RE: [ActiveDir] Disable CD ROM through GP

2007-01-27 Thread Ulf B. Simon-Weidner
Hello Dhiraj,

it's always a kind of risk to put something into production without testing
- even with good guidance there might be small issues which may lead to big
results.

That said - implementing a new Policy Extension in GP is pretty easy. First,
copy the ADM to the ADM-Files in the Group Policy Object in Sysvol. They are
referenced by GUID ({xxx-xxx-xxx-xxx}) there - you are able to find out the
GUID of your GPO using GPMC. After you copied the ADM-File there, open the
Group Policy. For custom ADMs you have to adjust the Filter (in the View
Menu of the GP-Object Editor): Select the Administrative Template Node
underneath either User or Computer Configuration (probably Computer in your
case), then go into the View Menu and click Filter. Unselect "Only show
policy settings that can be fully managed".
Afterwards you should be able to find your policy setting and you are able
to configure it.

I'd do this in a separate GPO for testing, and remove the Right (in
Security, make sure that you remove the right and do _not_ deny it) of
Authenticated Users to apply the policy. Afterwards enter your own
computer account and give it the right to apply the policy - just to make
sure that you are testing it before. If it works on your computer you can
reset the rights by allowing Authenticated Users to apply it again and
remove your computer account from the security settings. Now they will apply
to all computer accounts underneath the level (domain, OU, site) where you
linked the GPO.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Haritwal, Dhiraj
Sent: Saturday, 27 January 2007 09:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disable CD ROM through GP

If anyone has done the same, kindly guide me...

Because right now I do not have this much time.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 27, 2007 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Disable CD ROM through GP

Why not set up a test network/machine in VirtualPC/VMware?


Haritwal, Dhiraj wrote:

 Hi All,

 I want to disable CD ROM on all client machines through GP. I found
 the KB http://support.microsoft.com/kb/555324 & created the attached
 test.adm file. Actually I don't have any testing machine where I can
 test this *adm* file. Can anybody try & tell me the complete process
 to enable it. Also tell me where it will reflect the changes, whether
 in the registry or it will create that option in GP to disable/enable CD
 ROM.

 Dhiraj Haritwal




 This email is confidential and intended only for the use of the 
 individual or entity named above and may contain information that is 
 privileged. If you are not the intended recipient, you are notified 
 that any dissemination, distribution or copying of this email is 
 strictly prohibited. If you have received this email in error, please 
 notify us immediately by return email or telephone and destroy the 
 original message. - This mail is sent via Sony Asia Pacific Mail
Gateway.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx




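The staging and test-scoping steps Ulf walks through, as an added PowerShell example that is not from the thread; it assumes the GroupPolicy module (Windows Server 2008 R2 or later, or RSAT), and the GPO name, ADM path, computer name and OU are placeholders.

```powershell
# Added example (not from the thread): stage a custom ADM into a test GPO in
# Sysvol and scope it to one test computer, as Ulf describes. Needs the
# GroupPolicy module (Windows Server 2008 R2+ / RSAT). GPO name, ADM path,
# computer name and OU are placeholders.
Import-Module GroupPolicy

$GpoName      = 'Test - Disable CD-ROM'                # placeholder: GPO used only for testing
$AdmFile      = 'C:\Temp\test.adm'                     # placeholder: the custom ADM built from the KB
$TestComputer = 'WS-TEST01'                            # placeholder: computer that gets the policy first
$TestOu       = 'OU=Workstations,DC=example,DC=com'    # placeholder: where the test GPO is linked

# 1. Create (or reuse) the test GPO. Sysvol stores it under its GUID, the
#    "Unique ID" GPMC shows on the GPO's Details tab.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$gpoSysvol = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}"

# 2. Copy the ADM into the GPO's Adm folder so the Group Policy Object Editor
#    loads it for this GPO. A custom ADM like this one usually writes outside
#    the Policies registry keys (it "tattoos" the registry), which is why the
#    editor hides it until you clear View > Filtering >
#    "Only show policy settings that can be fully managed".
$admDir = Join-Path $gpoSysvol 'Adm'
if (-not (Test-Path -LiteralPath $admDir)) { New-Item -ItemType Directory -Path $admDir | Out-Null }
Copy-Item -LiteralPath $AdmFile -Destination $admDir

# 3. Scope for testing: lower Authenticated Users from Apply to Read (-Replace
#    removes the Apply right; nothing is denied), then grant Apply to the test computer.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Guid $gpo.Id -TargetName $TestComputer -TargetType Computer -PermissionLevel GpoApply | Out-Null

# 4. Link it where the test computer lives. On that computer, "gpupdate /force"
#    followed by "gpresult /r /scope computer" confirms the GPO was applied.
New-GPLink -Guid $gpo.Id -Target $TestOu -LinkEnabled Yes | Out-Null

# 5. After a successful test: give Apply back to Authenticated Users and drop
#    the per-computer entry, so every computer under the link receives the policy.
function Publish-TestedGpo {
    param([Parameter(Mandatory)][guid]$GpoId, [Parameter(Mandatory)][string]$Computer)
    Set-GPPermission -Guid $GpoId -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoApply -Replace | Out-Null
    Set-GPPermission -Guid $GpoId -TargetName $Computer -TargetType Computer -PermissionLevel None | Out-Null
}
# Publish-TestedGpo -GpoId $gpo.Id -Computer $TestComputer
```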


RE: [ActiveDir] OT: maintaining creation date when copying directories?

2007-01-25 Thread Ulf B. Simon-Weidner
Robocopy with the /B-Switch should work.

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, 25 January 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining creation date when copying
directories?

 

What move/copy tools can be used to copy directories/files to another
location and still retain the creation date value?  Robocopy seems to keep
creation date on files but directories are given the current date.  Am I
missing a switch in Robocopy to do this?  A backup/restore operation (with
ntbackup.exe) retains the creation date as one would expect.  I am just
looking for other possible tools.  I should mention that with all of the
tools I've tried, the modified date is always the current date for
directories.  Any help is appreciated!

 

Mike Thommes

 



RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-25 Thread Ulf B. Simon-Weidner
A Hostname underneath a folder "1"? I'd agree if just the number were
there, but not with a name (& other number) underneath.

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, 25 January 2007 15:14
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

You can register records like this by messing up a reverse lookup record
addition using DNSCMD.

 

--Paul

 

- Original Message - 

From: EIS Lists mailto:[EMAIL PROTECTED]  

To: ActiveDir@mail.activedir.org 

Sent: Wednesday, January 24, 2007 9:28 PM

Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

Thanks, all. Ulf, your explanation was great! I am sure it was someone
(probably me!) who just typed a .1 in some setting on the printer and allowed it
to register in DNS.

 

Many thanks.

 

-- nme

 

Noah Eiger

 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Wednesday, January 24, 2007 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

Just 9:30 pm here, so not really late.

 

Many are mixing up the zones with the "DNS-Subdomains" or whatever they are
actually called. But in this case he even had it right, he said that under
the domain zone he has the "_*"-folders as well as a folder "1". I had to
reread too ;-)

 

How are things? See you in March?

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 


 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 21:17
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

That's what I would expect.  But since the original poster called it a
zone I figured I'd ask. What are you doing up so late? :)

On 1/24/07, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

No Zone - no properties ;-)

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 20:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

What are the properties of the "1" zone?

On 1/24/07, EIS Lists [EMAIL PROTECTED] wrote:

Hi -



Under one of our forward lookup zones (AD-integrated), we have the usual
folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well
as a single folder just named: "1" (without the quotes). There is a single
A-record under it for one of our printers.



Any idea what this folder is?



Thanks.



-- nme




 

 



RE: [ActiveDir] OT: maintaining creation date when copying directories?

2007-01-25 Thread Ulf B. Simon-Weidner
Hi Thommes,

 

I've just tried this here, and both commands

Robocopy /B .\ ..\ wins.dll

Robocopy /B .\ c:\ wins.dll

 

(first one on the same drive, second one on another drive)

 

Maintain the Create and Modified date. My Robocopy-Version is the same
(XP010, 5.1.1.1010)

 

Weird.

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 


 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, 25 January 2007 14:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying
directories?

 

Hi Ulf,

Thanks for the response!  I tried Robocopy (version XP010) with the /E
/B /COPYALL switches.  It does not seem to have the desired effect (ie, both
the modified date and the creation date are still the current date).
Any other thoughts?

 

Mike Thommes

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, January 25, 2007 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying
directories?

 

Robocopy with the /B-Switch should work.

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, 25 January 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining creation date when copying
directories?

 

What move/copy tools can be used to copy directories/files to another
location and still retain the creation date value?  Robocopy seems to keep
creation date on files but directories are given the current date.  Am I
missing a switch in Robocopy to do this?  A backup/restore operation (with
ntbackup.exe) retains the creation date as one would expect.  I am just
looking for other possible tools.  I should mention that with all of the
tools I've tried, the modified date is always the current date for
directories.  Any help is appreciated!

 

Mike Thommes

 



RE: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-25 Thread Ulf B. Simon-Weidner
Hi Stu,

 

I don't think there's a way to expose multivalued attributes with CSVDE -
you'd either have to use LDIFDE or VBScript or anything else to view all
values of those attributes.

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 


 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 January 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

 

How does one go about getting the non-primary SMTP addresses for every
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing
something wrong.  Thanks again. 
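One way to get at the multivalued proxyAddresses attribute that csvde flattens, as an added PowerShell example that is not from the thread; the sample user object is constructed, and the directory query assumes the ActiveDirectory module.

```powershell
# Added example (not from the thread): pull the non-primary SMTP addresses out
# of the multivalued proxyAddresses attribute. Exchange marks the primary
# address with an uppercase "SMTP:" prefix and every secondary with lowercase
# "smtp:", so a case-sensitive prefix test separates them.
function Get-SecondarySmtpAddress {
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        foreach ($addr in @($User.proxyAddresses)) {
            # -clike is case-sensitive: matches "smtp:" but not "SMTP:" (primary) or X400/X500 entries
            if ($addr -clike 'smtp:*') {
                [pscustomobject]@{
                    SamAccountName = $User.SamAccountName
                    Primary        = $User.mail
                    Secondary      = $addr.Substring(5)
                }
            }
        }
    }
}

# Constructed sample object so the function can be exercised without a domain.
$sample = [pscustomobject]@{
    SamAccountName = 'jdoe'
    mail           = 'john.doe@example.com'
    proxyAddresses = @('SMTP:john.doe@example.com', 'smtp:jdoe@example.com',
                       'smtp:j.doe@example.net', 'X400:c=US;a= ;p=Example;o=Exchange;s=Doe;g=John;')
}
$sample | Get-SecondarySmtpAddress | Format-Table -AutoSize

# Against the directory (ActiveDirectory module / RSAT). The LDAP filter is
# case-insensitive, so it returns every user with at least one SMTP address;
# the function then keeps only the lowercase (secondary) ones.
Import-Module ActiveDirectory
Get-ADUser -LDAPFilter '(proxyAddresses=smtp:*)' -Properties mail, proxyAddresses |
    Get-SecondarySmtpAddress |
    Export-Csv -Path .\secondary-smtp.csv -NoTypeInformation

# Without PowerShell, ldifde exports the whole multivalued attribute as Ulf suggests:
#   ldifde -f proxy.ldf -r "(proxyAddresses=smtp:*)" -l proxyAddresses
```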



RE: [ActiveDir] OT: maintaining creation date when copying directories?

2007-01-25 Thread Ulf B. Simon-Weidner
Sorry - I've missed that point.

 

Yes - you're right, I got the same results.

 

However, if you use robocopy which is now included in Vista in System32
(XP027, 5.1.10.1027) you can use a new switch to accomplish this:

robocopy /dcopy:t /E /B /copyall . .

 

The /dcopy:t does the trick.

 

Thanks for bringing this up so I had to look into it - I'll blog this since
it's a very interesting change.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 


 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, 26 January 2007 02:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying
directories?

 

Hi Ulf,

I don't have any problems with the creation date on files.  It's the
creation date on the directory folders that is not right.  Could you try
robocopy again, this time trying to copy some tree structure that has
branches (subdirectories) and see what creation date is on the
subdirectory folders?  Thanks much!

 

Mike Thommes

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, January 25, 2007 3:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying
directories?

 

Hi Thommes,

 

I've just tried this here, and both commands

Robocopy /B .\ ..\ wins.dll

Robocopy /B .\ c:\ wins.dll

 

(first one on the same drive, second one on another drive)

 

Maintain the Create and Modified date. My Robocopy-Version is the same
(XP010, 5.1.1.1010)

 

Weird.

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 


 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, 25 January 2007 14:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying
directories?

 

Hi Ulf,

Thanks for the response!  I tried Robocopy (version XP010) with the /E
/B /COPYALL switches.  It does not seem to have the desired effect (ie, both
the modified date and the creation date are still the current date).
Any other thoughts?

 

Mike Thommes

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, January 25, 2007 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying
directories?

 

Robocopy with the /B-Switch should work.

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, 25 January 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining creation date when copying
directories?

 

What move/copy tools can be used to copy directories/files to another
location and still retain the creation date value?  Robocopy seems to keep
creation date on files but directories are given the current date.  Am I
missing a switch in Robocopy to do this?  A backup/restore operation (with
ntbackup.exe) retains the creation date as one would expect.  I am just
looking for other possible tools.  I should mention that with all of the
tools I've tried, the modified date is always the current date for
directories.  Any help is appreciated!

 

Mike Thommes
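The /dcopy:t copy Ulf found, followed by the check on subdirectory creation dates that Mike asked for, as an added PowerShell example that is not from the thread; it assumes a robocopy build with /DCOPY (XP027 or later), and the source and destination paths are placeholders.

```powershell
# Added example (not from the thread): run the /DCOPY:T copy and then verify
# that every subdirectory kept its creation date. Paths are placeholders.
function Compare-DirectoryCreationTime {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    $src = (Resolve-Path -LiteralPath $Source).ProviderPath.TrimEnd('\')
    $dst = (Resolve-Path -LiteralPath $Destination).ProviderPath.TrimEnd('\')
    foreach ($dir in Get-ChildItem -LiteralPath $src -Directory -Recurse) {
        $rel  = $dir.FullName.Substring($src.Length)          # e.g. "\Sub\Deeper"
        $copy = Get-Item -LiteralPath ($dst + $rel) -ErrorAction SilentlyContinue
        $copyCreated = if ($copy) { $copy.CreationTimeUtc } else { $null }
        [pscustomobject]@{
            Directory     = $rel.TrimStart('\')
            SourceCreated = $dir.CreationTimeUtc
            CopyCreated   = $copyCreated
            # exact match on the NTFS timestamp; a missing copy also counts as not preserved
            Preserved     = ($null -ne $copy) -and ($copy.CreationTimeUtc -eq $dir.CreationTimeUtc)
        }
    }
}

$Source      = 'C:\Data\Projects'      # placeholder
$Destination = 'D:\Backup\Projects'    # placeholder

# /E all subdirectories, /B backup mode, /COPYALL file data+attributes+timestamps+ACLs,
# /DCOPY:T directory timestamps as well (the switch the thread is about).
& robocopy.exe $Source $Destination /E /B /COPYALL /DCOPY:T /R:1 /W:1 | Out-Null
# robocopy exit codes 8 and above mean something failed to copy
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Anything listed here lost its creation date (or was not copied at all).
Compare-DirectoryCreationTime -Source $Source -Destination $Destination |
    Where-Object { -not $_.Preserved } |
    Format-Table -AutoSize
```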

 



RE: RE: [ActiveDir] Question about DNS SRV registration.

2007-01-24 Thread Ulf B. Simon-Weidner
Hello Yann,

 

you’re welcome!

 

No – it is not best practice to disable it. The effect you have is only
happening if a Site has no DC assigned to it, or if a single DC of a Site is
offline for a while. It is important that the Clients are able to look up a
DC, and if you disable Automatic Site Coverage and a Site is without a DC
for some time Clients may experience longer logon times, and they might fall
back on a DC which is in a site which goes over multiple WAN links. I’d say
best practice is to keep the Automatic Site Coverage active, and check once
in a while if there are wrong registrations which you may delete if the DCs
of that Site are back online. They will also dissolve if you enable aging
and scavenging.

 

Also what some customers are doing is the following: Assuming a “Star-shaped
Network Topology” with a Hub-Site where each Branch connects to, they are
configuring the DCs of the Hub-Site to register their SRV-Records at the
Branch Sites with a lower Priority than default, therefore the Branch-Office
Clients will use the Branch-Office DC as long as it’s available but fall
back to the Hub DCs when the BO-DC is not available.

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 


 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, 24 January 2007 11:19
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] Question about DNS SRV registration.

 

Hello Ulf,

 

Thanks so much for such explanations! That rocks!

2 interesting points you pointed to me

 

So if I understand, it is good practice, in my case, to disable automatic
site coverage?

 

After checking our production, Automatic site coverage is effectively set to
disable (set on default domain controller policy). So it seems that DCa is
still advertising himself as DC in site B. I will look why the process does
not work in our case... :(

 

We did not configure automatic aging/scavenging, I will look also into this
option.

 

Thanks again,

 

Yann

Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

Hello Yann,

 

this is usual and happens because Site B was configured in Active Directory
before DC B was there and assigned to that site. Automatic Site Coverage is
the process which is taking care of this effect. What it does, is making
sure that every site in Active Directory has DCs. If a DC detects a site
which has no DCs assigned to it, it will try to figure out if he’s a “close”
DC (not crossing multiple site-links) and assigning himself to that site.

 

So since Site B was configured and DC A was the only DC in your environment,
DC A decided to advertise himself as DC in Site B. However since DC B exists
now, DC A will not refresh those records, and if you have aging and
scavenging configured the “old” records of DC A in Site B will vanish.

 

You can also delete those records if you wish, as long as the records of DC
B are registered in Site B you can delete the records of DC A in Site B,
however make sure that you are only deleting the SRV-Records underneath the
DNS-Subdomains of the Site-specific Records in the “Site B”-DNS-Domains
(looks like folders in the DNS Managementconsole).

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 


 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Tuesday, 23 January 2007 22:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about DNS SRV registration.

 

Hello all and happy new year:-),

 

Say:

- Site A with DCa that is also dns (integrated to AD).

- Site B that is a new site.

my goal: dcpromo a new DC (DCb) in site B.DCb will be also dns (integrated
to AD).

- DCa & DCb belong to the same domain (domain.local).

My AD is w2k3 FFL mode.

 

In order to add the new DCb in the existing domain.com, DCb is dns client
to DCa.

 

When dcpromo is finished, i configured:

- DCb as dns client for himself 

- DCa as secondary dns sever for DCb.

 

Everything looks good .. BUT:

When clients in site B ask for all DCs in site B (with netlogon process),DCb
returns DCb and DCa !

an nslookup set type=srv _ldap._tcp.siteB._sites.domain.local shows the 2
DCs

- DCa.domain.local

- DCb.domain.local

 

When i search in dns console, i found that DCa still present in site B, i
think

RE: RE: RE: [ActiveDir] Question about DNS SRV registration.

2007-01-24 Thread Ulf B. Simon-Weidner
Hello Yann,

 

unfortunately not – MS-Press said they will decide whether it’s selling
well, and it sold very well (and we were asked if we’d like to come up with
a second release already after a few months), but I doubt they’ll do it since
the timeframe is getting shorter every day (Longhorn’s approaching ;-) ).

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 


 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, 24 January 2007 16:23
To: ActiveDir@mail.activedir.org
Subject: RE : RE: RE: [ActiveDir] Question about DNS SRV registration.

 

Ulf,

 

Thanks for clarification.

I will follow your advices. :)

 

Just an OT ... I found your Windows Server 2003 book on amazon.com here

http://www.amazon.de/exec/obidos/ASIN/3866456042

 

Do you have english (or french version) of the book available ?

 

Cheers,

 

Yann

Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

Hello Yann,

 

you’re welcome!

 

No – it is not best practice to disable it. The effect you have is only
happening if a Site has no DC assigned to it, or if a single DC of a Site is
offline for a while. It is important that the Clients are able to look up a
DC, and if you disable Automatic Site Coverage and a Site is without a DC
for some time Clients may experience longer logon times, and they might fall
back on a DC which is in a site which goes over multiple WAN links. I’d say
best practice is to keep the Automatic Site Coverage active, and check once
in a while if there are wrong registrations which you may delete if the DCs
of that Site are back online. They will also dissolve if you enable aging
and scavenging.

 

Also what some customers are doing is the following: Assuming a “Star-shaped
Network Topology” with a Hub-Site where each Branch connects to, they are
configuring the DCs of the Hub-Site to register their SRV-Records at the
Branch Sites with a lower Priority than default, therefore the Branch-Office
Clients will use the Branch-Office DC as long as it’s available but fall
back to the Hub DCs when the BO-DC is not available.

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 


 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, 24 January 2007 11:19
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] Question about DNS SRV registration.

 

Hello Ulf,

 

Thanks so much for such explanations! That rocks!

2 interesting points you pointed to me

 

So if I understand, it is good practice, in my case, to disable automatic
site coverage?

 

After checking our production, Automatic site coverage is effectively set to
disable (set on default domain controller policy). So it seems that DCa is
still advertising himself as DC in site B. I will look why the process does
not work in our case... :(

 

We did not configure automatic aging/scavenging, I will look also into this
option.

 

Thanks again,

 

Yann

Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

Hello Yann,

 

this is usual and happens because Site B was configured in Active Directory
before DC B was there and assigned to that site. Automatic Site Coverage is
the process which is taking care of this effect. What it does, is making
sure that every site in Active Directory has DCs. If a DC detects a site
which has no DCs assigned to it, it will try to figure out if he’s a “close”
DC (not crossing multiple site-links) and assigning himself to that site.

 

So since Site B was configured and DC A was the only DC in your environment,
DC A decided to advertise himself as DC in Site B. However since DC B exists
now, DC A will not refresh those records, and if you have aging and
scavenging configured the “old” records of DC A in Site B will vanish.

 

You can also delete those records if you wish, as long as the records of DC
B are registered in Site B you can delete the records of DC A in Site B,
however make sure that you are only deleting the SRV-Records underneath the
DNS-Subdomains of the Site-specific Records in the “Site B”-DNS-Domains
(looks like folders in the DNS Managementconsole).

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 


RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-24 Thread Ulf B. Simon-Weidner
Hello nme,

 

quite easy - create a new host with the name "test.1" in your domain's zone
and it'll be created under the same folder.

 

Those folders you see underneath the zone (and Zones are all on the top
level, right after Forward Lookup Zones and Reverse Lookup Zones) do not
really exist; in DNS only the records exist within a zone and the
DNS management console makes those folders up to navigate easily. The
folders are displayed with every segment distinguished by a "."
(dot/point).

 

So for example there's a record

_ldap._tcp.Default-First-Site-Name._sites.example.com IN SRV yadda-yadda

 

Which is displayed in dnsmgmt.msc underneath

 

Example.com
|
+- _sites
| |
| +- Default-First-Site-Name
| | |
| | +- _tcp

 

However, if you look in the Active Directory Container which holds the zone
(or in the file if DNS is not AD-integrated) you will neither see
subcontainers or objects with the names _tcp... or
Default-First-Site-Name... or _sites... - they are just made up because
there's a single (or multiple records) which have those names between dots.

 

So in your case - if the record was created manually, you might just
recreate it without a ".1" at the end (test this and verify the printer's
name), if it was registered automatically you need to change the name of the
printer.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 


 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of EIS Lists
Sent: Wednesday, 24 January 2007 20:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

Hi -

 

Under one of our forward lookup zones (AD-integrated), we have the usual
folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well
as a single folder just named: "1" (without the quotes). There is a single
A-record under it for one of our printers.

 

Any idea what this folder is?

 

Thanks.

 

-- nme

 

 

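Ulf's point that the console folders are derived purely from the dots in record names, rebuilt as an added PowerShell example that is not from the thread; the record names are constructed, and the function generalizes the single _ldap example to any set of records, including a "printer.1" host that produces the "1" folder.

```powershell
# Added example (not from the thread): rebuild the "folders" dnsmgmt.msc shows
# from nothing but record names, which is all a zone really contains. Every label
# right of the leftmost one becomes a folder level, read from the zone apex
# inwards, so a host registered as "printer.1" lands under a folder named "1".
# Record names are constructed.
function Get-DnsFolderTree {
    param(
        [Parameter(Mandatory)][string]   $Zone,
        [Parameter(Mandatory)][string[]] $RecordNames   # FQDNs of records in the zone
    )
    $tree   = @{}
    $suffix = '.' + $Zone.ToLower()
    foreach ($fqdn in $RecordNames) {
        $rel = $fqdn.ToLower().TrimEnd('.')
        if ($rel -eq $Zone.ToLower()) {
            $labels = @('(same as parent folder)')        # record at the zone apex
        } elseif ($rel.EndsWith($suffix)) {
            $labels = $rel.Substring(0, $rel.Length - $suffix.Length).Split('.')
        } else {
            continue                                        # not a record of this zone
        }
        # folders are all labels except the leftmost, ordered from the apex inwards
        $folders = @()
        if ($labels.Length -gt 1) { $folders = $labels[($labels.Length - 1)..1] }
        $node = $tree
        foreach ($f in $folders) {
            if (-not $node.ContainsKey($f)) { $node[$f] = @{} }   # "folder" = just a shared label
            $node = $node[$f]
        }
        if (-not $node.ContainsKey('_records')) { $node['_records'] = @() }
        $node['_records'] += $labels[0]                    # leftmost label = record name shown
    }
    return $tree
}

function Format-DnsFolderTree {
    param([Parameter(Mandatory)][hashtable]$Node, [int]$Depth = 0)
    $indent = '  ' * $Depth
    foreach ($name in ($Node.Keys | Where-Object { $_ -ne '_records' } | Sort-Object)) {
        "$indent+- $name"
        Format-DnsFolderTree -Node $Node[$name] -Depth ($Depth + 1)
    }
    foreach ($rec in @($Node['_records'])) {
        if ($rec) { "$indent   $rec" }
    }
}

# Constructed records: three of the usual AD-DNS entries and the printer from the thread.
$sample = @(
    '_ldap._tcp.Default-First-Site-Name._sites.example.com',
    '_kerberos._tcp.dc._msdcs.example.com',
    'dc1.example.com',
    'printer.1.example.com'
)
'example.com'
Format-DnsFolderTree -Node (Get-DnsFolderTree -Zone 'example.com' -RecordNames $sample) -Depth 1
```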

RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-24 Thread Ulf B. Simon-Weidner
No Zone – no properties ;-)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 20:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

What are the properties of the "1" zone?

On 1/24/07, EIS Lists [EMAIL PROTECTED] wrote:

Hi -



Under one of our forward lookup zones (AD-integrated), we have the usual
folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well
as a single folder just named: "1" (without the quotes). There is a single
A-record under it for one of our printers.



Any idea what this folder is?



Thanks.



-- nme







 



RE: [ActiveDir] ftp access

2007-01-24 Thread Ulf B. Simon-Weidner
Did you try to change the local Group Policy of the IIS-Machine not to
prompt the user to change password before it expires? Maybe it's somehow
connected with this mechanism.

 

The GPO is underneath

Computer Configuration / Windows Settings / Security Settings / Local
Policies / Security Options

 

And is named

Interactive logon: Prompt user to change password before expiration

 

Just a guess. 

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 


 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Monday, 22 January 2007 23:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ftp access

 

I've set up ftp access to users' network drives so they have access to them
remotely.  I recently noticed something very peculiar.  Their ftp access
stops working when they start getting warnings that their password is going
to expire.  I don't know if this is just a coincidence but once they change
their password it starts working again.  If anyone knows anything about
this, I would appreciate any advice.

 

Antonio Aranda

Network Analyst

UT-Permian Basin

432-552-2413 

 



RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-24 Thread Ulf B. Simon-Weidner
Just 9:30 pm here, so not really late.

 

Many are mixing up the zones with the “DNS-Subdomains” or whatever they are 
actually called. But in this case he even had it right, he said that under the 
domain zone he has the “_*”-folders as well as a folder “1”. I had to reread 
too ;-)

 

How are things? See you in March?

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 


 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 21:17
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone


That's what I would expect.  But since the original poster called it a zone I 
figured I'd ask. What are you doing up so late? :)

On 1/24/07, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

No Zone – no properties ;-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Mittwoch, 24. Januar 2007 20:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

What are the properties of the "1" zone?

On 1/24/07, EIS Lists [EMAIL PROTECTED] wrote:

Hi -



Under one of our forward lookup zones (AD-integrated), we have the usual
folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well
as a single folder just named "1" (without the quotes). There is a single
A-record under it for one of our printers.



Any idea what this folder is?



Thanks.



-- nme

RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-24 Thread Ulf B. Simon-Weidner
You're welcome!

Ulf


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of EIS Lists
Sent: Mittwoch, 24. Januar 2007 22:29
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

Thanks, all. Ulf, your explanation was great! I am sure it was someone
(probably me!) who just typed a ".1" in some setting on the printer and allowed it
to register in DNS.

Many thanks.

-- nme

Noah Eiger


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Wednesday, January 24, 2007 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

Just 9:30 pm here, so not really late.

Many are mixing up the zones with the "DNS-Subdomains" or whatever they are
actually called. But in this case he even had it right, he said that under
the domain zone he has the "_*"-folders as well as a folder "1". I had to
reread too ;-)

How are things? See you in March?

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Mittwoch, 24. Januar 2007 21:17
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone


That's what I would expect.  But since the original poster called it a
zone I figured I'd ask. What are you doing up so late? :)

On 1/24/07, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

No Zone - no properties ;-)


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Mittwoch, 24. Januar 2007 20:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

What are the properties of the "1" zone?

On 1/24/07, EIS Lists [EMAIL PROTECTED] wrote:

Hi -



Under one of our forward lookup zones (AD-integrated), we have the usual
folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well
as a single folder just named "1" (without the quotes). There is a single
A-record under it for one of our printers.



Any idea what this folder is?



Thanks.



-- nme

RE: [ActiveDir] Question about DNS SRV registration.

2007-01-23 Thread Ulf B. Simon-Weidner
Hello Yann,

this is usual and happens because Site B was configured in Active Directory
before DC B was there and assigned to that site. Automatic Site Coverage is
the process which is taking care of this effect. What it does is make
sure that every site in Active Directory has DCs. If a DC detects a site
which has no DCs assigned to it, it will try to figure out if he’s a “close”
DC (not crossing multiple site-links) and assign himself to that site.

So since Site B was configured and DC A was the only DC in your environment,
DC A decided to advertise himself as DC in Site B. However since DC B exists
now, DC A will not refresh those records, and if you have aging and
scavenging configured the “old” records of DC A in Site B will vanish.

You can also delete those records if you wish, as long as the records of DC
B are registered in Site B you can delete the records of DC A in Site B,
however make sure that you are only deleting the SRV-Records underneath the
DNS-Subdomains of the Site-specific Records in the “Site B”-DNS-Domains
(looks like folders in the DNS Management console).

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Dienstag, 23. Januar 2007 22:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about DNS SRV registration.

Hello all and happy new year :-),

Say:

- Site A with DCa that is also DNS (integrated to AD).

- Site B that is a new site.

My goal: dcpromo a new DC (DCb) in site B. DCb will also be DNS (integrated
to AD).

- DCa & DCb belong to the same domain (domain.local).

My AD is W2K3 FFL mode.

In order to add the new DCb in the existing domain.com, DCb is DNS client
to DCa.

When dcpromo is finished, I configured:

- DCb as DNS client for himself

- DCa as secondary DNS server for DCb.

Everything looks good .. BUT:

When clients in site B ask for all DCs in site B (with the netlogon process), DCb
returns DCb and DCa!

An nslookup (set type=srv _ldap._tcp.siteB._sites.domain.local) shows the 2
DCs:

- DCa.domain.local

- DCb.domain.local

When I search in the DNS console, I found that DCa is still present in site B. I
think this is due to the fact that DCb's NIC allows dynamic update and thus
dynamically records DCa's SRV records.

The only way I found to avoid DCb returning DCa to clients in site B is to
delete the SRV records for DCa in DNS (site B).

Question:

What is the best practice to avoid DCb returning DCa to clients, and where in
the process am I wrong?

Thanks,

Yann


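The check Ulf describes can be scripted: for every site-specific SRV record, compare the DC it points at with the site that DC is actually assigned to, and only treat a mismatch as deletable when a DC that really lives in that site already has its own record there. The following is an added example and not code from the thread; the nslookup output and the DC-to-site map inside it are constructed for illustration (Python standing in for an nslookup/dnscmd plus PowerShell loop), and it checks per service, which is slightly stricter than Ulf's condition.

```python
"""Audit site-specific DC SRV records for Automatic Site Coverage leftovers.

Added example (not from the thread). It models Yann's case: a query for
_ldap._tcp.<site>._sites.<domain> returns a DC that is not assigned to
that site. Both inputs below are constructed: SAMPLE_NSLOOKUP imitates
`nslookup -type=srv` output, DC_SITE is the site assignment you would read
from Active Directory Sites and Services.
"""
import re
from collections import defaultdict

SAMPLE_NSLOOKUP = """\
_ldap._tcp.siteB._sites.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = DCa.domain.local
_ldap._tcp.siteB._sites.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = DCb.domain.local
_kerberos._tcp.siteB._sites.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = DCa.domain.local
_ldap._tcp.siteA._sites.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = DCa.domain.local
"""

# Constructed: the site each DC is really assigned to (host names lower-cased).
DC_SITE = {"dca.domain.local": "siteA", "dcb.domain.local": "siteB"}

# Record name of a site-specific SRV record: _<service>._tcp.<site>._sites.<domain>
SRV_NAME = re.compile(
    r"^_(?P<service>[a-z]+)\._tcp\.(?P<site>[^.\s]+)\._sites\.(?P<domain>\S+)\s+SRV", re.I)
SRV_TARGET = re.compile(r"svr hostname\s*=\s*(\S+)")


def parse_srv(text):
    """Turn nslookup SRV output into (site, service, target_host) tuples."""
    records = []
    current = None
    for line in text.splitlines():
        name = SRV_NAME.match(line)
        if name:
            current = (name.group("site"), name.group("service").lower())
            continue
        target = SRV_TARGET.search(line)
        if target and current:
            records.append((current[0], current[1],
                            target.group(1).lower().rstrip(".")))
            current = None
    return records


def find_stale(records, dc_site):
    """Records whose target DC is not assigned to the site named in the record.

    A record is only marked safe_to_delete when at least one DC that really
    lives in that site has its own record for the same service there, which
    is the condition given above before removing DC A's records from Site B."""
    home_dc_present = defaultdict(set)
    for site, service, host in records:
        if dc_site.get(host) == site:
            home_dc_present[(site, service)].add(host)
    stale = []
    for site, service, host in records:
        if dc_site.get(host) != site:
            stale.append({
                "site": site,
                "service": service,
                "dc": host,
                "dc_home_site": dc_site.get(host),
                "safe_to_delete": bool(home_dc_present[(site, service)]),
            })
    return stale


if __name__ == "__main__":
    for entry in find_stale(parse_srv(SAMPLE_NSLOOKUP), DC_SITE):
        print(entry)
```

Records that are not safe to delete are the ones to leave alone until the site's own DC has registered; if aging and scavenging are enabled they disappear on their own once the covering DC stops refreshing them.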

RE: [ActiveDir] Quest Recovery Manager

2007-01-21 Thread Ulf B. Simon-Weidner
Hi Neil and Joe,

what I meant is that I'd evaluate the price-tag of third-party software
against waiting for the next release and deploying the first machine (if
something would be fixed / easier with a single installation of the next
OS).

So:

1.   Get the price for the 3rd Party Product

2.   Evaluate if you'd use it with the next version

3.   Evaluate how many machines you'd have to deploy to get the feature

4.   Judge how long it'll take you until the next version is RTM + you
are ready to roll out #3's amount of machines

5.   Compare if you are willing to invest #1's amount of money to get the
feature before #4

So if a 3rd Party Vendor is telling me that the time is right to get their
product, I'd still evaluate the above factors before making a decision. If it's
a special offer right now it might affect the math ;-)

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Montag, 11. Dezember 2006 09:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

I disagree with your disagreement :)

How long do you wait? Do you wait until Intel releases a new chip too? What
about the version after Longhorn?? There are always new technologies on the
horizon - my company needs solutions to its problems now, based upon the
technology it uses today.

When assessing solutions, I look at the relevant roadmaps and how future
proof that solution might be as well as the solution provider's track record
in the space studied - but the major decision points always rest with its
suitability to the present situation.

neil


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: 10 December 2006 12:06
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

I do disagree since we might have other wishes, issues, possibilities with
Longhorn, so I'd wait when spending a lot of money.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Donnerstag, 7. Dezember 2006 00:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

It is an excellent time to purchase Quest software.

(In my opinion, my views do not represent my employer :) :))


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, December 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Yeah. Sit down with your team and figure out what it is you need - must
have, would like to have, and nice to have. Then, tell all the vendors you
want a little webinar (they love these), and then compare your notes after
each/all of them again. Rule out any ones now that don't do the trick


Then go get ready to have it shoved way up your ass when they give you the
pricing. Then you can suggest (if they haven't already) that they come
discuss it in further and plan on a lunch/dinner or two on their dime while
you further discuss how expensive their stuff is and what they can do for
you to make it more attractive. The Quest guys told me the other day they
had a lot of leeway on some pricing for one of my clients so I'm wondering
if this is the end of the year for the salesmen and they need to make their
year this month (if so this is an excellent time to buy Quest software).


Now that said, I've worked in a few large shops, and we haven't had any of
this frilly fancy shit. It's expensive, I hate the per head/per seat/per
whatever pricing, and frankly all I think it does is idiot proof what's
already there. Rather than having something do it for you, why don't you
learn how it does it, because then you'll be smarter, and you can go get a
new better job with your new found talents.


That said there is some cool shit from quest and NetIQ and those guys - I'm
into the change control/management stuff in shops where there are too many
cooks in the kitchen. Quest's migration stuff is of course great if you can
afford it.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto

RE: [ActiveDir] release date for W2K3/SP2?

2007-01-21 Thread Ulf B. Simon-Weidner
I can't remember exactly, but I think I've heard a Q1 at one of the
conferences last year. IIRC.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Freitag, 19. Januar 2007 22:17
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] release date for W2K3/SP2?

Has anyone heard of a release date for Windows Server 2003/SP2? Thanks.


Mike Thommes



RE: [ActiveDir] AdminSDHolder orphans

2007-01-21 Thread Ulf B. Simon-Weidner
Hi Tony,

late response as well - sorry.

I guess why this isn't cleaned up is the same thing as in many other issues.

If you have an admin who is in certain operator groups, and he's
losing those groups, it's likely that he has been delegated in some other
ways. So by not reversing the settings the account is still protected from
malicious delegated admins, and someone with higher privileges has to look at
this account and take care of it (e.g. looking if it's still in the right
OU).

On the other hand - and as the others mentioned - this task of cleaning up
should not run as often. And you'll either need to store the previous
permissions (we don't have an attribute for this right now), or reset to
some default permissions (we don't have a container to store them right
now), or force the reset of the inheritance and propagate parent permissions
down. Also how would we decide to reset the inheritance flag automatically -
there might be accounts in the OU which have on purpose the inheritance flag
turned off - so is a prior admin supposed to have inheritance turned on or
off in those OUs?

I don't think the task of resetting the inheritance flag would be
complicated, but it's complicated to generalize that it should be reset in
any case.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Dienstag, 19. Dezember 2006 02:32
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AdminSDHolder orphans


Just wanted to get your opinion on something.

When an object becomes a member of one of the groups protected by the
AdminSDHolder, the next run of the SDProp thread will:

•   Replace the object’s security descriptor with that of the
AdminSDHolder;
•   Disable permissions inheritance on the object;
•   Set a new adminCount attribute with a value > 0 on the object.

If the object is then removed from the protected group(s), the changes made
by the AdminSDHolder are not reversed.  In other words, the adminCount value
remains the same, as does the security descriptor.

Is it just me or does anyone think this behaviour a little strange?  What I
am finding in many environments is a large number of these AdminSDHolder
“orphans”.  These can arise quite easily, e.g. an account is made a
temporary member of a privileged group to perform a specific task or someone
changes role within the organisation.  Of course I realise that in a perfect
world these scenarios would be minimised by the use of dual accounts for
splitting standard vs. admin functions, but the reality is that it is all
too common.

The AdminSDHolder orphans can cause problems when troubleshooting delegation
issues.  For example, I came across this issue recently when setting up
permissions for GAL Sync using IIFP.  I had to tidy up before the sync would
complete without errors.

Does anyone run a regular cleanup using the script provided in this article
(or similar)?

http://support.microsoft.com/kb/817433

Do you think the AdminSDHolder behaviour should be changed to clean-up after
itself?  

Tony 





Sent via the WebMail system at mail.activedir.org

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] AdminSDHolder orphans

2007-01-21 Thread Ulf B. Simon-Weidner
I think you make a great point here. Actually I'd prefer something like this
in the Eventlog:

Event xxx: AdminSDHolder has detected that the following account does not
belong to any administrative groups anymore. Administrative action is
required to set security on this object as intended. Please set the
attribute adminCount to 0 after justifying the security settings on this
account.

You know - the same thing as we get when we didn't back up for a while, when
clients log on whose IP doesn't belong to any AD subnets, ... one of those
maintenance events ;-)

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Montag, 22. Januar 2007 01:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolder orphans

Hi Ulf

Thanks for the thoughts.

I can see there could be issues with trying to revert settings after an
object is removed from one of the protected groups.  I'm now leaning towards
the idea of reporting, rather than taking wholesale action.  It would be
good to have a canned report that shows all of the objects currently
protected by the AdminSDHolder, compared with all those that have an
adminCount value of 1 (or higher).  An administrator could then make the
decision to enable permissions inheritance on a case-by-case basis for
objects listed in the second category but not the first.

Sounds like a feature Joe should add to one of his many freeware tools. The
behaviour would be similar to OldCMP.  ;-)

Tony



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Monday, 22 January 2007 11:32 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolder orphans

Hi Tony,

late response as well - sorry.

I guess why this isn't cleaned up is the same thing as in many other issues.

If you have an admin who is in certain operator groups, and he's
losing those groups, it's likely that he has been delegated in some other
ways. So by not reversing the settings the account is still protected from
malicious delegated admins, and someone with higher privileges has to look at
this account and take care of it (e.g. looking if it's still in the right
OU).

On the other hand - and as the others mentioned - this task of cleaning up
should not run as often. And you'll either need to store the previous
permissions (we don't have an attribute for this right now), or reset to
some default permissions (we don't have a container to store them right
now), or force the reset of the inheritance and propagate parent permissions
down. Also how would we decide to reset the inheritance flag automatically -
there might be accounts in the OU which have on purpose the inheritance flag
turned off - so is a prior admin supposed to have inheritance turned on or
off in those OUs?

I don't think the task of resetting the inheritance flag would be
complicated, but it's complicated to generalize that it should be reset in
any case.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Dienstag, 19. Dezember 2006 02:32
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AdminSDHolder orphans


Just wanted to get your opinion on something.

When an object becomes a member of one of the groups protected by the
AdminSDHolder, the next run of the SDProp thread will:

•   Replace the object’s security descriptor with that of the
AdminSDHolder;
•   Disable permissions inheritance on the object;
•   Set a new adminCount attribute with a value > 0 on the object.

If the object is then removed from the protected group(s), the changes made
by the AdminSDHolder are not reversed.  In other words, the adminCount value
remains the same, as does the security descriptor.

Is it just me or does anyone think this behaviour a little strange?  What I
am finding in many environments is a large number of these AdminSDHolder
“orphans”.  These can arise quite easily, e.g. an account is made a
temporary member of a privileged group to perform a specific task or someone
changes role within the organisation.  Of course I realise that in a perfect
world these scenarios would be minimised by the use of dual accounts for
splitting standard vs. admin functions, but the reality is that it is all
too common.

The AdminSDHolder orphans can cause problems when troubleshooting delegation
issues.  For example, I came across this issue recently when setting up
permissions for GAL Sync using IIFP.  I

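The report Tony sketches above (everything SDProp currently protects, compared with everything stamped adminCount=1, so that inheritance is re-enabled case by case rather than by a blanket reset) comes down to a transitive walk of group membership. The following added example is not from the thread and not the KB 817433 script; it runs against a small in-memory directory that is constructed for illustration, with the protected-group list as it stands for Windows Server 2003 SP1 (the exact set depends on the OS version and on dSHeuristics), and Python stands in for the LDAP or PowerShell you would use against a real domain.

```python
"""Report AdminSDHolder "orphans": objects whose adminCount is set but which
are no longer (directly or through nesting) members of a protected group,
plus the reverse list, objects SDProp will protect on its next run.

Added example, not from the thread. GROUP_MEMBERS and ADMIN_COUNT are a
constructed stand-in for what you would read from the directory over LDAP
(member attribute of each group, adminCount of each object).
"""
from collections import deque

# Groups protected by AdminSDHolder on Windows Server 2003 SP1. The exact set
# depends on the OS version and on the dSHeuristics operator-group exclusions.
PROTECTED_GROUPS = frozenset({
    "Administrators", "Account Operators", "Server Operators",
    "Print Operators", "Backup Operators", "Replicator",
    "Domain Admins", "Domain Controllers", "Schema Admins",
    "Enterprise Admins",
})
# These accounts are protected by SDProp regardless of group membership.
ALWAYS_PROTECTED = frozenset({"Administrator", "krbtgt"})

# Constructed directory: group -> direct members (users or nested groups).
GROUP_MEMBERS = {
    "Domain Admins": {"alice", "Tier0-Ops"},
    "Tier0-Ops": {"bob"},                 # nested group: bob is protected via Domain Admins
    "Account Operators": {"Helpdesk-Leads"},
    "Helpdesk-Leads": set(),              # carol was removed from here; her ACL stayed
    "Server Operators": set(),
    "GAL-Sync-Service": {"dave"},         # ordinary group, not protected
}
# Constructed adminCount values as they currently stand (absent == not set).
ADMIN_COUNT = {
    "Administrator": 1, "krbtgt": 1,
    "alice": 1, "bob": 1,
    "carol": 1,      # orphan: left Helpdesk-Leads, adminCount never reset
    "dave": 1,       # orphan: set by hand at some point, never a protected member
    "erin": 0,
}


def protected_members(group_members, protected_groups=PROTECTED_GROUPS):
    """Every object SDProp would protect: the protected groups that exist, the
    always-protected accounts, and all transitive members of those groups."""
    protected = set(g for g in protected_groups if g in group_members)
    protected |= ALWAYS_PROTECTED
    queue = deque(protected & set(group_members))
    while queue:
        group = queue.popleft()
        for member in group_members.get(group, ()):
            if member in protected:
                continue          # already visited; also breaks membership cycles
            protected.add(member)
            if member in group_members:
                queue.append(member)   # nested group: walk into it
    return protected


def adminsdholder_orphans(group_members, admin_count):
    """Objects flagged adminCount>=1 that are no longer protected. These are
    the candidates to review before re-enabling inheritance."""
    protected = protected_members(group_members)
    return sorted(o for o, n in admin_count.items() if n >= 1 and o not in protected)


def pending_protection(group_members, admin_count):
    """Protected objects whose adminCount is not yet set: SDProp will stamp
    them on its next run (by default every 60 minutes on the PDC emulator)."""
    protected = protected_members(group_members)
    return sorted(o for o in protected if admin_count.get(o, 0) < 1)


if __name__ == "__main__":
    print("orphans:", adminsdholder_orphans(GROUP_MEMBERS, ADMIN_COUNT))
    print("pending:", pending_protection(GROUP_MEMBERS, ADMIN_COUNT))
```

The orphan list is deliberately a report only: as discussed above, an orphan may still hold delegated rights elsewhere, so whether to re-enable inheritance and clear adminCount is a decision for someone with higher privileges, not for the script.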
RE: [ActiveDir] AD Schema Extensions and Exchange System Manager

2006-12-18 Thread Ulf B. Simon-Weidner
Exactly. You need to configure MapiIDs, however there is no supported way to
change the MapiID and (as opposed to LinkIds) there's no procedure to
reserve a MapiID for your internal use. Very old documentation shows a range
marked as private, but I couldn't get any authoritative message from MS that
this is respected.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Waters, MW (Mike)
Sent: Montag, 18. Dezember 2006 11:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema Extensions and Exchange System Manager

Thanks very much for the pointer ... a quick Google then got me a little
further.

I now know how to do it, but "not supported by Microsoft" is what I'm
hearing. So pause for thought ...

Thanks again

Mike Waters


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 17 December 2006 01:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema Extensions and Exchange System Manager

I am not positive on this, but I think you need to look at mAPIIDs.

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Waters, MW (Mike)
Sent: Tuesday, December 05, 2006 5:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Schema Extensions and Exchange System Manager

Excellent mail list ... keep up the good work!

But can anyone help me ..

For various reasons we have extended the schema in our Active Directory
(test only at present) to add further local attributes to users.

All is working well until I attempt to make use of the data in these extra
attributes within Exchange System Manager (ESM). Specifically, I would like
to extend the user template visible from Outlook Address Book to display
information contained in the schema extensions.

Unfortunately, the ESM only allows a handful of attributes to be picked for
display and none of them our extensions.

Anyone know how to coerce ESM to allow other user attributes to be chosen?

Regards

Mike Waters



RE: [ActiveDir] Delegate VPN rights

2006-12-03 Thread Ulf B. Simon-Weidner
Correct - however certain things in this tab do update the
userProperties attribute. This attribute does not hold clear data. So
depending on the attributes and their requirements you'll have to use other
things than LDP/ADSIEdit or generic scripting without using the supported
interfaces.

Ulf


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Freitag, 1. Dezember 2006 01:26
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate VPN rights

Keep in mind that this is only via the ADUC UI - since you have already
delegated this to the user you can use ldp\script etc. to set
msNPAllowDialin == true.

It should reflect properly in ADUC when you next view that user.

spat

- Original Message -

From: Ulf B. Simon-Weidner [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org

Sent: Thursday, November 30, 2006 2:18 PM

Subject: RE: [ActiveDir] Delegate VPN rights


Hi Ben,

the entire Dial-In Tab doesn't allow granular delegation - you need to
delegate everything which is on the tab since it's writing back all
attributes on the Tab no matter what. If you feel this is wrong open up a
case with PSS and line up in the row of customers which want this changed.
I've had a Critical Design Change Request with an Insurance Group about
this, however it was not requested by other customers at this time and
therefore not changed for a single customer.

Some info I wrote once about this issue:

http://www.windowsserverfaq.de/faq/DialInTab.asp

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Donnerstag, 30. November 2006 18:35
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate VPN rights

I'm attempting to delegate out the permissions to adjust the Remote Access
Permissions under the Dial-In tab in Active Directory for user accounts.
When performing an LDAP query, I notice that changes to this setting are
recorded in the msNPAllowDialin attribute: set to False when "Deny Access" is
set, True when "Allow Access" is set, and not set when "Control Access
through Remote Access Policy" is set.

However when I attempt to delegate out the rights to a security group so
they can modify this, it is not listed as a selectable property. Am I
missing something here? Should I be looking for a different property to
delegate out this right?

Thanks,

~Ben Watson



RE: [ActiveDir] Delegate VPN rights

2006-11-30 Thread Ulf B. Simon-Weidner
Hi Ben,

the entire Dial-In Tab doesn't allow granular delegation - you need to
delegate everything which is on the tab since it's writing back all
attributes on the Tab no matter what. If you feel this is wrong open up a
case with PSS and line up in the row of customers which want this changed.
I've had a Critical Design Change Request with an Insurance Group about
this, however it was not requested by other customers at this time and
therefore not changed for a single customer.

Some info I wrote once about this issue:

http://www.windowsserverfaq.de/faq/DialInTab.asp

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Donnerstag, 30. November 2006 18:35
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate VPN rights

I'm attempting to delegate out the permissions to adjust the Remote Access
Permissions under the Dial-In tab in Active Directory for user accounts.
When performing an LDAP query, I notice that changes to this setting are
recorded in the msNPAllowDialin attribute: set to False when "Deny Access" is
set, True when "Allow Access" is set, and not set when "Control Access
through Remote Access Policy" is set.

However when I attempt to delegate out the rights to a security group so
they can modify this, it is not listed as a selectable property. Am I
missing something here? Should I be looking for a different property to
delegate out this right?

Thanks,

~Ben Watson



RE: [ActiveDir] ldp in ADAM-SP1

2006-09-30 Thread Ulf B. Simon-Weidner
Just stepped across this - thanks for fixing it!

Ulf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Freitag, 4. August 2006 09:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

Hi Dmitri,

And DSAcls still does not display a computer account's ACL if someone was
delegated permission to join a computer to this account using ADUC:
http://www.windowsserverfaq.org/faq/CompACLs.asp

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dmitri Gavrilov
Sent: Thursday, July 27, 2006 7:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

Guido, which changes do you want to see in dsacls in B3?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 25, 2006 6:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

well, for Win2000 and Win2003 AD that tool is DSACLS for 95% of what you
should need to do. You've already tripped over some of its limitations
especially around handling the confidential bit - however, I have not seen
many customers that actually leverage the confidential bit yet for anything
else but OS features (for example for PKI credential roaming).
It would be nice to leverage it for many more lockdown scenarios, but you
can't use it for the base schema attributes (category 1), which includes
almost all of the interesting attributes you may want to restrict access to.
Of course you can use it for your own schema extensions.

For file-system ACLing that tool is CACLS or XCACLS - probably for 99% of
what you need to do. Note for the FS you may also want to check out the
betas of either Windows Longhorn or the current Windows 2003 SP2 => they
include a new commandline ACLing tool called Icacls.exe, which can be used
to reset the account control lists (ACL) on files from Recovery Console, and
to back up ACLs. It can also handle replacement of ACLs (much like subinacl)
and works well with either names or SIDs. At last, unlike Cacls.exe,
Icacls.exe preserves canonical ordering of ACEs and thus correctly
propagates changes to and creation of inherited ACLs.

DSACLs has only been updated slightly in LH, but I hope to see some more
changes prior to beta 3.

At last, depending on your requirements, you may also need to look into
changing the default security descriptor of some of the objects (for
example, check out all the default write permissions, which every user is
granted on its own object via the SELF security principal; many companies
are still unaware of this). You can check these rights most easily via the
schema mgmt mmc (check properties of a class object, such as user, and click
on the Default Security tab).

So it's fair to say that although handling ACLs remains to be a complex
topic, you can get most of the things done with existing commandline tools
from MSFT. Sometimes it will simply be more appropriate to use the UI for a
few settings. And there is always the option to script setting ACLs if you
really have special requirements.


As for your delegation model = I would not have the goal to teach your
delegated admins how to do ACLing inside AD. I'm fine with a delegated admin
doing the security on a file-server that he completely manages on his own.
But AD security should be kept in the hand of domain and enterprise admins
(partly because it is rather complex and you only want few folks to fiddle
around with it, partly because it is plain risky to do it otherwise).  The
critical piece for most delegation models to succeed is to build a centrally
controlled OU structure (ideally standardized for your different delegated
admin units as I like to call them and not to grant your data admin (= the
delegated admins) any rights to create OUs themselves (otherwise - with the
current ACLing model - you can't prevent them to configure the security of
the OU).
Basically the same is true for any objects they create, but it's the OUs
that allow you to manage the security for multiple child objects at once
(and thus these need to be controlled centrally). Many more things to share
in this respect, but no delegation model is the same as any other so you're
best to understand and plan it from the ground up. There may be similarities
between many models, but for the various infrastructures I've planned, every
customer has had their special requirements.

/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Tuesday, July 25, 2006 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

Wow,

Thanks you

RE: [ActiveDir] ldp in ADAM-SP1

2006-08-04 Thread Ulf B. Simon-Weidner
Hi Dmitri,

And DSAcls still does not display a computer account's ACL if someone was
delegated permission to join a computer to this account using ADUC:
http://www.windowsserverfaq.org/faq/CompACLs.asp

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dmitri Gavrilov
Sent: Thursday, July 27, 2006 7:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

Guido, which changes do you want to see in dsacls in B3?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 25, 2006 6:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

well, for Win2000 and Win2003 AD that tool is DSACLS for 95% of what you
should need to do. You've already tripped over some of its limitations,
especially around handling the confidential bit - however, I have not seen
many customers that actually leverage the confidential bit yet for anything
else but OS features (for example for PKI credential roaming).
It would be nice to leverage it for many more lockdown scenarios, but you
can't use it for the base schema attributes (category 1), which includes
almost all of the interesting attributes you may want to restrict access to.
Of course you can use it for your own schema extensions.

For file-system ACLing that tool is CACLS or XCACLS - probably for 99% of
what you need to do.  Note for the FS you may also want to check out the
betas of either Windows Longhorn or the current Windows 2003 SP2 = they
include a new commandline ACLing tool called Icacls.exe, which can be used
to reset the account control lists (ACL) on files from Recovery Console, and
to back up ACLs. It can also handle replacement of ACLs (much like subinacl)
and works well with either names or SIDs. At last, unlike Cacls.exe,
Icacls.exe preserves canonical ordering of ACEs and thus correctly
propagates changes to and creation of inherited ACLs.

DSACLs has only been updated slightly in LH, but I hope to see some more
changes prior to beta 3.

At last, depending on your requirements, you may also need to look into
changing the default security descriptor of some of the objects (for
example, check out all the default write permissions, which every user is
granted on its own object via the SELF security principal; many companies
are still unaware of this). You can check these rights most easily via the
schema mgmt mmc (check properties of a class object, such as user, and click
on the Default Security tab).

So it's fair to say that although handling ACLs remains a complex
topic, you can get most of the things done with existing commandline tools
from MSFT. Sometimes it will simply be more appropriate to use the UI for a
few settings. And there is always the option to script setting ACLs if you
really have special requirements.


As for your delegation model = I would not have the goal to teach your
delegated admins how to do ACLing inside AD. I'm fine with a delegated admin
doing the security on a file-server that he completely manages on his own.
But AD security should be kept in the hands of domain and enterprise admins
(partly because it is rather complex and you only want few folks to fiddle
around with it, partly because it is plain risky to do it otherwise).  The
critical piece for most delegation models to succeed is to build a centrally
controlled OU structure (ideally standardized for your different "delegated
admin units", as I like to call them) and not to grant your data admins (= the
delegated admins) any rights to create OUs themselves (otherwise - with the
current ACLing model - you can't prevent them from configuring the security of
the OU).
Basically the same is true for any objects they create, but it's the OUs
that allow you to manage the security for multiple child objects at once
(and thus these need to be controlled centrally). Many more things to share
in this respect, but no delegation model is the same as any other, so you're
best to understand and plan it from the ground up. There may be similarities
between many models, but for the various infrastructures I've planned, every
customer has had their special requirements.

/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Tuesday, July 25, 2006 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

Wow,

Thank you so much for the detailed info guys. Basically my goal is quite
simple. At least it is in my head. What I want to do, is to go through the
entire case study given in the AD delegation whitepaper, and do all of that
permissions configuration entirely at command line (where
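
Guido's point about the default write permissions that SELF gets on a user's own object, and his remark that ACLs can always be scripted, is easiest to act on by reading the class's defaultSecurityDescriptor (stored as an SDDL string on the schema object) and listing every ACE that grants the object itself (SDDL alias PS) write-property rights. The Python below is an added example for this thread, not code from the list or from any Microsoft tool: it parses the DACL part of an SDDL string, expands the two-letter right codes (and hex masks), and reports the SELF write ACEs. The sample SDDL and its three object GUIDs are constructed placeholders for the example, not values from a live schema; on a real forest you would feed it the SDDL exported from the schema class instead.

```python
import re

# Constructed sample, modelled on the shape of a schema class defaultSecurityDescriptor.
# The three object GUIDs are placeholders made up for this example; they do not
# identify real attributes or property sets.
SAMPLE_SDDL = (
    "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPLCLORC;;;AU)"
    "(OA;;RPWP;11111111-1111-1111-1111-111111111111;;PS)"
    "(OA;;RPWP;22222222-2222-2222-2222-222222222222;;PS)"
    "(OA;;WP;33333333-3333-3333-3333-333333333333;;PS)"
    "(A;;RC;;;PS)"
)

ACE_RE = re.compile(r"\(([^)]*)\)")
WRITE_PROPERTY = "WP"

# Directory-object access-right bits behind the two-letter SDDL codes, used when an
# ACE carries a raw hex mask instead of letter codes.
RIGHT_BITS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
    "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}


def dacl_part(sddl):
    """Return the text between 'D:' and the optional 'S:' (SACL) marker."""
    start = sddl.find("D:")
    if start < 0:
        return ""
    end = sddl.find("S:", start)
    return sddl[start + 2 : end if end >= 0 else len(sddl)]


def rights_set(rights):
    """Expand 'RPWP' into {'RP', 'WP'}; a hex mask is mapped through RIGHT_BITS."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {code for code, bit in RIGHT_BITS.items() if mask & bit}
    return {rights[i : i + 2] for i in range(0, len(rights), 2)}


def parse_aces(sddl):
    """Parse the DACL ACEs into dicts (type, flags, rights, object_guid, trustee)."""
    aces = []
    for m in ACE_RE.finditer(dacl_part(sddl)):
        fields = m.group(1).split(";")
        if len(fields) < 6:
            continue  # conditional/resource-attribute ACEs are out of scope here
        ace_type, flags, rights, obj_guid, _inh_guid, trustee = fields[:6]
        aces.append({
            "type": ace_type, "flags": flags, "rights": rights_set(rights),
            "object_guid": obj_guid, "trustee": trustee,
        })
    return aces


def self_write_aces(sddl):
    """Allow ACEs granting the object itself (PS) write-property rights.
    An empty object GUID means WP applies to every attribute of the object."""
    result = []
    for ace in parse_aces(sddl):
        if (ace["type"] in ("A", "OA") and ace["trustee"] == "PS"
                and WRITE_PROPERTY in ace["rights"]):
            result.append((ace["object_guid"] or "<all properties>", sorted(ace["rights"])))
    return result


def audit_report(sddl):
    """Human-readable summary of what SELF may write, for a delegation review."""
    hits = self_write_aces(sddl)
    lines = [f"SELF write ACEs in DACL: {len(hits)}"]
    lines += [f"  {guid}: {','.join(rights)}" for guid, rights in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    print(audit_report(SAMPLE_SDDL))
```

The ACE with only RC for PS is correctly skipped, and an allow ACE whose object GUID is empty is flagged as covering all properties, which is the case a review should catch first.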

RE: [ActiveDir] Vendor Domain

2006-07-24 Thread Ulf B. Simon-Weidner

Just a few thoughts to add since so many others already have given you great answers:

- I've heard that any changes to a network which has production status in a clinic, pharma-manufacturer or supplier will endanger FDA-approval.

- I know that many clinical devices are specialized workstations which are controlling devices, such as modern x-rays. They do have network access and may be members of a domain to provide doctors with x-rays and so on.

Sounds like your manufacturer is talking about such devices and is concerned that a change in a GPO which is affecting his appliance might break its functionality, e.g. putting certain signing or encryption policies in place, but the workstation talks to its hardware via proprietary SMB 

I just wanted to throw this into discussion - if we are talking about such devices/appliances I'd also prefer a different domain or even forest to manage them, or want to know very closely what the requirements are and keep an extra eye on those machines. Don't put lives at jeopardy b/c of a misconfigured GPO.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

 Profile & Publications: http://mvp.support.microsoft.com/profile=""
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Thursday, July 20, 2006 9:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

Thank you all. 

The vendor in question is bringing in a medical solution. Here is the response from the vendor so far. Mind you that we have lots of medical device solutions that exist in our domain, the FDA card is played as a blanket so you stop asking questions... we ran into the same issue with security patches. Why can't I patch that device? When we've looked at these FDA regulations in the past it turned out that there was more liability by not patching. 

From the vendor:

Let me start by thanking you for considering our support model and continuing to pursue supporting it in your organization. Our designers have architected the system to comply with Microsoft's best practices. We have implemented our own .local domain in an effort to provide solid system integrity founded on Kerberos authentication and a single sign-on experience for your clinicians. 

Our system relies heavily on the integrity of the Active Directory structure. We have integrated the launching of services and control of processes using this Microsoft recommended model. 

It has been our experience that relying on a hospital's Active Directory structure is a dependency that has opened our customers up to liabilities for the integrity of our regulated medical device. I liken the servers to a respirator. Having an outside person, no matter how qualified, work on a respirator would be a concern from a clinical standpoint. We have witnessed Group Policies applied to servers in a more open environment. This is a liability we do not want to expose our business partners to. Any change, no matter how minute to our system, would endanger our validation and designation as a XXX regulated medical device and would open you to failing FDA auditing.

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, July 20, 2006 12:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

I would tend to agree except in the case of Exchange, I am ALL FOR Exchange being run in a separate single domain forest, it solves an incredible number of problems such as the GC/NSPI problems as well as administrative isolation, etc. The exception there is if Exchange is deployed in a decentralized fashion out to all of the sites you already have DCs at, at that point, you probably want to fight with the issues with it in the main forest.

The biggest complaint I have seen for running a separate Single Domain Forest for Exchange is around provisioning and quite frankly, that really isn't all that involved and doesn't necessarily need a full blown MIIS/IIFP solution. It depends on what data is needed where. If you need all of the GAL info in the main NOS forest as well as the Exchange forest then you're looking more into metadata sync tools unless your provisioning is all being handled through a centralized mechanism and then that can be used to send the info in both directions and an actual tie between the domains for syncing isn't necessarily required.

But if this isn't Exchange, I would be curious to hear the details of the app and why they want a separate forest. Most vendors if they told me they did it in a stupid way that had that requirement I would beat them and tell them to fix it. With MSFT and Exchange, that only works a little bit. :)

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, Ju

RE: [ActiveDir] NTDS.DIT Size

2006-06-29 Thread Ulf B. Simon-Weidner

Hello Joshua,

I'd look at the whitespace to determine when to offline defrag a DC. You can enable the associated event which will tell you the amount of whitespace by setting the registry key HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\6 Garbage Collection to 1 instead of 0 (which is the default). Regkey might be likely - just typed it from hard.

This will give you an event every time when garbage collection runs (every 12 hrs) and tell you the amount of whitespace in the DB.

Whatever needs to be loaded should perform better when smaller.

I've heard that a DC on x64 will perform better than on 32-bit; since it's very likely you already have some of the newer servers with x64, I'd just give it a try for one DC yourself.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

 Profile & Publications: http://mvp.support.microsoft.com/profile=""
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Coffman
Sent: Thursday, June 29, 2006 10:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTDS.DIT Size

Our AD (NTDS.dit) is at 1.7GB (approx. 250,000 users).

Should an offline defrag be performed at a regular interval?

Some articles I read say it is only worthwhile if you are running low on space. We have plenty of drive space and RAM.

At what point should the AD be moved to 64 bit?

Thanks,

Josh

RE: [ActiveDir] New DC can't find the machine account

2006-05-31 Thread Ulf B. Simon-Weidner
Every joe is someone's joe, but Joe McNicholas  Joe joeware Richards

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, May 31, 2006 4:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] New DC can't find the machine account

Is this joe joe or joe someone else?  It occurred to me, I've 
NEVER seen joe joe's last name ...

-B

On Wed, 31 May 2006, McNicholas, Joe wrote:

 off the top of my head
 
 Is DFS running?
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Al 
 Lilianstrom
 Sent: 31 May 2006 14:38
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] New DC can't find the machine account
 
 Hi,
 
 I have a Windows 2000 based AD (empty root with 1 child domain) that 
 I'm in the process of upgrading to w2003r2 as a test for our 
 production domain (same configuration). The adprep went fine as well 
 as the dcpromo of the new DC. However when the new DC reboots I get 
 the following messages in the application log:
 
 EVENT TYPE   Error
 SOURCE   Userenv
 EVENT ID 1097
 Windows cannot find the machine account, The Local Security 
Authority 
 cannot be contacted .
 
 and
 
 EVENT TYPE   Error
 SOURCE   Userenv
 EVENT ID 1030
 Windows cannot query for the list of Group Policy objects. Check the 
 event log for possible messages previously logged by the 
policy engine 
 that describes the reason for this.
 
 Neither system has these messages when they were simple 
servers in the 
 domain. They were rebooted several times before becoming DCs to make 
 sure the event logs were clean.
 
 They seem to be functioning as DCs. File replication with the original 
 w2k dc took a long time to start up.
 
 I added a second w2k3 r2 DC and it is showing the exact same 
messages. 
 Both machines were created from the same sysprep image - the machine 
 that was built as the basis for the sysprep image was never in the 
 domain.
 
 I've been searching Microsoft and came up with one or two applicable 
 docs. One said to make sure that services like netlogon were set to 
 automatic (it is). Another had settings for enabling debug on the 
 netlogon service which I implemented. All that I see in there is 
 netlogon pausing.
 
 Any ideas?
 
  al
 --
 
 Al Lilianstrom
 CD/CSS/CSI
 [EMAIL PROTECTED]
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx
 



RE: [ActiveDir] AD lag sites and replication

2006-05-31 Thread Ulf B. Simon-Weidner

1) We are talking about blocking the replication to and from a lag-site, and the good thing about using a firewall is that we are able to block users and memberservers authenticating against the lag-site. You do not want anyone to authenticate against a lag-site DC. So urgent replication is not an issue.

2) Agree with Joe here - I'm quite sure that the rights to force replication are available for at least dom-admins, and I'm very sure that no matter how many you have (OK - more than yourself) they will forget not to trigger forced replication sometime.

3) Lag-Sites don't make any sense if they do replicate in between the scheduled times - so in this scenario you may worry about both.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

 Profile & Publications: http://mvp.support.microsoft.com/profile=""
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Tuesday, May 30, 2006 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Neil,

1) If you start setting firewall rules then I am pretty sure you will break things as you will block urgent replication. What happens if someone changes their password and then goes to the home site? What about group membership changes? Do you really want to wait two days before you update these?

2) I don't think that normal admins can trigger unscheduled replication changes. Certainly I am a Domain Admin and I can't trigger replication changes on our infrastructure, but it is Windows/2000

3) IMHO you would be better worrying about getting things to replicate when they are supposed to rather than things replicating when they shouldn't

Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 30 May 2006 11:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Hi Neil,

I'd still go for a firewall with scheduled rules. IMHO there's no such thing as locked down replication schedules - as soon as someone is hitting a switch to force replication across sites. And the firewall will help you to assure no client is hitting a lag site's DC.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

 Profile & Publications: http://mvp.support.microsoft.com/profile=""
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Thanks Ulf.

I was hoping to avoid NIC disabling and such like. I was looking for a solution which would enforce the replication schedule between sites, such that an admin could not 'override' it.

I'd rather handle the situation with procedures and policies than use scripts to disable NICs (or connection objects) at scheduled times :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 30 May 2006 09:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

You are able to disable the network interfaces, pretty easy with VMWare or Virtual Server since you are able to do it from the host via scripting, bit more painful if you have to do it from the DC itself since you don't have any remote access when the nic is disabled (you could use a scheduled task which runs netsh to activate / deactivate the interface).

Also putting a firewall with scheduled rules in between would work very well, especially since you can block everything but RDP at the no-sync times.

As long as you don't exceed the tombstone-lifetime I don't see any reasons why this should not be supported since we are just talking about lag-sites without any memberservers / clients / users who log onto those DCs.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

 Profile & Publications: http://mvp.support.microsoft.com/profile=""
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD lag sites and replication

I'm looking to implement one or more lag sites, with staggered replication schedules. (i.e. NYC lag replicates tues and thurs, 2-4 am; LON lag replicates mon, wed and fri 2-4 am).

We're concerned that admins can still force replication outside of these hours using repadmin or replmon etc. 

Is there a (supported) way to ensure that replication can ONLY occur within the hours described above? 

Thanks,

neil 




RE: [ActiveDir] Machine Psswd Age

2006-05-31 Thread Ulf B. Simon-Weidner
 Probably more than you ever wanted to know about machine account password
changes.

Not at all - my brain sucks that stuff in. To be complete: was it the same
with NT4, or was there such a thing as half-time renewal? What's the
required level of netlogon-debug-logging? Is 1 enough?

Don't you want to share this info on a blog? It's great, and we could give
you credit and avoid typing whenever there's a discussion of that topic.
Might be worth including the imaged-client and reset-password-on-a-computer-account
discussions.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Wednesday, May 31, 2006 5:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Just to add some additional detail.  The machine account password is
actually changed every 30 days plus a random offset of up to 24 hours so
~31 days as a maximum by default with Windows 2000 and later OSes.  This is
done by the netlogon service on the client and there is a scavenger thread
that wakes up and performs the reset once this threshold is met.
If it cannot reach a Domain Controller it will go back to sleep and wake
up every 15 minutes to try and reset the password.  You can see this
behavior by turning up netlogon debug logging and see the following
output:

Success:

05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password
changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password
updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days
(0x9a7ec800)

Failure:

05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlSessionSetup: Try Session setup
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous
Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlSessionSetup: Session setup:
cannot pick trusted DC
05/16 01:14:05 [MISC] Eventlog: 5719 (1) NORTHAMERICA 0xc05e
c05e   ^...
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes
(0xdbba0)

Random Offset:

05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days
(0x9d671aca) 

Since the value is in milliseconds when converting this you will see in the
random offset case the value is really ~30.56 days where the one in success
is exactly 30 days.  Probably more than you ever wanted to know about
machine account password changes.



Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Sunday, May 28, 2006 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Hmm - I can not find where I got this information from. The KB about
disablePasswordChange has not been updated pretty long (still stated only NT
in the early WS2k3 days). 

The following page even states that the NT4 Workstation changes the password
every 3 days, and retries after another 3 days:
http://www.microsoft.com/technet/archive/winntas/maintain/ntopt4.mspx?mfr=true

However I stand corrected - need to update my brain's cache from google more
often - too bad brains don't support TTL of websites.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 24, 2006 9:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

I agree with Bob. Seven days pre-W2K, 30 days for W2K and better.

I have never seen a machine change its password at the 50% age and I 
have looked at this quite a bit for various[1] reasons.


  joe




[1] OldCmp being one of them...

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, May 24, 2006 3:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

The default was 7 days for NT, increased to 30 in W2K and above. See 
http://support.microsoft.com/kb/154501/ or q175468 or any of the old 
domain sizing docs.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Wednesday, May 24, 2006 11:52 AM
To: ActiveDir@mail.activedir.org

RE: [ActiveDir] AD lag sites and replication

2006-05-30 Thread Ulf B. Simon-Weidner

You are able to disable the network interfaces, pretty easy with VMWare or Virtual Server since you are able to do it from the host via scripting, bit more painful if you have to do it from the DC itself since you don't have any remote access when the nic is disabled (you could use a scheduled task which runs netsh to activate / deactivate the interface).

Also putting a firewall with scheduled rules in between would work very well, especially since you can block everything but RDP at the no-sync times.

As long as you don't exceed the tombstone-lifetime I don't see any reasons why this should not be supported since we are just talking about lag-sites without any memberservers / clients / users who log onto those DCs.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

 Profile & Publications: http://mvp.support.microsoft.com/profile=""
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org


  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD lag sites and replication

I'm looking to implement one or more lag sites, with staggered replication schedules. (i.e. NYC lag replicates tues and thurs, 2-4 am; LON lag replicates mon, wed and fri 2-4 am).

We're concerned that admins can still force replication outside of these hours using repadmin or replmon etc. 

Is there a (supported) way to ensure that replication can ONLY occur within the hours described above? 

Thanks, neil 



RE: [ActiveDir] AD lag sites and replication

2006-05-30 Thread Ulf B. Simon-Weidner
Title: AD lag sites and replication



Hi 
Neil,

I'd still go for 
a firewall with scheduled rules. IMHO there's no such thing as "locked down 
replication schedules" - as soon as someone is hitting a switch to force 
replication across sites. And the firewall will help you to assure no client is 
hitting a lag sites DC.
Gruesse - 
Sincerely, 
Ulf B. 
Simon-Weidner 
 Profile 
 Publications:http://mvp.support.microsoft.com/profile=""> Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of 
  [EMAIL PROTECTED]Sent: Tuesday, May 30, 2006 10:33 
  AMTo: ActiveDir@mail.activedir.orgSubject: RE: 
  [ActiveDir] AD lag sites and replication
  
  Thanks Ulf.
  
  I 
  was hoping to avoid NIC disabling and such like. I was looking for a solution 
  which would enforce the replication schedule between sites, such that an admin 
  could not 'over ride' it.
  
  I'd 
  rather handle the situation with procedures and policies than use scripts to 
  disable NICs (or connection objects) at scheduled times :)
  
  neil
  
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. 
  Simon-WeidnerSent: 30 May 2006 09:01To: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD lag sites 
  and replication
  
  You are able to disable the network interfaces, pretty easy with VMWare or Virtual Server 
  since you are able to do it from the host via scripting, bit more painful if you have to do 
  it from the DC itself since you don't have any remote access when the nic is disabled (you 
  could use a scheduled task which runs netsh to activate / deactivate the interface).
  
  Also putting a firewall with scheduled rules in between would work very well, especially 
  since you can block everything but RDP at the no-sync times.
  
  As long as you don't exceed the tombstone-lifetime I don't see any reasons why this should 
  not be supported since we are just talking about lag-sites without any memberservers / 
  clients / users who log onto those DCs.
  Gruesse - Sincerely, 
  
  Ulf B. Simon-Weidner 
  
   Profile  Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
   Weblog: http://msmvps.org/UlfBSimonWeidner
   Website: http://www.windowsserverfaq.org
  
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD lag sites and replication

I'm looking to implement one or more lag sites, with staggered replication schedules. 
(i.e. NYC lag replicates tues and thurs, 2-4 am; LON lag replicates mon, wed and fri 2-4 am).

We're concerned that admins can still force replication outside of these hours using 
repadmin or replmon etc. 

Is there a (supported) way to ensure that replication can ONLY occur within the hours 
described above? 

Thanks, neil 
PLEASE READ: The information contained in this email is confidential and intended for the 
named recipient(s) only. If you are not an intended recipient of this email please notify 
the sender immediately and delete your copy from your system. You must not copy, distribute 
or take any further action in reliance on it. Email is not a secure method of communication 
and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept 
responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of 
any virus, worm or similar malicious or disabling code in, this message or any attachment(s) 
to it. If verification of this email is sought then please request a hard copy. Unless 
otherwise stated this email: (1) is not, and should not be treated or relied upon as, 
investment research; (2) contains views or opinions that are solely those of the author and 
do not necessarily represent those of NIplc; (3) is intended for informational purposes only 
and is not a recommendation, solicitation or offer to buy or sell securities or related 
financial instruments. NIplc does not provide investment services to private customers. 
Authorised and regulated by the Financial Services Authority. Registered in England 
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. 
A member of the Nomura group of companies. 
  

RE: [ActiveDir] AD lag sites and replication

2006-05-30 Thread Ulf B. Simon-Weidner
I have to agree to the second option - they may not even know that they do it. 
Over the time people tend to forget about lag sites, want to force replication 
once in a while, and what the ... Are those checkboxes in replmon for? Do I 
want the information to replicate across sites? Sure!
And right after hitting OK there's a head banging against the monitor-sound - 
Aahrg - Lag sites.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile  Publications:   
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D   
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, May 30, 2006 7:26 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] AD lag sites and replication

Imagine a glass ceiling with a girl in a skirt standing on it\man in a kilt standing 
on it and you're standing under the ceiling; someone tells you not to look up. Do you 
not look up or at some point look up? - even if you did not mean to - via a mirror or 
some other third party method. The fact that you can means at some stage you may do 
what you were not supposed to see even if you had no intention of doing so. Applying 
this analogy to Mr Ruston's scenario they may be trusted and do it or they may have no 
intention of doing so - but have the intellect of a Tibetan Yak and do it anyway. 
Another Guinness please..


-Original Message-
From: Molkentin, Steve [EMAIL PROTECTED]
Date: Wed, 31 May 2006 02:52:28
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Neil asked... 
  
 I'm looking to implement one or more lag sites, with staggered 
 replication schedules. (i.e. NYC lag replicates tues and thurs, 2-4 
 am; LON lag replicates mon, wed and fri 2-4 am).
  
 We're concerned that admins can still force replication outside of 
 these hours using repadmin or replmon etc.
  
 Is there a (supported) way to ensure that replication can ONLY occur 
 within the hours described above?

Tell them not to?

Seriously, if something is being put in place for a reason and 
it is explained to them, why would they want to go and work 
against it? Isn't the person implementing it someone in a 
position of authority to say this is how we'll solve this problem?

As always... there are seldom good technological solutions to 
behavioural problems.

Given this is all hypothetical, and yet to be a problem, but 
you get what I am regurgitating here.

My $0.02 inc GST.

themolk.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] [OT]Identity Access Mangement

2006-05-28 Thread Ulf B. Simon-Weidner
There's a basic workflow example available, IIRC either with SP1 or a
Reskit. It's webbased and easy to modify/adjust. A workflow engine is
supposed to ship with Gemini (the next full version of MIIS). This was
mentioned in the TechEds and IT-Forums of the last two years (at least), so
anyone who did attend should be able to find the sessions. Currently you are
able to use Biztalk as workflow engine, or the Office 2007 workflow engine
when available.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile  Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Thursday, May 25, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT]Identity Access Mangement

On Thu, 25 May 2006 11:53:43 +0200, Carlos Magalhaes wrote
 Not yet no but we both know thats in the pipe line for SP2. I still 
 would like to know why MIIS was not an option.C

Workflow is not included in SP2, some solution is planned in 
Gemini time frame 

--
Tomasz Onyszko
http://www.w2k.pl/ (PL blog)
http://blogs.dirteam.com/blogs/tomek (EN blog)



RE: [ActiveDir] OT help with VBS/WMI Script

2006-05-28 Thread Ulf B. Simon-Weidner
I'm usually preferring not to use CMD-Commands out of VBS if not necessary
(there are many areas where it's really handy, but a ping is not one of
them).

You can also use WMI to ping the machine - works fast and you don't have to
text-analyze the output of the ping-command. I've just dug out an example
for you at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_tasks__networking.asp
- look at the last example.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile  Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
Bernier, Brandon (.)
Sent: Thursday, May 25, 2006 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT help with VBS/WMI Script


If you're concerned about the server being up, incorporate this 
into your script. It will ping the box and execute your logic 
if it's up. This is just an example, it wouldn't actually work 
if you cut and paste it.


Set objShell = CreateObject("WScript.Shell")

For Each strServerName In colServerList
   ' two echo requests, one second timeout each
   Set objScriptExec = objShell.Exec("ping -n 2 -w 1000 " & strServerName)
   ' output is lower-cased, so the match below must be lower-case too
   strPingResults = LCase(objScriptExec.StdOut.ReadAll)
   If InStr(strPingResults, "reply from") Then
       ' Put your OS version WMI code here, call a function preferably.
   Else
       WScript.Echo "Error: " & Err.Description  ' (something like this)
   End If
Next

Set objShell = Nothing

-Brandon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Thursday, May 25, 2006 12:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT help with VBS/WMI Script

If I use this, everything gets Server1++ nothing ever gets anywhere.
:-) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Timo Ed
Sent: Wednesday, May 24, 2006 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT help with VBS/WMI Script

'=
On Error Resume Next   ' a failed GetObject must set Err instead of aborting the script
For Each strComputer In serverList
   Err.Clear              ' do not carry an error over from the previous machine
   Set colSettings = Nothing   ' do not carry the previous machine's values over either
   Set objWMIService = GetObject("winmgmts:" _
       & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

   If Err.Number <> 0 Then
       ' machine unreachable: print empty fields
       WScript.Echo strComputer & "++"
   Else
       Set colSettings = objWMIService.ExecQuery _
           ("Select * from Win32_OperatingSystem")
       For Each OS In colSettings
           WScript.Echo strComputer & "+" & OS.Caption & "+" & OS.Version
       Next
   End If
Next
'=

Rgds,
Tim


On 5/25/06, Hutchins, Mike [EMAIL PROTECTED] wrote:
 So I am trying to get some information from a gigantic list of
machines.
 Problem is that if the machine isn't up, the script retains the 
 previous values. Example

 server1+Microsoft(R) Windows(R) Server 2003, Enterprise
 server1+Edition+5.2.3790
 server2+Microsoft(R) Windows(R) Server 2003, Enterprise
 server2+Edition+5.2.3790

 In this example Server1 is Accurate (the + is a delimiter)
 Server2 is not online so the script retained the OS.Caption and 
 OS.Version part. I would rather it be blank like;

 server2++

 Here is the script part that this lies in. Any suggestions greatly 
 appreciated.

 For Each strComputer In serverList
    Set colSettings = Nothing
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colSettings = objWMIService.ExecQuery _
        ("Select * from Win32_OperatingSystem")
    For Each OS In colSettings
        WScript.Echo strComputer & "+" & OS.Caption & "+" & OS.Version
    Next
 Next




RE: [ActiveDir] OT help with VBS/WMI Script

2006-05-28 Thread Ulf B. Simon-Weidner
You can also use WMI to ping the machine - works fast and you 
don't have to text-analyze the output of the ping-command. 
I've just dug out an example for you at 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_tasks__networking.asp
- look at the last example.


Before getting corrected: first example of the last question / howto on that
page.

Ulf



RE: [ActiveDir] Machine Psswd Age

2006-05-28 Thread Ulf B. Simon-Weidner
Hmm - I can not find where I got this information from. The KB about
disablePasswordChange has not been updated for a pretty long time (it still stated
only NT in the early WS2k3 days). 

The following page even states that the NT4 Workstation changes the password
every 3 days, and retries after another 3 days:
http://www.microsoft.com/technet/archive/winntas/maintain/ntopt4.mspx?mfr=true

However I stand corrected - need to update my brain's cache from google more
often - too bad brains don't support TTL of websites.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile  Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 24, 2006 9:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

I agree with Bob. Seven days pre-W2K, 30 days for W2K and better.

I have never seen a machine change its password at the 50% age 
and I have looked at this quite a bit for various[1] reasons. 


  joe




[1] OldCmp being one of them...

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, May 24, 2006 3:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

The default was 7 days for NT, increased to 30 in W2K and 
above. See http://support.microsoft.com/kb/154501/ or q175468 
or any of the old domain sizing docs.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Wednesday, May 24, 2006 11:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

AFAIK the password change interval is set to 30 in XP (15 in 
NT, W2k), but the computer account starts to request renewal 
after 50% of the time is over. After 30 days it'll change it 
if being logged onto the domain for sure (unless otherwise 
configured or connected).

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile  Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, May 24, 2006 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Machine Psswd Age

Anyone know how often machine passwords are renew/reset in the domain?

-Z.V.




RE: [ActiveDir] Machine Psswd Age

2006-05-24 Thread Ulf B. Simon-Weidner
AFAIK the password change interval is set to 30 in XP (15 in NT, W2k), but
the computer account starts to request renewal after 50% of the time is
over. After 30 days it'll change it if being logged onto the domain for sure
(unless otherwise configured or connected).

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile  Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, May 24, 2006 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Machine Psswd Age

Anyone know how often machine passwords are renew/reset in the domain?

-Z.V.



RE: [ActiveDir] Delete only one object in the Tombstone.

2006-05-22 Thread Ulf B. Simon-Weidner



Hello Tiroa,

it is not possible to purge Tombstones, no matter if one or all. For all you'd be able to 
modify tombstone lifetime and the system time, however I strongly doubt this would be 
supported by MS (tombstone-lifetime is supported, modifying systemtime to enforce garbage 
collection of tombstones most likely not).
Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile  Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
  Sent: Monday, May 22, 2006 10:59 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Delete only one object in the Tombstone.
  
  Hello,
  
  I'd like to know if it is possible to delete *only one* object in the tombstone 
  instead of purging all the objects?
  
  Thanks,
  
  Yann


RE: [ActiveDir] Delete only one object in the Tombstone.

2006-05-22 Thread Ulf B. Simon-Weidner
You're welcome, and have a nice day too!
 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile  Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, May 22, 2006 10:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Delete only one object in the Tombstone.


Hello Ulf,
 
Thank you very much for your answer and have a nice day.
 
Best Regards,
 
Yann

  _  

From: [EMAIL PROTECTED] on behalf of Ulf B. Simon-Weidner
Date: Mon 22/05/2006 14:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delete only one object in the Tombstone.


Hello Tiroa,
 
it is not possible to purge Tombstones, no matter if one or all. For all
you'd be able to modify tombstone lifetime and the system time, however I
strongly doubt this would be supported by MS (tombstone-lifetime is
supported, modifying systemtime to enforce garbage collection of tombstones
most likely not).

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile  Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, May 22, 2006 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delete only one object in the Tombstone.


Hello,
 
I'd like to know if it is possible to delete *only one* object in the
tombstone instead of purging all the objects ?
 
Thanks,
 
Yann


RE: [ActiveDir] OldCmp question

2006-05-22 Thread Ulf B. Simon-Weidner
Big fat ditto - and even better in the support tools.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile  Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 23, 2006 5:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I wouldn't be adverse to seeing at least adfind and admod in 
the support or resource kit tools. :) 


--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Sunday, May 21, 2006 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I agree that ds-tools lack some possibilities, and I'd prefer 
MS putting your tools into their product, however in most 
scenarios I've been working in they are not allowed to put 
additional software in their domain unless it's proven, and 
the use of your tools is not important enough to justify this 
hassle. So I'm mainly limited to ds-tools or vbs.

Something like this should work:

Dsquery user -stalepwd 90 | dsget user -dn -disabled | find /i "no"

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile  Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, May 20, 2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

Hmm good point... Well except we were talking about oldcmp instead of 
adfind... Fun though that the switches are so close...

So what are the switches and the filter to use with dsquery to get an 
html listing of all enabled users whose password age is 90 days or 
older?


:)

 


--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Saturday, May 20, 2006 2:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I didn't catch it because I didn't bother enough to read the adfind 
syntax.
If you'd provided a standard LDAP-Filter with DSQuery ...

;-)

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  Profile  Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 19, 2006 9:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I just realized I told you how to INCLUDE disabled accounts - you want
NOT DISABLED accounts. So you want to NOT what I indicated, however you
have to add to it to avoid a false positive.

-af "(&(useraccountcontrol=*)(!(useraccountcontrol:AND:=2)))"


One thing to note with NOT filters... Well two actually...

1. NOT filters are inefficient. But then so are bitwise filters. ;o)
2. NOT filters can have false positives. An account could have the value
set that you are trying to avoid but if the account trying to access
the info doesn't have the access to see that value, it will still be
returned.
This is why the extra useraccountcontrol=* in the filter.

The list is sleeping, they should have been all over me on that dork 
up.
eg


Too late now Al, Dean and Deji Princess, don't worry I
will explain
it to you next time I see you. ;o)


  joe

--
I am 78% Evil Genius

I am pure evil. I lie awake at night devising schemes of world 
domination, and I will not rest until all living souls bend
to my will.

Take the Evil Genius Test at fuali.com



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 19, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

Disabled accounts are marked by having bit 1 list on
userAccountControl
(value 2)

To exclude them you want -af useraccountcontrol:AND:=2 and -bit


I just realized I have an -onlydisabled switch, I should add a 
-onlynotdisabled I guess...



--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, 
Russ
Sent: Friday, May 19, 2006 11:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp question

Anyone know a way to easily filter out disabled accounts from the 
oldcmp -users report?  Would one have to use some sort of bitwise 
filter from a translation

RE: [ActiveDir] OldCmp question

2006-05-21 Thread Ulf B. Simon-Weidner
I agree that ds-tools lack some possibilities, and I'd prefer MS putting
your tools into their product, however in most scenarios I've been working
in they are not allowed to put additional software in their domain unless
it's proven, and the use of your tools is not important enough to justify
this hassle. So I'm mainly limited to ds-tools or vbs.

Something like this should work:

Dsquery user -stalepwd 90 | dsget user -dn -disabled | find /i "no"

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile  Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, May 20, 2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

Hmm good point... Well except we were talking about oldcmp 
instead of adfind... Fun though that the switches are so close...

So what are the switches and the filter to use with dsquery to 
get an html listing of all enabled users whose password age is 
90 days or older?


:)

 


--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Saturday, May 20, 2006 2:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I didn't catch it because I didn't bother enough to read the 
adfind syntax.
If you'd provided a standard LDAP-Filter with DSQuery ...

;-)

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile  Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 19, 2006 9:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I just realized I told you how to INCLUDE disabled accounts - you want 
NOT DISABLED accounts. So you want to NOT what I indicated, however you 
have to add to it to avoid a false positive.

-af "(&(useraccountcontrol=*)(!(useraccountcontrol:AND:=2)))"


One thing to note with NOT filters... Well two actually...

1. NOT filters are inefficient. But then so are bitwise filters. ;o)
2. NOT filters can have false positives. An account could have the value 
set that you are trying to avoid but if the account trying to access 
the info doesn't have the access to see that value, it will still be 
returned.
This is why the extra useraccountcontrol=* in the filter.

The list is sleeping, they should have been all over me on that dork 
up.
eg


Too late now Al, Dean and Deji Princess, don't worry I 
will explain 
it to you next time I see you. ;o)


  joe

--
I am 78% Evil Genius

I am pure evil. I lie awake at night devising schemes of world 
domination, and I will not rest until all living souls bend 
to my will.

Take the Evil Genius Test at fuali.com



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 19, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

Disabled accounts are marked by having bit 1 list on 
userAccountControl 
(value 2)

To exclude them you want -af useraccountcontrol:AND:=2 and -bit


I just realized I have an -onlydisabled switch, I should add a 
-onlynotdisabled I guess...



--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, 
Russ
Sent: Friday, May 19, 2006 11:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp question

Anyone know a way to easily filter out disabled accounts from the 
oldcmp -users report?  Would one have to use some sort of bitwise 
filter from a translation of a useraccountcontrol
66048 value or something?


~~
This e-mail is confidential, may contain proprietary information of 
Cameron and its operating Divisions and may be confidential or 
privileged.

This e-mail should be read, copied, disseminated and/or used only by 
the addressee. If you have received this message in error 
please delete 
it, together with any attachments, from your system.
~~


RE: [ActiveDir] OldCmp question

2006-05-20 Thread Ulf B. Simon-Weidner
I didn't catch it because I didn't bother enough to read the adfind syntax.
If you'd provided a standard LDAP-Filter with DSQuery ...

;-)

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile  Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 19, 2006 9:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I just realized I told you how to INCLUDE disabled accounts - 
you want NOT DISABLED accounts. So you want to NOT what I 
indicated, however you have to add to it to avoid a false positive.

-af "(&(useraccountcontrol=*)(!(useraccountcontrol:AND:=2)))"


One thing to note with NOT filters... Well two actually...

1. NOT filters are inefficient. But then so are bitwise filters. ;o)
2. NOT filters can have false positives. An account could have the 
value set that you are trying to avoid but if the account trying to 
access the info doesn't have the access to see that value, it will 
still be returned.
This is why the extra useraccountcontrol=* in the filter.

The list is sleeping, they should have been all over me on 
that dork up.
eg


Too late now Al, Dean and Deji Princess, don't worry I 
will explain it to you next time I see you. ;o)


  joe

--
I am 78% Evil Genius

I am pure evil. I lie awake at night devising schemes of world 
domination, and I will not rest until all living souls bend to my will.

Take the Evil Genius Test at fuali.com 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 19, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

Disabled accounts are marked by having bit 1 list on 
userAccountControl (value 2)

To exclude them you want -af useraccountcontrol:AND:=2 and -bit


I just realized I have an -onlydisabled switch, I should add a 
-onlynotdisabled I guess...



--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of 
Rimmerman, Russ
Sent: Friday, May 19, 2006 11:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp question

Anyone know a way to easily filter out disabled accounts from 
the oldcmp -users report?  Would one have to use some sort of 
bitwise filter from a translation of a useraccountcontrol 
66048 value or something?



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/


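Added example, not part of the thread and not AdFind/OldCmp code: a toy evaluator for the two filters joe discusses above, run over a constructed set of user records. It models the LDAP rule that an attribute the caller is not allowed to read is treated as absent, which is exactly what turns the bare NOT filter into a false positive and what the extra (useraccountcontrol=*) term guards against. The record layout, the sample accounts and the function names are assumptions made for the example; the OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule that AdFind's :AND: alias stands for.

```python
"""Toy evaluator for the userAccountControl filters from the OldCmp thread.
Added example; constructed data, not real directory output."""

# Bit 1 of userAccountControl (value 2): ADS_UF_ACCOUNTDISABLE
ADS_UF_ACCOUNTDISABLE = 0x2

# Constructed sample directory. 'uac' is the stored attribute value;
# 'uac_readable' models whether the caller's ACL grants read access to it.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "uac": 0x200,   "uac_readable": True},   # enabled
    {"sAMAccountName": "bob",   "uac": 0x202,   "uac_readable": True},   # disabled
    {"sAMAccountName": "carol", "uac": 0x202,   "uac_readable": False},  # disabled, attribute hidden from caller
    {"sAMAccountName": "dave",  "uac": 0x10200, "uac_readable": True},   # enabled, password never expires
]


def visible_uac(user):
    """The value the server evaluates the filter against: None when the
    caller has no read access, i.e. the attribute is absent for this caller."""
    return user["uac"] if user["uac_readable"] else None


def match_present(user):
    """(userAccountControl=*)"""
    return visible_uac(user) is not None


def match_and_bit(user, bit):
    """(userAccountControl:1.2.840.113556.1.4.803:=bit), AdFind's :AND: form.
    An absent attribute never matches a bitwise test."""
    value = visible_uac(user)
    return value is not None and (value & bit) == bit


def not_disabled_naive(user):
    """(!(userAccountControl:AND:=2)) on its own: absent attribute => NOT matches."""
    return not match_and_bit(user, ADS_UF_ACCOUNTDISABLE)


def not_disabled_guarded(user):
    """(&(userAccountControl=*)(!(userAccountControl:AND:=2))): the presence
    term drops accounts whose flag the caller cannot see."""
    return match_present(user) and not match_and_bit(user, ADS_UF_ACCOUNTDISABLE)


def run_filter(users, predicate):
    """Return the sAMAccountNames the filter would return, in directory order."""
    return [u["sAMAccountName"] for u in users if predicate(u)]


if __name__ == "__main__":
    print("naive  :", run_filter(SAMPLE_USERS, not_disabled_naive))    # carol slips through
    print("guarded:", run_filter(SAMPLE_USERS, not_disabled_guarded))
```

With the sample data, the naive filter reports carol as "not disabled" even though her account is disabled, because the caller cannot read her userAccountControl; the guarded form excludes her instead. The same reasoning applies to any NOT over an attribute the querying identity may lack rights to read, so a report of "enabled" accounts produced by a low-privilege account should be treated as a lower bound, not a complete list.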

RE: [ActiveDir] DSACLS bug maybe?

2006-05-19 Thread Ulf B. Simon-Weidner



Yes - I've found this bug in 2k4 and have reported it to Microsoft. Recently I have been
approached (after complaining to someone in the DS-Group at MS) if this bug is
still there, and I've confirmed that it's still there with R2 and was told it
will be looked into.

Basically ADUC creates three wrong ACEs, where the ace.flags states that
ace.inheritedObjectType is present. Since it's not present nor needed it's
reported back to the interfaces with a zero-filled GUID. This field is supposed
to map to a schemaIdGUID of an attribute, and there's no attribute like that.
Some components do the error handling well and display the remaining SD, some
(as dsacls) don't. Actually the RTM version of DSAcls was even giving out a very
serious AD error in an error box. After reporting the bug in 2k4 only dsacls was
partly fixed, not the issue itself.

I've published more details and a script to fix the ACLs on my website, and also
mentioned it during one of my sessions at DEC:
http://windowsserverfaq.de/faq/CompACLs.asp
Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
  Sent: Friday, May 19, 2006 2:48 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] DSACLS bug maybe?
  
  Has anyone seen this issue before? 
  If you create a computer account in ADUC, then type "DSACLS DnOfComputerObject"
  it will spit out the ACLs on it. However, if you create another computer
  account and delegate out who can join it DSACLS can't spit out the ACLs.

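Added example, not part of the thread and not Ulf's fix-up script or any Microsoft tool: a parser for object ACEs (ACCESS_ALLOWED_OBJECT_ACE / ACCESS_DENIED_OBJECT_ACE, as laid out in the Windows security-descriptor binary format) that flags the inconsistency Ulf describes, the ACE_INHERITED_OBJECT_TYPE_PRESENT flag set while the InheritedObjectType field is the all-zero GUID, and shows the minimal normalisation of dropping the flag and the empty GUID. The sample ACEs, the SID and the object-type GUID are constructed here and are not real schema identifiers; the function names are my own.

```python
"""Detect and normalise object ACEs whose flags claim an inherited-object-type
GUID that is actually all zeros. Added example on constructed bytes."""
import struct
import uuid

ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06
ACE_OBJECT_TYPE_PRESENT = 0x1            # ObjectType GUID follows the Flags field
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2  # InheritedObjectType GUID follows as well
NULL_GUID = uuid.UUID(int=0)


def build_sid(revision, authority, subauths):
    """Encode a SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    return (struct.pack("<BB", revision, len(subauths))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subauths))


def build_object_ace(ace_type, ace_flags, mask, flags, object_type, inherited_type, sid):
    """Serialise an object ACE: header (type, flags, size), Mask, Flags,
    optional GUIDs (little-endian field order) and the trustee SID."""
    body = struct.pack("<II", mask, flags)
    if flags & ACE_OBJECT_TYPE_PRESENT:
        body += object_type.bytes_le
    if flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
        body += inherited_type.bytes_le
    body += sid
    return struct.pack("<BBH", ace_type, ace_flags, 4 + len(body)) + body


def parse_object_ace(data):
    """Parse one object ACE from bytes into a dict; GUID fields are None when
    the corresponding flag is clear."""
    ace_type, ace_flags, size = struct.unpack_from("<BBH", data, 0)
    mask, flags = struct.unpack_from("<II", data, 4)
    off = 12
    object_type = inherited_type = None
    if flags & ACE_OBJECT_TYPE_PRESENT:
        object_type = uuid.UUID(bytes_le=data[off:off + 16])
        off += 16
    if flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
        inherited_type = uuid.UUID(bytes_le=data[off:off + 16])
        off += 16
    return {"type": ace_type, "ace_flags": ace_flags, "size": size, "mask": mask,
            "flags": flags, "object_type": object_type,
            "inherited_object_type": inherited_type, "sid": data[off:size]}


def ace_defects(ace):
    """Report flag/GUID mismatches of the kind ADUC produced per the thread."""
    defects = []
    if ace["flags"] & ACE_INHERITED_OBJECT_TYPE_PRESENT and ace["inherited_object_type"] == NULL_GUID:
        defects.append("InheritedObjectType flagged present but is the null GUID")
    if ace["flags"] & ACE_OBJECT_TYPE_PRESENT and ace["object_type"] == NULL_GUID:
        defects.append("ObjectType flagged present but is the null GUID")
    return defects


def repair_object_ace(data):
    """Clear each 'present' flag whose GUID is null and re-serialise, so the
    ACE no longer claims a GUID that maps to no schema object. AceSize is
    recomputed by build_object_ace."""
    ace = parse_object_ace(data)
    flags, obj, inh = ace["flags"], ace["object_type"], ace["inherited_object_type"]
    if flags & ACE_INHERITED_OBJECT_TYPE_PRESENT and inh == NULL_GUID:
        flags &= ~ACE_INHERITED_OBJECT_TYPE_PRESENT
        inh = None
    if flags & ACE_OBJECT_TYPE_PRESENT and obj == NULL_GUID:
        flags &= ~ACE_OBJECT_TYPE_PRESENT
        obj = None
    return build_object_ace(ace["type"], ace["ace_flags"], ace["mask"], flags, obj, inh, ace["sid"])


# Constructed sample data (placeholder SID and GUID, not real directory values).
SAMPLE_SID = build_sid(1, 5, [21, 1, 2, 3, 1104])                        # S-1-5-21-1-2-3-1104
SAMPLE_OBJECT_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder, not a schemaIDGUID
GOOD_ACE = build_object_ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, 0, 0x20,
                            ACE_OBJECT_TYPE_PRESENT, SAMPLE_OBJECT_GUID, None, SAMPLE_SID)
BAD_ACE = build_object_ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, 0, 0x20,
                           ACE_OBJECT_TYPE_PRESENT | ACE_INHERITED_OBJECT_TYPE_PRESENT,
                           SAMPLE_OBJECT_GUID, NULL_GUID, SAMPLE_SID)

if __name__ == "__main__":
    print("good:", ace_defects(parse_object_ace(GOOD_ACE)))
    print("bad :", ace_defects(parse_object_ace(BAD_ACE)))
    print("repaired == good:", repair_object_ace(BAD_ACE) == GOOD_ACE)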

RE: [ActiveDir][OT] DNS on a DC or NOT

2006-05-17 Thread Ulf B. Simon-Weidner
Hi Mark,

You are right - Exchange is great - what I love especially is its
capabilities of administrative delegation.

See you in Boston?

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile  Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811
D   
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Arnold
Sent: Wednesday, May 17, 2006 11:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] DNS on a DC or NOT

Laura, a Mucker is, in English, a good friend.
You are probably not to be termed a Mucker, other words might 
apply, but Jimmy is one of mine and Dean/Joe is one of yours.

Oh, and Joe is old and smells of wee, so pay no heed to his 
Exchange rants.
Exchange is indeed special because it's such a wonderful 
solution. OK, I should shut up now and go back to my padded cell.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura 
E. Hunter
Sent: 17 May 2006 21:39
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir][OT] DNS on a DC or NOT

 BTW, anyone know what a mucker is? I am trying to figure out if I am 
 supposed to be morally outraged. eg

  joe


I use mucker as a compliment, but in my vernacular it's used 
in reference to a semi-skilled hockey player whose lack of 
scoring ability is balanced by his ability to check an 
opposing player into sometime next week.

So I guess what I'm saying is...draw your own conclusions.  :-)


RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

2006-05-16 Thread Ulf B. Simon-Weidner



I can't see them as well, OL2k3 into POP, provider is using ESMTP (Nemesis) and
POP appears to be mimap12 (at least that's what telnetting against the pop tells
me).
Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Tuesday, May 16, 2006 2:33 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?
  
  Interesting, for the O2K3 via POP3 what is the backend? I 
  am doing O2K3 via POP3 backended into Exchange 2003 and getting the blanks. 
  
  
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
  Sent: Monday, May 15, 2006 8:28 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?
  
  I'm getting the list at home and at 
  work. Outlook 2K3 via POP3 is coming in fine. Outlook 2K3 via 
  Exchange and MAPI is coming in blank. Both the non-SP standard builds of 
  Outlook. Exchange is still @ E2K...
  
  Diane
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Monday, May 15, 2006 4:36 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?
  
  I just verified and OWA is also throwing garbage 
  characters on the end of the message and when looking at the raw stream it is 
  the list banner.
  
  How is O2K7 displaying it?
  
  Anyone understand what the full spec for a message is 
  and how to (or if you can) mix MIME with plain text? I expect either the plain 
  text banner isn't allowed or the list software isn't modifying the header 
  properly for it to tell the clients to expect it.
  
   joe
  
  
  
  Here is Al's message straight from POP without 
  interpretation:
  
  
  retr 39
  +OK
  Received: from mail.activedir.org ([12.168.66.190]) by mbx01.joeware.local with Microsoft SMTPSVC(6.0.3790.211);
   Mon, 15 May 2006 16:44:34 -0400
  Received: from wr-out-0506.google.com [64.233.184.234] by mail.activedir.org with ESMTP (SMTPD32-8.15) id A6B67EC012E; Mon, 15 May 2006 16:38:14 -0400
  Received: by wr-out-0506.google.com with SMTP id i30so871233wra for ActiveDir@mail.activedir.org; Mon, 15 May 2006 13:38:12 -0700 (PDT)
  DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
   h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
   b=otNmqTOJtu6h3lzy946aXK9yGTM5JFr0xZLRCRvkC4134GXBlEVFGTm01oR6Q0alNwcgsKlCdGaf7Oc0P7XzMRmR5td5nR1iLsJQ+rx/bxz1c1RTzynDUZSfLeogbMBIzdfTwsmUbAV2+gfnxk19fHg0GT0mFn8dk97+KotFwWM=
  Received: by 10.64.10.15 with SMTP id 15mr2454953qbj; Mon, 15 May 2006 13:38:12 -0700 (PDT)
  Received: by 10.65.253.12 with HTTP; Mon, 15 May 2006 13:38:12 -0700 (PDT)
  Message-ID: [EMAIL PROTECTED]
  Date: Mon, 15 May 2006 16:38:12 -0400
  From: "Al Mulnick" [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?
  In-Reply-To: [EMAIL PROTECTED]
  MIME-Version: 1.0
  Content-Type: text/plain; charset=UTF-8; format=flowed
  Content-Transfer-Encoding: base64
  Content-Disposition: inline
  References: [EMAIL PROTECTED]
  Precedence: bulk
  Sender: [EMAIL PROTECTED]
  Reply-To: ActiveDir@mail.activedir.org
  Return-Path: [EMAIL PROTECTED]
  X-OriginalArrivalTime: 15 May 2006 20:44:34.0134 (UTC) FILETIME=[5F845760:01C67860]
  
  
  
  
  
  
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  From: joe [mailto:[EMAIL PROTECTED] 
  Sent: Monday, May 15, 2006 7:28 PM
  To: 'ActiveDir@mail.activedir.org'
  Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?
  
  Al is sending from GMAIL.
  
  It appears that GMAIL is mime encoding the messages, and 
  then the list attaches the plain text banner on i

RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

2006-05-16 Thread Ulf B. Simon-Weidner



If all of those were intended I did get everything correct as well. Mainly one
thread IIRC.
Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian A. Cline
  Sent: Tuesday, May 16, 2006 2:13 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?
  
  I'm on O2K3 SP1 via E2K3 SP2, and the only blanks I've ever seen on this list
  were the long string of intentionally blank emails. ;-) I did, however, see
  strange characters at the end of Al's last message, and what's interesting is
  they were different characters than the ones Susan forwarded.
  
  Brian
  
  
  

RE: [ActiveDir] User Accounts

2006-05-15 Thread Ulf B. Simon-Weidner
Nice - poking with the finger works - give it to me babe ;-)

I wasn't aware that ADSI is 100% LDAP, I thought it's just 9x% + some
special stuff (AFAIK setting pwds directly with LDAP doesn't work), so I
thought there's some stuff which supports it server side.

Seems like you guys have a pretty good definition of the layers, would be
great if you get the time to create a diagram or just dump thoughts to us
and we'll handle visio. Having a diagram of the layers (even if not 100%
correct) would make some things easier to explain. E.g. the replication -
it's pretty hard for many to understand that it's not handled in the DB -
they just think AD and don't get that the DB is different on each server.

Resetting DNTs: OK - if DNT is an auto-incrementing primary key (compared
with SQL) there's a third option: reading the backup db and writing it into
the real one, while keeping a dnt-translation table during the process. However,
this would slow down dcpromo /IFM (OK - not correct - you know what I mean) and
really doesn't make any sense since it would be way easier to have larger
values. And there would be other options in the future, but mentioning those
would make me look like an alcoholic (and it's actually way too early here
to handle thinking like that).

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, May 15, 2006 7:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

Hmmm, you've actually combined too many layers in my opinion 
... ADSI is client side, and based entirely on LDAP, and there 
is an LDAP marshalling component both on the client and LDAP 
server.  Having an arch diagram where you don't clearly 
differentiate where the network interface is, seems 
confusing.  The replication logic is actually split fairly 
evenly between the Directory and DBLAYER.  USNs are in the 
dblayer for instance, while things like instanceType are 
handled in the Directory layer.

With the current ESE level schema defined for the ntds.dit by 
AD you could not reuse DNTs, even after IFM.  This is because 
AD creates the DNT column with the JET_bitColumnAutoincrement, 
so the auto-increment-ness is done in the ESE layer.  I don't 
believe (though not 93% sure on this) that ESE provides a way 
to explicitly set an auto-increment column, so you're stuck 
losing those DNT values.  You would either have to add the 
ability to reuse orphaned auto-inc's in ESE, or make AD define 
the column as a regular integer, and manage the auto-inc'ness 
and reuse itself.  Neither of those options is probably as 
good as making AD just have 64-bit DNTs.

I'll try to write up a more explicit arch diagram, that is a 
little more accurate if it doesn't take me too long ...

Cheers,
BrettSh [msft]



RE: [ActiveDir] Group Name (Pre-Win2k) - Is it important

2006-05-15 Thread Ulf B. Simon-Weidner



Usually not, but you may have some scripts (logon-script: ifmember) or 3rd
party code which relies on the name. You should also make sure that you
translate them in the GPOs, otherwise you might get weird issues.

Access is usually based on SIDs - during logon the token of the user is
created which lists all of his SIDs and the groups he belongs to (generally -
there are exceptions such as local groups). When accessing a resource the
ntsecuritydescriptor of the resource is compared against the user's token, and
based on the SIDs listed in both access is granted or denied.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teo De Las Heras
  Sent: Monday, May 15, 2006 2:42 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Group Name (Pre-Win2k) - Is it important
  
  We're making changes to group names in Active Directory. Is it 
  important to keep the Pre-Win2k names the same?
  
  Teo


RE: [ActiveDir] Group Name (Pre-Win2k) - Is it important

2006-05-15 Thread Ulf B. Simon-Weidner



GREP? What's GREP! ;-)

Great idea - forgot about that one.

GPOs are really a big point here - I've seen an enterprise going down because
of that.

GPMC with backup / import (instead of backup / restore) might help here as
well.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Monday, May 15, 2006 3:56 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Group Name (Pre-Win2k) - Is it important
  
  Windows itself will mostly not have an issue if you don't. Some things that
  might are custom scripts, batch files, tools, applications, etc that you have
  written to use those names. The one place I can think of off the top of my
  head that might have an issue in Windows is if you have set up restricted
  groups and didn't browse for the group name and instead, simply typed it in,
  the restricted group may be specified by legacy name instead of SID in the
  policy files. You can easily find this by GREPping your sysvol with an ID that
  has suitable permissions to see all policies files for the string that
  represents the group name. If you know you have used the group that way you
  may also want positive affirmation that it isn't there by name by also
  GREPping by the SID.
  
   joe
  
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teo De Las Heras
  Sent: Monday, May 15, 2006 8:42 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Group Name (Pre-Win2k) - Is it important
  
  We're making changes to group names in Active Directory. Is it 
  important to keep the Pre-Win2k names the same?
  
  Teo

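Added example for the two replies above (Ulf's point that group names must be translated in the GPOs, and joe's suggestion to grep SYSVOL for name-based Restricted Groups entries); it is not part of the thread and not a Microsoft or joeware tool. Instead of a plain grep it parses the [Group Membership] section of a Restricted Groups security template (the GptTmpl.inf format, where a SID is written as *S-1-... and anything else is a name) and lists every group or member that is referenced by name, optionally restricted to the names you are about to rename. The template text, the domain name CONTOSO, the SIDs and the function names are constructed for the example.

```python
"""Find name-based (non-SID) references in a Restricted Groups template.
Added example on a constructed GptTmpl.inf fragment; run it over the real
file(s) under SYSVOL by reading them and passing the text in."""
import re

# A SID in a security template is written as '*S-1-<authority>-<subauth>...'
SID_RE = re.compile(r"^\*S-1-\d+(-\d+)+$")

# Constructed sample template content (not from a real GPO).
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1-2-3-512,CONTOSO\\Workstation Admins
Help Desk__Memberof = *S-1-5-32-555
Help Desk__Members = *S-1-5-21-1-2-3-1105,CONTOSO\\jdoe
"""


def is_sid(token):
    """True when the template token is a SID reference rather than a name."""
    return bool(SID_RE.match(token))


def parse_group_membership(text):
    """Return [(group, relation, [members])] for every '<group>__Memberof'
    or '<group>__Members' key in the [Group Membership] section."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                   # blank or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]                       # new INI section
            continue
        if section != "Group Membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if "__" not in key:
            continue                                   # not a membership key
        group, relation = key.rsplit("__", 1)
        members = [m.strip() for m in value.split(",") if m.strip()]
        entries.append((group, relation, members))
    return entries


def name_references(text, names=None):
    """List (where, token) for each group or member given by name instead of
    SID. 'where' is 'group' for the key side, else the relation (Members /
    Memberof). If 'names' is given, only tokens matching one of those names
    (case-insensitive, with or without a DOMAIN\\ prefix) are reported."""
    wanted = {n.lower() for n in names} if names else None
    hits = []
    for group, relation, members in parse_group_membership(text):
        for where, token in [("group", group)] + [(relation, m) for m in members]:
            if is_sid(token):
                continue
            bare = token.split("\\", 1)[-1].lower()
            if wanted is None or bare in wanted or token.lower() in wanted:
                hits.append((where, token))
    return hits


if __name__ == "__main__":
    for where, token in name_references(SAMPLE_GPTTMPL):
        print(f"name-based reference ({where}): {token}")
    print("about to rename 'Help Desk':", name_references(SAMPLE_GPTTMPL, ["Help Desk"]))
```

In a real run you would collect every GptTmpl.inf under the SYSVOL policies tree (joe's note about using an identity that can read all of them applies) and feed each file's text to name_references with the list of groups being renamed; any hit is an entry that will stop resolving once the pre-Windows 2000 name changes, and should be re-entered by browsing for the group so it is stored as a SID.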

RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-15 Thread Ulf B. Simon-Weidner



What about the origin - are they created using OL2k7? If so must be a new bug - I
was using a bit older version for quite a while (and everything was readable), but
it almost corrupted my mailstore - so I switched temporarily back.
Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
  Sent: Tuesday, May 16, 2006 12:10 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Is there a way to force users to logon to domain?
  
  I have a rule that auto-deletes Al's emails as a matter of course.
  
  I can confirm what others have said - that the emails are visible in Outlook 2007.
  Still checking to see if there is a way to resolve this on the list server
  side, but haven't found anything yet.
  
  Tony
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Tuesday, 16 May 2006 9:42 a.m.
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Is there a way to force users to logon to domain?
  
  Crap, more blank 
  emails from Al. Al, use hotmail or something. ;)
  
  
  --
  O'Reilly Active 
  Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: Monday, May 15, 2006 4:38 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

  


RE: [ActiveDir] Is it important to keep correct timezone settings on DC?

2006-05-14 Thread Ulf B. Simon-Weidner



Hi Freddy,

it doesn't make any sense to retrieve the timezone settings from the DC, since
the clients may be on other timezones than the DC they are authenticating
against. And speaking about traveling users, they may want to adjust the
timezone to their current location, which would keep international invitations
and appointments happy.

The time & timezone need to be set correctly, so that all machines in the domain
are about the same time with respect to the timezone.

Speaking about GPOs - for international or cross-timezone organisations you may
want to set those based on the site (considering the best practices when it
comes to GPOs linked to sites), however to enable traveling users to adjust
their timezone I'd recommend setting the time correctly automatically and
preventing the users from changing the time, but allowing them to adjust the
timezone.
Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
  Sent: Thursday, May 11, 2006 10:42 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Is it important to keep correct timezone settings on DC?
  
  Hi all, 
  Does the client take timezone and daylight savings changes from the DC? 
  I was under the impression that timezones and daylight savings changes are
  local to the pc and the dc ntp server runs on a Zulu timezone?
  Just curious as I had an issue with a remote site today due to daylight
  savings tickbox. 
  Thank you and have a splendid day!
  
  Kind Regards,
  Freddy Hartono
  Group Support Engineer
  International SOS Pte Ltd
  mail: [EMAIL PROTECTED] 
  phone: (+65) 6330-9785  


RE: [ActiveDir] User Accounts

2006-05-14 Thread Ulf B. Simon-Weidner
Agreed - very good thread. Let's extend the model a bit:

-----------------------
| ...                 |
| LDAP/NETLOGON/ADSI  |<- Services using the Dir/providing interfaces
| ...                 |
-----------------------
|                     |   The Directory provider itself
|  Directory          |<- Replication works in here, so everything below
|                     |   is local to the DC
|                     |   Version numbers, USN, .. are managed here
-----------------------
|                     |
|   DBLAYER           |<- Glue part between Directory and DB
|                     |   (P)DNTs, Links, SIS-SDs, .. are managed here
-----------------------
|                     |
| DB                  |<- Just the ESE with its features, such as defrag
|                     |
-----------------------

I also believe that the not reused DNTs on IFM is by design, IMHO there
would be a possibility to reset DNTs programmatically after IFM, however
this would need additional code and time after reading the DB and rebooting
the DC for the first time.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 28, 2006 10:36 PM
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] User Accounts

This is a good thread, I should have kept up with it. :) 

I think some of the problem is resulting from language 
interpretation. When I visualize AD in regards to the topics 
in this thread I think of it sort of like

---
| |
|  AD   |
| |
---
| |
| DBLAYER |
| |
---
| |
|   DB|
| |
---


Depending on who you are you may look at all three boxes as 
AD and truly for most everyone that is the case. However when 
speaking at the internal component level these are three main 
areas, it could be broken up into even more like for instance 
SAM, Kerb, Replication, LDAP, etc.

But I think where some confusion may have come in when saying 
AD dblayer. To many that would read as the DB. But I am 
reading it as the layer that interfaces or more properly 
abstracts the lower DB portions from the high level AD 
stuff. That way you could jack up AD and slide another DB 
under it say something good like Oracle or MySQL or notepad or 
something eg and make most adjustments at the dblayer, sort 
of like a HAL. So we could call the dblayer something more 
like DBAL. I expect the abstraction isn't that fully fleshed 
out and there are still dependencies based on the underlying DB 
tech but I expect that could be worked through rather 
speedily, those AD Dev guys are a generally smart bunch.

Microsoft could look into a reuse system for older DNTs but it 
would be more logical, IMO, to just expand the bit size of the 
variable. Since again, these DNTs are local it wouldn't be an 
issue except in the case of IFM promos, you would now be in a 
situation where you could IFM from a machine with a 32 bit DNT 
to one with 32 bit DNTs or 64 Bit DNTs but if you have a 
backup from a 64 bit machine you could only IFM with another 
64 bit machine (even that could be made to work if you could 
guarantee that the high half of the variable wasn't being used 
but you would be silly to even start going in that direction). 

Anyway... Chase down the guy who stole the bit and get it back 
and we double the DNTs, fire someone and get another bit and 
double again (and you thought bits were just small little 
things...). Get it over with and go to 64 bits or really have 
fun and use 128. Of course this has implications on 
performance on 32 bit machines but those should be dropping 
off now that we are saying people need to load 64 bit OSes 
anyway - who is going to want to run 32 bit DCs with 64 bit 
Exchange pounding on them[1]? MS did it for Exchange, why not 
force the issue with AD as well in LH? Exchange 12 is due out 
before LH isn't it? Everyone should be used to being slapped 
and told they have to say they like it by then. :)

  joe



[1] Being facetious here, though I don't really expect MS Exch 
Dev to change how they recommend DC hardware for Exchange.

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 19, 2006 10:46 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] User Accounts

Inline ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. 
 Simon-Weidner
 Sent: Wednesday, April 19, 2006 2:40 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] User

RE: [ActiveDir] R2 Upgrade or install?

2006-05-14 Thread Ulf B. Simon-Weidner
Just depends on when you Dcpromo it.

On the first DC in the Forest:
WS2k3 then SP1 then DCPromo: 180 days
WS2k3 then dcpromo then SP1: 60 days
WS2k3 w/ slipstreamed SP1, then DCPromo: 180 days

However as I understand SBS-Land you are unable to do SBS then SP1 then
dcpromo w/o slipstreaming.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, May 01, 2006 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] R2 Upgrade or install?

Tombstone of 180 days for one.  Slip sp1 has some slightly 
different values than 2k3 + sp1.

Bahta, Nathaniel V CTR USAF NASIC/SCNA wrote:
 Is there any reason for your preference to use R2 disk 1 for a fresh 
 install, rather than installing from a 2003 CD and then loading the 
 Service pack?  If I understand correctly the R2 disk 1 is just 2003 
 with SP1 slipstreamed into it, am I correct?

 Thanks,
 Nate Bahta

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
Brian Desmond
 Sent: Friday, April 28, 2006 7:01 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] R2 Upgrade or install?

 I do option 2 for existing installs that need it and option 3 for 
 anything that needs a rebuild excuse or is fresh.

 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]
  
 c - 312.731.3132
  
  

   
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir- 
 [EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF 
 NASIC/SCNA
 Sent: Friday, April 28, 2006 1:18 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] R2 Upgrade or install?

 Hey all,

 I am having a debate and wondering if the following is true:

 1)You must upgrade your 2003 servers to SP1 before going to R2.

 2)You can upgrade an existing 2003 server to SP1 and then load the 
 components from R2 onto it from R2 disk 2.

 Or

 3)Must you load the R2 disk 1 2003 Operating System disk with SP1 
 embedded and then load R2 disk 2 onto it.

 Just trying to figure out if we need to upgrade to SP1 and then we 
 can load the components of R2 onto our existing 2003 servers, or if 
 we need to load the R2 disk 1 operating system, which contains SP1 already, 
 and then R2 disk 2.

 Does anyone have any ideas?

 Thanks,
 Nate Bahta
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-
 archive.com/activedir%40mail.activedir.org/
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
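Added example, not from the thread: a PowerShell check (ActiveDirectory module from RSAT assumed) that reports which of the two tombstone lifetimes above a forest is actually running with. The value is forest-wide, not per DC, and when the attribute was never written the built-in default of 60 days applies. The date it prints is the oldest system-state backup that can still be used for a restore.

```powershell
# Added example (not from the thread): report the forest's effective tombstone
# lifetime, which decides the 60-day vs 180-day figures discussed in the thread.
# Assumes the ActiveDirectory PowerShell module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-EffectiveTombstoneLifetime {
    [CmdletBinding()]
    param()

    $rootDse = Get-ADRootDSE
    # The forest-wide value lives on the Directory Service object in the configuration NC.
    $dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject -Identity $dsObject -Properties tombstoneLifetime

    if ($null -eq $ds.tombstoneLifetime) {
        # Attribute not set: the first DC was promoted without SP1, so the
        # built-in default of 60 days applies.
        $days   = 60
        $source = 'built-in default (tombstoneLifetime not set)'
    }
    else {
        $days   = [int]$ds.tombstoneLifetime
        $source = 'tombstoneLifetime attribute'
    }

    [pscustomobject]@{
        Forest                 = $rootDse.rootDomainNamingContext
        TombstoneLifetimeDays  = $days
        Source                 = $source
        # A system-state backup older than this cannot be used to restore AD,
        # and deleted objects older than this can no longer be reanimated.
        OldestUsableBackupDate = (Get-Date).AddDays(-$days)
    }
}

Get-EffectiveTombstoneLifetime
```

Run it once per forest; if it reports the 60-day default on a forest that has since been upgraded, the attribute can be raised explicitly, which is a separate change and not shown here.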


RE: [ActiveDir] R2 Upgrade or install?

2006-05-01 Thread Ulf B. Simon-Weidner
Also the uninstall-files and all the previous garbage which isn't needed
won't install when using a slipstreamed media.

Ulf
 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Monday, May 01, 2006 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Upgrade or install?

There's quite a few behaviours that are different when SP1 is 
slipstreamed and isn't, found out a few things on IIS behaviour 
with Integrated Authentication for example.

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true

Does anyone have a complete list of differences? Been wanting 
to have it for quite some time..


Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of 
Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Monday, May 01, 2006 5:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Upgrade or install?

Is there any reason for your preference to use R2 disk 1 for a 
fresh install, rather than installing from a 2003 CD and then 
loading the Service pack?  If I understand correctly the R2 
disk 1 is just 2003 with SP1 slipstreamed into it, am I correct?

Thanks,
Nate Bahta 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, April 28, 2006 7:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Upgrade or install?

I do option 2 for existing installs that need it and option 3 
for anything that needs a rebuild excuse or is fresh. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir- 
 [EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF 
 NASIC/SCNA
 Sent: Friday, April 28, 2006 1:18 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] R2 Upgrade or install?
 
 Hey all,
 
 I am having a debate and wondering if the following is true:
 
 1)You must upgrade your 2003 servers to SP1 before going to R2.
 
 2)You can upgrade an existing 2003 server to SP1 and then load the 
 components from R2 onto it from R2 disk 2.
 
 Or
 
 3)Must you load the R2 disk 1 2003 Operating System disk with SP1 
 embedded and then load R2 disk 2 onto it.
 
 Just trying to figure out if we need to upgrade to SP1 and then we can 
 load the components of R2 onto our existing 2003 servers, or if we need 
 to load the R2 disk 1 operating system, which contains SP1 already, and 
 then R2 disk 2.
 
 Does anyone have any ideas?
 
 Thanks,
 Nate Bahta


RE: [ActiveDir] logging users out

2006-04-24 Thread Ulf B. Simon-Weidner



Did you try shutdown.exe? The parameters /l /f /t 3600 allow you to time it for an 
hour after executing it, and to force a logoff. No need to script around using 
additional timers or scripts.

Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
  Sent: Monday, April 24, 2006 6:07 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] logging users out
  
  Thank you all for the helpful hints,
  Yes exactly, I want it to log off users whether they object or not, please 
  can you post it or send it to me?
  Thanks
  
  On 4/23/06, joe [EMAIL PROTECTED] wrote: 

Do you want this to be something that logs the user off whether or not they object? 
If so, I have a qlogoff tool that will log someone off immediately and they 
will lose whatever they are working on. I thought I posted it to the website 
but I don't see it. But I can post it. 

Firing it after one hour will be a little involved. You will have to have some sort 
of timer app running in the background.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Saturday, April 22, 2006 3:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] logging users out

Hi list,
how can I set Active Directory to log out users after a specific period 
of time, say an internet cafe wants to log the users out after one hour? I 
don't want to use account expires, I want the account to be still active but 
to log the users out and they can re-login after that no problem. 



RE: [ActiveDir] logging users out

2006-04-22 Thread Ulf B. Simon-Weidner



Guess you'll have to do that by yourself, e.g. logon-script shutdown -l -t 3600

Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
  Sent: Saturday, April 22, 2006 9:38 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] logging users out
  
  Hi list,
  how can I set Active Directory to log out users after a specific period 
  of time, say an internet cafe wants to log the users out after one hour? I 
  don't want to use account expires, I want the account to be still active but 
  to log the users out and they can re-login after that no problem. 



RE: [ActiveDir] Can We configure Romaing Profiles using Script

2006-04-22 Thread Ulf B. Simon-Weidner
Hello Ravi,

It's basically a setting of the user account, so you can create a share,
allow everyone Full Control on the share, then change the user accounts using
ADUC Multiselect/Multiedit or with the ds-tools:

Dsmod user distinguishedname_of_user -profile \\server\profile$\$username$

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
|Sent: Saturday, April 22, 2006 8:58 PM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Can We configure Romaing Profiles using Script
|
|Hi Champs,
|
|Can we configure Roaming Profiles using a script? I am in need 
|of this because we are migrating to ThinClient and want all 
|our users to have a Roaming Profile.
|
|Kindly update if there is a way out. I have 3 days with me to 
|come up with a solution.
|
|I Know someone there has a solution.
|
|We have Win2k3 DC's and Windows XP Embedded (ThinClients).
|
|--
|Ravi Dogra


RE: [ActiveDir] Can We configure Romaing Profiles using Script

2006-04-22 Thread Ulf B. Simon-Weidner
Hello Ravi,

the easiest way is using the GUI, by selecting all users in question in
Active Directory Users and Computers, then choose Properties and set the
checkbox next to the profile field and enter the profile path in there. You
can use %username% in there as well. This will set it for all users.

You can also combine the dstools:

Dsquery user ou=whatever,dc=example,dc=com -limit 0 | dsmod user -profile ... 

This should give you an example how to do this.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
|Sent: Saturday, April 22, 2006 9:52 PM
|To: ActiveDir@mail.activedir.org
|Subject: Re: [ActiveDir] Can We configure Romaing Profiles using Script
|
|Hi Ulf,
|
|Do I need to run the same command for all my users? I think there 
|should be a better way to just run a single command over an OU or 
|Group or List of Users.
|
|Update me if I am wrong.
|
|Dsmod user distinguishedname_of_user -profile 
|\\server\profile$\$username$
|
|Thanks
|Ravi Dogra
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
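Added example, not the thread's own commands: the same bulk change with the ActiveDirectory PowerShell module (RSAT assumed; the OU and the share path are the placeholders from the thread). One point worth keeping in mind when opening the share to Everyone as described above: the share permission only opens the share, it is the NTFS ACL on the profile root that keeps each user out of the other users' profile folders.

```powershell
# Added example (not the thread's own commands): set the roaming profile path
# for every enabled user below an OU, the PowerShell equivalent of
# "dsquery user ... -limit 0 | dsmod user -profile ...".
# Assumes the ActiveDirectory module (RSAT); OU and share are placeholders.
Import-Module ActiveDirectory

function Set-RoamingProfilePath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. 'OU=whatever,DC=example,DC=com'
        [Parameter(Mandatory)] [string] $ProfileRoot   # e.g. '\\server\profile$'
    )

    # %username% is stored literally in profilePath and expanded per user at logon,
    # so one value serves every account (this is what ADUC multi-select writes too).
    $profilePath = "$ProfileRoot\%username%"

    # Enabled user accounts below the OU; Get-ADUser applies no result limit,
    # which is what "-limit 0" does for dsquery.
    $users = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties ProfilePath)

    $changed = 0
    foreach ($u in $users) {
        if ($u.ProfilePath -eq $profilePath) { continue }   # already correct, nothing to do
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "set profilePath to $profilePath")) {
            Set-ADUser -Identity $u -ProfilePath $profilePath
            $changed++
        }
    }
    "$changed of $($users.Count) accounts updated"
}

# Dry run first (-WhatIf lists every account that would change), then the real run.
Set-RoamingProfilePath -SearchBase 'OU=whatever,DC=example,DC=com' -ProfileRoot '\\server\profile$' -WhatIf
# Set-RoamingProfilePath -SearchBase 'OU=whatever,DC=example,DC=com' -ProfileRoot '\\server\profile$'
```

Accounts that already carry the target path are skipped, so the function can be re-run after adding users without touching the rest.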


RE: [ActiveDir] User Accounts

2006-04-19 Thread Ulf B. Simon-Weidner
* DNTs (to me) are _not_ a component of the directory

IIRC they are like a (primary/foreign) key in a database. Technically not
needed by the database layer, and not needed by the application, but needed
to keep the data together for the application. So if you look at AD from the
outside it won't be referenced, if you look at ESE it's just a DB and
doesn't care about the data stored within, but you still need it in between
to store the AD in the ESE.
Right?

* DNTs are not reusable

Unique per server and don't provide any reference across servers. If AD
looks for a parent object by looking up its known DNT (stored with the
child), ESE would fail in that moment, AD would not be able to go to another
server and look up the same DNT in its database. The AD is distributed, the
ESE is local, and DNTs are part of the local table.

If I understand correctly:
DNTs are reusable in ESE, however AD's implementation does not allow DNTs to
be released / reused on a single server, and the database will only reuse
them if you recreate the DB by repromoting (because the data is replicated
from other servers into a virgin ESE, and DNTs are assigned from the
beginning at this point).

Right?

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
|Sent: Wednesday, April 19, 2006 1:18 AM
|To: Send - AD mailing list
|Subject: RE: [ActiveDir] User Accounts
|
|Inline is my take on an IM conv. Brett and I just had, the 
|result and content of which turned up some interesting (to me 
|at least) implementation details.  The short story is -
|
|* DNTs (to me) are _not_ a component of the directory
|   - they _are_ a component of the layer that bridges the 
|two (dblayer)
|   - to Brett, I believe he sees them within the sum of 
|what is the directory
|* DNTs (to both Brett and I) are not part of ESE
|* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
|* DNTs are not reusable
|
|I hope the summary and conversational text inline proves useful.
|
|--
|Dean Wells
|MSEtechnology
|* Email: [EMAIL PROTECTED]
|http://msetechnology.com
|
| 
|
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] On Behalf Of 
|Brett Shirley
| Sent: Tuesday, April 18, 2006 5:11 PM
| To: ActiveDir@mail.activedir.org
| Cc: Send - AD mailing list
| Subject: RE: [ActiveDir] User Accounts
| 
| 
| Dean, I didn't understand this comment ...
|   But, dude, seriously, you weren't aware that AD's ESE 
|used a 32 bit 
| DNT?
|   Methinks perhaps you're muddling in the realms of personal 
| interpretation   ... though I'm quite certain you'll argue that too 
| ... ESE purist :0p
| 
| Are you claiming that ESE knows what a DNT is?
|
|Not at all ... but IMO, neither does the directory ... and per 
|our IM, the dblayer knows what they are (after all, DNT = 
|distinguished name tag ...
|blatantly not an ESE term ... and dblayer = database layer ... 
|not a directory term ... hmmm)
|
| A DNT is an entirely AD concept, ESE has no idea what a DNT is.
|
|Nod.
|
| ESE also has no concept of linked-values, or the link_table.
|
|Now this was news to me, so here's the summary: ESE has tables 
|+ columns + indices over columns.  The dblayer forms the 
|bridge between two technologies, one molding the behavior of 
|the other (dblayer molds ESE).
|ESE maintains no referential integrity, the dblayer does this 
|... including link-pairs -- this part was especially surprising to me.
|
| This is the 2nd time you've confused the AD dblayer (what maintains 
| the AD schema on an ESE
| database) and the ESE database layer.  
|
|Don't know that I'd agree with that since on neither occasion 
|was the dblayer specifically referenced .. but it's moot for 
|the moment since I'm still mulling over whether my new-found 
|knowledge pertaining to link-pairs influences my opinion on 
|where DNTs lie; directory or database.
|
|
|


RE: [ActiveDir] User Accounts

2006-04-19 Thread Ulf B. Simon-Weidner
Ok - thinking it over, it's understandable that IFM does not touch DNTs but
rather uses the backup as default dit to start from. Obviously you are not
creating a default dit and opening up a second dit to do a local sync. How are
you handling server specific settings? Delete/change those right at the
beginning of an IFM, then go ahead with the default replication to figure out
the changes? Guess USNs and watermark vectors can be kept and are the same
at the beginning of IFM.

However, thanks Eric and Dean for verification and additional thoughts.

Ulf

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Eric 
|Fleischman
|Sent: Wednesday, April 19, 2006 4:39 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
| DNTs are reusable in ESE, however ADs implementation does not allow
|DNTs
| to be released / reused on a single server, and the database 
|will only 
| reuse them if you recreate the DB by repromoting (cause 
|the data is 
| replicated from other servers into a virgin ESE, and DNTs 
|are assigned 
| from the beginning at this point).
|
|Basically, yes. Though I would point out, this is hardly 
|reusing DNTs...this is more starting over. :) For the sake of 
|clarity I would point out that such a re-promotion would need 
|to be over the wire and not IFM. IFM just picks up where the 
|last left off, as you are using the old database again, and so 
|the same AD level rules apply.
|
|~Eric
|
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
|Simon-Weidner
|Sent: Tuesday, April 18, 2006 11:40 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
|* DNTs (to me) are _not_ a component of the directory
|
|IIRC they are like a (primary/foreign) key in a database. 
|Technically not needed by the database layer, and not needed 
|by the application, but needed to keep the data together for 
|the application. So if you look at AD from the outside it 
|won't be referenced, if you look at ESE it's just a DB and 
|doesn't care about the data stored within, but you still need 
|it in between to store the AD in the ESE.
|Right?
|
|* DNTs are not reusable
|
|Unique per server and don't provide any reference across 
|servers. If AD looks for a parent object by looking up its 
|known DNT (stored with the child), ESE would fail in that 
|moment, AD would not be able to go to another server and look up 
|the same DNT in its database. The AD is distributed, the ESE 
|is local, and DNTs are part of the local table.
|
|If I understand correctly:
|DNTs are reusable in ESE, however AD's implementation does not 
|allow DNTs to be released / reused on a single server, and the 
|database will only reuse
|them if you recreate the DB by repromoting (because the data is 
|replicated from other servers into a virgin ESE, and DNTs are 
|assigned from the beginning at this point).
|
|Right?
|
|Gruesse - Sincerely, 
|
|Ulf B. Simon-Weidner 
|
|  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
|  Weblog: http://msmvps.org/UlfBSimonWeidner
|  Website: http://www.windowsserverfaq.org
|  Profile:
|http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
|
| 
|
||-Original Message-
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
||Sent: Wednesday, April 19, 2006 1:18 AM
||To: Send - AD mailing list
||Subject: RE: [ActiveDir] User Accounts
||
||Inline is my take on an IM conv. Brett and I just had, the result and 
||content of which turned up some interesting (to me at least) 
||implementation details.  The short story is -
||
||* DNTs (to me) are _not_ a component of the directory
||  - they _are_ a component of the layer that bridges the 
|two (dblayer)
||  - to Brett, I believe he sees them within the sum of 
|what is the 
||directory
||* DNTs (to both Brett and I) are not part of ESE
||* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
||* DNTs are not reusable
||
||I hope the summary and conversational text inline proves useful.
||
||--
||Dean Wells
||MSEtechnology
||* Email: [EMAIL PROTECTED]
||http://msetechnology.com
||
|| 
||
|| -Original Message-
|| From: [EMAIL PROTECTED]
|| [mailto:[EMAIL PROTECTED] On Behalf Of
||Brett Shirley
|| Sent: Tuesday, April 18, 2006 5:11 PM
|| To: ActiveDir@mail.activedir.org
|| Cc: Send - AD mailing list
|| Subject: RE: [ActiveDir] User Accounts
|| 
|| 
|| Dean, I didn't understand this comment ...
||   But, dude, seriously, you weren't aware that AD's ESE
||used a 32 bit
|| DNT?
||   Methinks perhaps you're muddling in the realms of personal 
|| interpretation   ... though I'm quite certain you'll argue 
|that too 
|| ... ESE purist :0p
|| 
|| Are you claiming that ESE knows what a DNT is?
||
||Not at all ... but IMO, neither does the directory ... and 
|per our IM, 
||the dblayer knows what they are (after all, DNT = distinguished name 
||tag

RE: [ActiveDir] Anomoly in application of Permissions by adminSDHolder

2006-04-19 Thread Ulf B. Simon-Weidner
Hi Richard,

You can change the settings by delegating write access to lockoutTime on the
adminSDHolder-Object in the system container. After doing that your helpdesk
will be able to unlock any administrative account anywhere in the domain.

For more information query my blog for adminSdHolder or use google, which
will bring it up as well.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Richard Bowersox
|Sent: Wednesday, April 19, 2006 10:09 PM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Anomoly in application of Permissions by 
|adminSDHolder
|
|I have noticed what appears to be an anomaly in the way that 
|adminSDHolder is applying object permissions and was wondering 
|if anybody else has seen something similar or has a workaround.
|
|We want our internal helpdesk staff to be able to unlock any 
|user's account, even privileged accounts that are protected by 
|adminSDHolder 'inheritance'.
|The HELPDESK group has been given Read/Write permissions on the 
|lockoutTime attribute for User Objects protected by 
|adminSDHolder.  However, when members of HELPDESK go to unlock 
|a locked account of this type, the choice is grayed out.  (The 
|same permissions given to the same group for accounts not 
|protected by adminSDHolder allow the HELPDESK to unlock those 
|accounts without any problem.)
|
|When I look at the permissions applied to the specific user 
|object it shows that the HELPDESK group has Read/Write on the 
|lockoutTime attribute as expected. The only way that members 
|of the HELPDESK group can gain access to the account lockout 
|box is to set the security on a specific account for the 
|lockoutTime READ/WRITE permission to apply to 'This Object' 
|rather than the User Objects' choice.
|
|Unfortunately, when setting the security on the adminSDHolder 
|container, I cannot use the This object and all child 
|objects choice because when that is selected, the lockoutTime 
|attribute is not an available option. 
|
|
|
|Rick Bowersox
|Rockwell Collins
|
|If you cannot convince them, confuse them.
|--
|Harry S Truman
|
|
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
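Added example, not from the thread: the delegation Ulf describes done with the ActiveDirectory PowerShell module, followed by a read-back of which ACEs on AdminSDHolder already grant write on lockoutTime (the question a defender asks before and after such a change). It assumes RSAT and a group named HELPDESK as in the question; the attribute GUID is read from the schema rather than hard-coded. The ACE is created with inheritance None because SDProp stamps AdminSDHolder's DACL onto each protected account, so "this object only" is what ends up on the user, which matches what Richard saw; the change reaches protected accounts at the next SDProp run (every 60 minutes by default).

```powershell
# Added example (not from the thread): delegate Read/Write on lockoutTime to a
# helpdesk group on the AdminSDHolder object, and list what AdminSDHolder grants
# on that attribute. Assumes the ActiveDirectory module (RSAT) and its AD: drive;
# the group name HELPDESK is the one from the question.
Import-Module ActiveDirectory

function Get-LockoutTimeSchemaGuid {
    # Look the attribute GUID up in the schema rather than hard-coding it.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID
    [guid]$attr.schemaIDGUID
}

function Grant-AdminSdHolderUnlock {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] [string] $GroupName)

    $holderDn = "CN=AdminSDHolder,CN=System,$((Get-ADRootDSE).defaultNamingContext)"
    $holder   = "AD:\$holderDn"
    $sid      = (Get-ADGroup -Identity $GroupName).SID

    $rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    # No inheritance: SDProp copies this DACL onto each protected account, where
    # the ACE must apply to the account object itself.
    $noInh  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    $rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                  $sid, $rights, $allow, (Get-LockoutTimeSchemaGuid), $noInh)

    $acl = Get-Acl -Path $holder
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($holderDn, "grant $GroupName Read/Write on lockoutTime")) {
        Set-Acl -Path $holder -AclObject $acl
    }
}

function Get-AdminSdHolderLockoutTimeAces {
    # Defender view: which principals can unlock protected accounts via AdminSDHolder?
    # Only attribute-specific ACEs are listed; a full-control ACE (empty ObjectType)
    # grants the same and must be reviewed separately.
    $holderDn = "CN=AdminSDHolder,CN=System,$((Get-ADRootDSE).defaultNamingContext)"
    $guid     = Get-LockoutTimeSchemaGuid
    $write    = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    (Get-Acl -Path "AD:\$holderDn").Access |
        Where-Object { $_.ObjectType -eq $guid -and (($_.ActiveDirectoryRights -band $write) -ne 0) } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
}

Grant-AdminSdHolderUnlock -GroupName 'HELPDESK' -WhatIf   # dry run; drop -WhatIf to apply
Get-AdminSdHolderLockoutTimeAces
```

Run the read-back once before the change to record the starting point and again after the next SDProp cycle; the same listing is a useful periodic check, since any additional write ACE on AdminSDHolder propagates to every protected account in the domain.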


RE: [ActiveDir] Tombstone attributes

2006-04-18 Thread Ulf B. Simon-Weidner
Unfortunately the password is the same attribute for users and computers. I
thought recently to put the password in the tombstone to ease computer
account reanimation - after the account is deleted the computer is not able
to change its password, and if it was deleted accidentally it's easy to
reanimate the account and the computer will still be happy.

I know that it'll be easy to put the computers in the domain again, however
I've had a customer with hundreds of sites which lost a couple hundred
computer accounts across those sites, and bandwidth didn't allow to remotely
script the addition of the computer accounts to the domain via netdom. We
were able to perform an authoritative restore, and were lucky that we lost
almost no computer accounts due to changed passwords, however this was an
unlikely event as the computers had recently joined the newly created domain.
In running domains we'd have to calculate an average of 1/15th of computers
per day of the age of the backup to join manually.

I agree on user objects - and if I'd decide to keep the password for
computer accounts in the tombstone I'd prefer to put a procedure in
place to change a user's password before deleting it.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
|Sent: Tuesday, April 18, 2006 11:19 PM
|To: ActiveDir@mail.activedir.org
|Subject: Re: [ActiveDir] Tombstone attributes
|
|Steele, Aaron [BSD] - ADM wrote:
| Hi there all,
|  
| Does anyone here know why Microsoft chose not to include the 
| attributes related to user password and sidHistory in the 
|tombstone of 
| an object upon deletion?
| Was it a security decision?
| I would like to get some input from people here before I go 
|and update 
| my schema to enable the restoration of these properties from the 
| tombstone'd object.
|
|Personally I would not like to preserve password attribute on tombstone
|- I don't see a reason for that, and yes, IMO it can be seen 
|as possible 
|   security threat. If user is deleted and restoring it 
|requires admin action it is just another logical step to reset 
|it's password.
|
|SID History attribute is preserved as with SP1 on Windows 2003 
|DC. ~Eric wrote about it some time ago:
|http://blogs.technet.com/efleis/archive/2005/07/12/407648.aspx
|
|and this is OK - when you want to restore object and probably 
|it's group membership etc. preserving SID History is good solution.
|
|--
|Tomasz Onyszko
|http://www.w2k.pl/blog/ - (PL)
|http://blogs.dirteam.com/blogs/tomek/ - (EN)


RE: [ActiveDir] Tombstone attributes

2006-04-18 Thread Ulf B. Simon-Weidner
Agreed - as I said I'd put procedures in place to protect user account
passwords, but would use tombstones to ease computer account restores.

Ulf

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
|Sent: Wednesday, April 19, 2006 12:43 AM
|To: ActiveDir@mail.activedir.org
|Subject: Re: [ActiveDir] Tombstone attributes
|
|Ulf B. Simon-Weidner wrote:
| Unfortunately the password is the same attribute for users and 
| computers. I thought recently to put the password in the tombstone to 
| ease computer account reanimation - after the account is deleted the 
| computer is not able to change its password, and if it was deleted 
| accidentally it's easy to reanimate the account and the 
| computer will still be happy.
| 
| I know that it'll be easy to put the computers in the domain again, 
| however I've had a customer with hundreds of sites which lost a couple 
| hundred computer accounts across those sites, and bandwidth didn't 
| allow to remotely script the addition of the computer accounts to the 
| domain via netdom. We were able to perform an authoritative restore, 
| and were lucky that we lost almost no computer accounts due to changed 
| passwords, however this was an unlikely event as the 
| computers had recently joined the newly created domain.
| In running domains we'd have to calculate an average of 1/15th of 
| computers per day of the age of the backup to join manually.
| 
| I agree on user objects - and if I'd decide to keep the password for 
| computer accounts in the tombstone I'd prefer to put a procedure 
| in place to change a user's password before deleting it.
| 
|
|Jup, I can agree with it - but still I don't like the idea of 
|restoring the user with the old password. What about password age 
|and complying with security policy - I can imagine a situation 
|in which a user's password was
|89 days old (with 90 days maximum password age), then was 
|deleted and restored - password will be valid for another 90 
|days. What about complexity requirements?
|
|
|
|--
|Tomasz Onyszko
|http://www.w2k.pl/blog/ - (PL)
|http://blogs.dirteam.com/blogs/tomek/ - (EN)


RE: [ActiveDir] User Accounts

2006-04-17 Thread Ulf B. Simon-Weidner
Very interesting again, thanks for those explanations.

So you've seen ADs with 50M - 100M objects. This makes the theoretical part
of my brain a bit anxious - theoretically ;-)

Were these real objects, or what the regular AD-Guy would refer to (sum of
users, computers, groups, a.s.o - leaving out technical objects like
phantoms, objects in the C-NC, S-NC, D-NC/System,.. dnsNode-Objects [1],..)?

That means they'll have issues after an account overturn [2] of 20-40 (or
10 if 100M objects and you feel comfortable with 1.07B) because then they
hit the unreleased DNTs and have to start repromoting DCs to get them
back.
OK - while an account overturn of 20 seems very long term - I doubt that
DNTs are being released by inplace upgrades and I don't look very happy
imagining running ADMT or some other migration tool against 100M object ADs.
And the limit is still the forest, not the domain.

So in the long term they might even be hitting the DNT-Limit, without even
creating a bigger AD DIT (considering they perform regular DIT-maintenance)
- just by deleting and recreating each object b/c of its natural overturn up
to 40 times and not releasing their DNTs. However long term - if we assume
100M objects and an object overturn of about 10yrs we'll have 20 cycles and 200
yrs to figure that out - or just get the last bit back and rethink.

Limit on RIDs - this one is interesting as well, since we only need to
create 2147483 DCs and create 325 objects on the last one. Anyone out there
to lend me some hardware ;-)

However I'm still curious what would happen when we have the 2^31+1 newly
created objects (handled error, major bang of the server against the wall)
(no matter how many are currently existing - same issue whold happen with
lower numbers of objects and frequent deletion/creation)?
Also - as Dean mentioned - what would happen when we have more than
2^30-1000+1 Security Principles - Bang boom bang - or start the RIDs over at
1000, or overflow which would cause the RIDs to start at 1(yeah - I'd like
to be the 2^30-1000+500 user then)?

OK - everything extremely unlikely - but the d... [3] thing is that my brain
wants to know that now - and I can't find the soft reset ;-)

[1] Uupsi - they tend to be deleted and recreated quite frequently (compared
to accounts)

[2] How would you call this? Inventory overturn comes to my mind (the
cycle when a warehouse has all inventory sold and new one in there), so
account overturn may be appropriate defining when each account has been
dismissed and a new one created (however technically I'm talking to object
overturn) - people leave and people join - people die and people are being
instantiated (aka born).

[3] Swearword? Do clue - I'm german - we have our own - can't keep a
dictionary of approabriate words in foreign languages  in the same brain
which is interested in those answers.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
|Sent: Monday, April 17, 2006 2:47 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
|
|Eric's quoting didn't come across in pine so well, so I've 
|improved it by using > where he was quoting others ...
|
|*Ahem* ... for the hex heads ...
|
|ESE limits:
|
|The underlying store (aka ESE or JET Blue) does not have a 4.2 
|billion row constraint to the # of rows in a single table ... 
|ESE will support from
|2^1 up to 2^(~240*8) rows in a single table, _depending upon 
|your primary key_ ... and if you found ESE's old max 9.95e+583 
|rows to be woefully under sized, you'll be able to go to 
|around _I think_ 2^(~1875*8) rows in Vista ... if you can find 
|the storage for it [1].
|
|AD design limits:
|
|Active Directory however chose a primary key (The DNT) that 
|has only 32 bits, and is signed, so limiting to positive 
|values is limited to 2.1 billion rows (as ~Eric mentions), but 
|this is not ESE's fault, nor an ESE limitation.  Exchange for 
|example chose a 63-bit message ID on their message table 
|(called 1-23 IIRC), and is thus limited to no more than
|2^63 / 9.22 quintillion rows (though probably a bit less due 
|to the way they parse up the message ID).
|
|Clearly the Exchange limit of # of message rows, shows that 
|ESE is not limited to 2.1 or 4.2 billion rows in a single 
|table, this is why it is crucial to be able to distinguish how 
|ESE differs from the data layer / schema (of AD) constructed 
|on top of ESE.
|
|At this point we think we've established the max # of objects 
|in an AD database, BUT the actual hard limitation would be the 
|minimum of several competing constraints, any which could 
|reduce us far lower ...
|
|Actual hard limitation

RE: [ActiveDir] User Accounts

2006-04-17 Thread Ulf B. Simon-Weidner
Hi Brett,

I don't want you to say or admit anything - I'm just curious and having a
conversation here ;-)

I was referring to your sentence
|I've heard of two production ADs in excess of 50 M (less than 100 M
|though)
which really made me curious, and I started to think that these are not that
unlikely to hit the limit. The rest of the conversation is just curiosity and
for the sake of being interested - no real scenario - just interested in
opinions.

Never take me too seriously - I'm German but that wasn't my fault ;-) I like to
discuss what-if scenarios and am mainly interested in geeky chit-chat.

And I've never and will never ask someone of your group or company to
confess something in public. We are just chatting here.

Ulf

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
|Sent: Tuesday, April 18, 2006 12:32 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
|
|In my experience the type of forest you're thinking about is a 
|different beast, Ulf ...
|
|I don't know a single customer that has a NOS / IT 
|infrastructure forest with 10M objects, in fact I can't even 
|think of one with 5 M.  Anything north of 5M - 10M objects is 
|almost assuredly e-commerce, internet facing web portal type stuff ...
|
|There is natural churn because user accounts on the web 
|facing stuff churn, multiple personas, forgotten password, 
|whatever, but they don't get any of the normal churn you 
|associate with the IT infrastructure (DNS objects, computer 
|accounts join/unjoin, MIIS or HR control system
|injected changes, etc).  They're basically using it like a 
|specialized database.
|
|They are more prone to IFM though, which doesn't recycle DNTs. 
|But all things considered the object churn seems to be less ... 
|I believe the churn isn't too ridiculous.
|
|But it seems you just want to say or me to admit, yes if you 
|hit this limit you will need to repromote.  That is true.  
|People dealt w/ NT4 SAM when it balked at 70k accounts or 
|whatever, people will have to deal w/ AD when they use 2B RDNs 
|... if you're actually dealing with numbers that ballpark into 
|that area, I'd be curious to hear about your scenario, but I 
|suspect no one is doing that ... yet.
|
|Cheers,
|-BrettSh
|
|On Mon, 17 Apr 2006, Ulf B. Simon-Weidner wrote:
|
| Hi ~eric,
|
| >> I don't look very happy imagining running ADMT or some other
| >> migration tool against 100M Object ADs
| >
| > You don't need to think about anything like ADMT. In your scenario,
| > with object overturn and DNT depletion, you would simply need to
| > re-promote the machines slowly over time, perhaps when doing OS
| > version upgrades or something, and not use IFM.
| > This is not a forest concept, nor domain, nor NC... this is a DB
| > instance concept. DNTs are different in each instance in your forest.
| > They are not replicated.
|
| Yes - agree. My intent was to outline that we might approach the
| DNT-limit with directories this large because:
| - they might run for a longer time
| - object overturn will happen
| - AD will stay over time since I doubt an upgrade will touch the dit
| and recycle DNTs, and companies with that large forests will rather
| upgrade to a new OS than using ADMT
|
| I'm aware that a repromote of the DCs will take care of it. I just
| tried to say that there might be the time when a repromote because of
| DNTs might be necessary in some larger domains. However still
| unlikely, but not that much away from reality if you look at the
| numbers posted (100M Objects are 5-10% of the limit, employees and
| customers as well as other objects (DNS) tend to change, and
| the limit is the forest (b/c total number of objects on a GC)).
|
| >> Were these real objects, or what the regular AD-Guy would refer to
| >
| > Yes, but I don't understand why this matters to you?
|
| Just being curious if Brad was talking about 50M+ Accounts or Objects
| - main reason because of plain curiosity to figure out if we are
| talking about 50M+ Objects or 50M+ Accounts + another couple M
| dnsNodes/phantoms/...
| 
| Gruesse - Sincerely,
|
| Ulf B. Simon-Weidner
|
|   MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
|   Weblog: http://msmvps.org/UlfBSimonWeidner
|   Website: http://www.windowsserverfaq.org
|   Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
|
| 
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] On Behalf Of Eric 
| Fleischman
| Sent: Monday, April 17, 2006 4:43 PM
| To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
| Subject: RE: [ActiveDir] User Accounts
| 
| 
|  I don't look very happy
|  imagining running ADMT or some other

RE: [ActiveDir] User Accounts

2006-04-17 Thread Ulf B. Simon-Weidner
|> Never take me too seriously
|
|Seriously?  :)

Absolutely ;)

|(Great thread by the way)

I agree!

Ulf

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Crawford, Scott
|Sent: Tuesday, April 18, 2006 1:16 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
|> Never take me too seriously
|
|Seriously?  :)
|
|(Great thread by the way)
|

RE: [ActiveDir] User Accounts

2006-04-17 Thread Ulf B. Simon-Weidner
Hi ~eric,

Thanks for the answer.

Ulf

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Eric 
|Fleischman
|Sent: Tuesday, April 18, 2006 4:05 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
|Yes, both Brett and I have seen large directories in this range.
|All of my experience with directories 25M objects was outward facing.
|I.e., internet portal types, like Brett was talking about.
|
|~Eric
|
|

RE: [ActiveDir] User Accounts

2006-04-16 Thread Ulf B. Simon-Weidner

So you saved the negative DNTs for Longhorn or Blackcomb - if you realize that
someone is getting too close to that limit in his forest? Interested in sharing
the reason?

What are you going to do if someone asks nicely (to get the bit back)? Sounds
deeper in the system than some hotfix or SP can fix - err - change.

When will you release the whitepaper "Maintaining Active Directory Forests at
the DIT's Limit" which states to regularly repromote DCs in the intervals of
garbage-collection (to release unused DNTs)? (And note that this will be the
introduction of implementing manual processes for floating roles)

And just in case:
;-)


Gruesse - Sincerely,
Ulf B. Simon-Weidner

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
  Sent: Sunday, April 16, 2006 2:58 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] User Accounts
  
  
  Good thread.

  A few corrections, for the sake of keeping the search engines fresh.

  > The underlying store used by AD supports a theoretical maximum of 4.2
  > billion rows (limited by the 32 bit DNT or distinguished name tag)

  Actually, you can only have 2^31 DNTs. This is because we start at 1, but
  it is actually a signed int. So we only get up to ~2bil or so, and don't use
  the negative side. Sorry, you can't have the bit back, unless you ask REALLY
  nicely. <g>

  > A row could be said to correlate to an object but it's certainly not a
  > one-to-one relationship since rows also house many other structures such
  > as tables, long-values, etc

  Ah, no, not quite (thankfully :)).
  There is a similar limit for # of long values (doesn't work the same, but
  mechanics omitted for the sake of brevity), but it has nothing to do with
  row count in the data table. Long values are burst out to their own b-tree,
  and as such would not be related to the DNT count max that you were talking
  about before. In fact, the LID concept is entirely orthogonal to the max row
  count governed by DNTs that was being discussed.
  Dean and I also IM'd on this thread some, and the concept of link value also
  came up. Rest assured, link values also do not consume DNTs, they are stored
  entirely differently.

  But, I do agree with the general feeling here, though for a slightly
  different reason. :) A row being used on a DC does not necessarily correlate
  with only what people think of as their objects hosted by that particular
  server. You have phantoms, structural phantoms, schema definitions, etc.
  Further, GCs of course drive the limitation in large forests, when the # of
  objects that is large are in domain NCs, of course (more on this below).

  > So ... to my knowledge, there's no user-related maximum other than the ESE
  > constraints outlined above. Hundreds of millions of users seems perfectly
  > practical. I personally have no first-hand experience of a directory of
  > that scale but if memory serves I believe public documentation does exist
  > referencing either (or both) test or production directories well within
  > this arena.

  There is actually a subtle point here... there is a max # of users in a
  single directory instance (ie, on one given DC/ADAM instance), and a max #
  in the entire distributed system. They are somewhat different.
  In the ADAM world (read: no GCs), it is entirely possible to have a series
  of instances, each of which house different NCs, and each NC approaches the
  limits mentioned in this thread (ie, each has 2bil objects say). So long as
  no one instance breaks the thresholds, you are golden.
  It is only AD that can't play this game because GCs of course have partial
  NCs. But ADAM, no worries. Well, unless your large # of objects in AD are in
  NDNCs.

  The larger directories I have worked with had ~100M objects on a single
  server. I haven't seen people break that on a single box... but I don't deny
  it has been done, I just haven't seen it. :)

  Oh yea, the concept of negative linkIDs somehow came up in conversation as
  well. I'll blog about that I think. Perhaps even tonight, if I get my stuff
  done.

  ~Eric

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Saturday, April 15, 2006 11:15 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] User Accounts
  
  Actually I am going to bust myself here before Dean or someone else does.
  The SIDs are going to be limited into the billions. Not due to the SID
  structure, but due to locations where RIDs are stored as DWORDs (32 bits)
  instead of as 6 bytes (48 bits). ADAM thoughts still stand as they use the

RE: [ActiveDir] OU's Structure

2006-04-13 Thread Ulf B. Simon-Weidner



Yes - prio 1 is delegation, prio 2 GPOs since you have multiple ways to
influence GPOs.

Gruesse - Sincerely,
Ulf B. Simon-Weidner

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
  Sent: Thursday, April 13, 2006 9:22 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OU's Structure
  
  Joe,
  The problem is that, as someone else mentioned, your OU structure serves two
  purposes:

  1) To delegate authority
  2) To apply rights and restrictions via GPOs

  Now if you are going to delegate authority, as far as I can see, the only
  way to do that is via OUs. You could apply specific rights to individual
  users, but that's messy to manage and impractical. On the other hand users
  get many rights already because of group membership, so it's (more?)
  natural to apply GPOs based on group membership rather than having rights
  or restrictions "drop on you from above" because of where you are in AD.
  Mind you of course NTFS rights may also descend from above.

  Dave.
  
  
> As a general rule, I am much more a fan of setting up my GPO structure on
> an OU basis versus a group filtering basis. If anything applying a bunch
> of GPOs to an OU a user is in and then filtering out which ones they
> really have access to with groups would be slower than having multiple OU
> levels because there are more GPOs to loop through and check. I doubt it
> would add very much overhead but there would certainly be more than a
> deployment based on the hierarchical structure would have.


RE: [ActiveDir] Changing a users password

2006-04-12 Thread Ulf B. Simon-Weidner
Hi Oliver,

First of all the receptionist needs to be delegated the rights to reset
users' passwords, as well as being made aware of the consequences (e.g. the
users' local credential cache).

To reset the password you can use commands like net user username password
/domain, or you can use AD tools like ADUC or dsquery user domainroot -name
whatever | dsmod user -pwd newpass -mustchgpwd yes, or you can create your
own script which searches for the user and changes the password after asking
for approval. www.microsoft.com/technet/scriptcenter provides the examples you
have to glue together for this.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Oliver Marshall
|Sent: Wednesday, April 12, 2006 1:56 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Changing a users password
|
|Hi,
|
|I want to create a script that will allow a user here to 
|change the password of any other user. 
|
|I have found several examples, most based on the examples on 
|the MS site. Thing is, they all depend on knowing the 
|Distinguished Name of the user, and the poor old receptionist 
|wont have a clue what that is.
|
|Can anyone help me with a script that will change the password 
|of a user just knowing the username of the user ? At the least 
|I'm after some code to find the DN of a user from their 
|username, and I can then use that with the code I already have 
|(I think).
|
|
|Thanks
|
|Olly


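The reply above sketches the script the question asks for: find the user by logon name, then reset the password after asking for approval. The following is an added example, not the thread's own code, written against the ActiveDirectory RSAT module (Get-ADUser, Set-ADAccountPassword -Reset, Set-ADUser -ChangePasswordAtLogon). The person running it still needs "Reset password" and read/write pwdLastSet delegated on the users' OU; the script grants nothing itself. The log file location is an assumption.

```powershell
# Added example, not the thread's own code. Assumes the ActiveDirectory RSAT
# module and an operator with the reset-password delegation already in place.
Import-Module ActiveDirectory

function Resolve-UserByName {
    # -Identity accepts a sAMAccountName and fails if it does not resolve, so no
    # LDAP filter is assembled from typed input; a hand-built
    # "(sAMAccountName=$name)" is where LDAP filter injection would creep in.
    param([Parameter(Mandatory)][string]$UserName)
    return Get-ADUser -Identity $UserName -Properties displayName, adminCount
}

function Reset-UserPasswordByName {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$LogPath = "$env:ProgramData\pwreset.log"   # assumed location
    )
    $user = Resolve-UserByName -UserName $UserName

    # Accounts protected by AdminSDHolder carry adminCount=1; the OU delegation
    # does not cover them anyway, so fail clearly instead of confusingly.
    if ($user.adminCount -eq 1) {
        throw "'$UserName' is a protected account (adminCount=1); refusing."
    }

    # Show the resolved DN so the operator confirms the right person.
    $who = "$($user.displayName) <$($user.DistinguishedName)>"
    $ok  = Read-Host "Reset password for $who ? [y/N]"
    if ($ok -ne 'y') { return $null }

    $newPassword = Read-Host -AsSecureString 'Temporary password'
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true   # dsmod's -mustchgpwd yes

    # Who reset whom, when: a help-desk readable trail beside the DC audit log.
    Add-Content -Path $LogPath -Value ("{0:u} {1} reset {2}" -f (Get-Date), $env:USERNAME, $user.DistinguishedName)
    return $user.DistinguishedName
}

# Usage: Reset-UserPasswordByName -UserName jdoe
```

The must-change-at-next-logon flag is the important half: the temporary password spoken over the desk is then good for exactly one logon, which keeps the receptionist from ever holding a working long-term credential for another user.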

RE: [ActiveDir] Extending the schema

2006-04-11 Thread Ulf B. Simon-Weidner
Well designed schema updates will not conflict with existing ones - so you
shouldn't have any issues - and if you have issues it's most likely another
non-MS schema extension.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Rimmerman, Russ
|Sent: Wednesday, April 12, 2006 12:59 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Extending the schema
|
|~~
|This e-mail is confidential, may contain proprietary 
|information of the Cooper Cameron Corporation and its 
|operating Divisions and may be confidential or privileged.
|
|This e-mail should be read, copied, disseminated and/or used 
|only by the addressee. If you have received this message in 
|error please delete it, together with any attachments, from 
|your system.
|~~



RE: [ActiveDir] default values for net time /querysntp on new systems?

2006-04-11 Thread Ulf B. Simon-Weidner
Actually, type NTP or AllSync may use the NTP server. AllSync is the
registry setting for w32tm /syncfromflags:MANUAL,DOMHIER (so it's a combination
of NTP and NT5DS). If the setting is NoSync or NT5DS the NTP server setting
is not being used.

Ulf
 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
|Sent: Wednesday, April 12, 2006 12:48 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] default values for net time 
|/querysntp on new systems?
|
|time.windows.com,0x1 is the default value for XP and 2003 
|computers.  The fact that it's not set on some of your servers 
|could be because they were upgraded in place from 2000 or 
|someone (or something, like a GPO, for example) has reset them
|using any number of means: the net time command, w32tm.exe,
|modifying the Registry, etc.
|
|All the command that you're running is telling you is what the 
|NtpServer Registry value is set to.  It is NOT telling you 
|that your computers are necessarily using those sources to 
|synchronize time.  Try running w32tm.exe /dumpreg /subkey:parameters
|
|Look at the Type value.  If it says NT5DS then it's using the 
|domain hierarchy and ignoring the NtpServer value.  If it says 
|NTP then it's using that value.
|
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, 
| Michael M.
| Sent: Tuesday, April 11, 2006 5:30 PM
| To: ActiveDir@mail.activedir.org
| Subject: [ActiveDir] default values for net time /querysntp 
| on new systems?
| 
| Hi,
|I've noticed in our Active Directory environment default settings 
| on Windows XP and Server 2003 computers for net time /querysntp to 
| be one of two values:
| 
| net time /querysntp
| The current SNTP value is: time.windows.com,0x1
| 
| net time /querysntp
| This computer is not currently configured to use a specific SNTP 
| server.
| 
| The value does not seem to correspond to new vs. upgraded systems.
| 
| Our PDC emulator role holder, as recommended, is set to an outside 
| time source.
| 
| Does the value time.windows.com,0x1 have some special significance 
| like obtain your time through normal AD channels, but just in case 
| there is a problem, go to time.windows.com?
| 
| There are no time problems in my environment that I am aware of.  
| Thanks for any enlightenment!
| 
| Mike Thommes
| 
|


RE: [ActiveDir] Server 2003 DNS Admins group permissions

2006-04-06 Thread Ulf B. Simon-Weidner
Might be - you know that you can delegate any event log by adjusting the
CustomSD registry key underneath the specific event log in the registry?

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Thommes, Michael M.
|Sent: Thursday, April 06, 2006 5:54 PM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Server 2003 DNS Admins group permissions
|
|The default DNS Admins group has permission to use the DNS GUI
|(dnsmgmt.msc) and to make changes in it but does not have 
|permission to view the DNS event log (DnsEvent.Evt).  Would 
|this just be an oversight on Microsoft's part?
|
|TIA,
|Mike Thommes


RE: [ActiveDir] 2003 DFS/open files

2006-04-05 Thread Ulf B. Simon-Weidner



I guess it also depends on the application he's using to 
open the file and when it's written by the other (before or after 
replication).

If the file is replicated between the servers before the 
first user is closing (saving) the file, and the application is able to handle 
it, it will inform the user that there's a different version of the file on the 
server and offer him to reload. But apps which are doing this are pretty 
rare.
Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
 MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org
 Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
  Sent: Wednesday, April 05, 2006 5:00 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] 2003 DFS/open files
  
  If running DFS on R2 the last write wins, but the first 
  write is put into the Conflict and Deleted folder on the server, so that it 
  can be retrieved if necessary, depending on available space, quotas, 
  etc.
  HTH,
  Tim
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
  Sent: Wednesday, April 05, 2006 9:43 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] 2003 DFS/open files
  
  The person that saves the file last will win. So the last write 
  will win. Take a look at this article for more info
  
  http://support.microsoft.com/?kbid=221089
  
  Thanks
  Mike
  On 4/5/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:
  Can someone tell me what happens with DFS/replication when a file is updated 
  on one DFS server and a client has that same file open on another DFS 
  server?
  TIA!
  Mike Thommes


RE: [ActiveDir] View Delegated Tasks?

2006-04-05 Thread Ulf B. Simon-Weidner



Sounds like
http://www.dec2006.com/abstracts.cfm#directorysimonweidner

;-)

Ulf


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
  Sent: Wednesday, March 29, 2006 8:49 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] View Delegated Tasks?
  
  
  teaser
  
  For anyone who's going to Windows Connections in Orlando, come to my Advanced 
  Delegation session. I'll show you an option that is so simple and powerful for 
  delegating and then being able to pull reports on your delegation that it will 
  blow your mind. Believe me, I'm not tooting my own horn. I'm no 
  brainiac; the key word was SIMPLE.
  
  /teaser
  
  Dan
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
  Sent: Thursday, March 23, 2006 5:06 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] View Delegated Tasks?
  
  You can however use something like DSRevoke to build a report: 
  http://www.microsoft.com/downloads/details.aspx?FamilyID=77744807-c403-4bda-b0e4-c2093b8d6383&DisplayLang=en.
  
  Thanks,
  
  -Steve
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
  Sent: Thursday, March 23, 2006 4:40 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] View Delegated Tasks?
  
  
  You can't. The 
  delegate wizard is write only. You have to look at the security descriptor on 
  the OU and figure out what changes were 
  made.
  
  
  
  Wook 
  Lee
  
  AD Architect - HP 
  IT
  
  
  
  
  
  From: [EMAIL PROTECTED] on behalf of Harding, Devon
  Sent: Fri 3/17/2006 10:52 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] View Delegated Tasks?
  
  When I delegate permissions to a 
  group in ADUC to a specific OU (using the Delegate Wizard), how can I go back 
  and see who was delegated and the permissions?
  
  Devon 
  Harding
  Windows Systems 
  Engineer
  Southern Wine  
  Spirits - BSG
  954-602-2469
  
  
  
  
  


RE: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain

2006-04-04 Thread Ulf B. Simon-Weidner



How about

dsquery * domainroot -Filter "(&(objectCategory=Computer)(sAMAccountName=computername$))" -attr objectSID

Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
 MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org
 Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
  Sent: Tuesday, April 04, 2006 6:45 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain
  
  
  How about:

  dsquery computer -samid computer_name_here | dsget computer -sid
  
  Mike 
  Thommes
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of matheesha weerasinghe
  Sent: Tuesday, April 04, 2006 10:56 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain
  
  
  No it works fine as computer$. He wanted MS tools only 
  remember? ;-)
  
  
  
  M@
  
  On 04/04/06, Freddy HARTONO [EMAIL PROTECTED] wrote: 
  
  if getsid doesn't work 
  (if I remember correctly this is only for user accounts not comp) - try 
  psgetsid or newsid.exe
  
  
  
  
  Thank you and have a splendid 
  day!
  
  Kind Regards,
  
  Freddy Hartono
  Group Support 
  Engineer
  InternationalSOS Pte 
  Ltd
  mail: [EMAIL PROTECTED]
  phone: (+65) 
  6330-9785
  
  
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of matheesha weerasinghe
  Sent: Tuesday, April 04, 2006 10:40 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain
  
  
  Use getsid.exe of the support tools.

  How come you are using regmon. I thought sysinternals was a no no :0)
  M@
  
  
  
  
  
  On 02/04/06, Rodrigo Blanco [EMAIL PROTECTED] wrote: 

  Freddy,
  is there any standard way (tools included in the W2K3 OS) to verify the 
  SID of a machine? I am not allowed to install or use any external software, 
  such as sysinternals, for instance.

  Joe,
  I believe that the application is using the WINSOCK API too. TCP/IP is 
  working fine and the settings are just as they should be... :-/ So I will 
  do a regmon on a good machine and extract the differences with mine.

  Thank you very much,
  Best regards,
  Rodrigo.

  On 02/04/06, joe [EMAIL PROTECTED] wrote: 
  I believe that tool is using the gethostname WINSOCK API call, I expect you 
  are hitting an error and it isn't handling it gracefully. Is TCP/IP working 
  properly on that machine? Are all of the TCP/IP settings correct? If 
  everything looks ok, I would recommend running regmon on a known good 
  machine and then do the same on the troublesome machine and see what the 
  differences are in the requests, you might get a hint there.

  joe

  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rodrigo Blanco
  Sent: Tuesday, March 28, 2006 6:54 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain

  Hello list,

  I am currently having a problem with a Windows 2003 server inside a Windows 
  2003 server-based Active Directory domain. The problem is that when I run 
  the "hostname" command, it is empty:

  C:\>hostname

  C:\>

  I suspect this happened after doing a clone of the VM machine and, by error, 
  starting it and changing its name in the same network of the original one 
  (this should have happened in an off-line network).

  I have tried to take it out from the domain and register it again in it, but 
  this will not help. There is no conflict between the DNS and the local hosts 
  file on the server. The server is registered in both the direct and inverse 
  DNS lookup zones.

  If I look in System Properties > Computer Name, everything looks fine: 
  hostname and domain are correctly configured.

  Any help will be more than welcome. Thanks in advance and best regards,
  Rodrigo.
  
  
  


RE: [ActiveDir] Finding best way to list servers in AD.

2006-04-03 Thread Ulf B. Simon-Weidner
Why not 

(&(objectCategory=computer)(|(operatingSystem=Windows 2000 Server)(operatingSystem=Windows Server 2003)))

This is at least limited to computer objects and should be slightly better.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
|Sent: Monday, April 03, 2006 10:05 PM
|To: ActiveDir@mail.activedir.org
|Subject: Re: [ActiveDir] Finding best way to list servers in AD.
|
|I usually use:
|
|(&(objectCategory=computer)(operatingSystem=*Server*))
|
|
|But this is a lot more efficient:
|
|(|(operatingSystem=Windows 2000 Server)(operatingSystem=Windows Server 2003))
|
|
|Although it's still not great as there's no indexed attribute.
|
|
|- Original Message - 
|From: AD [EMAIL PROTECTED]
|To: ActiveDir@mail.activedir.org
|Sent: Monday, April 03, 2006 7:48 PM
|Subject: [ActiveDir] Finding best way to list servers in AD.
|
|
| Ok ladies and gentlemen,
|
| Once again I need your help. What would be the best query to 
|list all 
| servers in Active Directory knowing that no additional 
|indexes have been 
| added from the default install?
|
| 1. (&(|(operatingSystem=Windows 2000 Server)(operatingSystem=Windows Server 2003)))
|
| 2. (&(objectCategory=Computer)(operatingSystem=*Server*))
|
| I do not know of any other attribute to use other than 
|operatingSystem 
| which limits your options.
|
| Thanks
|
| Yves St-Cyr


RE: [ActiveDir] CNF entries and LDIFDE.

2006-04-02 Thread Ulf B. Simon-Weidner



Excellent writing buddy - hope you are keeping snippets 
like this for the fourth edition ;-)

Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
 MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org
 Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Sunday, April 02, 2006 5:18 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] CNF entries and LDIFDE.
  
  Howdy.
  
  At 
  DEC I was approached concerning a problem an admin was having with 
  LDIFDE and importing CNF (conflict) objects, basically LDIFDE hits an error 
  and stops when it processes one of these DNs. That is not generally the result 
  you are looking for. It certainly puts a crimp in your productivity for the 
  day if it keeps happening and you can't stop it.
  
  
  First some background, these objects appear when an object is created 
  with the same DN on multiple DSAs (Directory Service Agents aka DCs or ADAM 
  instances) within the same replication convergence interval. They replicate 
  and eventually collide and following standard collision rules, the loser gets 
  marked with a newline (\0A), the string literal 'CNF:' and the objectGUID 
  value in friendly format. Looking something like
  
  CN=collision\0ACNF:efc83ba9-412f-452e-ad49-72f91d31c201,CN=Users,DC=duck,DC=com
  
  The 
  winner of the collision is usually determined by the timestamp of the RDN on 
  the various servers because the version of the RDN of both objects is almost 
  always 1 making the version slightly less than helpful for the comparison. 
  Note I was careful not to say the second one created will win, it is the one 
  with the later timestamp, if servers are out of sync in time with each other, 
  it could confuse the situation. However, assuming you have a good time 
  structure, the object created first should be renamed and the object 
  created second will have the "clean" name.
  
  So 
  the problem with LDIFDE is related to that darn NEWLINE character. That isn't 
  something you can generally import in for a name and Microsoft specifically 
  used that character to get your attention. When LDIFDE tries to import an 
  object like that the DSA says "No way Jose!". Well it is a little more 
  professional and says NAMING_VIOLATION with an error of 200B which is 
  
  G:\granamigodelpato>err 200b
  # for hex 0x200b / decimal 8203 :
    ERROR_DS_INVALID_ATTRIBUTE_SYNTAX                           winerror.h
  # The attribute syntax specified to the directory service is
  # invalid.
  # 1 matches found for "200b"
  
  
  
  You 
  do occasionally (or more or less often - YMMV) get these objects in your 
  directory. As a general rule, clean them up when you find them. How you do 
  that is very specific to the objects, you will have to use some judgement and 
  try to figure out which is the right object to keep, the non-CNF stamped 
  object or the CNF stamped object. About the only incorrect answer here is to 
  say that you always keep one or the other simply based on whether it has the 
  CNF or not. As the name indicates they are indicative of a collision 
  and they are a mechanism to protect you from something that could 
  possibly have really hurt. Don't like collision objects you say?? Consider the 
  alternatives which are that something disappears or you get some sort of 
  odd amalgamation of two different objects. Both of those alternatives suck 
  because they are much worse than just having a CNF object. With a CNF 
  object at least you have something you can detect and have a fighting chance 
  to correct.
  
  
  So 
  the admin is having troubles importing the objects because he keeps hitting 
  CNF objects. It would be nice if LDIFDE handled this situation 
  gracefully. And guess what... it can. :o) The latest version of LDIFDE 
  which is in the ADAM SP1 or R2 release has a version of LDIFDE dated 
  2005/11/23 with a file version of 1.1.3790.2075 which has a '-z' option 
  which tells ldifde to continue importing regardless of 
  errors.
  
  Very 
  cool, yet another reason for you to download ADAM SP1 or dig it 
  off your R2 CDs. However, do you really want to always do that? I mean come on, keep 
  on going regardless of errors... That is equivalent to the VBScript ON ERROR 
  RESUME NEXT programming mechanism and we don't even have ERROR levels so we 
  can really check to stop our process midstream and correct. 
  
  
  So 
  the "right" solution in my mind if you have CNF objects is to clean them up. 
  If that isn't feasible at the time or you already have the LDIF dump you need 
  to import, clean up the file prior to import. This can be done by hand with 
  notepad or if you have a 600MB LDIF file like the admin in question did you 
  will want to script it. Below is a simple script
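joe's post is cut off before his script. As an added example that is not joe's script, the following Python does the "clean up the file prior to import" step he describes: it splits an LDIF export into records, recognises the conflict marker in a DN both in its escaped form (`\0ACNF:`) and in a base64-encoded `dn::` line, and keeps only the clean records while reporting the DNs it dropped. The sample LDIF is constructed; the first CNF DN is the one quoted in the post, the second is made up.

```python
"""Drop CNF (replication-conflict) records from an LDIF export before import.

Added example, not joe's script. An LDIF record ends at a blank line; its DN
is written 'dn: <string>' or, when it holds non-printable characters such as
the conflict newline, 'dn:: <base64>'. A CNF loser's RDN carries a newline
(escaped as \\0A in DN string form), the literal 'CNF:' and the objectGUID.
"""
import base64
import re

# Escaped form "\0ACNF:" in a DN string, or a raw newline in a decoded DN.
CNF_MARKER = re.compile(r"(\\0a|\n)cnf:", re.IGNORECASE)


def split_records(lines):
    """Group LDIF lines into records, unfolding RFC 2849 continuation lines."""
    records, current = [], []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == "":                       # blank line terminates a record
            if current:
                records.append(current)
                current = []
        elif line.startswith("#"):           # comment line
            continue
        elif line.startswith(" ") and current:
            current[-1] += line[1:]          # folded continuation line
        else:
            current.append(line)
    if current:
        records.append(current)
    return records


def record_dn(record):
    """Return a record's DN with the base64 ('dn::') form decoded, or ''."""
    for line in record:
        if line.startswith("dn:: "):
            return base64.b64decode(line[5:].strip()).decode("utf-8")
        if line.startswith("dn: "):
            return line[4:].strip()
    return ""


def is_cnf_dn(dn):
    """True when the DN names a conflict (CNF-stamped) object."""
    return CNF_MARKER.search(dn) is not None


def filter_cnf(lines):
    """Return (LDIF lines safe to import, DNs of the CNF records dropped)."""
    kept, dropped = [], []
    for record in split_records(lines):
        dn = record_dn(record)
        if is_cnf_dn(dn):
            dropped.append(dn)               # report these; they need manual cleanup
            continue
        kept.extend(record)
        kept.append("")                      # restore the record separator
    return kept, dropped


# Constructed sample export: one clean object, the CNF object from joe's post
# in escaped DN form, and a second (made-up) CNF object as a base64-encoded DN.
_B64_DN = base64.b64encode(
    "CN=other\nCNF:00000000-1111-2222-3333-444444444444,CN=Users,DC=duck,DC=com"
    .encode("utf-8")).decode("ascii")
SAMPLE_LDIF = f"""dn: CN=collision,CN=Users,DC=duck,DC=com
changetype: add
objectClass: user
cn: collision

dn: CN=collision\\0ACNF:efc83ba9-412f-452e-ad49-72f91d31c201,CN=Users,DC=duck,DC=com
changetype: add
objectClass: user
cn: collision

dn:: {_B64_DN}
changetype: add
objectClass: user
cn: other
"""

if __name__ == "__main__":
    # For a real export: kept, dropped = filter_cnf(open("export.ldf", encoding="utf-8"))
    kept, dropped = filter_cnf(SAMPLE_LDIF.splitlines())
    for dn in dropped:
        print("dropped CNF object:", dn.replace("\n", "\\0A"))
    print(f"{len(dropped)} CNF record(s) removed, {len(kept)} line(s) kept")
```

Write `kept` out with a blank line between records and feed that file to ldifde; the `dropped` list is the cleanup worklist joe talks about, not something to discard.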

RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003

2006-04-02 Thread Ulf B. Simon-Weidner




> Finding a precise database size at which the 64-bit version becomes more advantageous than the 32-bit version. 

Actually I believe that a 64-bit version is more 
advantageous immediately, however whether the better memory handling and higher 
performance will be human-recognizable depends on other settings, such as your 
applications and their LDAP queries, your GPOs and logon scripts 
(client/user logon), administrative behavior 
a.s.o.

 
> Finding a precise amount of RAM to optimize caching the database.

LSASS 
is only able to consume 512MB by default in a 32-bit environment. How much 
memory is consumed by your LSASS depends on the DIT size and on other settings 
such as indexing, forest infrastructure and GC placement, ...
You 
are able to monitor the memory LSASS consumes by cmd (tasklist), perfmon or 
other monitoring tools (Process\LSASS\Working set size or max working set size) 
or just taskmon. If LSASS gets closer to consuming 512MB you should put the /3GB 
switch in place or run it on 64-bit hardware/OS. However, to figure out the right 
size of RAM you need to keep monitoring and trying at least on one server (or 
one DC and one GC) in your domain since memory usage on Windows adjusts 
depending on the availability of memory.

Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
 MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org
 Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
  Sent: Sunday, April 02, 2006 10:21 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
  
  
  Haven't lurked on 
  the list for a while, so apologies if I'm asking the answered, 
  however:
  Bearing in mind the non-goals of the paper, i.e.
  - Finding a precise database size at which the 64-bit version 
    becomes more advantageous than the 32-bit version. 
  - Finding a precise amount of RAM to optimize caching the 
    database.
  
  Any prescriptive 
  guidance on these bearing in mind that most of our DITs contain more than 
  just user info? Also, how do multiple processors affect 64 bit DC 
  performance?
  What about DC 
  specific settings in 64bit environments, do these change at all, since larger 
  cache configurations are assumed; the thinking is here that you wouldn't 
  bother with 64 bit DCs without the extra memory.
  
  
  
  
  
  From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]]
  Sent: 02 April 2006 09:58 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
  
  although nothing 
  official, we've done testing HP internally and were quite comfortable using a 
  single well-sized 64-bit DC (well-sized meaning our whole DIT cached in 
  memory) serving one of our sites with approx. 4 Exchange Mbx. servers (I 
  believe all dual-proc) with a total of 20.000 mailboxes. It worked like 
  a charm.
  
  /Guido
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Sonntag, 2. April 2006 09:52
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
  And silence swept the 
  community as Microsoft folks dived under desks searching for dropped 
  pens
  
  
  I second this request 
  pleasethankyouverymuch.
  
  
  
  
  --
  O'Reilly Active 
  Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Olson
  Sent: Friday, March 31, 2006 12:30 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
  Thanks. Looks like a really great white paper. Anything in the works to 
  provide updated DC sizing for exchange?
  Thanks again.
  Jeremy
  
  On 3/30/06, Steve Linehan [EMAIL PROTECTED] wrote: 
  
  
  Since it has been asked many times 
  on the alias when a paper will be released detailing the scenarios when 
  deploying 64-bit servers for Active Directory makes sense and providing 
  detailed analysis and numbers, I thought everyone would be happy to know 
  that the Active Directory Program Management and Development teams have 
  released the following White Paper: "Active Directory Performance for 64-bit 
  Versions of Windows Server 2003" 
  http://www.microsoft.com/downloads/details.aspx?FamilyID=52e7c3bd-570a-475c-96e0-316dc821e3e7&DisplayLang=en.
  
  
  
  Thanks,
  
  
  
  
  -Steve
  


RE: [ActiveDir] display name confusion

2006-04-01 Thread Ulf B. Simon-Weidner



> PPS. I landed a couple of hours ago and am jetlagged, so anything written above should be taken with a pillar of salt.

Landed yesterday evening (Friday if I recall correctly) 
- and am still a bit jetlagged. And the rubber ducky is still on the road - 
luggage got lost (or not transferred in time) in San Francisco so I may expect it 
earliest tonight.

Was 
nice meeting you - and glad you've made it out of the lurking space 
;-)
Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
 MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org
 Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katherine Coombs
  Sent: Saturday, April 01, 2006 5:51 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] display name confusion
  
  Tom,
  
  The column Name in ADUC is not the displayName, 
  but you can add this latter column.
  
  When generating a user via ADUC, the field called Full 
  Name is used to populate the user's CN, displayName and 
  name attributes. By default this format is "givenName 
  sn" but you can modify this via the relevant DisplaySpecifier as 
  you mentioned (see http://support.microsoft.com/?kbid=250455). 
  Note that changing the DisplaySpecifier only affects objects 
  created afterwards; objects previously created won't be updated to reflect 
  this change. Additionally, the displayName can be subsequently 
  over-written, or a displayName can be specified at the point of 
  object creation which doesn't adhere to the createDialog 
  format.
  
  If your createDialog for users is %sn, 
  %givenName then - within ADUC - the Full 
  Name field (which populates the CN, displayName 
  and name attributes) will be populated automatically based on 
  the information in the First name and Last 
  name fields. If you don't populate these two fields then the 
  Full Name will need to be specified manually before you can 
  proceed. I presume that this field is required in ADUC because it 
  populates the CN, which is a mandatory attribute, and just for 
  convenience's sake the information from this field is then used to populate 
  those other attributes. Creating a user via another mechanism, such as 
  via a script, should only require you to specify the CN and 
  samAccountName, since other attributes including the 
  displayName are optional. Actually, you don't even need to 
  specify the samAccountName come to think of it, since it will be 
  created automatically if you don't, but ultimately the samAccountName 
  attribute itself is mandatory.
  
  So, if you're certain that you're creating the users via ADUC, 
  then someone manually entered the samAccountName in the Full 
  Name field, which propagates to the displayName attribute 
  amongst others.
  
  I'm not sure what you mean by "the dn's are all mixed". I thought 
  that your problem was with the displayName attribute? It sounds to 
  me like someone mis-populated the Full Name field, which then flows 
  to the displayName and the CN, and the 
  distinguishedName.
  
  HTH,
  Katherine Coombs
  
  PS. For those interested, it would appear that 4 days is the time 
  required to spend with joe before being converted from a lurker to an 
  essayist :-)
  PPS. I landed a couple of hours ago and am jetlagged, so anything 
  written above should be taken with a pillar of salt.
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
  Sent: 30 March 2006 07:16
  To: activedirectory
  Subject: [ActiveDir] display name confusion
  
  Can someone explain to me how the display names get generated in 
  ADUC?
  
  I have users whose display names are "lastname,firstname" but whose 
  accounts show up in aduc as the samaccountname format.
  This is sporadic and not for all users.
  The "user-Display" is set to "lastname,firstname" as well in the config 
  NC.
  
  
  When I do a query with adfind or dsquery, the dn's are all mixed as well 
  with some in sAMAccountName format and some as the display name.
  
  Thanks


RE: [ActiveDir] Thanks to all who came to DEC 2006

2006-04-01 Thread Ulf B. Simon-Weidner
Hi Gil,

Thanks to you and your team, especially Stella and Christine, for all the
work you did to make this conference as special as it is to all of us.

I also want to thank Stuart, AFAIK he was not only sponsoring the event but
also enabled a lot of his folks (Nathan, Levon, Brian,..) to attend and
spent time with us - there were a lot of great discussions between all of
the attendees, speakers, MS, and the conference would not be the same
without their support physically being there.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Gil 
|Kirkpatrick
|Sent: Friday, March 31, 2006 12:30 PM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Thanks to all who came to DEC 2006
|
|Thank you to everyone on the list who came to DEC this year 
|and helped make it a success. I've had nothing but positive 
|comments ranging from really great to un-f***ing-believably 
|great. I've had four different people tell me (including 
|Stuart) that if they can only go to one show a year, DEC would be it.
|
|Certainly the Joe & Dean Show stands out as a popular (and 
|hilarious, and informing) event, but even more critical to 
|the show's success was having the expertise of people like 
|joe, Dean, Guido, Ulf, Jorge, Laura, Wook, and the other 
|list-denizens wandering the halls and talking to people. There 
|was a _scary_ amount of expertise attending the show, and 
|_that's_ what brings people back.
|
|One of the things I do during DEC is wander the halls during 
|the parties and between sessions and listen in on the 
|conversations... I usually don't pick up on anything specific, 
|but I can usually get a sense of the conversation... is it 
|positive/negative, is it energetic, are the people engaged, 
|etc. And this year the halls were positively buzzing, all the 
|way through the final sessions on Wednesday afternoon. It has 
|_never_ been like that before. 
|
|I'd like to take this opportunity to thank joe, Ulf, Dean, and 
|Laura for helping Guido and me with the pre-conference 
|disaster recovery workshop. They wandered into the room where 
|we were setting up, and stayed with us till well after 
|midnight testing and configuring the lab systems. Hmmm... 
|funny, that's about when the Scotch ran out as well... :) To 
|give you an idea of how cool these guys are, they showed up at 
|the workshop the next morning around 7:30 (after getting very 
|little sleep the night before) and spent the next several 
|hours configuring the IP settings in the 150+ lab VMs because 
|the code I wrote to automate the process crashed and burned. 
|And then they spent the rest of the workshop helping the 
|attendees get connected to the wireless net, helping them do 
|the exercises, answering questions, etc. etc. All voluntary, 
|just to help out.
|
|I have to give special thanks to Jorge for running through the 
|pre-conference lab docs until about 3:00 in the morning, just 
|out of the goodness of his heart. Jorge is touring the 
|Southwest US for the next couple of weeks with his girlfriend 
|Nellika (sp?) and I hope he has a great trip.
|
|And double-special-thanks to Guido for partnering with me to 
|produce the whole pre-conference workshop. Guido spent more 
|nights and weekends than either of us want to remember to put 
|the workshop together, and I certainly could not have done it 
|without him. As big a PITA as it was, working with Guido made 
|it a lot of fun except for the part when the VMs started 
|to blue-screen an hour before the workshop was supposed to 
|start. That part truly sucked. :)
|
|Thanks again to all of you who came, and I hope those who 
|couldn't make this year can make it next year.
|
|-gil
|
|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Grillenmeier, Guido
|Sent: Friday, March 31, 2006 12:37 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|> $20 of it was spent showing Guido how US slot machines 
|> worked in the Bellagio.
|
|and that was so complicated to learn :-)  Obviously I lost all 
|of what I've put into the machines as well (hadn't expected 
|anything else) - a whopping $12!  But now I can gamble all I 
|want since on the last day I went to the M&M world-store on 
|the strip and bought a Slot-Machine-Type of M&M dispenser for 
|my kids - it's way cool and I'm sure I'll use it more often 
|than they will ;-))
|
|
|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of joe
|Sent: Donnerstag, 30. März 2006 19:00
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|Would be interested in hearing the survey

RE: [ActiveDir] Reset Local Admin Passwords

2006-04-01 Thread Ulf B. Simon-Weidner

Hello Scott,

If you are talking about the DSRM-Password: SetPwd - which is available in 
W2k SP4 - enables you to remotely reset a DC's DSRM-Password. If you want to 
run this across all running DCs you can do that as follows:

for /f %i in ('dsquery * -Filter "(&(objectCategory=Computer)(userAccountControl=532480))" -attr name -q') do setpwd /s:%i /p:[EMAIL PROTECTED]

Make sure you extend the script to provide you with logging - you need to 
make sure that you know if you were unable to reset a DC's DSRM-Password.

Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
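As an added example that is not part of the post, here is the same job as a PowerShell script with the per-DC logging the post asks for. It assumes setpwd.exe (the tool named above) is on the PATH and returns a non-zero exit code when a reset fails (an assumption about the tool, not something the post states). The DC enumeration uses the bitwise LDAP matching rule on SERVER_TRUST_ACCOUNT instead of the exact userAccountControl value from the one-liner, so DCs that carry additional flags are not missed.

```powershell
# Added example (not from the thread): reset the DSRM password on every DC in the
# domain and write one log record per DC, so you know which DCs were NOT reset.
# Assumes setpwd.exe is on PATH and exits non-zero on failure (assumption).
$LogPath = Join-Path $env:TEMP "dsrm-reset.csv"

# The thread's filter matches userAccountControl=532480 exactly. The bit-AND rule
# (1.2.840.113556.1.4.803) matches any computer with SERVER_TRUST_ACCOUNT (8192) set.
function Get-DomainControllerHostNames {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add("dNSHostName")
    foreach ($result in $searcher.FindAll()) {
        if ($result.Properties["dnshostname"].Count -gt 0) {
            $result.Properties["dnshostname"][0]
        }
    }
}

# Run setpwd against one DC and return a log record. Never throws, so one failing
# DC does not stop the loop and every DC that was attempted shows up in the log.
function Reset-DsrmPassword {
    param([string]$DcHostName, [string]$PlainTextPassword)
    try {
        $output = & setpwd.exe "/s:$DcHostName" "/p:$PlainTextPassword" 2>&1
        $ok = ($LASTEXITCODE -eq 0)
        $detail = ($output | Out-String).Trim()
    } catch {
        $ok = $false                      # e.g. setpwd.exe not found
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{
        Time   = Get-Date -Format s
        DC     = $DcHostName
        Result = if ($ok) { "OK" } else { "FAILED" }
        Detail = $detail
    }
}

# Prompt for the password instead of embedding it in the script.
$secure = Read-Host -Prompt "New DSRM password" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

$records = @(foreach ($dc in Get-DomainControllerHostNames) {
    Reset-DsrmPassword -DcHostName $dc -PlainTextPassword $plain
})
$records | Export-Csv -Path $LogPath -NoTypeInformation -Append

$failed = @($records | Where-Object { $_.Result -ne "OK" })
Write-Host ("{0} DC(s) attempted, {1} failed; log: {2}" -f $records.Count, $failed.Count, $LogPath)
$failed | Format-Table DC, Detail -AutoSize
```

setpwd takes the password on its own command line, so it is visible in the process list of the machine you run this from for the duration of each call; run it from an admin workstation and check the CSV for FAILED rows before assuming every DC now has the new DSRM password.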


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Klassen
  Sent: Friday, March 31, 2006 10:19 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Reset Local Admin Passwords
  
  
  A bit dated I know, but Danish company's web site seems to have gone kaput. 
  Does anyone here happen to have a copy of DCPC to share?
  
  Scott Klassen
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katrin Wilhelm
  Sent: Tuesday, January 31, 2006 3:54 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Reset Local Admin Passwords
  
  Use a tool called DCPC (DC password changer) freeware; you can find it here: 
  http://www.danish-company.com/dcpc 
  All you need is the domain admin password and all PCs running. Straightforward 
  and I am changing the password every 2-3 months.
  
  Cheers,
  
  Katrin Wilhelm (MCSA)
  CVGT Employment & Training Specialists
  Australia
  E-mail: [EMAIL PROTECTED]
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Wednesday, 1 February 2006 4:09 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Reset Local Admin Passwords
  
  We do realize the potential risk in this but this request is coming from a 
  higher authority (my boss). I've been asked to find a way to change it and I 
  believe that they are going to have the password reset on a monthly basis.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura E. Hunter
  Sent: Tuesday, January 31, 2006 11:30 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Reset Local Admin Passwords

  > We currently have about 4 different passwords floating around our domain 
  > and we'd like to get it down to a single standard. Any help would be 
  > appreciated. 

  Okay, just to offer a counterpoint to your underlying plan - you do realise 
  that by using a single local admin password across your enterprise, if even 
  -one- of those workstations gets the admin password compromised, the attacker 
  who did so now has local admin rights to every workstation on your network? 
  With apologies to Jesper Johannsen[1], it's one of those "How to get your 
  network hacked in 10 easy steps" things - if I've just compromised the local 
  admin password of WorkstationA, what do you think is going to be the very 
  first password I try when I move on to try and compromise WorkstationB? 
  
  [1] And additional apologies for the fact that I'm sure I just spelled his 
  name wrong. 
  
  -- 
  Laura E. Hunter 
  Microsoft MVP - Windows Server Networking 
  Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) 
  List info   : http://www.activedir.org/List.aspx 
  List FAQ    : http://www.activedir.org/ListFAQ.aspx 
  List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ 
  


RE: [ActiveDir] Quiet? DEC? Related?

2006-03-31 Thread Ulf B. Simon-Weidner
Hmm - they figured that one out while under NDA ;-)

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
|Sent: Thursday, March 30, 2006 9:16 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|I think if Dean and Joe were to do the pre-conference that 
|would get a few more people there and I would pay a little 
|more to ensure it was worth while for all attending parties. 
|
|From what I recall I would also make any of their other 
|sessions well into the afternoon - just to give everyone 
|attending time to recover from the night before :-)
|
|The other interesting AD snippet that was revealed by the DJ 
|Show was that Brett Shirley wears T-shirts with pictures of 
|himself on it.
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
|Sent: 30 March 2006 17:52
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|The DEC backpacks were very nice and my wife immediately 
|appropriated mine as soon as I got home last night.  Gil 
|handed the conference slide deck out on a USB stick which was 
|a great idea. Dean-n-Joe sessions were definitely the best of 
|DEC and Gil *has* to convince them to present next year.  I 
|haven't been that entertained since the very first time I 
|watched Monty Python and the Holy Grail
|
|_Stuart Fuller   
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Coleman, Hunter
|Sent: Thursday, March 30, 2006 9:28 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|Dean and Joe ended up doing 2 sessions. I think they were on 
|track to get it all covered in 1 session until Guido's house 
|burned down. At any rate, both were excellent and probably the 
|best of DEC. They're spinning up a website and some or all of 
|the session content will probably end up there. They may be 
|posting details about the site, but I didn't ask how widely 
|they intend to publicize it.
|
|Hunter 
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
|Sent: Thursday, March 30, 2006 1:43 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|Sounds great.  Sorry I missed it.  How was the Dean 'n Joe 
|show?  Did the handbags come out or was it a peaceable affair? 
|
|Tony
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Gil 
|Kirkpatrick
|Sent: Thursday, 30 March 2006 11:07 a.m.
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|Just wrapped up Day 3. 530 people. General consensus is that 
|it was the best DEC ever. More to follow when I can type on 
|something bigger than a credit card.
|
|-gil
|
|
|-Original Message-
|From: Ayers, Diane [EMAIL PROTECTED]
|To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
|Sent: 3/29/06 1:23 PM
|Subject: RE: [ActiveDir] Quiet?  DEC?  Related?
|
|Maybe we should ask a question on the merits of doubling down 
|on an 11 when the dealer has a face card showing...  :-)
| 
|Diane
|
|
|
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Almeida Pinto, Jorge de
|Sent: Wednesday, March 29, 2006 9:35 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|
|Don't worry we're still here.. ;-)
| 
|Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida 
|Pinto Senior Infrastructure Consultant MVP Windows Server - 
|Directory Services
| 
|LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
|(   Tel : +31-(0)40-29.57.777
|(   Mobile : +31-(0)6-26.26.62.80
|*   E-mail : see sender address
|
|
|
|From: [EMAIL PROTECTED] on behalf of Moon, Brendan
|Sent: Wed 2006-03-29 19:26
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Quiet? DEC? Related?
|
|
|Hmm.. everyone must be having fun at DEC... this list has been 
|very quiet this week!
| 
|- Brendan Moon
| 

RE: [ActiveDir] Quiet? DEC? Related?

2006-03-31 Thread Ulf B. Simon-Weidner
Nope, handed out with but not in the bag. Was only 128. If you want me to
mail you the content let me know. Easier than writing on the plane ;-)

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of joe
|Sent: Thursday, March 30, 2006 7:10 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|Hmmm I didn't get a USB stick with presentations on it... Was 
|it in the bag?
|I still haven't looked through mine yet. 
|
|Ah Monty Python and the holy grail, we probably could have fit 
|a Knights of the Round Table song and dance in there 
|somewhere, have to keep that in mind... 
|
|
|
|
|--
|O'Reilly Active Directory Third Edition - 
|http://www.joeware.net/win/ad3e.htm 
| 
|

RE: [ActiveDir] Copying OU permissions

2006-03-24 Thread Ulf B. Simon-Weidner

Hi David,

my script at http://www.windowsserverfaq.org/faq/CompACLs.asp provides 
you with all the parts you need to put your script together.
Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
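Added example, not the CompACLs script linked above: the dump and re-apply round trip David asks for, written against System.DirectoryServices so it needs no extra tooling. The OU DNs and the CSV path are placeholders. Only explicit (non-inherited) ACEs are exported, because inherited ones are re-derived from the target OU's parent; identities are carried as SIDs so rows still import when an account no longer resolves to a name.

```powershell
# Added example (not from the thread): dump the explicit ACEs of one OU to a CSV
# and re-apply them to another OU. OU DNs and the CSV path are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function Export-OuAcl {
    param([string]$OuDn, [string]$CsvPath)
    $ou = [ADSI]"LDAP://$OuDn"
    # includeExplicit=$true, includeInherited=$false: inherited ACEs belong to the
    # parent and must not be re-applied to the target as explicit ones.
    $rules = $ou.psbase.ObjectSecurity.GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
    $columns = @(
        @{ n = 'Sid';                 e = { $_.IdentityReference.Value } },
        @{ n = 'Account';             e = { try { $_.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { '' } } },
        @{ n = 'Rights';              e = { [int]$_.ActiveDirectoryRights } },
        @{ n = 'Type';                e = { $_.AccessControlType.ToString() } },
        @{ n = 'ObjectType';          e = { $_.ObjectType.ToString() } },
        @{ n = 'Inheritance';         e = { $_.InheritanceType.ToString() } },
        @{ n = 'InheritedObjectType'; e = { $_.InheritedObjectType.ToString() } }
    )
    $rules | Select-Object -Property $columns | Export-Csv -Path $CsvPath -NoTypeInformation
}

function Import-OuAcl {
    param([string]$OuDn, [string]$CsvPath)
    $ou = [ADSI]"LDAP://$OuDn"
    $security = $ou.psbase.ObjectSecurity
    foreach ($row in Import-Csv -Path $CsvPath) {
        $identity = New-Object System.Security.Principal.SecurityIdentifier($row.Sid)
        $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $identity,
            [System.DirectoryServices.ActiveDirectoryRights]$row.Rights,
            [System.Security.AccessControl.AccessControlType]$row.Type,
            [Guid]$row.ObjectType,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]$row.Inheritance,
            [Guid]$row.InheritedObjectType
        )
        # AddAccessRule merges into the target's DACL; nothing already there is removed.
        $security.AddAccessRule($rule)
    }
    $ou.psbase.CommitChanges()
}

Export-OuAcl -OuDn "OU=Source,DC=example,DC=com" -CsvPath "C:\Temp\source-ou-acl.csv"
Import-OuAcl -OuDn "OU=Target,DC=example,DC=com" -CsvPath "C:\Temp\source-ou-acl.csv"
```

The CSV is the report David wanted to review before applying: the Account column is for reading, the Sid column is what gets imported. Because the import only adds ACEs, diff the target's ACL before and after (run Export-OuAcl on the target too) if the goal is an exact copy rather than a superset.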


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
  Sent: Friday, March 24, 2006 4:27 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Copying OU permissions
  
  I need to find a way to dump the ACLs of an OU structure, then use that dump 
  to re-apply the same permissions to a different OU. Anyone know of the best 
  way to do this? I have seen DSACLS but cannot see a way to use a report to 
  permission a different OU.
  
  
  cheers
  David
  


RE: [ActiveDir] AdminSDHolder

2006-03-20 Thread Ulf B. Simon-Weidner



Yes - sorry - didn't want to suggest doing that - just 
wanted to outline how it works.


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Monday, March 20, 2006 10:27 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AdminSDHolder
  
  But that is 
  
  perl -e "print \"very \"x1000,\"\n\""
  
  dangerous.
  
  If you happen to drop one of these objects in an OU that has some inherited 
  permissions defined such as user:FC to some folks with lesser powers then it 
  is all over. 
  
  But yes, it is a Security Descriptor level mod which includes the ACLs (both 
  DACL and SACL), inheritance setting (aka protected), owner, primary group, 
  etc. 
  
  
  Neal: Would you like to alter the list because you would like to add your 
  own custom groups/users to get controlled like that or do you just want to 
  just change what is protected at all?
  
  
  
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
  Sent: Monday, March 20, 2006 3:32 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AdminSDHolder
  
  Hi Neil,
  
  as mentioned in my blog entry you are able to change if 
  it applies to the operator-groups (and which).
  
  The whole nTSecurityDescriptor is copied; since inheritance is disabled on 
  the adminSdHolder object, inheritance is disabled by default on those 
  protected objects as well. If you enable inheritance on the adminSdHolder 
  the objects will inherit permissions.
  
  Gruesse - Sincerely, 
  
  Ulf B. Simon-Weidner 
    MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
    Weblog: http://msmvps.org/UlfBSimonWeidner
    Website: http://www.windowsserverfaq.org
    Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 20, 2006 11:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolder

A few minor additions to other posts in this 
thread:

The list of objects protected by SDPROP is hard coded 
AFAIK. The SD applied to adminsdholder is then copied to those objects and 
(by default), all other ACEs are removed and inheritance is disabled 
too.

We discussed changing the list of objects protected in 
previous threads and concluded that this was not possible. I, for one, would 
like the flexibility to alter the list.

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: 17 March 2006 20:24
To: activedirectory
Subject: [ActiveDir] AdminSDHolder

This may sound like a stupid question, but here goes-

When MS says that Print Operators, Account Operators,or Backup 
Operators are protected by the PDCE checking the ACL on the AdminSDHolder 
object, I never see those groups in the ACE.
Where are they listed?
How are they protected?
What ACL is the PDCE checking to determine what perms should be present 
for those groups?

Thanks and sorry again if this seems really stupid or basic.
  


RE: [ActiveDir] Extending AD Schema

2006-03-20 Thread Ulf B. Simon-Weidner
Apart from the stuff others have answered:

OIDs need to be registered for the company.
A prefix needs to be registered with MS.
LinkIDs - if they exist - need to be taken from a range assigned by Microsoft.
MapiIDs - if they use them you are on your own - you can't register these,
but they also need to be unique.

For all those attributes there's no supported way of changing them
afterwards. So make sure whatever is used is unique enough that you are sure no
other company would ever consider using the same ones.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
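Added example (not from the thread): a pre-flight check to run before the vendor's tool touches the schema. It looks each proposed attribute or class up in the schema partition for a clashing lDAPDisplayName, OID (attributeID or governsID) or linkID, since, as the reply says, none of these can be changed afterwards. The three proposed definitions are constructed placeholders (the third deliberately clashes with the existing mail attribute), and the OID arc 1.3.6.1.4.1.99999 stands in for your own registered prefix.

```powershell
# Added example (not from the thread): find schema collisions for a proposed
# extension before it is applied. The definitions below are constructed
# placeholders; "1.3.6.1.4.1.99999" is a placeholder for a registered OID arc.
$Proposed = @(
    @{ lDAPDisplayName = "examplecorp-CostCenter"; Oid = "1.3.6.1.4.1.99999.1.1"; LinkId = $null },
    @{ lDAPDisplayName = "examplecorp-Manager";    Oid = "1.3.6.1.4.1.99999.1.2"; LinkId = 99990 },
    @{ lDAPDisplayName = "mail";                   Oid = "1.3.6.1.4.1.99999.1.3"; LinkId = $null }  # deliberate clash
)

function Test-SchemaConflict {
    param([object[]]$Definitions)
    $rootDse = [ADSI]"LDAP://RootDSE"
    $schema = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    foreach ($def in $Definitions) {
        # One OR filter per definition: a hit on the name, the OID or the linkID is a conflict.
        $clauses = "(lDAPDisplayName=$($def.lDAPDisplayName))" +
                   "(attributeID=$($def.Oid))(governsID=$($def.Oid))"
        if ($def.LinkId) {
            # Forward links have even linkIDs; the matching back link is forward+1.
            # Both must be free or the pair cannot be created.
            $clauses += "(linkID=$($def.LinkId))(linkID=$($def.LinkId + 1))"
        }
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema, "(|$clauses)")
        [void]$searcher.PropertiesToLoad.AddRange(@("lDAPDisplayName", "attributeID", "governsID", "linkID"))

        $hits = @(foreach ($result in $searcher.FindAll()) {
            $p = $result.Properties
            $oid = if ($p["attributeid"].Count -gt 0) { $p["attributeid"][0] } else { $p["governsid"][0] }
            $link = if ($p["linkid"].Count -gt 0) { ", linkID " + $p["linkid"][0] } else { "" }
            "{0} (OID {1}{2})" -f $p["ldapdisplayname"][0], $oid, $link
        })
        [pscustomobject]@{
            Proposed  = $def.lDAPDisplayName
            Conflicts = $hits.Count
            With      = ($hits -join "; ")
        }
    }
}

Test-SchemaConflict -Definitions $Proposed | Format-Table -AutoSize
```

Any row with Conflicts greater than zero means the vendor's LDIF would either fail or, worse, silently reuse an identifier; as the reply notes, that is not something you can back out of, so it is the one check worth doing in the lab before the production forest.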

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
|Sent: Tuesday, March 21, 2006 12:01 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Extending AD Schema
|
|AD Guys and Gals, 
|
|Is there a way to back out of an AD Schema extension?
|
|We have a project that requires AD Schema extension. The 
|vendor has a tool that will make changes in AD schema 
|automatically. However, we are a little conscious about it. Is 
|it possible to export the current AD schema and then make the 
|extension? Would it be possible to import it back again?
|
|Can you guys/gals share your experience with schema extensions 
|/ updates?
|
|Thanks,
|Adeel
|


RE: [ActiveDir] AdminSDHolder

2006-03-17 Thread Ulf B. Simon-Weidner



Hi Tom,

I do not fully understand what you mean.

> When MS says that Print Operators, Account Operators, or Backup Operators are 
> protected by the PDCE checking the ACL on the AdminSDHolder object, I never see 
> those groups in the ACE.

Wrong - MS does not say that the Operators are protected by the PDCE checking 
any ACL. The PDCE runs the process which ensures that the adminCount Attribute 
of members of those groups (+ others and accounts you haven't mentioned) is 0, 
then it resets the Security-Descriptor to be the same as the 
AdminSdHolder-Process.

You've never seen ACEs for AOs? Did you check a user, group, computer, 
inetorgperson or OU? Account Operators have the right to create child/delete 
child on OUs for Users, Groups, Computers, INetOrgPersons, and they also have 
Full Control on those Objects.

> Where are they listed?
Security Tab

> How are they protected?
See above

> What ACL is the PDCE checking to determine what perms should be present for 
> those groups?
No ACL, it's checking the groups, and resets the rights of their members. The 
adminCount Attribute is a helper.

Earlier in the thread my blog post about this was mentioned; I think it 
clarifies some things:
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx
Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
  Sent: Friday, March 17, 2006 9:24 PM
  To: activedirectory
  Subject: [ActiveDir] AdminSDHolder
  
  This may sound like a stupid question, but here goes-
  
  When MS says that Print Operators, Account Operators, or Backup Operators 
  are protected by the PDCE checking the ACL on the AdminSDHolder object, I 
  never see those groups in the ACE.
  Where are they listed?
  How are they protected?
  What ACL is the PDCE checking to determine what perms should be present 
  for those groups?
  
  Thanks and sorry again if this seems really stupid or basic.


RE: [ActiveDir] View Delegated Tasks?

2006-03-17 Thread Ulf B. Simon-Weidner
Since it hasn't been mentioned - LDP of R2 and ADAM provides the possibility
to view the ntSecurityDescriptor as well.
 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
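Added example (not from the thread): the report that the replies above get from dsrevoke's report mode, dsacls or the ACL editor, as a PowerShell function that walks the OUs and containers of the domain partition and lists every explicit ACE granted to one principal. The principal name is a placeholder. The DACL is requested together with each search result via SecurityMasks, so no per-object bind is needed, and the comparison is done on SIDs so that it also works while a name is temporarily unresolvable.

```powershell
# Added example (not from the thread): where does a principal hold explicit
# (non-inherited) ACEs in the domain partition? "EXAMPLE\HelpDesk" is a placeholder.
function Get-DelegatedAces {
    param([Parameter(Mandatory = $true)][string]$Principal)

    # Resolve the name once; ACEs carry SIDs, so compare on the SID.
    $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    $rootDse = [ADSI]"LDAP://RootDSE"
    $domain = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $filter = "(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain, $filter)
    $searcher.PageSize = 500
    # Ask the DC to return the DACL with each result (no second round trip per object).
    $searcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
    [void]$searcher.PropertiesToLoad.AddRange(@("distinguishedName", "nTSecurityDescriptor"))

    foreach ($result in $searcher.FindAll()) {
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm([byte[]]$result.Properties["ntsecuritydescriptor"][0])
        # Explicit ACEs only: an inherited ACE shows up on the object it was set on.
        $explicit = $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $explicit) {
            if ($rule.IdentityReference.Value -ne $sid) { continue }
            [pscustomobject]@{
                ObjectDn        = $result.Properties["distinguishedname"][0]
                Rights          = $rule.ActiveDirectoryRights
                Type            = $rule.AccessControlType
                ObjectType      = $rule.ObjectType        # all-zero GUID = whole object
                InheritanceType = $rule.InheritanceType
            }
        }
    }
}

Get-DelegatedAces -Principal "EXAMPLE\HelpDesk" | Format-Table -AutoSize
```

ObjectType and InheritanceType are what distinguish "reset password on user objects below this OU" from "full control of this OU", which is exactly the detail the Delegation Wizard hides once it has finished; for a complete delegation inventory run it once per group you have delegated to.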

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Friday, March 17, 2006 8:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] View Delegated Tasks?


you can also use DSREVOKE in report mode to see where a certain security
principal has been assigned delegated permissions in the domain partition
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address


From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Fri 2006-03-17 19:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] View Delegated Tasks?



You can use the dsacls command line tool if you want it in text view, or, in
ADUC, View > Advanced Features, and then right click the OU, Properties,
Security Tab. You can also get the ACL Editor view in ADSIEdit natively.

 

Thanks,
Brian Desmond

 mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]

 

c - 312.731.3132

 

 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Friday, March 17, 2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] View Delegated Tasks?

 

When I delegate permissions to a group in ADUC to a specific OU (using the
Delegate Wizard), how can I go back and see who was delegated and the
permissions?

 

Devon Harding

Windows Systems Engineer

Southern Wine & Spirits - BSG

954-602-2469

 




RE: [ActiveDir] AdminSDHolder

2006-03-17 Thread Ulf B. Simon-Weidner



The securityDescriptor of the adminSdHolder is copied to be the same as the 
securityDescriptor of the Object in Question. Just look at the Security-Tab of 
both, they are the same. If you change the one of a protected Object 
(adminCount 0) it will be reset to be the same within one hour.

AdminSdHolder is a object which has IMHO no specific use, 
just to hold a securityDescriptor to use as template.

Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
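Added example (not from the thread) that serves this and the earlier AdminSDHolder threads on this page: a check of the behaviour described above. It compares the DACL of every object SDPROP has stamped (SDPROP sets adminCount to 1 on those objects) against the DACL on CN=AdminSDHolder,CN=System, and reports objects whose DACL differs from the template or whose inheritance is not blocked. Since SDPROP reapplies the template about once an hour, a mismatch means a change made since its last run; an object that matches but is no longer a member of any protected group is the other case worth looking for, because SDPROP does not clear adminCount on its own.

```powershell
# Added example (not from the thread): compare every adminCount=1 object with the
# AdminSDHolder template and flag drift. Read-only; nothing is changed.
function Get-AdminSdHolderDacl {
    $rootDse = [ADSI]"LDAP://RootDSE"
    $holder = [ADSI]"LDAP://CN=AdminSDHolder,CN=System,$($rootDse.defaultNamingContext)"
    # 'Access' = the DACL plus its control flags (P = protected from inheritance).
    $holder.psbase.ObjectSecurity.GetSecurityDescriptorSddlForm('Access')
}

function Get-ProtectedObjectDrift {
    $template = Get-AdminSdHolderDacl
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(adminCount=1)"
    $searcher.PageSize = 500
    # Return the DACL with each result instead of binding to every object.
    $searcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
    [void]$searcher.PropertiesToLoad.AddRange(@("distinguishedName", "nTSecurityDescriptor"))

    foreach ($result in $searcher.FindAll()) {
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm([byte[]]$result.Properties["ntsecuritydescriptor"][0])
        [pscustomobject]@{
            DistinguishedName  = $result.Properties["distinguishedname"][0]
            DaclMatchesHolder  = ($sd.GetSecurityDescriptorSddlForm('Access') -eq $template)
            InheritanceBlocked = $sd.AreAccessRulesProtected
        }
    }
}

# Only the objects that are out of line with the template.
Get-ProtectedObjectDrift |
    Where-Object { -not $_.DaclMatchesHolder -or -not $_.InheritanceBlocked } |
    Format-Table -AutoSize
```

A change to AdminSDHolder itself shows up here as every protected object drifting at once until SDPROP has run, so read the output together with the time of the last change to that object; conversely an object that never comes back into line after an hour is one SDPROP is not stamping any more, which usually means it is no longer in a protected group and carries a stale adminCount.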


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
  Sent: Saturday, March 18, 2006 1:26 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] AdminSDHolder
  
  when you say "if the SD of one of those objects is not the same as what is 
  on the adminSDHolder object...", where on the adminSDHolder object are these 
  values kept that help it determine the SD?
  Thanks
  
  On 3/17/06, joe [EMAIL PROTECTED] wrote: 
  

The SDPROP thread monitors groups/users that are considered "sensitive" and if 
the SD of one of those objects is not the same as what is on the adminSDHolder 
object, that SD is applied to the object. They are not specified in the ACL on 
the adminSDHolder object because they shouldn't have permissions over those 
sensitive objects. 



--
O'Reilly 
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, March 17, 2006 3:24 PM
To: activedirectory
Subject: [ActiveDir] AdminSDHolder


This may sound like a stupid question, but here goes-

When MS says that Print Operators, Account Operators, or Backup Operators are 
protected by the PDCE checking the ACL on the AdminSDHolder object, I never see 
those groups in the ACE.
Where are they listed?
How are they protected?
What ACL is the PDCE checking to determine what perms should be present for 
those groups?

Thanks and sorry again if this seems really stupid or basic.


RE: [ActiveDir] Forest Recovery Question

2006-03-12 Thread Ulf B. Simon-Weidner



Assuming a complete failure of the Forest you need to 
disable the GC on multi-domain forests, recover each domain as needed, make sure 
that the domain is in sync, then reenable the GCs. You will not need to disable 
the GC in a single domain environment since the GC does not store anything but 
some indexes from the domain database.

Gruesse - Sincerely, 
Ulf B. Simon-Weidner 


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
  Sent: Sunday, March 12, 2006 11:52 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Forest Recovery Question
  
  Hi everyone,
  
  I have read a MS whitepaper regarding Forest Recovery. The process seems 
  straightforward.
  
  My question is regarding GC's, it mentions that you should disable the GC 
  function on a restored root DC if enabled as this may contain a partial 
  replica newer than that of the domain it's authoritative for. 
  
  If the GC function is disabled, you can't seize the Domain naming master 
  FSMO which I assume would mean you can't add additional child domains. So 
  would you have to disable then re-enable the GC function, seize the FSMO 
  roles (ex IM) to the restored root DC (now a GC) before adding a second DC 
  and making this an IM FSMO before recovering the child domains?
  
  So my question is at what point would you need to re-enable the GC 
  function on the recovered root DC?
  
  This is assuming it's a multi-domain environment...so would disabling the 
  GC function be required in a single domain forest recovery? I would have 
  thought not.
  
  thanks
  
  James Carter
  
  
  
  
  
  
  


RE: [ActiveDir] Migrating AD to a lab

2006-03-11 Thread Ulf B. Simon-Weidner



Hello Peter,

it depends on what you intend to test in your lab. Since 
lab security is usually more relaxed than production security (e.g. external 
employees getting domain admin access to test scripts or whatever) I wouldn't 
want my user-accounts (and worse - service and admin accounts) in the lab with 
their real passwords. If you just want the structure you can use the scripts 
provided with GPMC, and export/import user data without passwords using csvde. 
I'd just put the stuff in the lab you need there, e.g. if you just want to test 
GPOs the OU-Structure and some test accounts would be sufficient, if you want to 
test scripting for modifying users or provisioning you might need some more 
data.

Pulling some backup / introducing another DC / pulling 
drives of a RAID-mirror are valid solutions if you need production data. I'd do 
an imaging backup or pull/replace a drive if I have the same hardware. Also 
keep in mind that virtualisation is a valid solution, you can use P2V in VMWare 
or Virtual Server Migration Tool in VS. Virtualisation also provides you with 
the logical splitting of the production network to the test network, while still 
being able to access the test environment from any production machine. I've 
started to like to put my test-environment in the datacenter (well protected) 
and access it from my workplace. 

This is another important point: I've also found that I was 
lazily considering if I should go in the room with the test equipment when I 
knew I have to be back at my workplace soon or expected some important emails. 
Being able to access the test environment from the desk enables me more often to 
use the test environment when testing a script or something. If the test 
environment is physical I was sometimes putting a RDP-enabled workstation with 
two legs in between, so I was able to RDP to the workstation and then RDP into 
the test environment. And multimonitor at the primary desk also provides a great 
gain in productivity - e.g. RDP Fullscreen on the second 
monitor.

Just my 0,02€

Gruesse - Sincerely, 
Ulf B. Simon-Weidner 


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
  Sent: Saturday, March 11, 2006 4:57 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Migrating AD to a lab
  
  Hi all 
  I was wondering, after finally getting management buy-in 
  to build a lab, what the easiest way is to get my domain info migrated into 
  the lab for the purposes of testing, dev etc.?
  Do I simply Dcpromo a new box and then cut it off 
  from the domain and NTDSUTIL it out or do I do a state recovery from my 
  Tivoli backups? 
  Anyone got any ideas/pointers etc. 
  Thanks & greetings from a chill server room in 
  Johannesburg South Africa. 
  Peter Johnson 


RE: [ActiveDir] Technet Magazine Active Directory Component Jigsaw

2006-03-08 Thread Ulf B. Simon-Weidner



Hi Todd,

this would rock if you are able to scan it (or somebody has 
contacts to the team to request a printable-file)?

Subscriptions are only free for US Residents (shipping 
costs), and the web-version does not include the picture.

Gruesse - Sincerely, 
Ulf B. Simon-Weidner 


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E]
  Sent: Wednesday, March 08, 2006 5:00 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Technet Magazine "Active Directory Component Jigsaw"
  
  
  
  http://www.microsoft.com/technet/technetmag/
  
  Someone in my office 
  just gave me a copy of this free magazine, and it came with the really neat 
  insert called the Active Directory Component Jigsaw. It is a wall 
  hanging that outlines all the AD processes graphically. I will try to scan 
  it and post it on my Blog, but I just wanted to make you all aware of 
  it. I plan to hang it on my cubicle wall on the outside that says What 
  I do here :)
  
  Subscriptions are 
  free.
  
  Todd


RE: [ActiveDir] Bulk Import

2006-03-08 Thread Ulf B. Simon-Weidner



If you mention google after MSN Search you have to turn off 
the shameless plug.
;-)

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: Thursday, March 09, 2006 3:26 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Bulk Import
  
  If not, ldifde will let you create passwords if you want to go that route 
  but mailboxes would be harder to deal with it. ADMOD will not mailbox 
  enable the objects. For that you'd want to pipe it to exchmbx. 
  
  I'd tell everyone what the input is and ask Deji to look through his 
  couches (couches? As in more than one?) for a useful script. Or you 
  *could* use something like shameless Microsoft plug (as if they need it 
  here) MSN Search or Google to find such scripts pre-written that you could 
  modify. 
  
  Couple of options anyway. People that use CSVDE tend to then use a script 
  to set the passwords on those objects that get created. LDIFDE would be more 
  flexible for what you're trying to do, but I've never tried to do it with that 
  tool. My preference would be script instead. 
  I'd call Deji and ask him to search his couches (is it really two? I feel 
  like I'm hung up on that for some reason :)
  
  
  
  On 3/8/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: 
  What is your input? Where are you getting the input from, and what format 
  is it in? Al mentioned some script laying around. I may have one stuck in 
  one of my couches here :)

  Sincerely,
  Dèjì Akómöláfé, MCSE+M MCSA+M MCT
  Microsoft MVP - Directory Services
  www.readymaids.com - we know IT
  www.akomolafe.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

  From: [EMAIL PROTECTED] on behalf of Harding, Devon
  Sent: Wed 3/8/2006 1:37 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Bulk Import

  I was going to use csvde, but read that it did not support password creation. 
  Is this supported under ADMod?

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
  Sent: Wednesday, March 08, 2006 4:22 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Bulk Import

  I suppose it really depends on your input data. What have you got to work 
  with and what is the decision criteria for the OU differences? Creating the 
  objects in a particular OU and mailbox enabling them would not be terribly 
  difficult depending on the information you have and want to put in there. 
  Jim's way would work, but I think I prefer to put them where they belong at 
  creation vs. later. For that reason either one of Joe's tools (admod for 
  example) or script would be my preference. Script would be mine but that's 
  just because I'm funny like that. Joe's tools are faster though both at 
  runtime and to get working if you don't have scripts laying around. 

  Al

  On 3/8/06, Kennedy, Jim [EMAIL PROTECTED] wrote:
  Ok, I skipped a step, sounds like you need these 200 to go to separate OU's. 
  Mass create them in one OU, mass right click them and create the mailbox then 
  mass send them an email. Then script the move if that is faster/easier than a 
  manual drag and drop. So your spreadsheet of users is: 
  firstname lastname password targetOU
  Convert that to comma text for your script and use the first three for the 
  creation and then the first two and last for the move. 

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kennedy, Jim
  Sent: Wednesday, March 08, 2006 2:16 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Bulk Import

  Delegate it to HR. Short of that get HR or someone to give you a list of the 
  names and script it, provide a default password of their SS number 
  perhaps...must be changed on first log on. After they are created, in the 
  same OU...mass select them in ADUC and right click them and send them a test 
  email to create the mailbox. 

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
  Sent: Wednesday, March 08, 2006 2:02 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Bulk Import

  What's the fast way for me to create 200 user accounts in specific OU's and 
  create Exchange mailboxes? 

  Devon Harding
  Windows Systems Engineer
  Southern Wine & Spirits - BSG
  954-602-2469

RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread Ulf B. Simon-Weidner



Hi Neil,

I think long passwords are primarily necessary for 
privileged accounts such as domain admins and especially service accounts. 
Having long, randomly generated passwords is not an issue for service accounts 
if you have a procedure in place to change them. If you need to provide the 
password again, you can generate a new one and change it - no need to even store 
those passwords.
For domain admins teach them how to create long passwords - 
e.g. starting with passphrases would be a start which can be improved with 
nonsense characters in between to avoid dictionary attacks. I also believe it's 
a good idea to teach your users as well, but that's mainly internal 
marketing.

Long passwords don't buy you the security that those 
passwords cannot be hacked, however they increase the time the attacker needs to 
get to the passwords, and buy you time for changing the passwords after a DC 
has been stolen.

Since I'm talking about admin and service-accounts it's not 
enforceable via GPO - at least not without 3rd party software or a special 
domain design.

Gruesse - Sincerely, 
Ulf B. Simon-Weidner 


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Monday, March 06, 2006 9:25 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] How Secure is a Domain Controller?
  
  The use of 20 char passwords caught my 
  eye.
  
  In previous discussions with MS et al, it was suggested 
  that the majority of users would simply repeat a (at most) 7 char password n 
  times, so as to meet the 20+ char pw policy requirement.
  
  As a result, I have heard it suggested that in reality 
  (not theory) a pw policy of more than 7 chars is actually counter productive. 
  [Any pw policy with a multiple of 7 chars being most counter 
  productive.]
  
  Food for thought,
  neil
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
  Sent: 05 March 2006 08:35
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] How Secure is a Domain Controller?
  
  I've written down some related thoughts 
  once:
  http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx
  Gruesse - Sincerely, 
  
  Ulf B. Simon-Weidner 
  
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Sunday, March 05, 2006 4:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How Secure is a Domain Controller?


How Secure is a Domain 
Controller that is fully patched on a default install of Windows 2003? 
When promoted the domain controller has the two default policies, both of 
which are recommended not to be modified. But there are things that 
could be done better for added security. For example, NTLMv2 refuse 
NTLM and LM. Is it common practice to add additional GPOs to the DC 
OU? Or is the DC protected enough to where all that is needed to worry 
about are the member machines?

If adding additional GPOs to 
the DC OU, is there anything that should definitely be 
avoided?

Edwin

RE: [ActiveDir] Dynamic Groups

2006-03-06 Thread Ulf B. Simon-Weidner



And keep in mind that it only works when users are logging 
off and on (at least for domain groups) so that the token is recreated - so 
running it multiple times a day is probably not practical.
Gruesse - Sincerely, 
Ulf B. Simon-Weidner 


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
  Sent: Monday, March 06, 2006 9:29 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Dynamic Groups
  
  
  Bryan-
  
  Just write a script which runs as a scheduled task which enumerates all the users 
  in an OU and checks that they're a member of the group. You'll also need to 
  remove users who don't belong in there anymore. Depending on the scale of 
  your AD deployment (in terms of number of DCs and links between them) it may 
  just be easier for you to clear out the group and repopulate it. 
  
  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]
  c - 312.731.3132
  
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
  Sent: Monday, March 06, 2006 3:06 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Dynamic Groups
  
  I know you can build a dynamic 
  query based distribution group, but can you do the same for a security 
  group? What is the best way to accomplish making anyone who is in a 
  particular OU a member of a security group on a dynamic basis (scheduled task 
  frequency)?
  
  Bryan Lucas
  Server Administrator
  Texas Christian University
  (817) 257-6971
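The scheduled-task script Brian describes, written as an added example (not code from the thread) in PowerShell with the RSAT ActiveDirectory module; the OU and group names are placeholders. It applies the delta rather than clearing and repopulating, and returns the counts so the task can log them.

```powershell
# Added example (not code from the thread): keep a security group equal to the set
# of enabled users directly in one OU, as a scheduled task would run it.
# Assumes the RSAT ActiveDirectory module; OU and group names are placeholders.
Import-Module ActiveDirectory

function Sync-OuUsersToGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OuDn,       # e.g. 'OU=Sales,DC=example,DC=com'
        [Parameter(Mandatory)][string]$GroupName
    )

    # Current direct members as DNs. Reading the member attribute avoids the
    # result-size limit Get-ADGroupMember hits on large groups.
    $group   = Get-ADGroup -Identity $GroupName -Properties member
    $current = @($group.member | Where-Object { $_ })

    # Desired members: enabled users directly in the OU. OneLevel ignores child OUs;
    # use Subtree if accounts in nested OUs should qualify as well.
    $desired = @(Get-ADUser -SearchBase $OuDn -SearchScope OneLevel -Filter 'Enabled -eq $true' |
                 Select-Object -ExpandProperty DistinguishedName)

    # Compute the delta instead of clearing and repopulating: each add/remove is one
    # linked-value change, so replication traffic stays proportional to the churn.
    $toAdd    = @($desired | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $desired -notcontains $_ })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $group -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
    }

    # The change only reaches a user's access token at the next logon, so running
    # this more than once or twice a day buys little (Ulf's point above).
    [pscustomobject]@{ Group = $GroupName; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Usage (placeholder names); add -WhatIf to preview the delta without changing AD.
Sync-OuUsersToGroup -OuDn 'OU=Sales,DC=example,DC=com' -GroupName 'Sales-Users'
```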
  


RE: [ActiveDir] Resolving SIDs

2006-03-06 Thread Ulf B. Simon-Weidner



The SID is only a number which is issued on each DC to 
new security principals on a first come, first served basis, so if you create two users 
on the same DC you probably have two consecutive SIDs. There's nothing encrypted 
or magic in the SID, so there is no more information you can get just out of 
the SID without resolving it to the domain.
Gruesse - Sincerely, 
Ulf B. Simon-Weidner 


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
  Sent: Monday, March 06, 2006 9:26 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Resolving SIDs
  
  
  Adeel,
  
  I was thinking that I 
  read that without the account database, you could actually gain some 
  information from the SID, using a formula of some type. I don't know if that's 
  actually possible or not. I might have made it up in a 
  dream.
  
  Thanks for the info 
  on sidtoname.exe, that might not help here, but I can see it being useful in 
  the future.
  
  Thanks,
  Justin
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
  Sent: Monday, March 06, 2006 2:04 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Resolving SIDs
  
  
  Justin,
  
  
  
  The only thing that I 
  can think of is Sidtoname.exe. I don't think that you are looking for this 
  however. 
  
  
  
  Can you expand a 
  little bit more on building user information based on 
  SID?
  
  
  
  -Adeel
  
  
  
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
  Sent: Monday, March 06, 2006 9:31 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Resolving SIDs
  I thought I remember seeing 
  something recently about how to build some user information from a SID. Is 
  this possible or am I dreaming? I don't mean resolving the SID against AD, I 
  actually mean taking a lone SID and building some user information based on 
  just the SID.
  
  Thanks,
  
  Justin Clay
  ITS Enterprise Services
  Metropolitan Government of Nashville and Davidson County
  Howard School Building
  Phone: (615) 880-2573
  
  


  


RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-05 Thread Ulf B. Simon-Weidner



I've written down some related thoughts 
once:
http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx
Gruesse - Sincerely, 
Ulf B. Simon-Weidner 


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
  Sent: Sunday, March 05, 2006 4:17 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] How Secure is a Domain Controller?
  
  
  How Secure is a Domain Controller 
  that is fully patched on a default install of Windows 2003? When 
  promoted the domain controller has the two default policies, both of which are 
  recommended not to be modified. But there are things that could be done 
  better for added security. For example, NTLMv2 refuse NTLM and LM. 
  Is it common practice to add additional GPOs to the DC OU? Or is the DC 
  protected enough to where all that is needed to worry about are the member 
  machines?
  
  If adding additional GPOs to the 
  DC OU, is there anything that should definitely be 
  avoided?
  
  Edwin


RE: [ActiveDir] Active Directory Backup

2006-03-04 Thread Ulf B. Simon-Weidner
Hello,

I do not understand your scenario correctly. If you had multiple DCs, and
you deleted one of them, the GPO will still be on the other DCs.

If you had a single DC, and you reinstalled it but forgot to export your
GPO, you can do that as you describe with the following modifications:

1. Install a WS2k3, do not make it a DC. Try to use the same hardware if
possible, and do not put it into the same network (but provide it with a
link - a single wire on a hub without any other connections would be
sufficient)
2. Restore the Systemstate (still make sure that it's on a separate network)
3. You can log onto the server using the domain admins credentials with the
password at the time of the backup
4. Use GPMC (you can install it at 1. or you use a USB-Stick or CD to
install it) to backup the GPO to e.g. a USB-Stick again
5. Use GPMC on your production server to import the GPO.

You do not need to boot into directory recovery mode here. However note that
you are able to reset the directory recovery mode administrators password as
long as you have the domain admin by logging on while AD is active, then use
ntdsutil to reset the DSRM Admins password.


Gruesse - Sincerely, 

Ulf B. Simon-Weidner 


 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of marwahashem
|Sent: Friday, March 03, 2006 7:49 PM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Active Directory Backup
|
|
|Dear All, 
|
|We were having a Server as Domain Controller called DC1.Mydomain.com
|
|this server had several OUs, and each OU inside it has a 
|group Policy applied to it.
|
|we used to take the Backup of This server as :-
|
|1- System State .
|2- SYSVOL Folder.
|
|for some reasons, this server has been formatted and 
|completely formatted.
|
|Now, I did not take a backup from the Group Policy which I 
|assigned to the Users OU at all.
|
|I want to implement the same group policy on the same OU as Before .
|
|So, I am thinking of another IDEA, Please Follow it with me.
|
|1- As long as I have the Backup from the Domain Controller 
|which is SYSTEM STATE & SYSVOL , I will install Windows Server 
|2003 on another server & I will create the Domain Controller 
|with the same name but without any Configurations at all on ( 
|New Server ) .
|
|2- Once the Windows Server 2003 is installed and configured 
|completely , I will restart it , and I will choose F8 to 
|choose ( Active Directory Disaster Recovery Mode ) .
|
|3- I will restore the Backup as we know.
|
|But , while I am doing it, I Discover that I forgot the 
|Password of the Domain Controller in Disaster recovery mode , 
|& I found that I am Unable to Login , at F8 Choice .
|
|Please, can any one Help me & guide me , to see what is going 
|on & how to solve this situation in Order to solve it . as 
|soon as possible .
|
|Please Urgent Help.
|
|Thanks & Best Regards,
|Marwa,
|List info   : http://www.activedir.org/List.aspx
|List FAQ: http://www.activedir.org/ListFAQ.aspx
|List archive: 
|http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Trouble adding a new server to an AD domain

2006-03-03 Thread Ulf B. Simon-Weidner



Hi Gene,

the Infrastructure Master is not the most critical role. 
However if you have a backup of that system I'd recommend a restore of the 
Systemstate. If not, I'd seize the Infrastructure Master to another server, 
clean up the Active Directory from the remains of the old server 
(Metadata-Cleanup, see here for the KBs: http://www.windowsserverfaq.de/faq/AD/RemoveDC.asp). 
Afterwards you should be able to install a new server and promote it as DC using 
the same name as before, and move the IM again if necessary. Between the changes 
make sure that AD is replicated.

Ulf


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gene Sibbs
  Sent: Friday, March 03, 2006 10:03 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Trouble adding a new server to an AD domain
  
  "I'm having trouble adding a new server to an AD domain. There 
  are 20 servers on the network, all are Windows 2003. Three 
  were domain controllers. One DC housing the Infrastructure FSMO Role 
  crashed. A new server was built. When trying to add it as a DC using 
  the dcpromo wizard we see:
  The Wizard is configuring Active Directory
  Located domain controller server1.mydomain.com
  Stopping NETLOGON
  Examining an existing Active Directory Forest
  After a moment we get the error:
  The operation failed because: This Active 
  Directory installation requires domain configuration changes, but whether 
  these changes have been made on the domain controller server1.mydomain.com is 
  undetermined. The installation process has quit. "The system 
  cannot find the file specified".
  We thought it might be because we named 
  the replacement server the same name as the one which crashed. So we 
  renamed the server and tried again with the same results. This is after a 
  fresh install on a blank drive on this server."
  
  I'm having a similar error as above...
  
  Any pointers? 
  
  Regards,
  Sib
  
  
  


RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Ulf B. Simon-Weidner



As Jorge mentioned you do not have to follow your physical 
subnets for Lag-Sites. Usually you would use that as a guideline, but for 
lag-sites you can do a sub-subnetting. AD replication does not care about the 
physical structure or TCP/IP-Settings (Subnetmask, Def-Gateway) - it just cares 
what you have configured in the sites, subnets and what IP the DC is using. So 
in a 10.1.x.x network you could configure all servers with 10.1.x.x 
IP addresses with a Subnet-Mask of 255.255.0.0, however you keep all servers in 
one lagsite in the same "virtual subnet" 10.1.9.x and all production Servers in 
10.1.1.x - 10.1.8.x. Remember that all have the default gateway and subnet mask 
for 10.1.x.x. But now you create the virtual subnets in AD, and join 10.1.1.x - 
10.1.8.x to the production site, and 10.1.9.x to the lag-site. AD-Replication 
will do what you wanted it to do, even without the need for 
routing.

However - and this was the main reason why I wanted to 
follow up on this - remember that one lag-site might not be enough. Imagine you 
configure your lag-site to replicate every Thursday 6pm. So if someone 
makes an error deleting a whole OU on e.g. Tuesday, you are recognizing it on 
Wednesday and are able to rollback this OU (authoritative restore on the lag 
site, then force replication). However if someone deletes an OU on Thursday, and 
you recognize it on Friday (or even Thursday 7pm) you have to restore a server 
from tape first, because your only lag-site has already replicated that 
deletion.

What I prefer is creating two lag-sites, one which 
replicates in the middle of the week and one which replicates on the weekend. No 
matter when the error will be performed (even right before replication of one of 
the lag-sites), we always have an at least half-week-old copy of the AD 
in one of the Lag-Sites. And I've even heard from someone 
using seven lag-sites, one for every day in the week. Perhaps he's jumping into this 
thread later ;-)

Gruesse - Sincerely, 
Ulf B. Simon-Weidner 


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
  Sent: Friday, March 03, 2006 4:29 PM
  To: Active
  Subject: [ActiveDir] AD Lag Sites
  
  Single Forest, Single Domain, W2K3 FFL 
  
  
  I am thinking about setting up a lag site for DR 
  purposes. 
  
  Just for clarification purposes, would I need a 
  separate IP subnet, i.e. an IP subnet that isn't assigned to any other 
  site in AD, to create this?
  
  All my existing IP Subnets are assigned to 
  existing Sites which are used for normal replication, so I am assuming my 
  question will result in a yes. 
  
  Does anyone have any recommended guides to follow?
  
  thanks frank
  
  

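The two-lag-site layout from Ulf's reply above, as an added example (not code from the thread) in PowerShell with the RSAT ActiveDirectory module: it creates the "virtual" /24 subnets carved out of the flat 10.1.x.x network, the lag sites, and site links whose schedule opens only once a week. Site, subnet and link names are placeholders.

```powershell
# Added example (not code from the thread): carve two "virtual" /24 subnets out of
# the flat 10.1.0.0/16 network described above, put each in its own lag site, and
# link each to the production site with a schedule that is open once a week.
# Assumes the RSAT ActiveDirectory module; all names below are placeholders.
Import-Module ActiveDirectory

function New-LagSite {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$Subnet,            # e.g. '10.1.9.0/24'
        [Parameter(Mandatory)][string]$ProductionSite,
        [Parameter(Mandatory)][DayOfWeek]$Day,
        [Parameter(Mandatory)][ValidateRange(0, 22)][int]$StartHour,
        [int]$Cost = 100
    )

    if ($PSCmdlet.ShouldProcess($SiteName, 'create lag site, subnet and site link')) {
        New-ADReplicationSite -Name $SiteName

        # Only the AD subnet object is a /24. The DCs keep their real 255.255.0.0 mask
        # and gateway: site mapping only matches the DC's IP against these subnets.
        New-ADReplicationSubnet -Name $Subnet -Site $SiteName

        # Schedule closed all week except a one-hour window on the chosen day.
        $schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
        $schedule.ResetSchedule()
        $from = [System.DirectoryServices.ActiveDirectory.HourOfDay]$StartHour
        $to   = [System.DirectoryServices.ActiveDirectory.HourOfDay]($StartHour + 1)
        $zero = [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero
        $schedule.SetSchedule($Day, $from, $zero, $to, $zero)

        New-ADReplicationSiteLink -Name "$ProductionSite-$SiteName" `
            -SitesIncluded $ProductionSite, $SiteName `
            -Cost $Cost -ReplicationFrequencyInMinutes 15 `
            -ReplicationSchedule $schedule -InterSiteTransportProtocol IP
    }
}

# Two lag sites so that one of them is always at least half a week behind:
# midweek (Wednesday 18:00) and weekend (Saturday 18:00).
New-LagSite -SiteName 'Lag-Midweek' -Subnet '10.1.9.0/24'  -ProductionSite 'Production' -Day Wednesday -StartHour 18
New-LagSite -SiteName 'Lag-Weekend' -Subnet '10.1.10.0/24' -ProductionSite 'Production' -Day Saturday  -StartHour 18
```

Afterwards, check the connection objects the KCC builds for the lag DCs: a second site link that includes a lag site would give its DC another replication path on a different schedule, defeating the lag.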
