computers do not offer roaming
profiles and we allow accounts local administrative access.  Each lab has its
own profile that is specific to their lab and not the user.

What I would also like to do is allow faculty/staff members to use the domain
for their personal workstations but I don't want them to have the same GPO as
they would have if they were using a computer lab.

Do I need to setup a separate domain? Or a child domain?  Or is it possible
for user OU's to apply to computer groups rather than applying them on the
User OU?

Current domain structure example:

mydomain.edu
mycomputers
lab1
lab2
human resources
Information Technology
people
  employees
  students

Thanks,
--
Matt Brown
[ SELECT * FROM computers WHERE OS > MS ]
Information Technology System Specialist
Eastern Washington University


RE: [ActiveDir] User Creation Scripts

2005-03-15 Thread Matt Brown
I currently use python scripting language to create users via the LDAP
protocol. This works well for us because we pull daily from our Human
Resources system.

I have in the past used:
php -> via LDAP protocol
LDIFDE -> using LDIF Files & a batch script
C++
adduser (I think that's what this was called)
CSVDE -> using CSV Files and a batch script.

Lots of different options, really it depends on what you're up to doing and
how automated you want it to be. I feed in student accounts and add / delete
approx 2000+ accounts every 3 months, so I need to be as automated as
possible to keep from doing it full time.

Thanks,
--
Matt Brown
[ SELECT * FROM active_directory WHERE userPassword = '' ]
Information Technology System Specialist
Eastern Washington University
 




RE: [ActiveDir] New AD tool hits the web

2005-03-15 Thread Matt Brown
Isn't that link from the Beta?  There is no information on Microsoft's site
regarding the product other than through the Beta Site.


> You can find the beast here: 
> http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f7
> 1-8546-25c359cc0842/limitlogin.exe


Thanks,
--
Matt Brown
[ SELECT * FROM computers WHERE OS > MS ]
Information Technology System Specialist
Eastern Washington University
 




RE: [ActiveDir] LDAP dir syncproduct to AD

2005-03-08 Thread Matt Brown
I'm using Python Scripts that I have running daily to sync up our OpenLDAP
with our Active Directory Domain.  I learned python in 2 days (with a little
help from the net and a friend) and put together a 1 way Synchronization, as
our OpenLDAP is the master and AD just keeps the data synced up. I like the
ability to have complete control over my scripts... although paying for a
program would be pretty quick to setup.

I don't sync passwords because passwords can only be changed through a web
based system that sets the password for both systems. Although I very easily
could if I were using the lanman hash for OpenLDAP.


Thanks,
--
Matt Brown
[ SELECT * FROM users WHERE clue > 0 ]
Information Technology System Specialist
Eastern Washington University



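Feeding HR data into AD over LDAP with Python, as Matt describes here and in the user-creation post above, means directory writes and searches are built from values an outside system controls. As an added example (not Matt's scripts, which are not on the page), the block below shows the escaping such a script needs before a value goes into a DN (RFC 4514) or a search filter (RFC 4515), and builds LDIF add records of the kind ldifde imports; the HR rows, base DN and attribute set are constructed.

```python
"""Added example: escaping and LDIF generation for an HR-feed driven AD provisioning script."""
import base64
import csv
import io

# Constructed HR extract; the second row carries non-ASCII values.
HR_FEED = """employeeID,givenName,sn,displayName,sAMAccountName
1001,Ann,O'Brien,"O'Brien, Ann",aobrien
1002,José,Hernández,"Hernández, José",jhernandez
1003,Pat,Smith,"Smith, Pat",psmith
"""
BASE_DN = "OU=students,DC=example,DC=edu"  # placeholder container


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in ',+"\\<>;'
                or (ch == "#" and i == 0)
                or (ch == " " and i in (0, last))):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value inside a search filter, so a
    feed value cannot add filter terms or turn into a wildcard."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def lookup_filter(employee_id):
    """Filter used to find the existing object for a feed row."""
    return f"(&(objectClass=user)(employeeID={escape_filter_value(employee_id)}))"


def ldif_attr(name, value):
    """One LDIF line; values LDIF cannot carry in clear are base64-encoded ('::')."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {encoded}"


def user_ldif(row, base_dn=BASE_DN):
    """LDIF add record for one feed row. userAccountControl is deliberately not
    set: enabling the account is a later step, after a password has been set."""
    dn = f"CN={escape_dn_value(row['displayName'])},{base_dn}"
    lines = [ldif_attr("dn", dn), "changetype: add", "objectClass: user"]
    for attr in ("sAMAccountName", "givenName", "sn", "displayName", "employeeID"):
        lines.append(ldif_attr(attr, row[attr]))
    return "\n".join(lines) + "\n"


def provision(feed=HR_FEED):
    """Build one LDIF record per feed row."""
    return [user_ldif(row) for row in csv.DictReader(io.StringIO(feed))]


if __name__ == "__main__":
    print("\n".join(provision()))
    print(lookup_filter("1002)(objectClass=*"))
```

Without escape_filter_value a feed value such as `1002)(objectClass=*` widens the lookup to every user and makes the sync update the wrong object; the base64 form for non-ASCII values is what the LDIF specification (RFC 2849) requires and what ldifde expects.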

RE: [ActiveDir] LDAP dir syncproduct to AD

2005-03-08 Thread Matt Brown

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: Monday, March 07, 2005 11:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP dir syncproduct to AD

Hi all
Anyone ever have to choose between Simple Sync and  Imanami Directory
Transformation Manager ?
I'm talking to a mainframe via LDAP going to AD and on "paper" Imanami looks
the better choice.
Anyone have any recommendations either way?
I've seen simple sync mentioned at least once on this list and also know
it's maybe not the best product out there, even though it does the job and
am keen to get any feedback on anything else?

Thanks in advance for any feedback

Nic





[ActiveDir] LimitLogon

2005-01-20 Thread Matt Brown
Anybody heard anything on LimitLogon and when it may be released?

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, January 20, 2005 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] backup script

In my test lab, I have NTBackup running a nightly backup of the test AD via a
script. I would like to add additional steps to the script, but I'm not sure
how to capture that NTBackup has completed and exited before the next command
runs. Anyone know how to do that? Thanks!

Mark


RE: [ActiveDir] DNS Setup

2005-01-18 Thread Matt Brown
I installed it as a separate DNS first and then changed it to active
directory integrated after the domain was setup... so I'm assuming they
don't just automagically appear.

Thanks,
--
Matt Brown
[ SELECT * FROM users WHERE clue > 0 ]
Information Technology System Specialist
Eastern Washington University


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Tuesday, January 18, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Setup

If you don't install an Active Directory integrated DNS server then you
will need to create those extra DNS entries by hand.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, January 18, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Setup

Does DNS need to be setup with Active Directory?  My DNS isn't showing
any of the LDAP ports or standard stuff that shows when you have an AD
Integrated DNS.  I tried deleting all the Zones and re-creating them...
but it doesn't seem to help.

Thanks,
--
Matt Brown
[ SELECT * FROM users WHERE clue > 0 ]
Information Technology System Specialist Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Tuesday, January 18, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies that effect secure websites

Putting the web sites into the security zones did not work.  Still
unable to browse to the sites on the XP workstations. 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Thursday, January 13, 2005 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies that effect secure websites

The firewall is disabled on the machines.  I will try the security
zones.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, January 13, 2005 5:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies that effect secure websites

Are you sure it's the firewall and not some other setting?  For example,
some of the other security settings will prevent you from loading
ActiveX controls and won't even prompt you for that.  Firewall has
nothing to do with that.  

Once you have connected to a web page via SSL, the conversation is
encrypted and the firewall either allows the TCP 443 connection or it
doesn't.
Not
partially, etc.  

Troubleshooting the firewall usually starts with logging.  Have you
tried logging the firewall to see what it's doing? Do you see it
dropping connections to that page? 

You may also want to turn on script debugging to see if something is
failing before the page loads.  Finally, you may also want to put the
web page into a different security zone for testing purposes to see if
some of the security zone settings are too restrictive. 


Al

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Thursday, January 13, 2005 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Policies that effect secure websites


I am having an issue on a Windows XP SP2 where some of the secure web
sites will not come up.  I have SSL and TLS selected and we are able to
connect to our OWA server, but unable to connect to a banking page for
example.  Now I checked on a Windows 2000 machine and we are able to get
to the page.  I don't have anything in the policies that I see that
tells IE how to handle secure sites but then I could be missing
something.  Any ideas where to look?

Jeff


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] DNS Setup

2005-01-18 Thread Matt Brown
Does DNS need to be setup with Active Directory?  My DNS isn't showing any
of the LDAP ports or standard stuff that shows when you have an AD
Integrated DNS.  I tried deleting all the Zones and re-creating them... but
it doesn't seem to help.

Thanks,
--
Matt Brown
[ SELECT * FROM users WHERE clue > 0 ]
Information Technology System Specialist
Eastern Washington University



RE: [ActiveDir] Computer Display

2004-12-17 Thread Matt Brown
I believe it has something to do with the NetBIOS settings on the machine
you are connecting from.

Thanks,
--
Matt Brown
[ SELECT * FROM users WHERE clue > 0 ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Friday, December 17, 2004 5:17 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Computer Display

 
When you look at the open sessions on a DC, some machines are reported by
computer names and others by IP addresses. I thought it may be because of
the mixed environment of W2k and XP machines, but this is not the case.
Anyone notice this too?

THX,
Z.V.




RE: [ActiveDir] Custom Password Filter DLL

2004-12-02 Thread Matt Brown
You can use a program called Rhacker to modify the GINA, then rename it,
change the reg key and reboot.  All there is to it.

We use it for our computer labs on campus to replace the Microsoft logos with
our own and to add an appropriate use alert.

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Thursday, December 02, 2004 3:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Custom Password Filter DLL

Hi all,

I am in a process of writing a custom password filter DLL.  I modified
the DLL and implemented it.  Password filter is working according to our
requirements but my problem is, it is still displaying the default
password complexity message (7 char, 24 history..etc etc).  Is there
anyway I can modify the display message without modifying the GINA?  I
found GINA source code on MSDN but it looks so complicated to me.  Any
suggestions or recommendations?

Thanks in advance!
Sen

RE: [ActiveDir] AD Sync with OpenLDAP

2004-12-02 Thread Matt Brown
Will send to you directly

Thanks,
--
Matt Brown
[ SELECT * FROM users WHERE clue > 0 ]
Information Technology System Specialist
Eastern Washington University


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Thursday, December 02, 2004 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Sync with OpenLDAP

Oh, would I like to see that. :-) 





RE: [ActiveDir] AD Sync with OpenLDAP

2004-12-02 Thread Matt Brown
I ended up creating a Python script that checks both directories and keeps
them in sync, including name changes, enabled / disabled accounts, ou
changes, new accounts, and account deletes.

Took me about 3 days with the first day learning Python.  Seems to work
pretty well.

Thanks,
--
Matt Brown
[ SELECT * FROM users WHERE clue > 0 ]
Information Technology System Specialist
Eastern Washington University




[ActiveDir] Group / Permission

2004-11-16 Thread Matt Brown
Anybody know what group I need to assign a user so they can log on locally to
a single Domain Controller and start / stop services on the machine without
being able to modify any part of active directory?

Thanks,
--
Matt Brown
[ SELECT * FROM users WHERE clue > 0 ]
Information Technology System Specialist
Eastern Washington University

[ActiveDir] Logging Login / Logout

2004-11-16 Thread Matt Brown
This is what I'm doing for keeping record of login / logouts in our domain.
We use this for finding problems and for providing stats on usage for our
campus computer labs. Seems to work ok, although I'm sure there are better
ways to do it.

We run this Bat file on login as part of the Group Policy & a similar one on
logout (file name change) as part of the group policy.  A scheduled task
archives the log files and clears them out every so often.

rem Assumes %date% looks like "Tue 11/16/2004" (en-US): month at offset 4, day at 7, year at 10
set mydate=%date:~4,2%/%date:~7,2%/%date:~10,4%
rem %time% looks like "13:10:02.45" (hour is space-padded before 10:00); keep hh:mm:ss
set mytime=%time:~0,8%
rem %logonserver% is \\DCNAME; drop the leading backslashes (assumes 7-character DC names)
set myfile=%logonserver:~2,7%_login_log
set MYIP=127.0.0.1
rem First "IP Address" line from ipconfig; with ":. " as delimiters the four octets are tokens 3-6
for /f "tokens=1-6 delims=:. " %%a in ('ipconfig ^| find "IP Address"') do set MYIP=%%c.%%d.%%e.%%f
echo %username%  %computername%   %MYIP% %mydate%  %mytime% >>%logonserver%\logs\%myfile%.txt



 

This writes the user,computer,ip,date,time to a file that corresponds to the
login server used, as we have 4 DC's in our domain within 3 sites.

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, November 16, 2004 9:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute...

Well that's why I did the ping. :o)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, November 15, 2004 3:37 PM
To: joe; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute...

3 words: blah, blah and blah

:)

I'll try and revisit this sometime this week. Sorry, I lost track of it.

~Eric

From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, November 15, 2004 11:16 AM
To: [EMAIL PROTECTED]
Cc: Eric Fleischman
Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute...

ping ~Eric

Pinging ~Eric.texas.cpr.microsoft.com [xx.xx.xx.xx] with 32 bytes of data:

Request timed out.
Request timed out.

:o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, November 09, 2004 7:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute...

Let me digest a bit and report back. The answer is probably yes, I just need
to think about it.

Have you noticed that every ldp snip I do is from a different domain? Yes, I
have that many forests in virtual machines. I just noticed that I'm not sure
if I've used the same one twice on this list...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of listmail
Sent: Tuesday, November 09, 2004 5:30 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute...

Understood on the constructed. Though it makes you wonder why that one is and
whenChanged isn't. :o)

How about the overall more general question, is there a way to ascertain what
would and wouldn't be displayed? For instance, is there something
"query-able" that tells me ntsecuritydescriptor would or wouldn't be
displayed.

  joe

From: [EMAIL PROTECTED] on behalf of Eric Fleischman
Sent: Tue 11/9/2004 6:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute...

In this case:

>> Dn: CN=Modify-Time-Stamp,CN=Schema,CN=Configuration,DC=corp,DC=microsoft,DC=com
    1> lDAPDisplayName: modifyTimeStamp;
    1> systemFlags: 0x814 = ( FLAG_ATTR_IS_CONSTRUCTED | FLAG_SCHEMA_BASE_OBJECT | FLAG_DOMAIN_DISALLOW_RENAME );

Constructed attributes are only returned 1) If requested AND 2) if requested
in a base search against the object

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of listmail
Sent: Tuesday, November 09, 2004 5:16 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute...

Nope. Not every attribute is returned. I don't know personally what the logic
is that specifies what is returned and what isn't. I would like to think it is
something you can query out of the schema but I have never seen anything to
substantiate that thought.

It is easy to see it in action though, query the schema on 2K and do the same
on K3. You will see certain attribs on certain objects returned in 2K but not
in K3, you have to ask for them meaning that MS backed out the default return
set. Why I don't know but helped someone with an App that blew up because of
it. I don't recall exactly what the attribute was though, I purpos
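
The batch file at the top of Matt Brown's "Logging Login / Logout" message appends one self-reported line per logon to a share on the logon DC. What follows is an added example, not code from the post: a Python parser for that line layout that validates each field, pairs logins with logouts into lab sessions, and totals usage per machine, which is the statistic the message says the logs are kept for. The log lines are constructed; the column order comes from the batch file. The one thing no parser can fix is trust: every line is written by the logged-on user's own session to a share all domain users must be able to write to, so a forged or tampered line is only caught if it also fails the format checks, and the DC's security event log remains the authoritative record of who logged on where.

```python
"""Parse the login/logout log lines that the batch file writes and pair them
into lab sessions. Added example; not part of the original post."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the batch file's layout:
#   username  computername  ip  mm/dd/yyyy  hh:mm:ss   (whitespace separated;
# %time% is space-padded before 10:00, so the hour may be a single digit).
LOGIN_LOG = """\
jdoe  LAB101-07   10.20.30.41 11/16/2004   8:02:11
asmith  LAB101-12   10.20.30.46 11/16/2004   8:05:40
jdoe  LAB101-07   10.20.30.41 11/16/2004  13:10:02
evil  LAB101-99   999.1.1.1 11/16/2004   9:00:00
"""
LOGOUT_LOG = """\
jdoe  LAB101-07   10.20.30.41 11/16/2004   9:47:55
asmith  LAB101-12   10.20.30.46 11/16/2004  11:30:01
"""

USER_RE = re.compile(r"^[A-Za-z0-9._-]{1,20}$")   # sAMAccountName-style names
HOST_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")     # NetBIOS computer names


def parse_line(line):
    """Return a record dict for one well-formed line, or None if it is malformed.
    Every field is checked because the line was written by the user's own
    session on a share that every domain user can write to."""
    parts = line.split()
    if len(parts) != 5:
        return None
    user, host, ip, date, time = parts
    if not USER_RE.match(user) or not HOST_RE.match(host):
        return None
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    try:
        when = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
    except ValueError:
        return None
    return {"user": user, "host": host, "ip": ip, "when": when}


def parse_log(text):
    """Split a log file into (records, rejected_lines)."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected


def build_sessions(login_text, logout_text):
    """Pair each logout with the oldest still-open login for the same user on
    the same computer. Logins with no logout stay open (the machine may have
    been powered off); logouts with no login are reported as orphans."""
    logins, bad_in = parse_log(login_text)
    logouts, bad_out = parse_log(logout_text)
    pending = defaultdict(list)
    for rec in sorted(logins, key=lambda r: r["when"]):
        pending[(rec["user"], rec["host"])].append(rec)
    sessions, orphans = [], []
    for out in sorted(logouts, key=lambda r: r["when"]):
        queue = pending[(out["user"], out["host"])]
        start = next((r for r in queue if r["when"] <= out["when"]), None)
        if start is None:
            orphans.append(out)
            continue
        queue.remove(start)
        sessions.append({
            "user": out["user"], "host": out["host"], "ip": start["ip"],
            "start": start["when"], "end": out["when"],
            "seconds": int((out["when"] - start["when"]).total_seconds()),
        })
    open_logins = [r for queue in pending.values() for r in queue]
    return {"sessions": sessions, "open": open_logins,
            "orphan_logouts": orphans, "rejected": bad_in + bad_out}


def usage_by_host(result):
    """Total logged-in seconds per lab machine, the figure the usage stats need."""
    totals = defaultdict(int)
    for s in result["sessions"]:
        totals[s["host"]] += s["seconds"]
    return dict(totals)


if __name__ == "__main__":
    result = build_sessions(LOGIN_LOG, LOGOUT_LOG)
    for s in result["sessions"]:
        print(f"{s['user']:8} {s['host']:10} {s['start']:%H:%M:%S}-{s['end']:%H:%M:%S} {s['seconds']}s")
    print("open:", [(r["user"], r["host"]) for r in result["open"]])
    print("rejected:", result["rejected"])
    print("usage:", usage_by_host(result))
```

Run it over the archived per-DC files the scheduled task produces; anything that lands in `rejected` is worth a look, since the only way a well-behaved batch file produces a bad line is a locale with a different %date% layout.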

RE: [ActiveDir] AD Sync with OpenLDAP

2004-11-10 Thread Matt Brown
Anybody here actually Syncing OpenLDAP with Active Directory using MIIS?

Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University

RE: [ActiveDir] AD Sync with OpenLDAP

2004-11-10 Thread Matt Brown
I was just going to say... working in a University setting... as I am... it's
very much just a political thing.

We could move to using Active Directory as our only directory without too much
problem... using OpenLDAP as our only directory would have some issues as far
as the domain logins but could be done.

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, November 10, 2004 1:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Sync with OpenLDAP

Quite often it's political more than it is for an actual functional
requirement – at least where I come from that's the case.

Thanks.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org

v - 773.534.0034 x135
f - 773.534.8101

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Wednesday, November 10, 2004 3:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Sync with OpenLDAP

I'm always curious why customers want to maintain duplicate data/directory
services. I firmly believe we can never get to one "enterprise directory" but
we ought to be able to reduce the # of directories. Even though I am the
product manager for MIIS I'd want to ask why not consolidate around AD before
even putting a tool in place? Keeping it simple and less moving parts are my
mottos...

Cheers,

Jackson Shaw
Microsoft Corporation

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 10, 2004 1:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Sync with OpenLDAP

So if it's just account data that you're interested in, any particular reason
you want to change it? Are there problems?

One idea that does come to mind is that you could have a perl script that
controls all of it without LDIFDE in the middle. If you wanted to.

The advantage of something like MIIS or another commercial product is the
control and logic already built in without you having to work in all the
crazy logic to make it more robust.  You could however just use perl if
that's what you're comfortable with since you're not really doing anything
much more than reading user-objects from the OL directory and duplicating
them in AD.  It's more or less a mapping function and a function to make sure
that you get new accounts either as they are introduced else on commit.

Am I missing anything?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Wednesday, November 10, 2004 3:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Sync with OpenLDAP

Currently I have one way sync coming from my OpenLDAP server to my AD Domain.
The modifications that happen to the OpenLDAP server are done daily with Perl
Scripts... which then create ldif files for AD whenever changes are made to
the account.

A batch file is then used to grab the ldif files and import them into AD using
LDIFDE.

All passwords are handled separately through a web page I have programmed
(php/asp) that sets both OpenLDAP password and the AD password whenever a
user changes their password.

Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 10, 2004 12:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Sync with OpenLDAP

MIIS or simplesynch come to mind.  What level of sync do you have? For
example, are you synching passwords, groups, id's etc?

What kind of process do you have now?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Wednesday, November 10, 2004 3:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Sync with OpenLDAP

Well,

I have an OpenLDAP server running with all user accounts (approx 14k accounts)
in it.  I'd like to keep a replica of all the accounts in Active Directory,
making appropriate changes when necessary.  (IE: account renames, ou changes,
etc.)

I currently have something in place to do this, but it's a cumbersome process
and I'm curious what others are doing and how they are getting the job done.

Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University

RE: [ActiveDir] Using csvde & forests

2004-11-10 Thread Matt Brown
csvde -r (objectClass=person) -d dc=,dc= -f allusers.csv -l cn

This should get you all user accounts giving you:

dn,cn

Thanks,
--
Matt Brown

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, November 10, 2004 9:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Using csvde & forests

Is there a way to use csvde to export all users in all child domains in a
forest?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - GSD
954-602-2469

RE: [ActiveDir] AD Sync with OpenLDAP

2004-11-10 Thread Matt Brown
Currently I have one way sync coming from my OpenLDAP server to my AD Domain.
The modifications that happen to the OpenLDAP server are done daily with Perl
Scripts... which then create ldif files for AD whenever changes are made to
the account.

A batch file is then used to grab the ldif files and import them into AD using
LDIFDE.

All passwords are handled separately through a web page I have programmed
(php/asp) that sets both OpenLDAP password and the AD password whenever a
user changes their password.

Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University

 


RE: [ActiveDir] AD Sync with OpenLDAP

2004-11-10 Thread Matt Brown
Well,

I have an OpenLDAP server running with all user accounts (approx 14k accounts)
in it.  I'd like to keep a replica of all the accounts in Active Directory,
making appropriate changes when necessary.  (IE: account renames, ou changes,
etc.)

I currently have something in place to do this, but it's a cumbersome process
and I'm curious what others are doing and how they are getting the job done.

Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University


[ActiveDir] AD Sync with OpenLDAP

2004-11-10 Thread Matt Brown
Hi,

I'm new to the list. been working with AD - 2003 for quite a while now.

Just curious if anybody is syncing Active Directory with OpenLDAP and what
process they are using to get it done.  

This may have already been discussed to death. Is this an appropriate
subject for this list?

Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University


