RE: [ActiveDir] Recommendations for a DOD wipe of a RAID Array?
They don't work with the newer RAID controllers G3. We had to give up using Ghost because of that.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Wednesday, November 16, 2005 1:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommendations for a DOD wipe of a RAID Array?

This looks like what you want:
http://h18023.www1.hp.com/support/files/server/us/download/7599.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, November 16, 2005 12:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommendations for a DOD wipe of a RAID Array?

Hi Ken,

Hmm.. DOS drivers may be available for ATA controllers, but are they available for high-end SCSI RAID controllers?
http://h18007.www1.hp.com/support/files/storage/us/family/model/1237.html?lang=encc=us

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet
Sent: Wednesday, November 16, 2005 5:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommendations for a DOD wipe of a RAID Array?

Go to the HP drivers page for your server and download the MS-DOS SCSI drivers. Copy the appropriate driver(s) to your boot disk, and add the driver(s) to the config.sys file. You should be good to go!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, November 15, 2005 9:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommendations for a DOD wipe of a RAID Array?

Greetings,

I am trying to use Symantec's Gdisk with the /DODWIPE option to do a security wipe of a Compaq 7000's RAID array; however, using a DOS boot disk will not allow me to access the disk array.

My workaround on this was that I created a 32-bit bootable CD-ROM using Bart's PE and I added the server's 32-bit RAID controller driver, which now allows me to access the disk array. However, since it is running a 32-bit OS, gdisk will not work as it is only a 16-bit program. When I try to use Symantec's Gdisk32, which will run, the /DODWIPE option is not available.

Does anyone know if Symantec has an updated version of GDISK32 that supports a DODWIPE?

Does anyone have any preferred tools other than GDISK that they can recommend that will work with my RAID array?

Since there are some HP employees on this list, does HP have a recommended tool they provide their customers to use on Proliant servers before decommissioning them?

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
MCP+I, MCSE, NT4 MCT
www.ntea.net www.tvnug.org www.sfntug.org

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
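An added example (not from the thread, and not Symantec's or HP's code) of what a multi-pass overwrite with read-back verification does, run here against a constructed image file standing in for the array's logical drive. The three-pass schedule (0x00, 0xFF, random) is an assumption, since the thread does not say what /DODWIPE writes; `wipe`, `PASSES` and the image name are hypothetical.

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # write and verify in 1 MiB chunks

# Assumed pass schedule: a fixed byte, its complement, then random data.
# None means "fill with random bytes".
PASSES = (b"\x00", b"\xff", None)


def target_size(fd):
    """Size of a regular file or block device, found by seeking to the end."""
    size = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return size


def write_pass(fd, size, fill):
    """Overwrite the whole target once; return the SHA-256 of what was written."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        buf = secrets.token_bytes(n) if fill is None else fill * n
        digest.update(buf)
        view = memoryview(buf)
        while len(view):  # os.write may write fewer bytes than asked
            view = view[os.write(fd, view):]
        remaining -= n
    os.fsync(fd)  # push the pass out of the OS cache before the next one
    return digest.hexdigest()


def read_back(fd, size):
    """Re-read the target and hash it. On a real device, read with the cache
    bypassed, otherwise this may only confirm what is in memory."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        data = os.read(fd, min(CHUNK, remaining))
        if not data:  # target shorter than expected: hashes will differ
            break
        digest.update(data)
        remaining -= len(data)
    return digest.hexdigest()


def wipe(path, passes=PASSES):
    """Run every pass over `path`; return (size, per-pass verification report)."""
    fd = os.open(path, os.O_RDWR | getattr(os, "O_BINARY", 0))
    try:
        size = target_size(fd)
        report = []
        for number, fill in enumerate(passes, start=1):
            written = write_pass(fd, size, fill)
            report.append({
                "pass": number,
                "fill": "random" if fill is None else fill.hex(),
                "verified": written == read_back(fd, size),
            })
        return size, report
    finally:
        os.close(fd)


def demo():
    """Wipe a constructed image file and check the old content is gone."""
    marker = b"CONSTRUCTED-SECRET"  # constructed sample data
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "logical_drive.img")
        with open(image, "wb") as fh:
            fh.write(marker * 4096)
        size, report = wipe(image)
        with open(image, "rb") as fh:
            leftover = marker in fh.read()
    return size, report, leftover


if __name__ == "__main__":
    print(demo())
```

Pointed at a RAID logical drive, an overwrite like this reaches only the blocks the controller exposes to the operating system; hot spares and sectors the drives have remapped are not touched.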
[ActiveDir] Force a Domain Sync
Isn't there some command line that will force all the DCs in a Domain to sync immediately? I can't remember what it is, but it seems like there was some way.

Brian Narkinsky
System's Analyst
Florida Department of Environmental Protection
Tallahassee, FL 32399
RE: [ActiveDir] Adding Helpdesk Group to Local Admin Group
The easiest way I've found to do it is to have a GPO that runs a batch file on startup.

    net localgroup Administrators /ADD helpdesk

We've also written some VBScripts that add a local account and make it a member of the administrators group. We feed the password as a parameter from the GPO so we can change the password and always have a local admin account that we know the password to, but can change that password periodically.

Brian

Brian Narkinsky
System's Analyst
Florida Department of Environmental Protection
Tallahassee, FL 32399

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, October 13, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding Helpdesk Group to Local Admin Group

How would I utilize Restricted Groups in a GPO to add in a Helpdesk Group that I have for my helpdesk staff to have administrative rights on a local PC without having to touch each PC and without screwing up the local admin group?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] Purging Mailboxes Programatically
Exmerge?

Brian Narkinsky
System's Analyst
Florida Department of Environmental Protection
Tallahassee, FL 32399

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, June 07, 2005 12:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Purging Mailboxes Programatically

Does mbconn purge mailboxes? I just looked at it and it s like it only reconnects I think

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 06, 2005 10:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Purging Mailboxes Programatically

Oh... I think you are screwed. :o)

I once looked at alternate methods to do this and mailbox reconnects, but it was all MAPI based and MS was very ungiving in terms of documentation around this stuff. What I got working was so incredibly flaky I didn't trust it, and it never made it out of very very raw pre-alpha POC stage.

I really would like to find some other method because the method MS gave for doing reconnects in E2K3 completely sucks, though they can at least say it is better than what was available for E2K. We went from unforgivable to sucky.

I wish they would publish source to the ESM or mbconn, which are doing this stuff through MAPI from what I can tell.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, June 06, 2005 11:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Purging Mailboxes Programatically

Danke. Just that I'm running on Ex2000.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 06, 2005 10:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Purging Mailboxes Programatically

Recipe 17.13 in the Windows Server Cookbook...

It is probably on Robbie's website somewhere. I would post it here but I am not clear if I have the rights to, even though I wrote the script. I believe it is owned by O'Reilly.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, June 06, 2005 11:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Purging Mailboxes Programatically

I'm pretty sure we've had this discussion here before, but I can't find the thread. :(

I need to programmatically purge a fairly extensive list of mailboxes across more than a dozen mailbox servers. I cannot wait the retention time, and I certainly cannot run the cleanup agent on 12 servers x 4 storage groups x 5 mailstores manually. I have this feeling I'm going to be told I'm SOL, but can I purge mailboxes somehow in code/script?

Thx,
brian

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] [OT] NTFS Read-only Status
Windows doesn't share disk very well.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Sunday, July 25, 2004 2:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] NTFS Read-only Status

I'm actually talking about c) a logical disk visible on multiple servers. (It's an HP MSA-1000 SAN with a particular logical disk configured via SSP to be viewable on all SAN servers for shared storage. I cannot find anything about this on HP's website. I'll burn a call to support tomorrow I guess.)

I only want one of the multiple servers to have write access to the disk. There are a whole slew of issues I can imagine otherwise.

Thanks for your reply,
Michael

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Sunday, July 25, 2004 1:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] NTFS Read-only Status

first of all - are you sure you're a) talking about a volume (e.g. physical or logical disk?) that you want to mount on one box, or b) are you talking about a share with data, which you want to make available to others, but they should only read from it?

if a), this is simply related to ACLs (Access Control Lists = Permissions, set via the Security tab) at the root of the drive - mounting the drive itself doesn't allow to configure it for read-only. But you can remove the "Everyone - Full Control" ACLs and replace them with something you'd prefer (e.g. Administrators - Full Control and Users - Read Only). XCACLS is one of those magic programs, which can do this for you.

if b), you simply set read-access at the share-level before you mount the share for your users. This is now default in Win2003, but prior versions grant Everyone Full Control at the share-level.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, July 23, 2004 9:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [OT] NTFS Read-only Status

I've tried this on other groups, and it is not A/D related. But you guys know so much...

I want a way to mount an NTFS volume read-only. I want a magic command like "mode e: read-only". :-)

It is clear to me (and I've found references) that this is supported with NTFS (Windows XP and above), but I cannot figure out/find out how to set it.

Any ideas?

Thanks,
Michael
[ActiveDir] Prevent Windows 9x from logging into AD
Is there any way to keep users from authenticating from a standard Windows 9x machine? I am trying to kill the last few of these guys on our network and I thought there was some sort of NTLM registry setting I could set such that only NT clients could authenticate.

Brian

Brian Narkinsky
System Manager
Department of Environmental Protection
MS 6520
2600 Blairstone RD
Tallahassee, FL 32399
phone (850)245-8314
fax (850)412-0400

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] DSQUERY piping into DSMOVE
I am trying to run the following command:

    dsquery computer CN=Computers,DC=mydomain,DC=net -stalepwd 75 -limit 0|dsmove -newparent OU=Computers To Be Deleted,DC=mydomain,DC=net

All I get is:

    dsmove failed:`CN=DH5TQD11,CN=Computers,DC=floridadep,DC=net' is an unknown parameter.

I can move the object through ADUC, and it does it on every account.

Just running the DSQuery command returns the CN in quotation marks, and copying each line to

    dsmove CN=DH5TQD11,CN=Computers,DC=mydomain,DC=net -newparent OU=Computers To Be Deleted,DC=mydomain,DC=net

works.

Any ideas?

Brian Narkinsky
System Manager
Department of Environmental Protection
MS 6520
2600 Blairstone RD
Tallahassee, FL 32399
phone (850)245-8314
fax (850)412-0400
RE: [ActiveDir] I've locked myself out HELP!
Think I've been there and done that. From ADUC go to view and choose view Advanced. Go to the System container and look at the permissions on Policies. I think you can probably add yourself back in there.

HTH,
Brian

-----Original Message-----
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Monday, February 02, 2004 4:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] I've locked myself out HELP!

Julie, what did you change specifically? Can you log in as a local admin in a member workstation and run it that way? Or add another domain admin user and access it through that login?

Rich

-----Original Message-----
From: Wilson, Julie [mailto:[EMAIL PROTECTED]
Sent: Monday, February 02, 2004 3:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] I've locked myself out HELP!

I looked at those and I don't think any of them will work for me. We are up and running fine...Thank God! I just need to get into the group policies somehow so that I can take out a policy change I made to lock myself out of the group policy MMC. Isn't this fun!

Julie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
Sent: Monday, February 02, 2004 3:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] I've locked myself out HELP!

While I've not had a chance to use it myself, I've heard good things about Winternal's:
http://www.winternals.com/products/repairandrecovery/index.asp

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wilson, Julie
Sent: Monday, February 02, 2004 4:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] I've locked myself out HELP!
Importance: High

Ok as you all laugh. I can take it. In an effort to throw off a recently discovered hacker that came upon one of our lab admins passwords I locked down our system! Boy did I do a good job, I can't even get in! I need to get into the group policy management to disable some things but I can't. Anyone know a backdoor to get into the domain policy? I'm running a complete 2000 domain.

Any ideas are appreciated!

Thanks,
Julie

Julie A. Wilson, MCSA
Microsoft Network Administrator
Exchange Administrator
Distributed Computing - Eastern Illinois University
217-581-7808
RE: [ActiveDir] Weird GPO question
Perfect, exactly what I needed.

Brian

-----Original Message-----
From: Fuller, Stuart [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 5:32 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Weird GPO question

Brian,

Look at Group Policy loopback - See http://support.microsoft.com/default.aspx?scid=kb;en-us;231287

-Stuart

From: Narkinsky, Brian [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 2:26 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Weird GPO question

We are trying to develop a GPO to enforce a screensaver/workstation locking. We have it working fine as long as we apply it to the Users OU.

However, here is the problem. We want to enforce this policy by machine. We have lots of laboratory equipment that people watch the screen hands off, so we don't want these machines locking.

I thought if I applied the GPO to an OU with computer accounts in it the users would pick up the settings when they logged onto that machine. But the only way they pick it up is if I apply it to the users OU.

So how do I make a user setting apply to a group of machines? I was thinking of modifying the templates so that the Screen Saver settings are in the machine section. But am I missing something here?

Forgive me if I sound/am terribly confused.

Brian

Brian Narkinsky
System Manager
Department of Environmental Protection
MS 6520
2600 Blairstone RD
Tallahassee, FL 32399
phone (850)245-8314
fax (850)412-0400
RE: [ActiveDir] Little OT: AD, LDAP, Exchange
Is mailboxnickname really an object class?

-----Original Message-----
From: Pelle, Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, November 07, 2003 1:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Little OT: AD, LDAP, Exchange

That is exactly what I'm after, however I couldn't LDAP myself out of a paper bag! I ran the following LDIF string? and received No Entries found:

    Ldifde f c:\ldifde.ldf d: cn=users,cn=corporate,DC=TESTLAB,DC=LABROOT r (objectClass=mailboxnickname)

Unfortunately, I don't know what the actual attribute is that I want; nor do I have any scripting knowledge. This is scheduled to occur once a month and for the most part there wouldn't be very many changes. Could you point me in the right direction?

Joe Pelle
Systems Analyst
Information Technology
Valassis / IT
19975 Victor Parkway
Livonia, MI 48152
Tel 734.591.3000
Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Friday, November 07, 2003 1:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Little OT: AD, LDAP, Exchange

First thought would be MIIS, but that's kind of expensive for a temporary solution. What about daily LDIF transfers? The 5.5 GAL is LDAP-ish, isn't it?

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Friday, November 07, 2003 9:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Little OT: AD, LDAP, Exchange

Hopefully someone has done this

Scenario: Company A owns Company B and Company C. Company A runs Active Directory and Exchange 5.5. Company B runs Active Directory and Exchange 2000. Company A and Company B do not share networks, do not have any type of trusts, etc.

Company A and Company B want to share Exchange server directories by way of exporting and importing .CSV files. How does Company B export from 2000 in a way that Company A can import into 5.5? Is there a better method? I'm looking for a way to do this as temporary until we have the time and efforts to bring our forests together.

Please send me your thoughts, suggestions, and experiences!

Joe Pelle
Systems Analyst
Information Technology
Valassis / IT
19975 Victor Parkway
Livonia, MI 48152
Tel 734.591.3000
Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/
[ActiveDir] ODBC query of Active DIrectory
Is it possible to set up an ODBC to Active Directory? I wish to do some reporting using Access and apart from dumping and importing flat files I haven't found a way to do it.

Brian

Brian Narkinsky
System Manager
Department of Environmental Protection
MS 6520
2600 Blairstone RD
Tallahassee, FL 32399
phone (850)245-8314
fax (850)412-0400
RE: [ActiveDir] Add junior admin to Local workstations admin group
Not an E2K answer but in E2K3 there is a WMI method to do this.
http://msdn.microsoft.com/library/default.asp?url=

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 8:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

We have MCS and MSPSS Alliance Premier. I realize we have a large unusual non-homogeneous environment but we have encountered many who say it isn't a problem until they get into it and then realize the questions we ask aren't questions normally asked and that we don't just give out tons of rights and permissions to anyone who needs it.

I guess one I'll ask you right off is how do you reconnect a mailbox that was disconnected w/o using the GUI? I.E. Something scriptable in E2K. We have hundreds of thousands of users with mailboxes and many leave and come back and so forth. Any answer for any problem that involves the GUI is almost always immediately wrong. Yet, there is very little docs on how to do everything an E2K admin would have to do without using the GUIs to do it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, August 27, 2003 7:04 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

You're not looking under the right rocks for the Exchange talent then ;)

There is a significant percentage of "Exchange admins" out there that don't understand it, but there are some really, really sharp ones who understand it quite well.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 6:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

H Not sure I can stand behind that *best* statement without listing caveats until next April.

Also I can't seem to find many people who really understand it other than when to toss the chicken bones around, which I don't consider truly understanding. Most of the responses we get when asking questions like WHY about Exchange are responses of JUST BECAUSE or BECAUSE PSS SAYS SO.

Personally I kind of liked MSDOS and the built in BASIC Interpreter - Go Bill!. :op

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, August 26, 2003 11:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

Scary part is that Exchange is still one of the best products Microsoft's ever put out. Just takes someone who really understands it to run it..

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 8:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

Seems like someone invent a lotion or something to help with Exchange... I mean come on, we have lotions for poison ivy and rashes and other nasty annoyances...

Hello Dr... I have a really nasty case of Exchange 2K, it really itches, can you help me out here?

:op

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, August 26, 2003 7:12 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

See, here's the part you don't get - I AM the Exchange admin.

I think the ratio was actually a bit higher - like 900 DL's to 1200 Users, or something close to that. I'm still cleaning up that mess, and that was two Exchange orgs ago!

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original
RE: [ActiveDir] Add junior admin to Local workstations admin group
Well, isn't NTFS or really any file system really a simple database?

The way it is looking to me is not so much SQL everywhere! but WinFS everywhere!. And WinFS has borrowed heavily from SQL technology. Not sure I am using WinFS right here maybe... WinFS is just the CIFS/SMB/drive letter interface to this new technology. But I am calling this new technology WinFS for now.

The question to me is how will the systems really look? I mean, will WinFS simply be an NTFS partition with a Database on it? That is basically a SQL database. Or will WinFS basically be a partition with no NTFS? That is a file system unto itself.

Brian

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 7:00 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

It's absolutely going to be a fun ride, that's for sure.

I'm VERY interested in seeing how they choose to overcome the inherent limitations in the structured vs. unstructured debate. I'm starting to be of the opinion that structured data storage is going the way of the dodo - again because of increases in raw horsepower, the speed benefit provided by structured storage might no longer be worth the distinction.

That being said, technically NTFS IS structured storage - I burn a cluster no matter how small the amount of data being stored. So that begs the questions of can we make everything fit into a reasonable structured storage model? (answer is obviously yes) and Can we make the structure modifiable? (I'd assume yes). The latter question is akin to saying Can we make hard drive clusters in different sizes? That's been done for 20+ years, IIRC.

So maybe the future engine is SQL server with variable page sizes rather than fixed 8k pages. Maybe going as far as different page sizes per database - where a database could be a file system or anything else for that matter.

Interesting indeed.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 6:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

True enough, Roger. I won't in any way disagree that this was the case. But, there have been some changes - rhetoric or not, I can't say. But, we were told in what is now a public transcript that the future database technology that would be first introduced in Yukon would be pervasive throughout the server line, and most prevalent in the AD database and the Exchange stores.

Granted - I know the issues with database technology and the limitations. Hence, one of the reasons that I am so interested to see the 'preview' release of the Longhorn code as the WinFS should be a telling factor as to how far they really do have to go.

Now, are there going to be derivations (hence structured, unstructured)? I suspect yes. Clearly, the EDB that is used for NTDS is similar but not the same as that used for Exchange. And, do I think that exposing an interface such as what you describe for doing the work that we do would be unwelcome? In fact, I think that it would have overwhelming acceptance from the Professional maintainers such as ourselves - as long as there was the 'dumbified' interface for everyone else and for the one-off chores.

To say the least (as if it's not always) the next few years are going to be very interesting as these products develop.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, August 26, 2003 2:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

The actual prognostication I heard at a Windows NT5 preview (pick your date based on *that* statement) was that we'd have two data stores - one for structured (i.e. SQL) data and the other for unstructured (i.e. email, files, etc) data.

So, the idea was that NTFS (version ??) would handle email storage. Think of what's out there with RIS today for SIS in a file tree - but on a full filesystem scale.

There's a performance penalty, quite significantly so, for variable length fields, in databases. At some point, the system bus speeds will stop being the bottlenecks, and they'll have to consider issues like in building data stores.

The published information has led me to believe that it's more a data storage strategy rather than a product. I also think that there's a difference between the front end and back end technologies, and significant benefits to be had from building a unified
RE: [ActiveDir] Add junior admin to Local workstations admin grou p
Wow ... Didn't know my original question was so deep! :) BRian -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 26, 2003 2:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p Well, let's be a bit cautious on that statement. What I understand to be the case is that: (and this is widely publicized - I was put under severe NDA - then Bill Gates talked about it 1 day after I was threatened within an inch of my life.) Microsoft has this new, cool DB technology that is being used in: * Yukon - the next version of SQL Server * Longhorn Client for the file system (WinFS) * Future server versions for AD database (Longhorn server, Blackcombe - you figure it out) * Future versions of Exchange for store database * etc, etc, etc. Now, one might this that this is all really suprising and a sweeping change. And, by some rights, it is. But, if you take a look at the store and AD (ntds) database today - they're very much the same; and strikingly similar to SQL 2000. The big change is really the file system. So, to say that Exchange is going to be based on SQL, yeah, that's pretty much true. But, then, so will AD, and WinFS - but SQL will be based on a base technology that is shared amongst the entire server family. I haven't had the DBAs over lately trying to convince upper management that they own Exchange or AD - and that's not likely to happen in the next iteration, either. Do I think that you need to get to know Yukon (which will likely be the first PUBLICLLY available (not beta, not preview) code of the next gen database, um. Yeah. That might be a really good idea. 
Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Costanzo, Ray Sent: Tuesday, August 26, 2003 11:53 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p Let's not forget about SQL Server here, which will replace Exchange. Ray at work -Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED] Scary part is that Exchange is still one of the best products Microsoft's ever put out. Just takes someone who really understands it to run it.. ** The information contained in this e-mail message is intended only for the personal and confidential use of the recipient(s) named above. Distribution, publication, or retransmission of this message is strictly prohibited. This message may be a bank to client communication and as such is priviliged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail, and delete the original message. The sender of this e-mail specifically opts-out of the Electronic Signatures and Global and National Commerce Act (E-Sign) and any and all similar state and federal acts. Accordingly, but without limitation, any and all documents, contracts, and ageements must contain a handwritten signature of the sender to be legal, valid, and enforceable. 
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Add junior admin to Local workstations admin group
I need to add two users to the local administrators group of every machine in an OU. I've looked at restricted groups GPO, but this doesn't really seem to do what I want. I don't need to restrict, just add. I am also looking at writing a script to run at boot, but again not sure there isn't an easier way. Any ideas?

Brian Narkinsky
RE: [ActiveDir] Group Policy question
Group Policy is not applied to Groups. So Group Policy has nothing to do with Groups. Be nice if you could (I think there is a third party Fazam?)

Brian Narkinsky System Manager Department of Environmental Protection MS 6520 2600 Blairstone RD Tallahassee, FL 32399 phone (850)245-8314 fax (850)412-0400

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 21, 2003 1:29 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Group Policy question

I believe there's nothing in TechNet on it because it's technically impossible to do. You can't have an object in more than one OU.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Chris Flesher [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 21, 2003 12:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy question

Guido, that's not quite what I had in mind. Two OU's that are not hierarchical to each other. It could be a flat OU architecture. Two separate OU's that have gpo's applied to a group. If a user is a member of both groups, which gpo will take precedence? Maybe it's a dumb question but it was posed to me by a higher up and I can't find anything about this scenario in technet.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Monday, July 21, 2003 10:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy question

I guess you're using the groups to filter for whom a GPO is applied - but you're not applying a GPO to a group ;-) It doesn't matter which OU the group resides in, it simply matters which OU the respective GPO is applied to. Assuming you're talking about applying two GPOs to the same OU - each with a separate Group used for filtering, then you can set the priority of the GPO processing order directly on the OU on the Group Policy tab.
/Guido

From: Chris Flesher [mailto:[EMAIL PROTECTED]]
Sent: Montag, 21. Juli 2003 17:18
To: [EMAIL PROTECTED]

Scenario: a user is a member of two groups. Each group is in a separate OU. A gpo is applied to each group. Which gpo will take precedence for that user? In other words, which will be the last to be applied and get the settings applied to that user?

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477
RE: [ActiveDir] HP-UX, Kerberos AD
This might be some help. http://online.securityfocus.com/infocus/1563

Brian Narkinsky System Manager Department of Environmental Protection MS 6520 2600 Blairstone RD Tallahassee, FL 32399 phone (850)245-8314 fax (850)412-0400

-----Original Message-----
From: Ken Cornetet [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 24, 2003 10:15 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] HP-UX, Kerberos AD

Does anyone know what magic is required to get an HP-UX system authenticating to AD using kerberos? The eventlog on my DC seems to show successful authentication attempts from the HP-UX box, but the HP-UX box doesn't seem to like what's coming back from AD.
RE: [ActiveDir] AD user sync to flat file
Hate to talk about an unreleased product but the New MS Meta Directory Services 3.0 should be able to do this pretty easily. But it may also be overkill. Saw it at MEC and it looked to be a big improvement over the old MMS product. You no longer need a consulting contract to get it and it looked very easy to use.

Brian

Brian Narkinsky System Manager Department of Environmental Protection MS 6520 2600 Blairstone RD Tallahassee, FL 32399 phone (850)245-8314 fax (850)412-0400

-----Original Message-----
From: Amit Zinman [mailto:Amit_Z;integrity-sys.com]
Sent: Saturday, November 02, 2002 11:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD user sync to flat file

Let me know what you need, and I'll see how I can help you with the scripting. I have done a lot of those. Say, is the flat file in CSV format?

-----Original Message-----
From: Andy Grafton [mailto:orangerover;hotmail.com]
Sent: Thursday, October 31, 2002 3:39 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD user sync to flat file

This is one of those "does anyone know a product which can do this...?" questions. Apologies.

Have an Active Directory (single domain) with about 65,000 users. Have a personnel system which produces a flat file consisting of [only] usernames. Once a week, our customer wants to run a utility which will perform a very simple synchronisation of the users in the Active Directory with those listed in the flat file.

The rules...

If the user is in the flat file and the directory, do nothing.
If the user is in the flat file but not the directory, create it in the directory [in a default location].
If the user is in the directory, but not the flat file, delete it from the directory.

My immediate response is that you should do this with a script of some sort, but I was wondering if anyone has located a product that can do such simple things? If it's relatively inexpensive, then it's not worth spending programming hours on reinventing the wheel.
I had a look at NetIQ, Fastlane and iPlanet's offerings, but they are all far too heavyweight to even consider. Don't ask why the flat file... The personnel system is not connected to anything and the data travels by CD and sneaker-net.

Thanks,
Andy
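The three rules Andy lists, written as a dry-run planner. This is an added example, not code from anyone in the thread; the name pattern, the protected-account list and the delete threshold are assumptions, added so that a truncated or damaged file arriving on CD cannot turn rule three into a mass deletion.

```python
import re

# Assumed site naming convention for logon names (not taken from the thread).
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,20}")

# Assumption: accounts the personnel file never lists and the sync must never delete.
PROTECTED = {"administrator", "guest", "krbtgt"}


class SyncRefused(Exception):
    """The input looks wrong enough that no change should be made."""


def parse_flat_file(text):
    """Return the usernames in the file as a case-folded set.

    Logon names compare case-insensitively in AD, so 'JSmith' and 'jsmith'
    are one account. One malformed line rejects the whole file.
    """
    names = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        name = raw.strip()
        if not name:
            continue
        if not NAME_RE.fullmatch(name):
            raise SyncRefused(f"line {lineno}: unexpected username {name!r}")
        names.add(name.casefold())
    if not names:
        raise SyncRefused("flat file contains no usernames")
    return names


def plan_sync(flat_file_text, directory_users, max_delete_ratio=0.05):
    """Apply the thread's three rules and return the plan without executing it."""
    in_file = parse_flat_file(flat_file_text)
    in_dir = {u.casefold() for u in directory_users}
    managed = in_dir - PROTECTED

    create = sorted(in_file - in_dir)    # in file, not in directory
    delete = sorted(managed - in_file)   # in directory, not in file
    unchanged = len(in_file & in_dir)    # in both: do nothing

    # A short or truncated file would otherwise become a mass deletion.
    if len(delete) > max_delete_ratio * len(managed):
        raise SyncRefused(
            f"{len(delete)} of {len(managed)} accounts would be deleted; "
            f"limit is {max_delete_ratio:.0%}")
    return {"create": create, "delete": delete, "unchanged": unchanged}


if __name__ == "__main__":
    # Constructed sample data.
    flat = "jsmith\nADoe\n\nnewhire\n"
    directory = ["JSmith", "adoe", "Administrator", "leaver"]
    print(plan_sync(flat, directory, max_delete_ratio=0.5))
```

The returned plan is what a reviewer signs off before any create or delete is issued against the directory.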
[ActiveDir] Modify Search for People
Is it possible to modify what gets returned when people do a find people against Active Directory? I'd like to include some internal information etc when users search for people using W2K, XP clients. I've figured out how to modify the templates in Exchange but that only works if they search from Outlook.

Brian

-----Original Message-----
From: marija efnuseva [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 7:02 AM
To: ActiveDirLista
Subject: [ActiveDir] Security Templates

Hallo,

Can anybody tell me where I can find more documentation on Security Templates, especially about working with the File System on local computers. Also, can anybody send me an example on how to deny access to all folders on the local C: drive, and then allow only one specific folder for every user. So drive C: and all subfolders should be inaccessible for everybody. But, for example, the user marija should be able to access only her My Documents folder and have the rights that I assign her. She should not be able to see, browse, list the contents, and not to mention to read, or write to any other folder on drive C:

Thanks,
Marija
RE: [ActiveDir] Group Policy Folder Redirection Question
I believe in this case it tattoos the registry. That is, it makes the changes permanent to the local registry. Once it is done the only way to undo is manually edit the registry.

Brian

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 24, 2002 3:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy Folder Redirection Question

Ok so I did the secedit /refreshpolicy user_policy and for machine_policy but whenever I log in with the Admin account or the test account they're still pointed to the old location. Is there something else I need to do?

-Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Sykes
Sent: Saturday, June 22, 2002 12:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy Folder Redirection Question

Chris,

It should work pretty much instantly. To refresh the policy you can use secedit /refreshpolicy or more recently gpupdate (XP).

Darren.

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: 21 June 2002 23:20
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy Folder Redirection Question

Anyone?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Christopher Hummert
Sent: Friday, June 21, 2002 11:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Group Policy Folder Redirection Question

Ok so I have a new server and a new domain that I'm setting up. I was editing the default domain policy and I was setting up folder redirection. I set up the application data to redirect to \\server\share\%username%\ and the same place with the My Documents and the Desktop folder. I realised my mistake of not adding the \My Documents\, \Application Data\ and \Desktop\ after the string when I logged out and logged back in. I currently have 2 users on this machine: one is the administrator and one is the test account.
I've corrected the mistake in the default domain policy but the users on the machine don't seem to have had the change affect them yet. Is there any way to get these changes to update to the current users?

Thanks

Chris Hummert
Network Administrator - Albany Agency of Insurance
Webmaster for Noghri.net http://www.noghri.net
MS Beta tester ID #: 388366

"Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us." - from Calvin and Hobbes
RE: [ActiveDir] Group Policy Folder Redirection Question
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q242557

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 24, 2002 5:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy Folder Redirection Question

Know where I can fix that in the registry?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Narkinsky, Brian
Sent: Monday, June 24, 2002 1:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy Folder Redirection Question

I believe in this case it tattoos the registry. That is, it makes the changes permanent to the local registry. Once it is done the only way to undo is manually edit the registry.

Brian

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 24, 2002 3:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy Folder Redirection Question

Ok so I did the secedit /refreshpolicy user_policy and for machine_policy but whenever I log in with the Admin account or the test account they're still pointed to the old location. Is there something else I need to do?

-Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Sykes
Sent: Saturday, June 22, 2002 12:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy Folder Redirection Question

Chris,

It should work pretty much instantly. To refresh the policy you can use secedit /refreshpolicy or more recently gpupdate (XP).

Darren.

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: 21 June 2002 23:20
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy Folder Redirection Question

Anyone?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Christopher Hummert
Sent: Friday, June 21, 2002 11:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Group Policy Folder Redirection Question

Ok so I have a new server and a new domain that I'm setting up.
I was editing the default domain policy and I was setting up folder redirection. I set up the application data to redirect to \\server\share\%username%\ and the same place with the My Documents and the Desktop folder. I realised my mistake of not adding the \My Documents\, \Application Data\ and \Desktop\ after the string when I logged out and logged back in. I currently have 2 users on this machine: one is the administrator and one is the test account. I've corrected the mistake in the default domain policy but the users on the machine don't seem to have had the change affect them yet. Is there any way to get these changes to update to the current users?

Thanks

Chris Hummert
Network Administrator - Albany Agency of Insurance
Webmaster for Noghri.net http://www.noghri.net
MS Beta tester ID #: 388366

"Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us." - from Calvin and Hobbes
RE: [ActiveDir] Password changes and password must change
Password changes are replicated immediately. However, the attribute for password expires follows normal replication procedures. So you get a confusing lag. Seen the exact same thing at our help desk.

Brian

-----Original Message-----
From: Ayers, Diane [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 10, 2002 8:47 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Password changes and password must change

Folks:

I've gotten some calls from our help desk where they are resetting passwords for our users. When a user calls in to have their pwd changed, they reset the pwd for the user and then verify that password must change on login is checked. When the user logs in, the new pwd is in effect but the password must change on login is not being enforced. Later when the user logs in, they are forced to change their pwd (again). I'm assuming that it's a combo of replication delays between the new pwd being enforced and of the password must change on login attribute.

We are at Win2K SP2SRP1 AD native mode for user accounts. Workstations are still in the NT 4.0 sp6a resource domains and a mix of Win2K, NT and Win9x.

Anyone have any insights?

Diane
RE: [ActiveDir] Searching LDAP
I think you may need to put the entire distinguished name in for the OU. I ran into a similar problem trying to write a filter to exclude a group from an Exchange thing. Something like

    (&(objectClass=organizationalUnit)(!(ou=OU=foo,OU=man,DC=chu,DC=net)))

My 2 cents FWIW.

Brian

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 24, 2002 11:02 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Searching LDAP

Hi Brendan

I could be wrong, but I don't believe you can do this with a single ldap query. Your attempts failed because for the objectClass of user specified in your filter there is no OU attribute. The way I would do it is to run a query to return all the OUs you are interested in and then step through the results with your user query. In other words start with a query like this:

    (&(objectClass=organizationalUnit)(!(ou=Contacts)))

Return the organizationalUnit attribute. Subtree search from the top. Then run your original query against each of the returned OUs in turn.

I have a script that does something similar. Mail me off-list if you want to see it.

Tony
www.activedir.org

-- Original Message --
From: Stephens, Brendan [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Fri, 24 May 2002 10:21:40 -0400

If anyone is familiar with LDAP syntax, I could use some help on this one... Our directory structure is separated into OU's, and I am trying to filter a specific OU out of the picture... I can pull the users by using the following syntax for ADO...

    strSQL = "<LDAP://" & Domain & ">;(&(objectClass=user)(objectCategory=person)(sn=*));samAccountName,name,company,telephoneNumber,AdsPath;subtree"

But how do I filter out an OU? (Contacts) I have tried:

    strSQL = "<LDAP://" & Domain & ">;(&(objectClass=user)(objectCategory=person)(sn=*)(!ou=*Contacts*));samAccountName,name,company,telephoneNumber,AdsPath;subtree"

and a couple of other variants on this, but to no avail... Any suggestions or gurus on this matter?
Brendan Stephens
Web Applications Developer
Tech-Advances
[ActiveDir] Internet Locator Service in AD
Does anybody know what attributes are set when you enter ILS information under Exchange Advanced in ADUC? I need to enable 3000+ accounts and hate to do it by hand, but I can't seem to find what attribute actually gets set.

Thanks,
Brian

Brian Narkinsky System Manager Department of Environmental Protection MS 6520 2600 Blairstone RD Tallahassee, FL 32399 phone (850)488-1205 fax (850)412-0400
[ActiveDir] size of a group always returns 1000
I have the following VBS program

    Dim adsGroup, adsMembers
    ' Bind to the group object by its distinguished name
    Set adsGroup = GetObject("LDAP://CN=all-employees,OU=Distribution Lists,DC=test,DC=net")
    Set adsMembers = adsGroup.Members
    ' Report how many members the collection holds
    WScript.Echo "number of members of all employees " & adsMembers.Count

It always returns 1000. I know there are more than 1000 in the group. Any ideas?

Brian
[ActiveDir] LDAP filter for Group membership
I am trying to write an LDAP query to choose all the members in my Directory who belong to a certain group. This is the only thing I have come up with, but it still returns 0 results. Any ideas?

    (&(objectclass=user)(memberof=*STOBOB*))

Any ideas? Thanks.

Brian

Brian Narkinsky System Manager Department of Environmental Protection MS 6520 2600 Blairstone RD Tallahassee, FL 32399 phone (850)488-1205 fax (850)412-0400
RE: [ActiveDir] LDAP filter for Group membership
Thank you, sir. That was the trick.

Brian

Brian Narkinsky System Manager Department of Environmental Protection MS 6520 2600 Blairstone RD Tallahassee, FL 32399 phone (850)488-1205 fax (850)412-0400

-----Original Message-----
From: Tom Meunier [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 08, 2002 3:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter for Group membership

I've only had luck with completely naming the group.

    (memberof=cn=supreme court,ou=supreme court,dc=courts,dc=state,dc=tx,dc=us)

I always just thought it was my own nincompoopedness, but that's what works for me.

-tom

-----Original Message-----
From: Narkinsky, Brian [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 08, 2002 02:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP filter for Group membership

I am trying to write an LDAP query to choose all the members in my Directory who belong to a certain group. This is the only thing I have come up with, but it still returns 0 results. Any ideas?

    (&(objectclass=user)(memberof=*STOBOB*))

Any ideas? Thanks.

Brian

Brian Narkinsky System Manager Department of Environmental Protection MS 6520 2600 Blairstone RD Tallahassee, FL 32399 phone (850)488-1205 fax (850)412-0400
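Tom's fix works because memberOf holds distinguished names, and Active Directory does not do substring matching on DN-valued attributes, so the group must be named in full. The builder below is an added example, not code from the thread: it requires a full DN and escapes it per RFC 4515 so that a group name containing parentheses, asterisks or backslashes cannot change the filter's structure. The function names and the constructed "Staff (Temp)" group in the usage are hypothetical.

```python
import re

# RFC 4515: characters that must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# AD's LDAP_MATCHING_RULE_IN_CHAIN: also follows nested group membership,
# on domain controllers that support the rule.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"

# One DN component, e.g. "cn=supreme court" or "DC=net".
_RDN = re.compile(r"\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*\S.*")


def escape_filter_value(value):
    """Escape a string for use as the value part of an LDAP filter item."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def looks_like_dn(value):
    """Cheap shape check: two or more attr=value parts split on unescaped commas."""
    parts = re.split(r"(?<!\\),", value)
    return len(parts) >= 2 and all(_RDN.fullmatch(p) for p in parts)


def users_in_group_filter(group_dn, nested=False):
    """Return a filter matching user objects that are members of group_dn."""
    if not looks_like_dn(group_dn):
        raise ValueError(
            "memberOf needs the group's full distinguished name, "
            f"not a fragment: {group_dn!r}")
    attr = f"memberOf:{IN_CHAIN_OID}:" if nested else "memberOf"
    return f"(&(objectClass=user)({attr}={escape_filter_value(group_dn)}))"


if __name__ == "__main__":
    # The DN from Tom's reply.
    print(users_in_group_filter(
        "cn=supreme court,ou=supreme court,dc=courts,dc=state,dc=tx,dc=us"))
    # Constructed DN with characters that need escaping.
    print(users_in_group_filter("CN=Staff (Temp),OU=Groups,DC=test,DC=net"))
    try:
        users_in_group_filter("*STOBOB*")  # the wildcard attempt from the question
    except ValueError as err:
        print("rejected:", err)
```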