RE: [ActiveDir] GPO wierdness during forest migration

2006-05-17 Thread Nicolas Blank
Darren,
SA rocks, although things are a bit cold at the moment - for us cold is
single figure above 0 ;)
Hm, have seen stuff around the profile as well, but not always
consistent enough to point a shaking finger at it and lay blame there.

Turns out that ADMT failed to migrate sid-history and QMM did migrate
sid-history; thus an attribute comparison of two objects migrated with
different tools turns out that the only difference was that ADMT failed on
sid-history.

When I dropped sid-history on migrated users, RSOP returns a single set for
the target environment and GPOs fire correctly; re-introduce sid-history
and things go pear-shaped.


On some users, giving them fresh profiles also helped on some occasions,
though, so I'm keen to know if you can give me a pointer in the right
direction as to how HKLM and HKCU relate to GPO processing?

-Original Message-
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] 
Sent: 16 May 2006 03:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO wierdness during forest migration

Nicolas-
I hope things are well in SA. So, one possible issue here could be in how
the machines have been moved between forests. Were they re-imaged or just
moved between domains? If the latter, then what you could be experiencing is
some crap (technical term) in the registry from the old domain that is
affecting GP processing. I would look under the Policies keys in HKLM and
HKCU for a given user and see if the stuff referenced in there is old or
new.

Not sure why ADMT would be any different however.

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: Monday, May 15, 2006 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO wierdness during forest migration

Hi all
Migrating from one forest into another, one way trust treating the source as
a resource forest.

Migrating using Quest Migration Manager with Sidhistory.

Weird thing is that on the user's machine, gpresult gives me source and
target GPOs as applied, however target GPOs are applying inconsistently in
practice - i.e. script firing sometimes.

If I migrate with ADMT, this behavior does not follow.

Anyone ever seen anything like this before?



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
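Darren's suggestion above is to compare what the registry still references against the new domain, and Nicolas's finding is that sIDHistory is the variable. The following PowerShell is an added example, not code from the thread or from any of its participants: it lists the domain each GPO recorded in the Group Policy history keys came from, and the SIDs in a migrated user's sIDHistory. The target domain DN and the user name 'jdoe' are placeholders; the registry paths, value names and attribute names are real. It needs PowerShell 3 or later.

```powershell
# Added example, not code from the thread. Shows which domain each GPO recorded in
# the Group Policy history keys came from, and which SIDs in a migrated user's
# sIDHistory belong to another domain. $TargetDomainDN and the user name 'jdoe'
# are placeholders; the registry paths and attribute names are real.

$TargetDomainDN = 'DC=target,DC=example,DC=com'

# Group Policy records every GPO it applied, per client-side extension (CSE), under
# SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{CSE-GUID}\<n>
# in HKLM (computer policy) and HKCU (user policy). The DSPath value holds the DN
# of the GPO, and its DC= components tell you which domain it was read from.
function Get-GpHistory {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)

    $root = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History"
    if (-not (Test-Path $root)) { return }

    foreach ($cse in Get-ChildItem -Path $root) {
        foreach ($entry in Get-ChildItem -Path $cse.PSPath) {
            $p = Get-ItemProperty -Path $entry.PSPath
            if (-not $p.DSPath) { continue }    # the local GPO entry has no DSPath

            # Everything from the first ",DC=" onward is the domain the GPO lives in.
            $i = $p.DSPath.IndexOf(',DC=', [System.StringComparison]::OrdinalIgnoreCase)
            $domainDN = if ($i -ge 0) { $p.DSPath.Substring($i + 1) } else { $p.DSPath }

            [pscustomobject]@{
                Hive       = $Hive
                CSE        = $cse.PSChildName
                GPO        = $p.DisplayName
                GPOName    = $p.GPOName
                DomainDN   = $domainDN
                FromTarget = ($domainDN -eq $TargetDomainDN)
            }
        }
    }
}

# Nicolas found that removing sIDHistory made RSoP return only the target set.
# This lists each history SID, whether it comes from a different domain than
# the user's own objectSid, and what it resolves to (if the trust lets it).
function Get-SidHistoryReport {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('objectSid', 'sIDHistory'))
    $r = $searcher.FindOne()
    if (-not $r -or -not $r.Properties.Contains('sidhistory')) { return }

    $own = New-Object System.Security.Principal.SecurityIdentifier($r.Properties['objectsid'][0], 0)
    foreach ($raw in $r.Properties['sidhistory']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }
        [pscustomobject]@{
            User       = $SamAccountName
            HistorySID = $sid.Value
            Foreign    = -not $sid.IsEqualDomainSid($own)   # $true: from another domain/forest
            ResolvesTo = $name
        }
    }
}

# Run the HKCU half inside the migrated user's own session.
Get-GpHistory -Hive HKLM | Where-Object { -not $_.FromTarget } | Format-Table -AutoSize
Get-GpHistory -Hive HKCU | Where-Object { -not $_.FromTarget } | Format-Table -AutoSize
Get-SidHistoryReport -SamAccountName 'jdoe' | Format-Table -AutoSize
```

Any row with FromTarget false is a GPO the client last processed from a domain other than the target, which is the "old stuff" Darren asks about; any row with Foreign true is a source-forest SID that will be in the user's token for as long as it stays in sIDHistory.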



[ActiveDir] GPO wierdness during forest migration

2006-05-15 Thread Nicolas Blank
Hi all
Migrating from one forest into another, one way trust treating the source as
a resource forest.

Migrating using Quest Migration Manager with Sidhistory.

Weird thing is that on the user's machine, gpresult gives me source and
target GPOs as applied, however target GPOs are applying inconsistently in
practice - i.e. script firing sometimes.

If I migrate with ADMT, this behavior does not follow.

Anyone ever seen anything like this before?





RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003

2006-04-02 Thread Nicolas Blank

Haven't lurked on the list for a while, so apologies if I'm asking the
already-answered, however:

Bearing in mind the non-goals of the paper, i.e.

* Finding a precise database size at which the 64-bit version becomes more
advantageous than the 32-bit version.
* Finding a precise amount of RAM to optimize caching the database.

Any prescriptive guidance on these, bearing in mind that most of our DITs
contain more than just user info? Also, how do multiple processors affect
64-bit DC performance?

What about DC-specific settings in 64-bit environments - do these change at
all, since larger cache configurations are assumed? The thinking here is
that you wouldn't bother with 64-bit DCs without the extra memory.

From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]]
Sent: 02 April 2006 09:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003

Although nothing official, we've done testing HP internally and were quite
comfortable using a single well-sized 64-bit DC (well-sized meaning our
whole DIT cached in memory) serving one of our sites with approx. 4 Exchange
Mbx. servers (I believe all dual-proc) with a total of 20.000 mailboxes. It
worked like a charm.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, 2 April 2006 09:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003

And silence swept the community as Microsoft folks dived under desks
searching for dropped pens...

I second this request pleasethankyouverymuch.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Olson
Sent: Friday, March 31, 2006 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003

Thanks. Looks like a really great white paper. Anything in the works to
provide updated DC sizing for Exchange?

Thanks again.

Jeremy

On 3/30/06, Steve Linehan [EMAIL PROTECTED] wrote:

Since it has been asked many times on the alias when a paper will be
released detailing the scenarios in which deploying 64-bit servers for
Active Directory makes sense, and providing detailed analysis and numbers,
I thought everyone would be happy to know that the Active Directory Program
Management and Development teams have released the following white paper:
Active Directory Performance for 64-bit Versions of Windows Server 2003,
http://www.microsoft.com/downloads/details.aspx?FamilyID=52e7c3bd-570a-475c-96e0-316dc821e3e7&DisplayLang=en.

Thanks,

-Steve

RE: [ActiveDir] Exchange - ESM - All Address Lists and All Global Address Lists disappeared

2006-02-06 Thread Nicolas Blank
If objects disappear inside ESM, often the right to read the object or the
right to read the permission of the object has been lost, mangled, whatever.

You CAN expose this object using ADSIEDIT, by browsing to the config
partition, Services, Exchange, orgname, which then exposes the top-level
objects and their children.

A quick way out of this may just be re-granting the read right using
ADSIEDIT. If need be, take ownership of the object and repermission.

 

ESM is nice for permissioning, however even with showsecuritypage it's
still severely limited. If you HAVE to change permissions at this level,
then ADSIEDIT is significantly more powerful than ESM, since all object
permissions are exposed, including all child objects.

 

My 2 cents worth

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: 06 February 2006 09:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - All Address Lists and All
Global Address Lists disappeared

 

Okay, so you start ESM with local system properties. Does that mean you have
to start ESM from that same command prompt window?

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday 6 February 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Exchange - ESM - All Address Lists and All
Global Address Lists disappeared

To answer your question: Yes.

I use ESM instead of dsacls because I'm used to granting ACLs with a GUI :o)

 

Yann

 

  _  

From: [EMAIL PROTECTED] on behalf of Victor W.
Sent: Mon 06/02/2006 16:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - All Address Lists and All Global
Address Lists disappeared

Thanks for your fast reply Yann! 

 

Do you mean to run the command which resets the permissions for the
Authenticated Users under Local System privileges?

 

Cheers,

 

 

Victor

 

 

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday 6 February 2006 16:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - All Address Lists and All
Global Address Lists disappeared

Hi,

 

The only way to make your organization accessible again is to run the command
under Local System privileges, by entering this command in a command-line
window like this:

C:\> at time /interactive cmd.exe

Ex: C:\> at 12:00 /interactive cmd.exe

 

So at 12:00, a command prompt will appear with Local System privileges (type
whoami to be sure).

Tip: if you connect to your server via RDP, the command will not be
interactive and the command shell will not appear unless you activate
/console in your RDP connection. However, you can just open a session directly
on your Exchange server.

 

Now you can open ESM properly with Local System privileges, and give full
access to a user at the organisation level.

 

After regaining total access to your Exchange organisation, run a
/forestprep and /domainprep for the System Attendant to be in a stable
state.

 

Let us know if that works for you.

Regards,

Yann TIROA

Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Bât. Gabriel Lippmann - 2nd floor - room 238.
43, Bd du 11 Novembre 1918.
69622 Villeurbanne Cedex.
Web: www.univ-lyon1.fr

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Monday 6 February 2006 16:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - All Address Lists and All Global
Address Lists disappeared

I had the chance to look at the actual problem today and hereunder I will
describe the problem and what I have tried to resolve it:

 

Problem: The All Address Lists container has disappeared from ESM, as well
as the All Global Address Lists container.

From within Outlook it is as if you can display the All Address List, but
you are presented with an error message when you actually select it; the
same error message is displayed when clicking Check Name when creating a
new Outlook profile.

 

I know what happened, what has caused this: somebody had denied Everyone and
Authenticated Users access to this list.

 

I found a MS article which deals with exactly this, if I am right:

http://support.microsoft.com/?id=286296

 

When I try this in a command prompt:

DSACLS CN=Default Global Address List,CN=All Global Address
Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=Example,DC=com

 

I get the following error message:

Object path is not valid, please correct it

 

When I try this in a command prompt:

DSACLS CN=All Global Address Lists,CN=Address Lists Container,CN=First
Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=Example,DC=com /N /G
Authenticated Users:SDRCWDWOWPRPCALO

 

I get the following error message:

The system cannot find the file specified.

 

From within Adsi Edit I can see In the right hand 
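The thread above is about Deny ACEs for Everyone and Authenticated Users on an address-list container in the configuration partition. The PowerShell below is an added example, not code from the thread or from any of its participants: it reads the object's security descriptor through ADSI and flags broad Deny entries by SID, so it works regardless of display language. The DN is the one Victor posted, with "First Organization" and DC=Example,DC=com as placeholders to replace; if your own account can no longer read the object, run it from the LocalSystem shell Yann describes. Note also that when the same DN is passed to dsacls on the command line it has to be enclosed in double quotes, because it contains spaces.

```powershell
# Added example, not code from the thread. Dumps the ACL on an Exchange address-list
# container in the configuration partition and flags Deny ACEs for Everyone
# (S-1-1-0) or Authenticated Users (S-1-5-11). The organisation name and the
# DC= components of $AddressLists are placeholders. Needs PowerShell 3 or later.

$AddressLists = 'CN=All Global Address Lists,CN=Address Lists Container,' +
                'CN=First Organization,CN=Microsoft Exchange,CN=Services,' +
                'CN=Configuration,DC=Example,DC=com'

function Get-AdObjectAces {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $obj = [ADSI]('LDAP://' + $DistinguishedName)
    # ObjectSecurity is the object's nTSecurityDescriptor as an ActiveDirectorySecurity.
    # Asking for SecurityIdentifier keeps the comparison below locale-independent.
    $rules = $obj.psbase.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }
        [pscustomobject]@{
            Identity  = $name
            SID       = $sid.Value
            Type      = $rule.AccessControlType      # Allow or Deny
            Rights    = $rule.ActiveDirectoryRights
            Inherited = $rule.IsInherited
            AppliesTo = $rule.InheritanceType
        }
    }
}

# Explicit Deny ACEs sort ahead of explicit Allow ACEs, and every logged-on
# account is a member of Everyone and Authenticated Users, so a Deny for either
# group applies to administrators too. These are the entries to remove.
function Find-BroadDenies {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $broad = @('S-1-1-0', 'S-1-5-11')
    Get-AdObjectAces -DistinguishedName $DistinguishedName |
        Where-Object { $_.Type -eq 'Deny' -and $broad -contains $_.SID }
}

Get-AdObjectAces -DistinguishedName $AddressLists | Format-Table -AutoSize
Find-BroadDenies -DistinguishedName $AddressLists | Format-Table -AutoSize
```

Run Find-BroadDenies against the Address Lists Container and the individual address lists as well, since a Deny placed on the parent with inheritance enabled shows up on every child as an inherited ACE.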

RE: [ActiveDir] ISA 2004 and Microsoft Cluster Server

2005-09-13 Thread Nicolas Blank

Don't bother going the clustering route. ISA has a very decent version of NLB
that's built in, and will work in a highly available configuration for a
single route.

Adding clustering to this will obscure and complicate things. Suggest you
stick with the built-in NLB, since adjacent proxy servers can be aware of
each other, and can take on the other box's load transparently.

This has the obvious advantage of taking you into an MS-supported
configuration, and allows you to scale out, i.e. NLB, using dissimilar
hardware, as opposed to scaling up and clustering using matched hardware.

My $0.02 worth

From: Phil Renouf [mailto:[EMAIL PROTECTED]
Sent: 13 September 2005 04:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ISA 2004 and Microsoft Cluster Server

The real question here is: Will Microsoft support ISA running under VCS?
That is a question that only Microsoft can answer, so I would send that
question to your TAM, or if you don't have a TAM, call into PSS and open an
Advisory case to get an answer to the question.

Phil

On 9/12/05, Aramide
Adebanjo [EMAIL PROTECTED]
wrote: 

Hey guys,

Thanks for all these... now let me go a step further... what if a company
wants to consolidate their applications, build redundancy, failover
capabilities and implement clustering as well using Veritas clustering
solution... can ISA be treated as a Microsoft application that can be
clustered...?? And if yes.. what's the best way of doing it... apparently
not too many companies have toed this line.. but what if it can be pulled
off.. whatcha ya all think...??
thx

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, September 12, 2005 10:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ISA 2004 and Microsoft Cluster Server 

Clustering and Load Balancing I wouldn't really call a tomato tomoto
thing

Maybe not in the ordinary sense, Brian. But in the ISA 2004 Enterprise realm,
we should be able to do that. OR, if you prefer, we can say tomato and
ketchup or something. NLB is the way to go in ISA 2004, and the way ISA uses
NLB (in addition to the new Configuration Storage server concept), you do
indeed have some resilience that is not usually available in the normal NLB
deployments.

The only time I've seen ISA installed in another clustering configuration
outside of NLB is when Rain Wall was used. Of course I haven't seen every
ISA server installation, but I'd wager that NLB is generally considered the
standard clustering solution for ISA 2004.



Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?-anon



From: [EMAIL PROTECTED]
on behalf of Brian Desmond
Sent: Mon 9/12/2005 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ISA 2004 and Microsoft Cluster Server



Clustering and Load Balancing I wouldn't really call a tomato tomoto thing.
More an apples and oranges thing. Load Balancing is not a fault tolerant
solution, whereas clustering if something breaks everything moves over to
another node... 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Medeiros, Jose
Sent: Monday, September 12, 2005 1:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ISA 2004 and Microsoft Cluster Server

Greetings Aramide,

I do not believe that Microsoft ISA Server 2004 can be clustered per se using
Microsoft Cluster service. I took the ISA Server 2000 & 2004 class and the
MOC stated that the ISA 2004 Enterprise edition is designed to be load
balanced, which I believe would solve your issue ( It's just a terminology
thing. You say tomato, I say tomoto... ) :-)

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/network_load_balancing_ee.mspx

Jose

-Original Message- 
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On
Behalf Of Aramide Adebanjo 
Sent: Monday, September 12, 2005 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ISA 2004 and Microsoft Cluster Server


Hi guys,

A quick one...does anyone have any idea where I can get documentation on
installing ISA 2004 Standard/Enterprise edition on a Microsoft Clustering
Solution. 

Kindest Regards

RE: [ActiveDir] Finding user's with certain attributes

2005-09-01 Thread Nicolas Blank

Peter,

Not trying to oversimplify things, but a really easy way to find most
attributes is to put a really obvious value in the attrib for a specific
user, and examine the object with LDP or ADSI Edit afterwards and see what
got populated.

As such, there is no expiry date attrib that I'm aware of - you can
calculate it though.

Check out this newsgroup thread: http://tinyurl.com/2n8ju

Sorry for the indirect answer mate.

From: Peter Johnson [mailto:[EMAIL PROTECTED]
Sent: 01 September 2005 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Finding user's with certain attributes

Hi all

How could I, using adfind (really useful tool by the way, respect to
joe!!), find all users who have an expiry date set on their account? What
would the name of that attribute be?

Thanks in advance

Regards

Peter Johnson
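Peter's question is about an account expiry date, which Active Directory does store, in the accountExpires attribute: a value of 0 or 9223372036854775807 means the account never expires, and anything else is a FILETIME. The PowerShell below is an added example, not code from the thread or from any of its participants; it runs the same LDAP filter a practitioner would give to adfind and decodes the dates. The search base is read from RootDSE at run time, and "DC=example,DC=com" in the adfind comment is a placeholder.

```powershell
# Added example, not code from the thread. Finds users with an expiry date set.
# A never-expiring account stores accountExpires as 0 or 9223372036854775807
# (Int64.MaxValue); any other value is a FILETIME (100 ns ticks since 1601-01-01).
# adfind takes the same filter (DC=example,DC=com is a placeholder):
#   adfind -b "DC=example,DC=com" -f "(&(objectCategory=person)(objectClass=user)(accountExpires>=1)(accountExpires<=9223372036854775806))" accountExpires -tdc
# Needs PowerShell 3 or later.

function ConvertFrom-AccountExpires {
    param([Int64]$Value)
    if ($Value -eq 0 -or $Value -eq [Int64]::MaxValue) { return $null }   # never expires
    # FILETIMEs beyond DateTime.MaxValue cannot be converted; treat them as "never".
    if ($Value -gt [DateTime]::MaxValue.ToFileTimeUtc()) { return $null }
    return [DateTime]::FromFileTimeUtc($Value).ToLocalTime()
}

function Get-ExpiringUsers {
    param([string]$SearchBase = ([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'].Value)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.PageSize = 1000     # paged results, so large domains are returned in full
    # The range (1 .. Int64.MaxValue-1) excludes both "never expires" encodings server-side.
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
                       '(accountExpires>=1)(accountExpires<=9223372036854775806))'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'sAMAccountName', 'accountExpires', 'userAccountControl'))

    foreach ($r in $searcher.FindAll()) {
        $when = ConvertFrom-AccountExpires ([Int64]$r.Properties['accountexpires'][0])
        [pscustomobject]@{
            SamAccountName = $r.Properties['samaccountname'][0]
            Expires        = $when
            AlreadyExpired = ($when -ne $null -and $when -lt (Get-Date))
            Disabled       = (([int]$r.Properties['useraccountcontrol'][0] -band 2) -ne 0)   # ACCOUNTDISABLE
        }
    }
}

Get-ExpiringUsers | Sort-Object Expires | Format-Table -AutoSize
```

AlreadyExpired and Disabled are reported separately because an expired account is not disabled: userAccountControl is unchanged and the DC simply refuses the logon once the date has passed, so expired-but-enabled accounts are easy to miss in a review that only looks at the disabled flag.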

RE: [ActiveDir] Native Mode Switch

2005-04-22 Thread Nicolas Blank
Perfect sense, thanks for the reply. Understand about Lanman rep to downlevel
versions.

What effect would it have if a DC was authoritatively restored pre-native-mode
and the other DCs were native mode?
This presumes no group nesting had taken place. On the DC, the built-in
groups (Schema Admins, Enterprise Admins) that had become USGs would be DGGs
already. This would re-introduce a value of 1 in the nTMixedDomain attrib on
the domain NC. Would the domain shift back to mixed mode?

Thanks for your time so far Jorge.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: 21 April 2005 01:17 PM
To: 'Nicolas Blank '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Native Mode Switch

As you know, changing the mode or FL switch to an upper level introduces new
features. One of the consequences is that the DCs will not accept Lanman
repl, which is used by legacy DCs (NT4). Some of the features that are
introduced are also not supported by NT4 DCs. One of the examples is
UNIVERSAL SECURITY GROUPS (USGs) (group nesting is another). USGs only exist
in at least DFL w2k native mode. If you switch to native mode and create
USGs and use them to secure resources, and let's say that you want to go
back to mixed mode... you would need to first undo all newly introduced
functionality like the USGs and the group nesting.

Does this make sense?

#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/21/2005 12:03 PM
Subject: RE: [ActiveDir] Native Mode Switch

I hear you. I do know what the switch achieves in terms of functionality, I
understand the literature, have done this, have explained the same to
clients, however I am faced with the question of why this is a
non-reversible switch?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: 20 April 2005 09:07 PM
To: 'Nicolas Blank '; Jorge de Almeida Pinto; 'ActiveDir@mail.activedir.org
'
Subject: RE: [ActiveDir] Native Mode Switch

Manually re-writing the attribute will not work.

Also see:
http://support.microsoft.com/kb/322692
http://www.petri.co.il/understanding_function_levels_in_windows_2003_ad.htm
Jorge

-Original Message-
From: Nicolas Blank
To: 'Jorge de Almeida Pinto'; ActiveDir@mail.activedir.org
Sent: 4/20/2005 8:25 PM
Subject: RE: [ActiveDir] Native Mode Switch

Thanks for the answer. This is understood, however, what are the
implications of manually re-writing the nTMixedDomain value back to 1?
Also, what actions does a DC take once the value change is effected that
make the change non-reversible?

-Original Message-
From: Jorge de Almeida Pinto
[mailto:[EMAIL PROTECTED]
Sent: 20 April 2005 08:17 PM
To: 'Nicolas Blank '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Native Mode Switch

When you convert the domain to native mode the attribute nTMixedDomain on
the domain NC head of the replica where the change is made is changed from 1
to 0. This change replicates out to all other replicas.
There is no way you can change this attribute back without doing a disaster
recovery for the domain.
The main thing here is that you don't have legacy DCs in the domain
anymore!!!

I can think of the following solutions to test the change of the mode
switch:
* Create a copy of the particular machine with the SNA application and test
that in a test environment
* Create a full backup of the particular DC with the SNA app, disable
OUTBOUND replication for that DC (REPADMIN) and change the mode switch. If
something goes wrong, restore the DC and enable replication again (the
latter is needed as the restored DC will receive the disabled state from the
other DCs).

Jorge
-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/20/2005 7:30 PM
Subject: [ActiveDir] Native Mode Switch

Sorry, hijacked the topic by mistake. Apologies.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: 20 April 2005 07:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

Eric, Joe, Al, Carlos, Guido: Question for you guys and the wider audience.
What happens EXACTLY in Win2k on a DC(s) when the native mode switch is
pushed, and what are the ramifications of changing the attribute back to
reflect mixed mode once this has happened?

I have a customer with a nervous disposition that doesn't believe me when I
say there ain't no way back that's supported without doing an AD DR.

Background is a business critical SNA application that HAS to live on a DC.
MS is cool about switching to native, but customer is REALLY nervous.


Any insight will be appreciated.
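Jorge's answer above comes down to two things: nTMixedDomain on the domain NC head replicates out like any other attribute, and the only safe way to trial the switch is to isolate one DC with repadmin. The PowerShell below is an added example, not code from the thread or from any of its participants: it reads nTMixedDomain (and msDS-Behavior-Version, where the schema has it) from a named DC so you can see what each replica holds, and wraps the repadmin option Jorge refers to. DC01 and DC02 are placeholder names; the attribute names and the repadmin switch are real.

```powershell
# Added example, not code from the thread. Reads the domain-mode markers from the
# domain NC head on a chosen DC, and wraps the repadmin switch Jorge suggests for
# isolating the DC under test. DC01 and DC02 are placeholders. PowerShell 3 or later.

function Get-DomainMode {
    param([string]$Server)   # omit to use whichever DC the locator picks

    $prefix  = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse = [ADSI]($prefix + 'RootDSE')
    $nc      = $rootDse.Properties['defaultNamingContext'].Value
    $domain  = [ADSI]($prefix + $nc)

    # nTMixedDomain: 1 = mixed, 0 = native. msDS-Behavior-Version exists only once
    # the schema is at Windows Server 2003 level, so it is $null on a 2000 forest.
    $mixed = [int]$domain.Properties['nTMixedDomain'].Value
    $dfl   = $domain.Properties['msDS-Behavior-Version'].Value

    [pscustomobject]@{
        Server        = $rootDse.Properties['dnsHostName'].Value
        DomainNC      = $nc
        nTMixedDomain = $mixed
        Mode          = if ($mixed -eq 1) { 'mixed' } else { 'native' }
        DFL           = $dfl
    }
}

# repadmin /options <dc> +DISABLE_OUTBOUND_REPL stops the DC sending changes to its
# partners (it still receives); -DISABLE_OUTBOUND_REPL clears the flag again.
function Set-OutboundReplication {
    param([Parameter(Mandatory = $true)][string]$Dc,
          [Parameter(Mandatory = $true)][bool]$Enabled)
    $flag = if ($Enabled) { '-DISABLE_OUTBOUND_REPL' } else { '+DISABLE_OUTBOUND_REPL' }
    & repadmin /options $Dc $flag
}

# Jorge's test, step by step. Before the switch every DC should report mixed (1).
'DC01', 'DC02' | ForEach-Object { Get-DomainMode -Server $_ } | Format-Table -AutoSize

# Isolate the DC that hosts the SNA application, raise the mode there only
# (Active Directory Domains and Trusts, or set nTMixedDomain to 0 on that DC),
# then confirm that the other DC still holds 1.
Set-OutboundReplication -Dc 'DC01' -Enabled $false
Get-DomainMode -Server 'DC01'
Get-DomainMode -Server 'DC02'

# Happy: let the change flow out. Unhappy: restore DC01 from the backup taken
# before the test and only then re-enable outbound replication on it, as Jorge
# notes, because the restored copy carries the disabled flag too.
Set-OutboundReplication -Dc 'DC01' -Enabled $true
```

Reading through a named DC rather than the locator's choice matters here: with outbound replication disabled on DC01, the two DCs legitimately disagree, and the point of the check is to see that disagreement rather than average it away.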


RE: [ActiveDir] Native Mode Switch

2005-04-21 Thread Nicolas Blank
I hear you. I do know what the switch achieves in terms of functionality, I
understand the literature, have done this, have explained the same to
clients, however I am faced with the question of why this is a
non-reversible switch?



RE: [ActiveDir] GC's

2005-04-20 Thread Nicolas Blank
Eric, Joe, Al, Carlos, Guido: Question for you guys and the wider audience.
What happens EXACTLY in Win2k on a DC(s) when the native mode switch is
pushed, and what are the ramifications of changing the attribute back to
reflect mixed mode once this has happened?

I have a customer with a nervous disposition that doesn't believe me when I
say there ain't no way back that's supported without doing an AD DR.

Background is a business critical SNA application that HAS to live on a DC.
MS is cool about switching to native, but customer is REALLY nervous.


Any insight will be appreciated.



[ActiveDir] Native Mode Switch

2005-04-20 Thread Nicolas Blank
Sorry, hijacked the topic by mistake. Apologies.


RE: [ActiveDir] Native Mode Switch

2005-04-20 Thread Nicolas Blank
Thanks for the answer. This is understood, however, what are the
implications of manually re-writing the nTMixedDomain value back to 1?
Also, what actions does a DC take once the value change is effected that
make the change non-reversible?

-Original Message-
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED] 
Sent: 20 April 2005 08:17 PM
To: 'Nicolas Blank '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Native Mode Switch

When you convert the domain to native mode the attribute nTMixedDomain on
the domain NC head of the replica where the change is made is changed from 1
to 0. This change replicates out to all other replicas.
There is no way you can change this attribute back without doing a disaster
recovery for the domain.
The main thing here is that you don't have legacy DCs in the domain
anymore!!!

I can think of the following solutions to test the change of the mode
switch:
* Create a copy of the particular machine with the SNA application and test
that in a test environment
* Create a full backup of the particular DC with the SNA app, disable
OUTBOUND replication for that DC (REPADMIN) and change the mode switch. If
something goes wrong restore the DC and enable replication again (the latter
is needed as the restored DC will receive the disabled state from the other
DCs.

Jorge
-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/20/2005 7:30 PM
Subject: [ActiveDir] Native Mode Switch

Sorry, hijacked the topic by mistake. Appologies.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: 20 April 2005 07:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

Eric,Joe,Al,Carlos,Guido Question for you guys and the wider audience.
What happens EXACTLY in Win2k on a DC(s) when the native mode switch is
pushed, and what are the ramifications of changing the attribute back to
reflect mixed mode one this has happened?

I have a customer with a nervous disposition that doesn't believe me when I
say there ain't no way back that's supported without doing a AD DR.

Background is a business critical SNA application that HAS to live on a DC.
MS is cool about switching to native, but customer is REALLY nervous.


Any insight will be appreciated.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.




[ActiveDir] GPO's not getting there

2005-04-15 Thread Nicolas Blank
I have a customer with small links and 1200+ WAN sites. Problem I'm having
is that without local DCs, GPOs aren't applied properly on the workstations
on logon, and the workstations are not locked down. The customer is not
willing to buy an extra 1200 DCs. Since WAN costs are a bit silly the size
of our pipes seems to be fixed as well. I don't really know how to get around
this without tattooing the registry for the currently logged-on user, but
that wouldn't give me the flexibility needed to achieve complete lockdown
either.
Any ideas around this?



RE: [ActiveDir] Recover exchange database file

2005-04-15 Thread Nicolas Blank
Daniel, have to agree with Al. Depending on the state of these DBs you may
have absolute garbage.
If the DB shut down in a dirty state and you don't have logs to replay:
problem, means a hard recovery.
If a hard recovery works you may only lose a little data. If a hard recovery
fails you have zero options as far as MS is concerned. There are DR shops out
there that specialise in rebuilding these if they make sense.

You can run eseutil and examine the header to check the database state. For
a bit of automation I've used a 3rd party tool here before, namely Recovery
Manager for Exchange. Even a demo (i.e. download and eval key) will tell you
quite quickly if the DB CAN be mounted or not, and if not attempts to
rebuild, but uses the same DLLs as eseutil in the background. That might save
you having to build a full Exchange environment to DR in.

Failing this, build a pristine AD, add Exchange, add an SG with DB names
that resemble yours, dismount it, swap your files in, attempt a remount, and
if all goes well you'll have a DB full of disconnected mailboxes. After
reconnection, exmerge is your friend ;)

Hope that helps.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: 15 April 2005 03:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover exchange database file

Have you read the disaster recovery whitepaper about Exchange on Microsoft's
site yet?  

My guess is that you don't have enough of the relevant information, but it's
possible you can salvage some of it.  There are also utilities out there
that might be helpful if you really want that data. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Kolvik
Sent: Thursday, April 14, 2005 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recover exchange database file

Hi,


anyone with experience on how to import edb files?

I had a crash and the only thing I could get out was the edb and stm files.


Regards,
Daniel


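The eseutil header check Nicolas mentions, as an added example that is not code from the thread: it assumes eseutil.exe is on the path and that its /mh output carries the "State:" and "Log Required:" lines an ESE database header prints, and it includes a constructed sample so the parser runs without a database.

```powershell
# Added example, not code from the thread: the eseutil /mh header check, with
# the two values that decide between log replay and hard recovery pulled out
# of the text output. eseutil.exe is assumed to be on the path.
function ConvertFrom-EseutilHeader {
    param([Parameter(Mandatory)] [string] $Text)

    # State is "Clean Shutdown" or "Dirty Shutdown"
    $state = if ($Text -match '(?m)^\s*State:\s*(.+?)\s*$') { $Matches[1] } else { 'Unknown' }

    # Log Required is the generation range the store still needs to replay
    # before the database is consistent; it is 0-0 on a cleanly shut down database
    $logRequired = if ($Text -match '(?m)^\s*Log Required:\s*(\d+)-(\d+)') {
        [pscustomobject]@{ First = [int]$Matches[1]; Last = [int]$Matches[2] }
    } else { $null }

    $clean = ($state -eq 'Clean Shutdown')
    [pscustomobject]@{
        State         = $state
        CleanShutdown = $clean
        LogRequired   = $logRequired
        # Dirty shutdown means every log in the range must be present for a soft
        # recovery; if those logs are gone you are in the hard recovery (eseutil /p)
        # territory the thread describes
        NeedsLogReplay = (-not $clean -and $null -ne $logRequired -and $logRequired.Last -gt 0)
    }
}

function Get-EdbHeaderState {
    param([Parameter(Mandatory)] [string] $DatabasePath)
    # Run against a dismounted database; stderr is merged so a failure is visible
    $output = & eseutil /mh $DatabasePath 2>&1 | Out-String
    ConvertFrom-EseutilHeader -Text $output
}

# Constructed sample of the relevant /mh lines, so the parser can be run without eseutil
$sampleHeader = @'
        State: Dirty Shutdown
 Log Required: 4660-4668 (0x1234-0x123c)
'@
ConvertFrom-EseutilHeader -Text $sampleHeader
```

For the constructed sample the result has CleanShutdown false and NeedsLogReplay true, which is the case where missing logs force the hard recovery Nicolas warns about.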


RE: [ActiveDir] Double Email Messages

2005-03-16 Thread Nicolas Blank




Are you the only person experiencing this problem?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: 16 March 2005 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Double Email Messages

No, no rules were reconfigured.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacqui Hurst
Sent: 16 March, 2005 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Double Email Messages

Have you recently configured any rules for your mailbox that could be causing the issue?

Jacqui

George Arezina [EMAIL PROTECTED] wrote:

  Hi folks,
  I realize this is a totally off-topic question, but seeing as there are many experts, I thought someone may have an idea. As of yesterday, I began receiving double emails from the same person, actually from anyone sending me an email. I receive a lot of emails, and it is a nuisance to have to go through and delete the double emails. If anyone has an idea, thanks in advance.
  Cheers
  George
  The exchange of messages with Stedionica Opportunity International A.D. Novi Sad via e-mail is not binding. Declarations regarding legal transactions must not be exchanged via this medium. The information contained in this e-mail message is confidential and intended exclusively for the addressee. Persons receiving this e-mail message who are not the named addressee (or his/her co-workers, or persons authorized to take delivery) must not use, forward or reproduce its contents. If you have received this e-mail message by mistake, please contact us immediately and delete this email message beyond retrieval.


RE: [ActiveDir] LDAP dir syncproduct to AD

2005-03-08 Thread Nicolas Blank
Good question. At this stage this is what I've been made aware of:
No RACF (phew)
LDAP Connector to mainframe - I haven't been told what version yet
User and attribute sync to AD from the mainframe is the primary goal. The
business centres around mainframe existence. If you don't exist on the
mainframe, you don't exist. This means that user provisioning AND identity
currently happen there as a start. At this point there's a TON of NT4
domains (around 600) that will be switched off. Users used to be created
automagically via a process from mainframe to NT4 domains, however users
were never killed off the NT domains when they died on the mainframe.

Going forward, this means that users will be synced from the mainframe via
LDAP - ergo the sync tool requirement to AD to a dump container.
Users from the NT domains will be merge migrated to a separate container,
and whatever is left behind will be investigated and killed. Migration tools
are in place to do this, that's the easy bit. The unknown entity is talking to
a mainframe via LDAP with no knowledge at this point of what flavour of LDAP
it's talking.

The Imanami product looks really fine on paper - generic LDAP
connectivity, attribute transformation, supports schema extensions, etc,
however I've never met anyone who's used it in anger. I'm trying to stay
away from a scripted solution, since object collision resolution, attribute
transformation, object matching, delta syncing, etc are pretty standard in
the tool world, without having to re-script the wheel.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: 08 March 2005 04:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP dir syncproduct to AD

I think Murray brings up some good points.  What are your requirements
exactly?  

To differentiate between the products (or others) you'll need to understand
what the ultimate goal is and what you have to work with.  For example, is
this a RACF sync?  Or LDAP or ??  What exactly needs to sync?  Passwords?
Accounts? 

Questions like that should help to differentiate.

Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Murray Wall
Sent: Tuesday, March 08, 2005 6:45 AM
To: ActiveDir@mail.activedir.org; Nicolas Blank
Subject: RE: [ActiveDir] LDAP dir syncproduct to AD


Nic, we have implemented Simple Sync, for roughly about 12 connectors and
are pleased with the tool.  It is syncing roughly 3 LDAP entries between
exchange 5.5, 2000 and 2003 organizations with the exchange 5.5 organization
being the root forest.  In my mind, it would depend on your needs, and if
you require a more advanced 'meta' directory.  Simple Sync is a FIFO sync
utility not a download all the updates to a meta dir, process them, then
resync out (sounds like a description for msmail t1,
t2 sync processes!) We are very pleased with the product and the support
we get from them.   I have no experience with the Imanami product.  If
you are looking for a LDAP in, LDAP out with transposing, or what have you,
I would definitely recommend the Simple Sync.

Murray Wall
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: Tuesday, March 08, 2005 1:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP dir syncproduct to AD

Hi all
Anyone ever have to choose between Simple Sync and Imanami Directory
Transformation Manager?
I'm talking to a mainframe via LDAP going to AD and on paper Imanami looks
the better choice.
Anyone have any recommendations either way?
I've seen simple sync mentioned at least once on this list and also know
it's maybe not the best product out there, even though it does the job and
am keen to get any feedback on anything else?

Thanks in advance for any feedback

Nic





[ActiveDir] LDAP dir syncproduct to AD

2005-03-07 Thread Nicolas Blank
Hi all
Anyone ever have to choose between Simple Sync and Imanami Directory
Transformation Manager?
I'm talking to a mainframe via LDAP going to AD and on paper Imanami looks
the better choice.
Anyone have any recommendations either way?
I've seen simple sync mentioned at least once on this list and also know
it's maybe not the best product out there, even though it does the job and
am keen to get any feedback on anything else?

Thanks in advance for any feedback

Nic



RE: [ActiveDir] OT: Exchange mailbox diff tool

2005-01-26 Thread Nicolas Blank
What you should look for are corrupted messages. These will typically be
exemplified by messages that cannot be moved, opened or deleted. You
might see event log entries either from the Exchange store or even from your
backup software, complaining about messages that can't be opened or
backed up.

Browsing your store with mdbview without knowing what you're looking for is
like browsing your registry in total ignorance, hoping you'll find something
suspicious.

Before you go in there I would suggest scanning your logs; if there's
nothing in there, then turn up your logging level and have another look. At
some stage, if there is something iffy about these mailboxes, then the
store will start complaining/informing you about it.

That's if the problem is in the store and not a malformed mail attribute on
the user object. What did you say your problem was?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: 27 January 2005 06:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange mailbox diff tool
 
I will start reading the mdbvu document, but any pointers on what I should
be looking for and how to look for it are appreciated.

Thanks


From: [EMAIL PROTECTED] on behalf of Steve Shaff
Sent: Wed 1/26/2005 4:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange mailbox diff tool
You could try mdbview to see the mailboxes, to see if there is some sort
of corruption.  But, without having any further information, it is
impossible for me to give you a definite answer.

Thanks,
S

*
Steve Shaff
Active Directory / Exchange Administrator
Corillian Corporation
(W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, January 26, 2005 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange mailbox diff tool

Haven't heard of any.  What's the problem?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, January 26, 2005 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange mailbox diff tool

I am having some problems with about 3 of 4000 mailboxes in an exchange
2003 environment and can not for the life of me figure it out. Are there
any
mailbox diff tools out there that I may be able to use to find the
differences between these mailboxes and the rest of them?



RE: [ActiveDir] Ladies and Gentleman, A complex AD/Exchange issue.

2004-11-08 Thread Nicolas Blank
Sounds like a process winning over technology issue here:

An inter-forest migration tool that will support a migration with SID history
and offer an ACL cleanup should do the job.

What you're looking for is

a) Transparency for your roving users

b) Consolidated accounts

c) ACL cleanup

I would advocate a SID-history type consolidation (unless you work for gov or
fin) as it gives you a reasonable time window to find and clean your ACLs
and then GET RID OF THEM, once they're done with.

Exchange accounts won't be too much of a problem, since you're migrating
mail from one account to another, and I would imagine you've done a bit
of work so that only one mailbox is authoritative for mail delivery at any
one time, or that you're syncing them constantly (unlikely). Again a good
migration tool will help you here; ideally what you're looking for is: pick
the authoritative mailbox, sync the mail data over, cut the mailbox over when
it's done and drop it.

Although you can go an awful long way if you have some script knowledge, I
would advocate a toolset here, since

a) object numbers in excess of 1000 users

b) a vendor to blame and support you to fix if something breaks

c) your butt in a sling if your scripted solution breaks against one of the
high ranking company officials, see point b)

In summary to your requirements below:

A good migration tool that supports a two way dir sync, including passwords,
would sort the issue if you can't use a single logon; it is the same forest
after all. Why not keep the single account, permission accordingly and use
Outlook in offline sync mode?

I might be thinking far too simplistically here?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: 05 November 2004 10:06 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Ladies and Gentleman, A complex AD/Exchange issue.

Background information:

There is a global Windows 2000 Active Directory forest with three primary
domains, Europe, Americas and Asia Pacific, as well as an empty forest root.

There is a single global Exchange 2003 organization with three administrative
groups; I'll let you guess how they are arranged.

The European market is in the process of migrating from HP Openmail to
Exchange.

The Americas market has always been using Exchange.

There is an expatriate program where business persons can travel abroad and
hold positions for a period of years in which they will eventually return home.
A great deal of these expatriates are high ranking company officials who
have been with the company for a number of years and therefore have their SID
associated with ACLs all over the place.

When an expatriate travels from Europe to the Americas, their account has
historically been maintained in both domains until their return to Europe.
This has introduced a number of issues with the Exchange migration, leading
the Europeans to issue a mandate that all 1500 of these expatriates choose
the account that they want to keep within the next two weeks. This solution
does not provide adequate customer service according to management.

My question is twofold:

1. Does anyone know of an easy way to consolidate accounts and mailboxes into
a single account and mailbox with an automated process that will preserve the
permissions to files, directories, etc. and still allow for the users' Openmail
to be migrated into that single remaining mailbox?

2. Once the migration is completed, how is the move from one domain to another
maintained as users begin new assignments and complete old ones so that their
account is easily moved to the alternate domain with no loss of permissions?

If anyone has any good solutions I would be happy to hear them; a quick
solution is needed to allow for the migration to continue.


RE: [ActiveDir] Delegation of group membership changes to add users and not to ad d other groups

2004-10-28 Thread Nicolas Blank
a) third party provisioning tools, Quest/Aelita/similar

b) run a scheduled script to strip out groups within groups every fifteen
minutes

c) publicly beat a helpdesk employee to make an example of them. Oops,
don't we do that anymore? ;)











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: 28 October 2004 12:16 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Delegation of group membership changes to add users and not to add other groups

Hi Everyone,

Our situation:

OU Groups with all security groups
OU Users with users
OU Tasks with a taskgroup named TK_ChangeGroupMembership
Helpdesk accounts are member of the group TK_ChangeGroupMembership

The group TK_ChangeGroupMembership has been delegated the control to change
group memberships of groups in the OU Groups. With this solution the helpdesk
has the possibility to add a user to a group. OK..., but the helpdesk also
has the possibility to add a group to another group (group nesting) AND WE DO
NOT WANT THAT! So we created a taskpad view so that the helpdesk only sees the
USERS OU. With the last solution the problem still exists because when the
helpdesk guys open the properties of a user in the USERS OU they still have
the possibility to request the properties of the groups the users are a
member of, and therefore they still can add a group to another group.

I think I've tried everything, but no solution until now...

Does any of you know how I could solve this?
Thanx!

Met vriendelijke groet / Kind regards,

Jorge de Almeida Pinto
Infrastructure Consultant
__

LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (IDT)
Kennedyplein 248, 5611 ZT, Eindhoven
Postbus 7089, 5605 JB Eindhoven
Tel: +31-(0)40-29.57.777
Fax: +31-(0)40-29.57.709
Mobile: +31-(0)6-26.26.62.80
E-mail: [EMAIL PROTECTED]

http://www.logicacmg.com/ - Solutions that matter -
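Option b) from Nicolas's reply, the scheduled script that strips nested groups out of the Groups OU, as an added example rather than code from the thread: it assumes the ActiveDirectory module (RSAT) and an OU path of OU=Groups,DC=example,DC=com, which is a placeholder.

```powershell
# Added example, not code from the thread: find, and optionally remove, group
# members that are themselves groups under the delegated Groups OU. Requires
# the ActiveDirectory module; the OU path below is a placeholder.
Import-Module ActiveDirectory

function Get-NestedGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $SearchBase   # e.g. "OU=Groups,DC=example,DC=com"
    )
    # Every security group in the OU, looking at direct members only
    Get-ADGroup -Filter 'GroupCategory -eq "Security"' -SearchBase $SearchBase |
        ForEach-Object {
            $parent = $_
            # A direct member whose objectClass is group is exactly the nesting
            # the helpdesk delegation was not meant to allow
            Get-ADGroupMember -Identity $parent |
                Where-Object { $_.objectClass -eq 'group' } |
                ForEach-Object {
                    [pscustomobject]@{
                        ParentGroup = $parent.DistinguishedName
                        NestedGroup = $_.DistinguishedName
                    }
                }
        }
}

function Remove-NestedGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [string[]] $AllowList = @()   # DNs of nested groups that are legitimate and must stay
    )
    Get-NestedGroupMembership -SearchBase $SearchBase |
        Where-Object { $AllowList -notcontains $_.NestedGroup } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.ParentGroup, "remove nested group $($_.NestedGroup)")) {
                Remove-ADGroupMember -Identity $_.ParentGroup -Members $_.NestedGroup -Confirm:$false
            }
        }
}

# Run this from a scheduled task every fifteen minutes; -WhatIf lists what would be removed
Remove-NestedGroupMembership -SearchBase 'OU=Groups,DC=example,DC=com' -WhatIf
```

Removal is reactive, so a nested group can exist for up to the task interval; the allow list is there because some nesting (role groups inside resource groups) is usually wanted.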








RE: [ActiveDir] What attribute determines the Schema Master Role?

2004-10-27 Thread Nicolas Blank
Further roles can be found on the fSMORoleOwner attribute on the following
partitions:

Primary Domain Controller (PDC) FSMO:
LDAP://DC=MICROSOFT,DC=COM

RID Master FSMO:
LDAP://CN=Rid Manager$,CN=System,DC=Domain,DC=COM

Schema Master FSMO:
LDAP://CN=Schema,CN=Configuration,DC=Domain,DC=Com

Infrastructure Master FSMO:
LDAP://CN=Infrastructure,DC=Domain,DC=Com

Domain Naming Master FSMO:
LDAP://CN=Partitions,CN=Configuration,DC=Domain,DC=Com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 27 October 2004 01:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] What attribute determines the Schema Master Role?


Look for the fSMORoleOwner attribute (DN format) on the object in question,
e.g.

CN=Schema,CN=Configuration,DC=myco,DC=com

fSMORoleOwner: CN=NTDS Settings,CN=Server1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=myco,DC=com

I don't know of an LDAP monitor as such, but you can set logging in such a
way that it shows all searches.  Have a look at Robbie Allen's AD Cookbook.
Also, this presentation provides some good info.

http://www.rallenhome.com/conferences/RAllen_LDAP_Searching.ppt

Tony
-- Original Message --
From: Sanz de Leon, Juan Carlos [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 27 Oct 2004 13:43:17 +0200

 

Dear gurus,

We recently had a problem where the Schema Master ROLE was not
recognized in the forest. Whenever we queried the DCs in our forest to
indicate the Schema Master, the answer gave an error. To solve the issue we
had to seize the Schema Master role using ntdsutil.

Now the question. What attribute in AD is the one that establishes who has
the different roles of the forest or domain? I know it is in the
configuration partition, probably under NTDS settings... What I don't know
is the attribute in AD that decides who has which role.

Anyone know of an LDAP monitor? Similar to regmon from sysinternals.

Thanks in advance,
Juan Carlos Sanz de León
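Reading fSMORoleOwner from the five objects Nicolas and Tony describe, as an added example and not code from the thread: it uses plain ADSI, takes the naming contexts from RootDSE instead of the DC=Domain,DC=COM placeholders, and the optional -Server parameter is mine so that each DC can be asked in turn when they disagree about a role holder.

```powershell
# Added example, not code from the thread: query fSMORoleOwner on the objects
# that carry each FSMO role, with naming contexts derived from RootDSE. Plain
# ADSI, no RSAT module needed.
function Get-FsmoRoleOwner {
    param([string] $Server)   # optional DC to bind to; default is the current domain

    $prefix   = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse  = [ADSI]"${prefix}RootDSE"
    $domainNC = $rootDse.defaultNamingContext.Value
    $configNC = $rootDse.configurationNamingContext.Value
    $schemaNC = $rootDse.schemaNamingContext.Value

    # Role -> object on which fSMORoleOwner is stored for it
    $roleObjects = [ordered]@{
        'PDC Emulator'          = $domainNC
        'RID Master'            = "CN=RID Manager`$,CN=System,$domainNC"
        'Infrastructure Master' = "CN=Infrastructure,$domainNC"
        'Schema Master'         = $schemaNC
        'Domain Naming Master'  = "CN=Partitions,$configNC"
    }

    foreach ($role in $roleObjects.Keys) {
        $owner = ([ADSI]"$prefix$($roleObjects[$role])").fSMORoleOwner.Value
        [pscustomobject]@{
            Role         = $role
            OwnerDn      = $owner
            OwnerDc      = ConvertFrom-NtdsSettingsDn -Dn $owner
            # A DN containing "\0ADEL:" points at a deleted NTDS Settings object:
            # the holder is gone and the role has to be seized, as Juan Carlos had to
            OwnerDeleted = ($owner -match '0ADEL:')
        }
    }
}

function ConvertFrom-NtdsSettingsDn {
    # "CN=NTDS Settings,CN=Server1,CN=Servers,CN=Site1,CN=Sites,..." -> "Server1 (Site1)"
    param([string] $Dn)
    if (-not $Dn) { return $null }
    # These RDNs never contain escaped commas, so a plain split is enough
    $rdns = $Dn -split ',' | ForEach-Object { $_ -replace '^CN=', '' }
    if ($rdns.Count -lt 4) { return $Dn }
    '{0} ({1})' -f $rdns[1], $rdns[3]
}

Get-FsmoRoleOwner | Format-Table Role, OwnerDc, OwnerDeleted -AutoSize
```

Running it with -Server against every DC and comparing the OwnerDn column shows whether the forest actually agrees on who holds each role, which is the check to make before seizing anything.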


RE: [ActiveDir] Maybe I'm just confused...

2004-09-29 Thread Nicolas Blank
Note the header below,
Cyrus didn't specify a valid domain suffix for his email address, and as a
result your mail clients/mail routing software are appending a domain.

Received: from mail.activedir.org ([64.245.160.7])
Received: from ams004.ftl.affinity.com [216.219.253.138] by
  mail.activedir.org with ESMTP
  (SMTPD32-8.11) id AEB024060124; Wed, 29 Sep 2004 01:57:04 -0400
Received: by ams.ftl.affinity.com id 313670-16943; Wed, 29 Sep 2004
  01:55:04 -0400
References: [EMAIL PROTECTED]
[EMAIL PROTECTED]
In-Reply-To: [EMAIL PROTECTED]
From:   cyrus
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] slow communication
Date: Wed, 29 Sep 2004 01:55:03 -0400
Mime-Version: 1.0
Content-Type: text/plain; format=flowed; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Message-Id:
[EMAIL PROTECTED]
Precedence: bulk
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kapil Arora
Sent: 29 September 2004 08:28 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Maybe I'm just confused...

It's quite strange.

I got this email with a From as [EMAIL PROTECTED],

which is quite strange as this is supposed to be our domain.

How is this spoof done? Is he just writing his name cyrus in the email
address field of the email client, and not specifying a complete/correct
email address?


Thanks
Kapil




Shadow Roldan said:

 This is very odd. I have been reading this list for a long time now. I'm
 an avid fan, I learn a lot keeping up with the geniuses on this
 newsgroup.

 Today, I caught this message "On Behalf Of [EMAIL PROTECTED]"

 Which is very odd to me, considering I am the IT manager at Zero G
 Software, Inc. and we own ZeroG.com.

 Who are you cyrus? And why are you mucking about with our domain names?
 Some kind of spammer harvesting addresses off this list? Scum of the
 earth? Misguided admin?

 I've attached the message headers for geek analysis, personally I find
 the affinity.com and thuiszorgeindhoven.nl domains to be highly suspect.

 Please stop with the faked headers, it's just annoying.
 Or maybe this is some silly bug in the list software that's being used,
 it looks and acts like list.org's mailman; maybe it's just an old version
 that's all buggy?

 Listadmin? Anything to say?

 Sincerely

 _

 Shadow Roldan
 IT Manager
 Zero G Software, Inc.

 tel: +1.415.512.7771 x 306
 cel: +1.415.370.3782
 fax: +1.415.723.7244
 mailto:[EMAIL PROTECTED]
 www.ZeroG.com

 The leading provider of multiplatform software deployment solutions.
 _



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: Tuesday, September 28, 2004 10:55 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] slow communication

 greetings paul,

 first, it's my first time to send a message to this site, need ur guidance on
 how i can send properly.

 we're doing an app, vb6 as front end and sql as backend, workstations r
 connected thru hubs, when we run the app it takes long to connect to the sql
 server database, thus we r receiving a msg relating to TIMEOUT EXPIRED

 my real problem is knowing where the prob is, is it the windows 2000
 server, sql 2000 server or the vb6 app designer or even the hubs we're using.
 but it was not like this b4...with this i dont have any idea how to solve or
 what to reconfigure.

 thanks

 cyrus




 Paul writes:

 Some more information on the systems might be handy (service packs,
 hotfixes, etc) and what kind of application.. and how are they
 connected ?
 And, perhaps somewhat offtopic, but.. how come you're mailing from our
 domainname.. ? (am-ende.net)

 Regards,

 Paul van Geldrop.

 - Original Message -
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, September 28, 2004 12:18 PM
 Subject: [ActiveDir] slow communication



 greetings,

 first of all i'm not sure where the problem is, we have windows 2000 server
 and SqlServer 2000, when we execute a vb6 application to access sql server
 it's very frequent that we r receiving TIMEOUT EXPIRED, I'm not sure if
 SQLServer or windows 2000 server or VB6 is causing the problem. coz i dont
 have any idea on how, or if there is any, a way to test and identify the
 problem. any suggestion?

 thnks
 cyrus

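A parser for the header block Nicolas quotes, as an added example rather than code from the thread: it unfolds continuation lines the way RFC 822 defines them, orders the Received hops as the mail actually travelled, and flags a From address with no domain part, which is the condition he points at. The sample header is constructed from the lines quoted above.

```powershell
# Added example, not code from the thread: unfold a raw header block, order the
# Received hops in transit order and flag a From with no domain part.
function ConvertFrom-MailHeader {
    param([Parameter(Mandatory)] [string] $RawHeader)
    $fields = @()
    foreach ($line in ($RawHeader -split "`r?`n")) {
        if ($line -match '^[ \t]+(\S.*)$') {
            # Folded continuation line: belongs to the previous field
            if ($fields.Count -gt 0) { $fields[-1].Value += ' ' + $Matches[1].Trim() }
        }
        elseif ($line -match '^([!-9;-~]+):[ \t]*(.*)$') {
            # Field name is printable ASCII except colon; repeats (Received) are kept in order
            $fields += [pscustomobject]@{ Name = $Matches[1]; Value = $Matches[2].Trim() }
        }
    }
    return $fields
}

function Test-MailHeader {
    param([Parameter(Mandatory)] [string] $RawHeader)
    $fields = ConvertFrom-MailHeader -RawHeader $RawHeader
    $from = ($fields | Where-Object { $_.Name -eq 'From' } | Select-Object -First 1).Value

    # Each hop prepends its own Received line, so reading them bottom-up gives
    # the path the message took, starting at the originating system
    $hops = @($fields | Where-Object { $_.Name -eq 'Received' } | ForEach-Object { $_.Value })
    [array]::Reverse($hops)

    [pscustomobject]@{
        From           = $from
        # A bare local part: the next hop appends its own domain, which is how
        # the address ends up wearing somebody else's domain name
        FromHasDomain  = [bool]($from -match '@[^\s>]+\.[^\s>]+')
        OriginatingHop = $hops[0]
        Path           = $hops
    }
}

# Constructed from the header block quoted in the thread
$sample = @'
Received: from mail.activedir.org ([64.245.160.7])
Received: from ams004.ftl.affinity.com [216.219.253.138] by
  mail.activedir.org with ESMTP
  (SMTPD32-8.11) id AEB024060124; Wed, 29 Sep 2004 01:57:04 -0400
Received: by ams.ftl.affinity.com id 313670-16943; Wed, 29 Sep 2004
  01:55:04 -0400
From: cyrus
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] slow communication
'@
Test-MailHeader -RawHeader $sample
```

For the sample, FromHasDomain is false and OriginatingHop is the ams.ftl.affinity.com line, which matches Nicolas's reading that the domain was added in transit rather than forged by the sender.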

RE: [ActiveDir] Exchange and AD E-mails

2004-08-03 Thread Nicolas Blank








You'll notice that those permissions on the store object aren't explicit, but
inherited, and to use Joe's Exchange as an example are defined here:

CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=rendition networks,DC=com

as

Allow DOMAIN\Exchange Domain Servers: List Children, Read All Properties, Read Permissions

The two other places where permissions are detailed explicitly are on the org:

CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=rendition networks,DC=com

and simply a

Deny DOMAIN\Exchange Domain Servers: Receive As

on the servers container:

CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=rendition networks,DC=com

I've managed to break Exchange by switching off inheritance in E2k on an
admin group or server container, after which email from new servers joining
the org could not send mail to servers already existent, or other similar
probs. You'll notice some interesting things browsing ACLs in Exchange, and
how they change subtly after service pack applications. I remember an SP
rewriting base public folder permissions at one stage, which was rather
upsetting in a legal environment ;)

Suggest you switch permission inheritance back on if you have switched it
off, and permission explicitly where required and on the right levels if you
HAVE to, so that

a) mail flow won't break due to missing permission on the Exchange servers
group and

b) since there are so few places where ACLs are written explicitly, you'll
have a better idea, i.e. things will be slightly more self documenting (did I
mention that word?) when you're trying to figure out what changed six months
after the fact.

Suggest you document your default permissions somewhere or have a second org
in a lab so that you can compare what's different in the future if something
breaks. I once spent a week chasing an NDR after figuring out that I switched
something off somewhere and forgot where I did it. Document? ;).


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: 02 August 2004 11:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange and AD E-mails

Because I was playing with permissions. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, August 02, 2004 4:53 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange and AD E-mails

Why wouldn't Exchange Domain Servers have the appropriate permission in your
environment? Something get changed recently?

Any event log entries on the Exchange servers?

-Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Monday, August 02, 2004 3:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange and AD E-mails

Yeah, I just played with this a little bit.

If Exchange Domain Servers doesn't have write access, I get a bounce.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, August 02, 2004 2:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange and AD E-mails

I've got to back off the drinking apparently ;)

ACLs very well can prevent mail delivery.

Al

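One way to capture the "few places where ACLs are written explicitly" on the Exchange org as a baseline and diff it later, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module (its AD: drive) on a domain-joined admin host; the org name is the one from the post and the CSV paths are placeholders.

```powershell
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
# Org name taken from the post above; substitute your own.
$orgDN = "CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,$configNC"

function Get-ExplicitExchangeAces {
    param([Parameter(Mandatory)][string]$SearchBase)
    # Walk the org tree and keep only ACEs that are NOT inherited, plus any
    # object where inheritance has been switched off: exactly the things
    # you want written down before you go looking six months later.
    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter '(objectClass=*)' |
      ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{ DN = $dn; Identity = '(inheritance blocked)'; Type = ''; Rights = ''; ObjectType = '' }
        }
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            [pscustomobject]@{
                DN         = $dn
                Identity   = $ace.IdentityReference.Value
                Type       = $ace.AccessControlType.ToString()
                Rights     = $ace.ActiveDirectoryRights.ToString()
                ObjectType = $ace.ObjectType.ToString()   # extended right / property GUID; all zeros = whole object
            }
        }
      }
}

# Baseline once (the post suggests doing the same on a lab org) ...
$baseline = 'C:\audit\exchange-acl-baseline.csv'   # placeholder path
$current  = 'C:\audit\exchange-acl-current.csv'    # placeholder path
if (-not (Test-Path $baseline)) {
    Get-ExplicitExchangeAces -SearchBase $orgDN | Export-Csv $baseline -NoTypeInformation
}

# ... and when mail flow breaks, diff against it instead of hunting by hand.
Get-ExplicitExchangeAces -SearchBase $orgDN | Export-Csv $current -NoTypeInformation
Compare-Object (Import-Csv $baseline) (Import-Csv $current) -Property DN, Identity, Type, Rights, ObjectType |
  Select-Object DN, Identity, Type, Rights, ObjectType,
                @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'added' } else { 'removed' } } } |
  Format-Table -AutoSize
```

A row whose Identity reads "(inheritance blocked)" is an object where someone switched inheritance off, which is the first thing the post says to undo.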
RE: [ActiveDir] Deleted Objects container

2004-08-02 Thread Nicolas Blank
Do you want to view the container, or what's in it? The container can't be
exposed to something like ADUC, but can be viewed with LDP, etc., where an
ACL edit of sorts can be done.

If you're looking to display deleted objects, that's quite easy; look at
this to start off with:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;258310
Using LDP in this scenario is quite easy, but this is also scriptable.
An LDAP query can be built using what's exposed in the article; let me know
if you get stuck.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 02 August 2004 05:04 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Deleted Objects container

Hi all

Does anyone know how to view and change permissions on the Deleted Objects
container?  The container is hidden from the UI tools, but I suspect there
is a way to do it programmatically.

Tony 
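
Listing what is in the Deleted Objects container and reading its ACL, as an added example that is not from the post. It assumes the ActiveDirectory module on a Windows Server 2008 R2 or later domain controller; the post's own route was LDP with the Show Deleted Objects control from the KB article above, which Get-ADObject -IncludeDeletedObjects sends on your behalf.

```powershell
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$deletedCN = "CN=Deleted Objects,$domainDN"

function Get-RecentlyDeletedObjects {
    param([int]$Days = 7)
    # Tombstones keep only a few attributes. lastKnownParent says where the
    # object lived and whenChanged is (close to) the deletion time, which
    # is usually what an incident timeline needs; objectSid survives too.
    Get-ADObject -SearchBase $deletedCN -IncludeDeletedObjects `
                 -LDAPFilter '(isDeleted=TRUE)' `
                 -Properties lastKnownParent, whenChanged, objectSid, sAMAccountName |
      Where-Object { $_.whenChanged -ge (Get-Date).AddDays(-$Days) } |
      Sort-Object whenChanged -Descending |
      Select-Object whenChanged, ObjectClass, Name, sAMAccountName, objectSid, lastKnownParent
}

Get-RecentlyDeletedObjects -Days 30 | Format-Table -AutoSize

# The container's ACL is the part the UI tools hide. Only a small built-in
# set of principals can read it by default, so run this on a DC as a domain
# administrator. dsacls can also grant or revoke rights here (/G, /R), but
# widening who may read tombstones means widening who can see old names
# and SIDs, so keep it to the people who actually need recovery rights.
dsacls $deletedCN
```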


RE: [ActiveDir] AD and printer admins

2004-07-28 Thread Nicolas Blank
The easiest way of figuring out what rights you need to do anything on a
member server, AD, service right delegation etc., is to turn on auditing
on success/failure and try what you're doing again. Read the security event
log, and the rights that are missing are exposed in the failure log. This
allows you to isolate the rights/special rights or ACLs required to
accomplish your task.
You'll see some interesting changes between win2k/win2k3 as some things have
become simpler, e.g. only three delegated object rights needed to delegate
Authorise DHCP, or one special right on the domain object to allow use of
SidHistory, etc.
But I digress.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: 27 July 2004 11:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and printer admins

That lets them modify current printers yes.  But not create new ones.
Which is my dilemma.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info
Sent: Tuesday, July 27, 2004 4:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and printer admins

Make an OU for desktop support, add users there.
In printer properties > security tab, add the OU there and give full
rights...

Never tried but guess that's the way.

Gr J

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Tuesday, 27 July 2004 22:21
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD and printer admins


Is there a way within AD and other security settings to allow a Desktop
Support section the ability to create and maintain printers without
putting them into the local admin group on the servers.  Currently we
are not using the Printers OU for AD.  The printers are added the old
way thru the add printer wizard.  

Jeff


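The audit-then-retry procedure from the reply above, as an added example that is not from the post. It assumes a Windows Server 2008 or later box: auditpol and Get-WinEvent postdate the 2004 post, which used the Local Security Policy console and Event Viewer for the same steps.

```powershell
param(
    [string]$Subcategory = 'File System',   # e.g. 'Directory Service Access' when the task touches AD objects
    [int]$Minutes = 10
)

# Step 1: switch on failure auditing for the subcategory the task touches.
auditpol /set /subcategory:"$Subcategory" /failure:enable | Out-Null

# Step 2: retry the failing task now (add printer, delegate, whatever), then
# read back the failure audits it produced.

function Get-RecentAuditFailures {
    param([int]$Minutes)
    # 0x10000000000000 is the "Audit Failure" keyword. Failed object-access
    # events (4656/4663 for files and registry, 4662 for directory objects)
    # carry the object and the access mask that was refused: the mask is the
    # right you are missing.
    $auditFailure = 0x10000000000000
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Keywords  = $auditFailure
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Subject = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            Object  = $data.ObjectName
            Access  = $data.AccessMask      # hex access mask that was denied
            Process = $data.ProcessName
        }
    }
}

Get-RecentAuditFailures -Minutes $Minutes | Format-Table -AutoSize

# Step 3: switch it off again once the required right is known, unless you
# want to keep the failure audits as a standing detection.
auditpol /set /subcategory:"$Subcategory" /failure:disable | Out-Null
```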


RE: [ActiveDir] Another question

2004-07-26 Thread Nicolas Blank
Neither one of them is more efficient, but one is more compliant than
the other to the X.500 user definition.
If you are interoperating with other directories or products with Directory
Connectors, then inetOrgPerson is the preferred class of object to
use for the sync job. This precludes you from having a directory full of
duplicate objects, because the user class could not be interoperated with.

One advantage of the closeness of the classes (have a look at the class
inheritance tree: inetOrgPerson is derived via the user class) is that in
Win2k3 forest mode you can convert one kind of object into another, i.e.
user to inetOrgPerson, or vice versa, without too much trouble. Possible even
with ADSIEdit/LDP/VBS, etc.

Both classes authenticate (are security principals), can have mailboxes,
group memberships, etc., etc. If you don't have an interoperability
requirement, then stick with the user class; however, if you have an
external sync requirement (I know one of the SAP connectors talks
inetOrgPerson), then your choice is made for you.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: 26 July 2004 11:54 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Another question

Thanks a lot for your answer.

I have an another question :

What is the difference between the class user and inetorgperson ? What's the
most efficient of the two classes?


Thanks again

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex



-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Monday, 26 July 2004 11:09
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Attributes terminal services path



Olivier

You can't read (or create) Terminal Services properties using CSVDE or any
LDAP based tool.  

One option is to use the TScmd free tool:

http://www.systemtools.com/free_frame.htm

Alternatively, you can try the scripting method using IADsTSUserEx, as
described here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/termserv/termserv/iadstsuserex.asp

Cheers
Tony


-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Mon, 26 Jul 2004 10:20:23 +0200

Hello,

I'm trying to create a csvde file to create my account in AD. Everything is
ok, but I can't find attributes for terminal service path.

How can I modify terminal service path by CSVDE ?

Thanks, 

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex




RE: [ActiveDir] Display specifier dsa.msc

2004-07-22 Thread Nicolas Blank
Cannot do this with a display specifier; you will have to create your own
DLL to do this and register it on every machine where you want the extension
to be visible.

Have a look in the archive for this list for some detailed posts on
this.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Olivier BATARD
Sent: 22 July 2004 03:33 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Display specifier dsa.msc

Hello,

I want to migrate a NT4 domain to 2003.

I need to display the attribute employee-number in dsa.msc, on the user's
properties. With a display specifier? Do I need to create a DLL?

How can I do that ?

Thanks,

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex


RE: [ActiveDir] HELP URGENT how to recover exch2000 admin account d eleted

2004-06-01 Thread Nicolas Blank

Exchange Server 2003 Deployment Guide, page 84/85:

The account you use to run ForestPrep must be a member
of the Enterprise Administrator and the Schema Administrator groups. While you
are running ForestPrep, you designate an account or group that has Exchange
Full Administrator permissions to the organization object. This account or
group has the authority to install and manage Exchange 2003 throughout the
forest. This account or group also has the authority to delegate additional
Exchange Full Administrator permissions after the first server is installed.

Exchange Server 2003 Deployment Guide, page 86:

DomainPrep creates the groups and permissions
necessary for Exchange servers to read and modify user attributes.

Exchange Server 2003 Deployment Guide:
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/depguide.mspx

The functionality described above has not
changed significantly since Exchange 2000. Hope that helps.


-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 01 June 2004 08:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HELP
URGENT how to recover exch2000 admin account d eleted



I think Domain Prep will do in reassigning those rights
instead of Forest Prep. Please correct me if I am wrong.

Regards,
Mohammed Athif Khaleel
Asst. Network Engineer
AlFaisaliah Group Information Technology
Tel.: +966-1-461-0077 x.209
Mobile: +966-509774015
Email: [EMAIL PROTECTED]

Save Internet, Keep all the systems patched
Web: http://alfaisaliah.com




-Original Message-
From: Nicolas Blank [mailto:[EMAIL PROTECTED]]
Sent: Monday, 31 May 2004 8:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HELP URGENT how to recover exch2000 admin account d eleted



Authoritative restore, or if you can't recover this
puppy, re-run forest prep and nominate another account.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Clist
Sent: 31 May 2004 06:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] HELP URGENT how to recover exch2000 admin account deleted

I have deleted the exch2000 administrator account,

how can I recover this account?

Thanks
-- 

-

Clister UAH 
-



RE: [ActiveDir] exchange 5.5, active directory and ADC

2004-06-01 Thread Nicolas Blank

Correct; suggest, since you haven't
worked with the ADC before, that you lab/vmware this at least once, and document
your process before trying this in production. This way you'll have
something to work with without being tempted to tick any options you haven't
seen work in the lab before.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chaudhary, Amit
Sent: 01 June 2004 11:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] exchange 5.5, active directory and ADC



Sorry

But want to make sure I'm understanding you here. You suggesting set schedule
to never, until the ADC is in place and working ok? Then moving it to a
schedule? We don't plan to completely shut down the old exchange server
for a few weeks at least.

Anything else I should be aware of adding the ADC in terms of this migration to
Exchange 2003?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: 01 June 2004 10:39
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] exchange 5.5, active directory and ADC





Yip, the AD container/OU is selectable whilst creating the recipient agreement
connection. Suggest the first thing you configure is setting your schedule to
NEVER, and finish your other bits and pieces.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chaudhary, Amit
Sent: 01 June 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] exchange 5.5, active directory and ADC



Nick,

Cheers, can you configure ADC to create any accounts it needs to in a separate
container in the AD?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: 01 June 2004 10:04
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] exchange 5.5, active directory and ADC





Amit,

Depending on how the accounts were created, it is possible to use the ADC to match
accounts already existing in AD. If no match is found for a 5.5 mailbox, a
duplicate account will be created in AD. The default matching rule will
match the 5.5 associated-NT-Account field to the AD account's sid or
sidHistory attribute. You may extend the matching rules in the ADC so
that you can match RDN to CN or a mail alias to samaccountname if you have a
match between those. I strongly suggest you read the article below:

Understanding and Deploying Exchange 2000 Active Directory Connector
http://www.microsoft.com/downloads/details.aspx?FamilyID=c763b584-c511-4687-b27f-a13a8f82d4c8&displaylang=en

If you configure your ADC incorrectly, you may only have duplicate accounts, but at
worst case you might lose mail.






-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chaudhary, Amit
Sent: 01 June 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] exchange 5.5, active directory and ADC



Hi

This may be a bit off topic, but I was hoping to get some advice from the list.

I have a Windows 2000 active directory environment; one of my Windows 2000
servers is running exchange 5.5 (not a DC). We have been considering moving to
exchange 2003; the migration method was to join exchange 2003 to the existing
site, move the mailboxes and then bring down the old server. The problem is
that I have come across the Active Directory Connector and I wanted to get some
more information on this, as I have been told it has not been installed on my
site, i.e. the 5.5 directory is not updating the active directory and vice
versa.

If we were to install the Active Directory Connector, would exchange create new
accounts in my AD for all the mailboxes I have in my mail system, or will it
see that active directory accounts are already created? The AD accounts are
created as "firstname lastname", but the display names for our email accounts
are "lastname, firstname". What will be the overall effect on my AD of
installing this connector and enabling bi-directional communication?



Regards



Amit


RE: [ActiveDir] Looking for a tool that displays SID

2004-05-31 Thread Nicolas Blank

Bind to the object using the LDAP:// or the WINNT:// provider and output to
screen as below, pipe it or write it where needed.

Can't claim this as my own; the source is Richard Mueller:

http://groups.google.co.uk/groups?q=Function+HexStrToSidStr(strSid)&hl=en&lr=&ie=UTF-8&selm=eCCenuyPDHA.2228%40tk2msftngp13.phx.gbl&rnum=1







SNIP

Option Explicit
Dim strSid, objUser

' Bind with the LDAP provider (the WinNT provider works the same way) and
' read the binary objectSid, which comes back as an octet string.
Set objUser = GetObject("LDAP://cn=TestUser,ou=Sales,dc=MyDomain,dc=com")
strSid = OctetToHexStr(objUser.objectSid)

Wscript.Echo HexStrToSidStr(strSid)

Function HexStrToSidStr(strSid)
    ' Convert the hex string (two characters per byte) to the usual
    ' S-<revision>-<authority>-<sub-authority>...-<RID> text form.
    Dim arrbytSid, dblTemp, intCount, j, k

    ReDim arrbytSid(Len(strSid)/2 - 1)
    For j = 0 To UBound(arrbytSid)
        arrbytSid(j) = CInt("&H" & Mid(strSid, 2*j + 1, 2))
    Next

    ' Byte 0 is the revision, byte 1 the number of sub-authorities and
    ' bytes 2-7 the identifier authority (big-endian; 5 = NT authority).
    intCount = arrbytSid(1)
    dblTemp = CDbl(0)
    For j = 2 To 7
        dblTemp = dblTemp * 256 + arrbytSid(j)
    Next
    HexStrToSidStr = "S-" & arrbytSid(0) & "-" & CStr(dblTemp)

    ' Each sub-authority is a 32-bit little-endian value from byte 8 on.
    ' Doubles are used because a Long cannot hold values above 2^31-1,
    ' and the last sub-authority (the RID) is read as a full 32 bits.
    For j = 0 To intCount - 1
        dblTemp = CDbl(0)
        For k = 3 To 0 Step -1
            dblTemp = dblTemp * 256 + arrbytSid(8 + 4*j + k)
        Next
        HexStrToSidStr = HexStrToSidStr & "-" & CStr(dblTemp)
    Next
End Function

Function OctetToHexStr(arrbytOctet)
    ' Function to convert OctetString (byte array) to Hex string.
    Dim k
    OctetToHexStr = ""
    For k = 1 To LenB(arrbytOctet)
        OctetToHexStr = OctetToHexStr _
            & Right("0" & Hex(AscB(MidB(arrbytOctet, k, 1))), 2)
    Next
End Function

SNIP

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: 31 May 2004 10:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID

LDP won't work for NT; it uses the LDAP API.



CM


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, May 25, 2004 6:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID

The LDP.exe should do it for the AD side of the house, not sure about the NT side



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lanci, Richard
Sent: Tuesday, May 25, 2004 11:59 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Looking for a tool that displays SID

In the middle of a migration from NT4 to AD and am looking for a tool that
will display the SIDs (NT and AD) of migrated users. We are using the NetIQ
product for the user/computer migration.

Thanks in advance 

RE: [ActiveDir] HELP URGENT how to recover exch2000 admin account deleted

2004-05-31 Thread Nicolas Blank
Authoritative restore, or if you can't recover this puppy, re-run forest
prep and nominate another account.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clist
Sent: 31 May 2004 06:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] HELP URGENT how to recover exch2000 admin account
deleted

I have deleted the exch2000 administrator account,

how can I recover this account?

Thanks
-- 

-
Clister UAH
-


RE: [ActiveDir] Users file permission display on intranet page or to file

2004-05-27 Thread Nicolas Blank

Lots of third party tools to do this. I did exactly this for a client the
other day using Quest Reporter: published to HTML, Excel, whatever,
automatically collected into a DB for auditing; it was an auditing requirement
for a health provider.

File/folder mods can be tracked using auditing on object access on the
file/print box. Again used Reporter for this to store the logs (audit
requirement) and report on them on an exception basis. It's not the only tool
out there, but it fitted the client's requirement to a T: no agents on any
boxes, track file/folder/share ACLs and compare over time what was modified
and by whom.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kenny Lee
Sent: 27 May 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Users file permission display on intranet page or to file





Hello, 





I have a query here. I would like to track the permission on a specified
folder for users (Modify, Full Control, etc. etc.) that can display on the
intranet page or any other ways. Is there any tool that can do this? Would be
great too if there is any way that can put the data into an Excel file. This
is to know the person that modifies the file/folder permissions as well as to
know the latest file/folder permission that the users are having.

Thanks.

rgds,
ken


RE: [ActiveDir] Extending ADUC

2004-04-23 Thread Nicolas Blank

If you want to have something show up on the users property pages, then
you need to register a handler to do so, see the MSDN link.


http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/extending_the_user_interface_for_directory_objects.asp

For another view on this, see this link:
http://www.experts-exchange.com/Networking/Microsoft_Network/Q_20814794.html


If you want to register a script to display a value and allow you to
edit it, that's a LOT easier, i.e. right click on an object (user in
this case) and have extra options on the context menu that execute a
custom script to display and modify.

You can do this by browsing to the display specifier for your language,
i.e. in ADSIEDIT browse to CN=Configuration,DC=domain,DC=com
expand DisplaySpecifiers
expand your language; English is 409
show the properties for CN=user-Display
show properties for contextMenu
and add values in the following format:

order,display value,path_to_script
E.G. a value I have is:
11,Show Value,\\server\share\script.vbs

The script doesn't need to be complicated in this case, as all you're
doing is displaying a value with an option to change it; the ADUC GUI
passes the object reference as a command line argument to the script.

In this script example, I'm displaying the user's description attribute
with a GUI option to change it.

BEGIN SCRIPT

' ADUC passes the ADsPath of the selected object as the first argument.
Set wshArguments = WScript.Arguments
Set objUser = GetObject(wshArguments(0))

' Show the current description and let the admin type a new one.
sName = InputBox("Enter a new description", "Description Box", objUser.description)
If sName = "" Then WScript.Quit ' user clicked cancel (or cleared the box)

objUser.description = sName
objUser.SetInfo

END SCRIPT

Note that the attribute showInAdvancedViewOnly affects the visibility of
this item as well, which means that you may choose to only have this new
menu item pop up when "show advanced" is chosen.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: 22 April 2004 10:40 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Extending ADUC

Hi,

Is it possible to modify the User Property Pages (GUI) to include a
Employee 
ID or Number attribute within a user object.

Thanks,

_
FREE pop-up blocking with the new MSN Toolbar - get it now! 
http://toolbar.msn.com/go/onm00200415ave/direct/01/

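Adding the contextMenu value the post walks through in ADSIEDIT, as an added example that is not code from the post. It assumes the ActiveDirectory module; the display specifier DN follows the path given above (CN=409 is English) and the script path is the post's own placeholder.

```powershell
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$userDisplay = "CN=user-Display,CN=409,CN=DisplaySpecifiers,$configNC"
$entry       = '11,Show Value,\\server\share\script.vbs'   # order,display value,path_to_script (post's placeholder)

function Add-UserContextMenu {
    param([Parameter(Mandatory)][string]$Entry)
    # contextMenu is multi-valued and the leading number orders the items,
    # so refuse an order that is already in use instead of silently adding
    # a second item with the same position.
    $existing = @((Get-ADObject $userDisplay -Properties contextMenu).contextMenu)
    $order    = ($Entry -split ',')[0]
    if ($existing | Where-Object { ($_ -split ',')[0] -eq $order }) {
        throw "contextMenu order $order is already used: $($existing -join '; ')"
    }
    Set-ADObject $userDisplay -Add @{ contextMenu = $Entry }
}

Add-UserContextMenu -Entry $entry

# Whoever can write to \\server\share, or to contextMenu on this display
# specifier, runs code as every admin who clicks the menu item. Keep the
# share read-only for everyone except the script owner, and review who
# holds write rights on the specifier itself:
(Get-Acl -Path "AD:\$userDisplay").Access |
  Where-Object {
      $_.AccessControlType -eq 'Allow' -and
      $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner'
  } |
  Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

# Read back the menu as ADUC will see it.
(Get-ADObject $userDisplay -Properties contextMenu).contextMenu
```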


RE: [ActiveDir] User to InetOrgPerson Class

2004-04-21 Thread Nicolas Blank
I have chased MS on this for an official KB article without success. I
have done this in production without any hassles though, on exactly the
same scenario you described: third party kit that likes inetOrgPerson
better than the user class.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: 21 April 2004 02:40 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] User to InetOrgPerson Class

Using pure ldap logic, One would assume that is the case.  I guess I 
was hoping someone had stumbled across a kb article so that once this 
is done in production, I have an endorsed Microsoft methodology to take 
to management.


On Apr 21, 2004, at 8:12 AM, Ulf B. Simon-Weidner wrote:

 Hello Brent,

 this is very easy to accomplish: you just need to add the inetOrgPerson
 class to the objectClass attribute of the user using adsiedit or a
 script.

 Ulf

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
 Sent: Tuesday, 20 April 2004 21:18
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] User to InetOrgPerson Class

 Does anyone know of a Microsoft endorsed way to change a win2k3 user object
 to an InetOrgPerson object without having to export the information and
 reimport it?  There is a potential that some of our clients will need to
 interact with active directory from an alternate client.  This change would
 be more easily supported if the user were defined as an InetOrgPerson.

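The in-place class change described in this thread and in the "Another question" reply further up (add inetOrgPerson to objectClass, or remove it again for the vice versa case), as an added example that is not code from either post. It assumes the ActiveDirectory module, a forest at Windows Server 2003 functional level or higher, and a placeholder user DN.

```powershell
Import-Module ActiveDirectory

function Convert-UserToInetOrgPerson {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [switch]$Revert    # take the inetOrgPerson value off again (the "vice versa" case)
    )
    # The thread's precondition: objectClass can only be changed in place once
    # the forest is at Windows Server 2003 functional level.
    $mode = (Get-ADForest).ForestMode
    if ($mode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest) {
        throw "Forest functional level $mode does not allow in-place objectClass changes"
    }

    # Same LDAP modify that adsiedit sends when you add a value to objectClass.
    $obj     = [ADSI]"LDAP://$DistinguishedName"
    $classes = @($obj.objectClass)
    if ($Revert) {
        if ($classes -notcontains 'inetOrgPerson') { return $classes }
        $obj.PutEx(4, 'objectClass', @('inetOrgPerson'))   # ADS_PROPERTY_DELETE
    } else {
        if ($classes -contains 'inetOrgPerson') { return $classes }
        $obj.PutEx(3, 'objectClass', @('inetOrgPerson'))   # ADS_PROPERTY_APPEND
    }
    $obj.SetInfo()
    $obj.RefreshCache()
    return @($obj.objectClass)
}

# Placeholder DN; the object keeps its SID, group memberships and mailbox,
# only the class chain gains (or loses) the inetOrgPerson leaf.
Convert-UserToInetOrgPerson -DistinguishedName 'CN=Jane Doe,OU=Sales,DC=example,DC=com'
```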


RE: [ActiveDir] Migration Dilemma

2004-04-16 Thread Nicolas Blank
sAMAccountName: if old and new match then they can be considered the
same. ADC does similar matching, although it can be extended to do
matches on EX5.5 primary NT account to an AD account's sidHistory.

Since you've done script population, you need to match on a similar
attribute. If nothing matches, you can use the route mentioned below,
after doing your matching manually in Excel.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: 15 April 2004 04:56 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Migration Dilemma

From what I remember, there is an option in ADMT to merge accounts from a
source domain if a similar account exists in the target domain. I think
it's handled in the Naming Conflicts section of ADMT. I can't recall which
attributes it uses to determine what constitutes a matching/conflicting
account, but there may be something in the documentation. You can migrate
the groups first, without the members, and then have the user account
migrations update/correct the group memberships. This should also allow you
to pull SIDHistory along.

Alternatives would include a batch/script process to clone the groups and
repopulate the members, and subinacl.exe from the resource kit to handle the
file permissions. Or you could go with one of the migration tools that
others have mentioned.

Hunter



From: Morris, Adam [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 15, 2004 7:41 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Migration Dilemma


Hunter,
The user accounts were all created by a script and an email was sent to the
new account so it became a mailbox.  Permissions were then assigned to the
mailbox to allow the NT 4 domain account owner rights to the mailbox so they
are still authenticating with the old domain controllers.  There is an
Exchange 5.5 and ADC in the mix but it is at another site so hopefully this
won't cause any issues.

Basically we just want to migrate the groups and group memberships over as
well as all the old file permissions so we can decommission the old domain.
Initially we had thought the ADMT was going to be able to help us by
allowing us to tie the SID from the old account to the new account, but it
looks like that is only an option if you don't already have the user
accounts created.
 
Thank you for the response!
Adam
 
 
From: Coleman, Hunter [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Migration Dilemma
Date: Wed, 14 Apr 2004 09:50:16 -0600
Reply-To: [EMAIL PROTECTED]
What are the desired results?
 
How were the user accounts and mailboxes created in the new domain
initially? Are the users authenticating against the mailboxes with their NT
4 accounts, or with the AD accounts? Is there an Exch 5.5 organization and
an ADC in the mix?
 
Hunter 
 
-Original Message-
From: Morris, Adam [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 14, 2004 9:41 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Migration Dilemma
 
Hello,

We are in the process of planning our migration from NT 4 to Windows 2000 AD.  Last year we deployed a minimal AD site in order to roll-out Exchange 2000 for our users.  User accounts and mailboxes were created in the new domain but no users were migrated.  Some initial testing with the ADMT indicates that it will not produce the desired results.

At this time I can see 2 possible plans of action and I'm looking for some better options.  (Like maybe another way to migrate the SID's to the new accounts in AD or a way to get ADMT to update the existing accounts instead of replacing them).

Plan 1:  Back up all the user mailboxes, wipe the AD accounts, use ADMT to move all the accounts/groups, and then restore mailbox data.

Plan 2:  Spend the time to develop custom scripts that will add/create the appropriate groups and script as much of the migration as possible.

Currently we have close to 150 groups for around 400 users and multiple file servers so the thought of doing a manual migration process is pretty painful.  If anybody has any suggestions or thoughts I'd much appreciate the feedback.

Thank you!
Adam Morris
List info   : http://www.activedir.org/mail_list.htm

RE: [ActiveDir] Migration Dilemma

2004-04-15 Thread Nicolas Blank

I have used Quest's migratory product in similar situations where the user base was populated, but all we wanted was symbolic linkage for groups, re-ACLing and sidHistory, without disturbing what was there already, and nothing broke, including mail. I've also done non-ADC migrations using the same tool with great success.

If you have to script, then doing the group sync can be done, but the re-ACLing on anything more than 2 machines is going to bite you badly; if you're scripting, an ACE append for every old SID and an ACE cleanup after co-existence is done. Even with sidHistory, at some stage you need to re-ACL and drop the old ACEs.

If you can afford to wipe out and try again, suggest using a third party tool like migrator, as I've done green field migrations manually and with tools, and I'd rather take the tool route any day, especially if I can choose to NOT use the ADC ;)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Morris, Adam
Sent: 15 April 2004 03:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Migration Dilemma



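The ACE-append-then-cleanup re-ACL Nicolas describes (the scripted alternative to the subinacl.exe route Hunter mentions), as an added PowerShell example that is not code from the thread or from any migration product; the share path and the SIDs in the map are constructed placeholders, and Get-Acl/Set-Acl need an account that can read and write those ACLs:

```powershell
# Added example, not code from the thread or from any migration product.
# Re-ACL a file tree from a map of old-domain SIDs to new-domain SIDs:
#   phase 1 (default)  append a twin ACE for every explicit ACE that names an old SID
#   phase 2 (-Cleanup) remove the old-SID ACEs once co-existence is over
# Run under an account that can read and write the ACLs; paths and SIDs below are made up.

function Update-AclForSidMap {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$SidMap,   # 'S-1-5-21-...-old' -> 'S-1-5-21-...-new'
        [switch]$Cleanup,                            # phase 2: drop old-SID ACEs
        [switch]$ReportOnly                          # print the plan, write nothing
    )
    $acl = Get-Acl -LiteralPath $Path
    $changed = $false
    # Explicit ACEs only ($true, $false): inherited ones follow their parent automatically.
    $explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $explicit) {
        $oldSid = $ace.IdentityReference.Value
        if (-not $SidMap.ContainsKey($oldSid)) { continue }
        if ($Cleanup) {
            'REMOVE {0}: {1} {2} {3}' -f $Path, $oldSid, $ace.FileSystemRights, $ace.AccessControlType
            if (-not $ReportOnly) { $null = $acl.RemoveAccessRule($ace); $changed = $true }
            continue
        }
        $newSid = [System.Security.Principal.SecurityIdentifier]::new($SidMap[$oldSid])
        # Twin ACE: same rights, inheritance/propagation flags and allow/deny type as the old one.
        try {
            $twin = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $newSid, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
        } catch {
            # ACEs carrying generic rights bits cannot be rebuilt this way; list them for manual review.
            'SKIP   {0}: {1} ({2})' -f $Path, $oldSid, $_.Exception.Message
            continue
        }
        'ADD    {0}: {1} {2} {3}' -f $Path, $newSid.Value, $ace.FileSystemRights, $ace.AccessControlType
        if (-not $ReportOnly) { $acl.AddAccessRule($twin); $changed = $true }
    }
    if ($changed) { Set-Acl -LiteralPath $Path -AclObject $acl }
}

function Invoke-SidMapReAcl {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][hashtable]$SidMap,
        [switch]$Cleanup,
        [switch]$ReportOnly
    )
    # The root itself plus every file and folder below it, hidden items included.
    $items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        Update-AclForSidMap -Path $item.FullName -SidMap $SidMap -Cleanup:$Cleanup -ReportOnly:$ReportOnly
    }
}

# Constructed sample map (old NT 4 domain SIDs -> matching AD account SIDs) and share path.
$sidMap = @{
    'S-1-5-21-1111111111-2222222222-3333333333-1104' = 'S-1-5-21-4444444444-5555555555-6666666666-2210'
    'S-1-5-21-1111111111-2222222222-3333333333-1105' = 'S-1-5-21-4444444444-5555555555-6666666666-2211'
}
# Phase 1: dry run, then for real. Phase 2 only after nothing authenticates against the old domain.
Invoke-SidMapReAcl -Root 'D:\Shares\Finance' -SidMap $sidMap -ReportOnly
# Invoke-SidMapReAcl -Root 'D:\Shares\Finance' -SidMap $sidMap
# Invoke-SidMapReAcl -Root 'D:\Shares\Finance' -SidMap $sidMap -Cleanup
```

Run the dry run against a copy of a share first and keep its output as the record of what changed, since the cleanup phase removes the only ACEs that still work for anyone authenticating against the old domain.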


RE: [ActiveDir] Making a test Network, 3 w2k srvs

2004-03-23 Thread Nicolas Blank

Exchange won't just not install. Have you got an error message?

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jon Holstrom
Sent: 23 March 2004 11:30 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Making a test Network, 3 w2k srvs

Hello,
I have 3 W2K Srv,

server 1 AD, DHCP, DNS
server 2 CA
server 3 Exchange 2000
all three on 10 mb hub.

server 3 has two nics,
one for local,
one for internet

I can't get Exchange 2000 to let me install with this setup.
I can add one more test server if need be,
But not sure what would be the best way.
I am just out to see how all this can work.

Thanks for any & all help everyone.

RE: [ActiveDir] [MailServer Notification]To Recipient file blocking settings matched and action taken.

2004-03-22 Thread Nicolas Blank
Calling Greg..

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Administrator
Sent: 22 March 2004 07:38 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [MailServer Notification]To Recipient file blocking
settings matched and action taken.

ScanMail for Microsoft Exchange has blocked an attachment.

Sender = Dean Wells
Recipient(s) = AD mailing list (Send)
Subject = RE: [ActiveDir] Converting Active Directory 64 Bit Time Values
into Date Strings  with Perl and general process you can use for other
languages
Scanning time = 3/22/2004 12:38:04 PM

Action on file blocking:
The attachment AccountExpires.ZIP matches the file blocking settings.
ScanMail has Quarantined it.  The attachment was quarantined to C:\Program Files\Trend\Smex\Alert\AccountExpires405f247c6a.ZIP_.

An attachment has been blocked. The email had the following subject RE:
[ActiveDir] Converting Active Directory 64 Bit Time Values into Date Strings
with Perl and general process you can use for other languages. It was sent
on 3/22/2004 at 12:38:04 PM from Dean Wells. The following action was taken
AccountExpires.ZIP/Quarantined . 

If this was in error, please contact Gregg Porter.


RE: [ActiveDir] Gateway Serive For Netware (GSNW) in Windows 2003

2004-03-11 Thread Nicolas Blank
Hang on, in order to migrate groupwise accounts, you require visibility of
groupwise, which may be achieved using the client, without resorting to
installing gateway services. Why do you need the gateway ?
Connecting Exchange to groupwise is achieved using the mail connector and
not the gateway. 
Are you trying to co-exist, migrate, migrate file/print, anything else ?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: 11 March 2004 02:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Gateway Serive For Netware (GSNW) in Windows 2003

Wow! Basically, I have to install Exchange 2003 on a Windows 2000 box in
order to install GSNW. That can't be right.  Is there any way I can install
Windows 2000 version of GSNW on a Windows 2003 machine? 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Thursday, March 11, 2004 12:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Gateway Serive For Netware (GSNW) in Windows 2003

the helpfile for 2000 is correct (GSNW is included in 2000)
and so is the helpfile for 2003 (GSNW is not available for 2003)

not nice, but that's the way it is. 
you'll have to use a 2000 box if you want to use the function

/Guido

-Original Message-
From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED] 
Sent: Donnerstag, 11. März 2004 03:57
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Gateway Serive For Netware (GSNW) in Windows 2003

Hello,

Does anyone know where I can find GSNW for Windows 2003?  According to the
help file Gateway Service for NetWare is included in Windows 2000 Server.
It is not included in the Windows Server 2003 family.  I need to install
GSNW on a Windows 2003 machine to do a GroupWise migration.  Any ideas?

Thanks in advance,
Santhosh



RE: [ActiveDir] AD Groups

2004-03-10 Thread Nicolas Blank

Another might be to check where the groups are being used. If they're used to secure file/print type resources and/or AD resources then they may be discovered using a decent reporting tool, i.e. check if group X is used in AD anywhere, or is present on THAT server. You could explore this via scripts or use third party reporting tools that support ACL level reporting.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: 10 March 2004 11:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Groups

delete one by one and see who screams ;-)

or go through a terrible audit of your whole IT environment to see which groups are used on which resources on any joined or trusted part of your AD infrastructure. Welcome to the downsides of the DACL (Discretionary Access Control List) model, where any owner controls ACLs on his objects. I sure hope that MS is able to keep to their plans to try to replace DACL with RBAC (Role Based Access Control) in future OSs - but they have a long way to go (won't even try to imagine the compatibility issues...).



/Guido

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent: Mittwoch, 10. März 2004 19:35
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD Groups

Is there a way that I can see what groups are not used anymore in AD.
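One way to do the "is group X present on THAT server" check Nicolas suggests, as an added PowerShell example that is not code from the thread; the share roots and group names are constructed placeholders, and the scan covers only file-system ACLs on the roots you hand it, not AD object ACLs, Exchange or application-level uses:

```powershell
# Added example, not code from the thread: the "is group X present on THAT server" check,
# done by scanning explicit ACEs under one or more share roots for a list of candidate groups.
# A group with zero references on the scanned roots is a candidate for removal there; AD object
# ACLs, Exchange and application-level uses still need their own check. Names/paths are made up.

function Find-GroupAclReferences {
    param(
        [Parameter(Mandatory)][string[]]$Root,       # share roots to scan, e.g. '\\fs01\data'
        [Parameter(Mandatory)][string[]]$GroupName   # 'DOMAIN\Group' account names
    )
    # Case-insensitive lookup of candidate group -> list of paths where it appears in an ACE.
    $hits = @{}
    foreach ($g in $GroupName) { $hits[$g.ToLowerInvariant()] = [System.Collections.Generic.List[string]]::new() }

    foreach ($r in $Root) {
        $items = @(Get-Item -LiteralPath $r) +
                 @(Get-ChildItem -LiteralPath $r -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            # Explicit ACEs only: an inherited ACE would just repeat the hit recorded on its parent.
            foreach ($ace in $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])) {
                $who = $ace.IdentityReference.Value.ToLowerInvariant()
                if ($hits.ContainsKey($who)) { $hits[$who].Add($item.FullName) }
            }
        }
    }
    # One row per candidate group; References = 0 means "not used on these roots".
    foreach ($g in $GroupName) {
        $paths = $hits[$g.ToLowerInvariant()]
        [pscustomobject]@{ Group = $g; References = $paths.Count; Paths = $paths.ToArray() }
    }
}

# Constructed usage: two candidate groups checked against two share roots.
Find-GroupAclReferences -Root '\\fs01\data', '\\fs02\projects' `
                        -GroupName 'CORP\Old-Finance-RO', 'CORP\Proj-Archive-RW' |
    Sort-Object References |
    Format-Table Group, References -AutoSize
```

Groups that come back with zero references are still only "unused on what was scanned"; keep the Paths column for the ones that do hit, since that is the evidence you need before anyone does the "delete one by one and see who screams" test.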










RE: [ActiveDir] OT: Exchange 2003 Hardening Guide

2004-03-09 Thread Nicolas Blank
Then there's the little gripe of.
Publishing an Exchange attribute in MSDN and then UN-publishing it in oops
style, after you find out you really really WANT to address this multi value
attribute in a script, and not a one line GUI...
*SIGH*

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 09 March 2004 09:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Exchange 2003 Hardening Guide

Good god Rick, you are going to scare the crap out of everyone and I'm not
going to be allowed near Redmond nor anywhere else. I am going to wear a
tag that says, "Hi, my name is !joe". Ok if you don't get that C humor.


Although

We now have a fun issue where the RUS is building address lists for us and a
specific filter works perfectly fine on one RUS against one Admin Site but
doesn't work on another RUS servicing two other Admin Sites...  It isn't
that it isn't building the lists, it is just ignoring the filters we have
for the lists. 

Anyway, I intend to be very nice and very civil and generally well
lubricated everywhere I go when I am out there. :o)  If I speak with the
Exchange guys at all it will be along the lines of "AD is A Directory, it
isn't YOUR directory." Oh, and "In order to call this enterprise ready and
scalable, you have to be serious about command line tools and scripting -
and not just from the command prompt of an Exchange Server." Finally,
something along the lines of "The fact that the Exchange admins aren't using
the command line and scripts heavily is more a function of what the Exchange
Dev Team has done than what the Exchange Admins' capabilities are." Oh wait,
another one... "Enough with the spaces in the DN's already. Use command
line tools once in a while to query your stuff in AD." I never used LDP
until I had to start poking around in the config container looking at
Exchange crap.

Of course after this posting from you, I should expect snipers on the roof
of SeaTac when I fly in and wondering why I will be getting that extra
special attention when I get off the plane... If anyone asks I'm flying in
on Monday the 5th 

Actually, I would like to have the main point of topic be Group
Management, do we have the right groups we need to really do this stuff well
and how exactly should this stuff be managed... Personally I am looking
for a group that is a cross between a universal group and domain local group
- call it super duper group or the BAM group. You can put anyone you want in
it, it can be used on any resource anywhere, but its membership isn't in
every GC because we make it unnecessary by good cross partition backlinks
for memberof. No more chasing across partitions looking for group
memberships. If we have good cross partition backlinks, we don't need
membership in the GCs for the groups. Also a user has to get back to a DC of
their domain to authenticate anyway, all of the info should be there for his
ID. Why have to go to a DC of your domain and then ALSO go to a GC to get
some more stuff. Just inefficient I tell you. 

Oh and maybe hard links between AD/AM and AD. You don't replicate the data
from the user object to AD/AM and then add to it. You have the specific App
info in AD/AM and it references the user object in AD via GUID or whatever.
Ditto in AD, a field that references additional info in AD/AM's. So if you
pull a record for a user, you can say, grab additional data and it chases
out to AD/AM(s) to get the extra stuff. Slows down the whole having to keep
things in sync everywhere business which is rather a pain. Of course LDAP
search rules and implementation of same gets a little interesting... 


  joe


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, February 25, 2004 8:28 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange 2003 Hardening Guide

Given that we discuss a number of topics in this list, and that Exchange has
taken its beatings at my hands, as well as joe's and many others - it's
about time that there was some good news on the Exchange front.

Microsoft has released - as of yesterday - a hardening guide for Exchange
2k3.  Not that any of what they are saying is exactly revolutionary, or
other than good common sense, but that the Exchange team, too, has gotten
religion.  

This, coupled with the fact that I suspect that Redmond is beginning to
build fortifications around the Exchange team offices, because they know Joe
is coming.  And, when Joe Richards gets there in April - the shit's going to
hit the fan.  I just HOPE I'm close enough to enjoy the action.

:o)

Finally, I can't take credit for coming up with this.  Susan Bradley, spunky
Small Business Server and Security maven that she is, turned me on to this.
I'm just editorializing and passing it on to the good folks on 

RE: [ActiveDir] Removing inherited mailbox persmissions on AD ac counts

2004-02-25 Thread Nicolas Blank
SELF should DEFINITELY stay there!
IF an ACL shows inherited permissions then they generally come from the
database object or the store object above it. Enable the showpermission
regkey you saw posted earlier, and examine the database permissions and the
store permissions.
Also sidHistory won't be exhibited on the ACL as it is an attribute of a
user. You may examine this by using LDP/ADSIEDIT and examining the
sidHistory attribute of a user.
Oh, and SELF definitely stays there too ;) !

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grantham, Caron
Sent: 26 February 2004 04:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Removing inherited mailbox persmissions on AD accounts
 
I picked him because he needed help delegating his exec. assistant access to
his Outlook. The option at his desktop is not available for some reason.

Basically, this account is one of many users who have delegated
inbox/calendar read/write access to their executive assistants. These
positions can be fairly transient so during the migration period I believe
the delegate the user originally had left our org. Her account was deleted
from NT but not before having been brought over to AD thru ADC.
I'm just doing clean-up by removing accounts that no longer should be there
and adding users who need permissions to this guy's mailbox. It should only be
him, one exec staff, domain admins, and the exchange nodes. I guess SELF
stays too?
 

From: [EMAIL PROTECTED] on behalf of Mulnick, Al
Sent: Wed 2/25/2004 12:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Removing inherited mailbox persmissions on AD accounts
sIDHistory would show the user since it's an attribute on the migrated
user-object anyway.  It could look like a ghost account if there's a problem
finding the user object (i.e. it was deleted permanently and sIDHistory
wasn't brought for that user), or if there was a problem with the trust etc.

 
What was the reason to pick this particular user in the first place?  Is
there a problem that drew you to that user or did you just pick out of a
hat? I think if we knew the big picture, we could offer better help.
 
 
-Original Message-
From: Grantham, Caron [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 25, 2004 12:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Removing inherited mailbox persmissions on AD accounts
Al,
I don't know why, I'm new to AD.
We have recently migrated from NT 4 to Server 2003/Exchange 2003.
 
We were co-existing with the NT 4 domain through a two-way trust
relationship and some users who were migrated have since been deleted from
NT. My suspicion is that this could be SID history of those users. I wasn't
an admin on the NT side who set up permissions for users originally.
 
 

RE: [ActiveDir] Exchange 2003 Migration Question

2004-02-24 Thread Nicolas Blank
Suggest you do one org at a time and never more people than you can a) roll back at a time b) support by yourself/with helpdesk the next day ;)

I've had a LOT of success with Quest's migration tool, since you can do the domain migration and the exchange migration from the same tool, which is cool when you're trying to track down which tool did what. It also rewrites the outlook profile remotely, which is a big plus when it comes to not driving to Hicksville to repoint profiles; even if you're willing to remote admin them, it's hard without a tool to catch every profile that's logged onto a machine once, including people on maternity leave.

Aelita also does a really exchange migration tool, but they've split their directory and email migration tool, as have so many others.

PST files are a real bane to absorb during migration, and although I've kept these attached during a migration, it's a bit hard to re-address the profile once migrated to reflect a new mailbox as the delivery location, since this would transparently pump the PST held mail back into the new active mailbox.

Tools that address mail held in PST files tend to be archive related: KVS, EAS, COMVAULT, etc, which major on getting the PST content into another online store.

If you're feeling brave, then have a dig around here:

[HKEY_USERS\S-1-5-21-YOUR-USER-SID-HERE\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\XGUID]

You'll find some info on the delivery location, although you'll have to lookup the GUID values at the end on MSDN or a friendly outlook developer.

If you understand these keys, you CAN influence your mail delivery location, and of course you can break every outlook profile on every desktop :) if you get it wrong.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kent Maxwell
Sent: 20 February 2004 06:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 Migration Question







Nicolas,

Thank you very much! I found your
email very informative! We are going to be doing three migrations.
The first is 400+ mailboxes, one exchange server. The second will be 100
mailboxes, to a different exchange server in a different site. The third
will be 300+ mailboxes to another exchange server in a different site. I
am particularly interested in the 3rd party tool you would recommend to connect
the exchange organizations and if you know of any good tool to change the
client outlook profiles. I also have a problem that in one site they have
many PST files and did not retain the email in their exchange mailbox and I
need to not only get their new MAPI profile connected with the PST(s) but also
migrate all the email in the PST back to Exchange.

Thank you!

Kent

-Original Message-
From: Nicolas Blank [mailto:[EMAIL PROTECTED]
Sent: Friday, February 20, 2004 3:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 Migration Question

Kent

There's a number of factors you need to consider here, and three of the biggest ones that come to mind are co-existence, user profile re-pointing, and freezing the admin environment for the duration on one or both sides.

You didn't mention how many mailboxes, servers or mail you had, so it's hard to advise on the purchase of a 3rd party tool, native tool or manual options, although I would recommend you look at a number of the 3rd party tools that are available, especially when you look at an extended co-existence period where you need solid dir-sync to maintain both sets of directories.

If you go the tool route, you should look at a solution which will build and maintain the target GAL, plus build objects, or in your case match on the objects which you already have, which is matching the associated NT account on the 5.5 mailbox to the AD user's sidHistory attribute.

This can be done natively, but not as cleanly as I've done with third party.

In essence your migration path would be the following:

Setup routing between the two orgs - preferably X.400 connector, since this allows you to maintain your SMTP namespace in both orgs and still have a namespace to route against.

Build a target GAL that would route mail back to the source org using X.400 proxies, but make sure the GAL is built using mail enabled users that are stamped with the source org's DN as X.500 addresses. This will absorb reply-ability between source and target org, including outstanding meeting requests, etc.

Batch MAILBOX ENABLE as many users as you wish to migrate at a time and transfer their mail. Since the target objects will be overwritten the X.400 proxy route will be overwritten.

Set alternate recipients on the source mailboxes to route new mail to the target GAL.

The advantage of this method is that you have a co-existence model which will allow you to co-exist for a while, plus once your target GAL is built you can switch your MX record over at any time

RE: [ActiveDir] Extended Rights

2004-02-24 Thread Nicolas Blank
You can do this in two places - you can edit dssec.dat as mentioned to expose extra rights or you can use ADSIEDIT which has no limitations. Drawback to editing dssec.dat is that you need to do it on all the machines you want to delegate from, and you need to know what the entries/rights mean, especially when you're starting out this can be daunting. ADSIEDIT at least exposes all the rights in the GUI so there's no guesswork if you've exposed the right thing or not.

Do your delegation out of ADSIEDIT, which is available on the support tools section of your CD. ADSIEDIT shows all the rights available for delegation on an object or attribute level. ADUC is not a great place for exposing too many rights, since the interface gets cluttered too quickly. Suggest if you need/want to use ADUC for delegation, only expose the rights you need to for user/comp/ou/share/ etc type roles, and do everything else out of ADSIEDIT.

I would strongly suggest you do your delegation out of ADSIEDIT or use a third party delegation tool which gives you track/audit and undo, ESPECIALLY if you're playing in live, as ADSIEDIT is a lot like regedit: you have to know what you're doing, otherwise you might have to use dsacls to set ACEs/ACLs back to factory default which will break other dir enabled apps.

If you cannot get access to a third party tool, may I strongly suggest that whatever you need to do you do programmatically, i.e. via a script in your lab, and then use the same script to rollout in live; removes finger trouble and uncertainty. Also gives you a bit of an audit trail as to what you've done ;)

The ability to delegate is an enormously powerful tool; this requires that you do some background reading on what your delegation will affect, how the inheritance model works, etc. There are a number of excellent books on the subject for which you could gain a number of suggestions from this forum.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kent Maxwell
Sent: 24 February 2004 05:28 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Extended Rights

Ok, I must be crazy. I read the Best Practices of Delegating Active Directory Administration. I have defined my service administration and data administration model.

I started to define the physical infrastructure. The first step is to create a Universal group that will be a Forest Configuration Operators Role. Per the Microsoft Documentation I need to grant the following rights:

1. Grant this group permissions required to perform assigned Installation Management tasks.

a. Grant this group the DS-Replication-Get-Changes extended right on the following objects:
   CN=Configuration, DC=Forest-Root-Domain
   CN=Schema, CN=Configuration, DC=Forest-Root-Domain

b. Grant this group the DS-Replication-Manage Topology extended right on the following objects:
   CN=Configuration, DC=Forest-Root-Domain
   CN=Schema, CN=Configuration, DC=Forest-Root-Domain

c. In a Windows 2000 Active Directory environment, additionally grant this group the DS-Replication-Get-Changes-All extended right on the following objects:
   CN=Configuration, DC=Forest-Root-Domain
   CN=Schema, CN=Configuration, DC=Forest-Root-Domain

d. In a Windows 2000 Active Directory environment, additionally grant this group the DS-Replication-Monitor-Topology extended right on the following objects:
   CN=Configuration, DC=Forest-Root-Domain
   CN=Schema, CN=Configuration, DC=Forest-Root-Domain

e. Grant this group the following permissions:
   Read All Properties on CN=Sites, CN=Configuration, DC=Forest-Root-Domain (Inheritable - apply onto this object and all child objects)
   Create All Child Objects on CN=Servers, CN=Site, CN=Sites, CN=Configuration, DC=Forest-Root-Domain (Inheritable - apply onto this object and all child objects)
   Create Computer objects on OU=Domain Controllers,DC=domain
   Full Control to Creator Owner on CN=Sites, CN=Configuration, DC=Forest-Root-Domain (Inheritable - apply onto this object and all child objects)

f. Grant this group the Enable computer and user accounts to be trusted for delegation user right by modifying the default domain controller security policy for this domain.

g. Finally, when a member of this group needs to add a replica DC, he/she must be granted Full Control on the computer object representing the server that is being promoted and must be made a member of the Local Administrators group on that computer.

2. Grant this group permissions required to perform assigned Operations Master Role Management tasks.

h. Grant this group the Change-Schema-Master extended right on cn=Schema, CN=Configuration, DC=Forest-Root-Domain

i. Grant this group the Change-Domain-Master extended right on cn=Partitions, CN=Configuration, DC=Forest-Root-Domain

j. Grant this group Write-Property permissions to write the fSMORoleOwner property on cn=Schema, CN=Configuration, DC=Forest-Root-Domain

k. Grant this group Write-Property
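The track/audit/undo Nicolas wants around a scripted delegation change like the one Kent lists, as an added PowerShell example that is not code from the thread; it assumes the ActiveDirectory module's AD: drive (later tooling than the dsacls of the time), and the DN and snapshot file path are placeholders:

```powershell
# Added example, not code from the thread: snapshot a container's DACL as SDDL before a scripted
# delegation change, diff the live DACL against the snapshot afterwards, and put the snapshot back
# if the change went wrong. Needs the ActiveDirectory module (AD: drive); the DN and file path at
# the bottom are made up.
Import-Module ActiveDirectory -ErrorAction Stop

function Save-AdDaclSnapshot {
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][string]$SnapshotFile)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    # SDDL of the DACL keeps every ACE, including the object-type GUIDs that identify extended rights.
    $sddl = $acl.GetSecurityDescriptorSddlForm([System.Security.AccessControl.AccessControlSections]::Access)
    Set-Content -LiteralPath $SnapshotFile -Value $sddl -Encoding UTF8
}

function ConvertTo-AceLines {
    param([Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    # One comparable line per explicit ACE; inherited ACEs are skipped since they move with the parent.
    foreach ($ace in $Acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])) {
        $fields = @($ace.IdentityReference, $ace.ActiveDirectoryRights, $ace.AccessControlType,
                    $ace.ObjectType, $ace.InheritedObjectType, $ace.InheritanceType)
        $fields -join '|'
    }
}

function Compare-AdDaclSnapshot {
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][string]$SnapshotFile)
    $before = [System.DirectoryServices.ActiveDirectorySecurity]::new()
    $before.SetSecurityDescriptorSddlForm((Get-Content -LiteralPath $SnapshotFile -Raw).Trim())
    $after = Get-Acl -Path "AD:\$DistinguishedName"
    # '=>' marks ACEs present now but not in the snapshot, '<=' ACEs that have disappeared.
    Compare-Object -ReferenceObject @(ConvertTo-AceLines $before) -DifferenceObject @(ConvertTo-AceLines $after)
}

function Restore-AdDaclSnapshot {
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][string]$SnapshotFile)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    # Replace only the DACL (Access section); owner and SACL stay as they are.
    $acl.SetSecurityDescriptorSddlForm((Get-Content -LiteralPath $SnapshotFile -Raw).Trim(),
                                       [System.Security.AccessControl.AccessControlSections]::Access)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

# Placeholder DN and file: snapshot first, run the delegation script, then review the diff.
$dn = 'CN=Configuration,DC=example,DC=invalid'
Save-AdDaclSnapshot -DistinguishedName $dn -SnapshotFile 'C:\Audit\config-dacl-before.sddl'
# ... run the delegation script here ...
Compare-AdDaclSnapshot -DistinguishedName $dn -SnapshotFile 'C:\Audit\config-dacl-before.sddl'
# Restore-AdDaclSnapshot -DistinguishedName $dn -SnapshotFile 'C:\Audit\config-dacl-before.sddl'
```

The diff lines are what you file as the audit trail: each '=>' line names the trustee, the extended-right GUID and the inheritance scope that the script actually granted, so a run that touched more than the rights on Kent's list shows up before anyone relies on it.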

RE: [ActiveDir] NT Member Server Migration to AD 2003

2004-02-23 Thread Nicolas Blank

Debbie, unless you want to take advantage of the features which the directory client provides, there's very little that needs doing to member servers. I find that depending on what the servers are hosting, re-ACLing and moving them to the target domain is all that needs doing. Is there a reason why these need to stay NT4?

I've seen file/print boxes behave much better after moving onto win2k3, but then you might have an app that needs to live on NT4?

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: 19 February 2004 05:01 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] NT Member Server Migration to AD 2003

We have reached the phase in our migration where all the users and their computers have been migrated. We are upgrading most of our member servers to 2000 before migrating. There are a few servers we are leaving at NT4. We are using NetIQ Migration Suite and it works great. The question I have is have any of you had any problems migrating NT 4 member servers to AD? Are there any preparations that need to be done before the member servers are migrated. I know with our NT workstations we installed the directory services client, but I understand that is just for workstations. Our domain controllers are all 2003.