I'm sure this does not have much bearing on AD, per se. So, I apologize for
sending it to this forum that has one of the best collections of brains I've
ever seen.
I have some Engineering Testing Labs with a number of Domains and computers
sharing the same network with my LIVE domain. It's actuall
Joe,
Yeah - turning off the password policy. Hm. Yummy, chewy insides.
We got it resolved, thanks to Mr. Cornetet. Turns out that what I needed to
do was:
' ~
Const ADS_UF_NORMAL_ACCOUNT = 512
Const ADS_UF_DISABLED_ACCOUNT = 514
set objParent = GetOb
Title: Message
Well for better or worse, what you explained is how I understood it myself. Though I
admit to not knowing it really well, never wanted to know it all but damn MS to
hell for inserting AD and Exchange into each other like they did...
(Hey I haven't ranted on here about E2K in
Title: LDAP'ing a computer object in AD
Anytime the question is "I am looking for an object somewhere in the forest"
the answer is almost always, do a GC search of the attributes you know that are in
the GC. In this case you can search on name or samaccountname.
If you can easily co
Title: Message
Is it doing an ldap authentication of the user or searching for the user and some
attribute of the user to determine if they can be on?
If only authenticating and they have the user's upn (say everyone in the company
has [EMAIL PROTECTED]) or full same name
(including domai
Rick you have two options...
1. Turn off your password requirements policy and allow blank passwords...
:op
2. Don't touch useraccountcontrol (i.e. Enable the user) nor the password
until after you create the user object.
Did it make it into Tuna to do the password set and useraccountcontrol se
I have modified our production and lab environments to 30 seconds pause
after modify and 15 second pause between DSA's and have been running in that
configuration for months with no perceived issues.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf O
This is almost certainly some form of DNS issue.
The quickest way to figure it out is to fire up netmon and then start
dsa.msc and look to see what happens in the trace. Most likely you will see
DNS calls that are not being responded to.
joe
-Original Message-
From: [EMAIL PROTECTED
Title: Message
To All:
I am looking for some answers to questions I have about the REPADMIN
command. I am running the Windows
2003 Support Tools version of the command with the following switches: /replsum
/bysrc /bydest /sort:delta
I get a display like the following:
Replication Summ
You can not override the limitation in the sam name. You can have a longer
UPN, but you will have a disjoint between the two logon principals, the sam
account and the upn then.
BTW, who wants to type that every time they log on? Have a long password,
not a long username. :op
joe
-Origin
I have seen many security people who say that 5 is the best and they want 5 including
my internal security people. However, the purpose behind the lockout threshold
is to stop people from trying to hack an account with guesses or bruteforce. If
you lock out at say 25 and stay locked for an
I'm not sure I am following. Are you saying that even though you are using the same
physical spindles the disk subsystem will be less busy if you split the
physical space into separate logical partitions?
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John
Reijnd
Title: Message
The app in question (and there’s one
more doing the same thing) is supposed to validate a user’s logon. That’s
basically the only thing the LDAP functionality is used for. But the user could
be in either of two peer subdomains of an empty root. (If you’re
interested specific
Mark,
I had a similar situation with the LDAP implementation in
the PeopleSoft v8 Portal.
Solved it by configuring the PeopleSoft LDAP request to
point at the Global Catalog port (3268) instead of the normal LDAP port
(389). Also configured the LDAP target server to be the PDC FSMO
ro
Eric,
Have you looked at ADMT? We are using it for our NT4 to Win2k
AD migration and although our NetBIOS names are not the same as in your
case, ADMT uses the NetBIOS name of our NT4 domain as the "Source" and
the FQDN of our AD domain as the Destination. It may not offer some of
the be
Title: Message
Do you know if the app has referral-chasing turned on in the LDAP search? If it does,
it should be able to start at the root and search down the tree that way.
In any case, why not just point the app to the GC; that's what it's there for. Be sure
to set the port properly (32
Why not use the native tools then? ADMTv2 is pretty good.
As for the same netbios names. Yuck. Hopefully the clients will be using
new WINS servers then? :)
As for the apps, I think you're skirting the issue to deal with it another
day. I also think some of those apps are likely to fail mis
Title: Message
depends on what you're searching for in the app. What's the app and
what's it searching for.
Remember GC's are going to hold some of the information these apps are
looking for.
Al
-Original Message-
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Thur
Title: Message
Let me play this back to see if I have it straight:
One Domain = Empty Root
Domain A = Child Domain
Domain B = Child Domain
Domain A = Exchange 2000 (really, this is Forest Wide, but we'll assume that you
only consider it installed in this domain)
Domain B = Exchange 5
We have some apps that make LDAP queries to allow a user to
log in. Picture an “empty” root with two sub-domains. If the app is
to be used only in a single sub-domain, i.e. dc=domain1,dc=company,dc=com, it
works fine. If it needs to cross over to the other domain we have, though, i.e.
dc=do
Hello everyone, I'm looking for some peer feedback on part of a migration
plan.
We are currently an NT4 environment. We've decided to go with W2k3 & AD
for our migration. We're doing a parallel migration into a W2k3 Native
functional level forest. This was specifically to give us easier ro
We have been looking into client solutions and that will probably take a
while, since we already use Websense we got the Premium Group III to
block MMC at the edge.
http://www.websense.com/products/premiumgroups/#pgiii
-Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED]
Title: Message
Al, test-bed scenario:
empty root w/1 dc/gc, child domain A w/1 dc/gc E2K ADC installed, child
domain B w/1 dc/gc E55 ADC installed.
Created the new user in domain A and tests showed that the GAL in domain
B was not showing the new user in the proper container. Found the
Title: Message
When you created the mailbox, it was on a 5.5 server or a 2000 server?
-Original Message-
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 1:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - LEGACY EXCHAN
You can export / import data in AD by database connection
You can use oledb provider
If you use visual basic 6.0 you can set the ado object to this connection
string
adodc1.connectionstring =
"Provider=ADsDSOObject;Encrypt Password=False;Integrated Security=SSPI;
Location=< the server name Ex: a
Title: Message
Nice reply Al – however I do not believe that the legacyExchangeDN of
the first administrative group has anything to do with the legacyExchangeDN of
a newly created user in AD. Well,
maybe I am missing something here.
I do not intend on “mucking about” with the attributes
http://security.kolla.de
Freeware, works great. Over 10,000 items tracking to date, with some
immunization to prevent ie hijacking etc.
- Original Message -
From: "Christopher Hummert" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 16, 2003 10:05 AM
Subject: [ActiveD
Title: Message
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q273863 is the description
of how to do this. However, I should caution you that mucking about with
the legacyExchangeDN attribute is not a good idea. Getting your users to
live with it now is a better approach. They wi
We at Indiana University have licenses to AdAware Pro and Spybot. I have not
used them much, but they do find a lot of stuff - a LOT. Also, AdAware has
adwatch which allows it to sit in the tray and watch things (kind of gets
annoying sometimes with popups but is still neat). I would recommend AdAw
I was wondering what programs everyone was using to combat
spyware/adware. I noticed that Ad-Aware now has a professional version
out (http://www.lavasoftusa.com/software/adawareprofessional/) and I was
wondering if anyone has been using this, and how you like it?
Thanks
Chris Hummert
Title: Message
Al,
The immediate thing that comes to mind is that in our mixed mode environment [that we will
have to live with for a while yet…] is that in the E55 sites the GAL lists
these folks as being in the Recipients container (ou) where they are really in
a different department
Everyone,
Has anyone ever used Netsh to move DHCP to another server?
In Mark Minasi’s book he talks about using it to add
another DHCP server to your network by dumping it with Netsh from one machine
and Exec it to another machine.
He did not go into much detail but I did not think yo
Just to be clear, the 5 minute/15 second value is the amount of time a DC
will delay after an originating change before notifying its replication
partners. It's not a replication schedule per se. The idea is that changes
happen in clumps over time, and that it's better to replicate a bunch of
changes
Return Receipt
Your [ActiveDir] LDAP'ing a computer object in AD
document
:
Title: Message
http://www.microsoft.com/technet/treeview/default.asp?url=
Is a good start. What you also want to do is add some capability for the script
to determine the path to the domain. You do this by starting with rootDSE
and building the domain path from there. After that, you ju
Title: Message
Plenty, but I have a question first. Why are you wanting to change
it? What benefit is there if you change it?
-Original Message-
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 10:01 AM
To: ActiveDirList
Subject: [A
See! I knew that I was asking the right guys.
Thanks! You solved it, Ken.
Much appreciated!
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]
-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTEC
Is it possible to set up an ODBC to Active Directory? I
wish to do some reporting using Access and apart from dumping and importing
flat files I haven’t found a way to do it.
Brian
Brian Narkinsky
System Manager
Department of Environmental Protection
MS 6520
2600 Blairstone RD
Code I can give you:
Directly from Robbie's "Active Directory Cookbook":
' Taken from ADS_USER_FLAG_ENUM
Const ADS_UF_NORMAL_ACCOUNT = 512
set objParent = GetObject("LDAP://)
set objUser = objParent.Create("user", "cn=") ' e.g rickk
objUser.Put "sAMAccountName", "" ' e.g rickk
obj
Title: OT? - LEGACY EXCHANGE DN
To All,
When I create a user in AD the legacyExchangeDN attribute is always set to cn=Recipients no matter what ou the user was created under. Using ADSI Edit to change the value to reflect the correct setting fails as the value is immediately changed back.
Is this against a Win 2003 DC? I can run the following against a 2000 DC
(complex passwords required) without any problems:
Set objOU = GetObject("LDAP://OU=myOU,dc=teststate,dc=testmt,dc=testads")
Set objUser = objOU.Create("User", "cn=MyerKena")
objUser.Put "sAMAccountName", "myerkena"
objUser.
Title: Message
I think this is what you want. Search for samaccountname=computername$ (append a "$" to the
computer name).
-Original Message-
From: Frederic Allaert [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 8:50 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir
Rick, I'll bet what you are doing wrong is to set the userAccountControl
(to enable the account) when creating the user. Don't do that - create
the user without setting userAccountControl, which will result in the
created user being disabled, then set the password, then set
userAccountControl to en
Title: LDAP'ing a computer object in AD
Hello all,
I have been searching some good, clear examples how to determine the LDAP path
for a computer object, (without knowing the "location" in AD), with the only input being
the hostname of the computer, and the DNS-name for the domain. All this
Title: RE: [ActiveDir] Creating programatically when password complexity is in force
Right,
Can we see some code? We can then deduce from there exactly what you need.
Carlos
-Original Message-
From: Kingslan, Rick T. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 16, 2003 2
I've run into an interesting problem. If I create a user
programmatically, (using C#, but we've confirmed the same with VBScript)
the password cannot be set until the user object exists. If I try it,
we get the error:
"Server is unwilling to process the request"
when a SetInfo is done on the cr