Perhaps I'm not being clear, sorry Daniel.
If you are running 2003 or SP4 on 2k, there is no QFE to be obtained.
You have rapid demotion on your GCs already. Just click the box and wait
for the process to finish. :)
~Eric
-Original Message-
From: Eric Fleischman
Sent: Friday, July 16, 2
Note that the article says 2k. The code path in question is in 2k03 out
of the box.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Friday, July 16, 2004 9:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GC removal
Thanks. If I
You can indeed have a user be a power user - or even an admin, and remove
the ability to create shares.
Bruce already pointed out, if they are not power users or admins then they
already cannot create file\print shares.
There is a registry value called SrvsvcShareFileInfo under
\lanmanserver\Defa
Thanks. If I understand your reply correctly, since my GC is a W2K3 server
the removal/deletion should move along unless preempted.
If it is still in the removal process Monday morning, I will contact my PSS
rep and see if I can't get the KB from them.
Dan
-Original Message-
From: [EMAI
Yeah I have it set to view users, whatever as containers. Don't actually use it that
often. I just discovered today that I can make template accounts with it. Wonders of
GUI.
--Brian
-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Fri 7/16/2004 4:
Have you installed the Root Certs update from Windows Update?
--Brian
-Original Message-
From: Craig Cerino [mailto:[EMAIL PROTECTED]
Sent: Fri 7/16/2004 3:42 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] OT:Signed Message for
Ya know, patch management can be a real bear. :-)
I've come a long way since I started lurking around here. :-P
From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 7/16/2004 5:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] help finding proxyAddresses
Hey
In 2k03 we introduced rapid gc demotion.
Out of the box on 2k, we'll clean out 500 objects per KCC run. Since KCC
runs every 15 mins, that translates to 2000 objects per hour that are
cleaned out.
This was changed in 2k03 to be as fast as we can so long as we aren't
preempted, and this behavior wa
Well the permissions we are talking here are more of an AD
and AD/AM thing than LDAP. LDAP itself doesn't know nor care about permissions.
It is the engine beneath the LDAP that does the work with the permissions. You
can do perms in most if not every LDAP implementation but that makes it har
These are questions that you can start to find answers to with network
tracing and one of the reasons I like pushing people to do it. You learn a
ton and when you know how it works, troubleshooting gets a trifle easier.
So anyway, both of these are an answer of the proper info from the forest is
q
I can articulate one particular item that
is probably your major issue.
By default, users in ADAM can not access
much of anything. We ACL’d down as part of “secure by default”
so they can’t see many objects in the naming context.
For the sake of testing, go ahead and add
the ADAM user you
Yep I concur of course.
Post the ACL for a user object that this can be done to and we can peek at
it and tell you who can do what.
Use a command like
Dsacls cn=userid,cn=someou,dc=somedomain,dc=com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gr
I am really surprised to not see a Guido response here. He loves forest
trusts. Can talk for hours on the subject. :o)
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Thursday, July 15, 2004 11:36 AM
To: [EMAIL PROTECTED]
Subject
Nah, Windows Server 2003 is. :oP
Heh.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 14, 2004 3:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4
Sure but it's still the best version of W2K so far.
I'm too old to take tests. Plus the last time I tried to
take a Transcender I failed miserably.
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, July 16, 2004 1:51 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Signed message for Craig
Test
:o)
Nod, the serious part was about Dean's previous post.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gilbert, Daniel L
Mr ANOSC/FCBS
Sent: Friday, July 16, 2004 5:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GC removal
C'mon Joe, I k
Make them normal users.
Unfortunately that work is proxied through svchost so you can't lock down by
group other than what MS supplies by default.
Yes, that is archaic and not very security minded.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behal
The first thing that says is watch your event logs and get some monitoring.
:o)
That aside event ID 0xC7FA is event 2042 which you can read at
http://www.eventid.net/display.asp?eventid=2042&source=NTDS+Replication
Basically you have a DC that is way far out of sync and you need to find ou
Well it looks like it throws principals into the "remote desktop users"
group. In your shoes I would just try throwing a user from the domain into
that group that wouldn't otherwise have perms to connect and see if that
works, that means that is all that is done and you can just add dlg's
(assuming
I like to put this most simply as
Use the GCs for the clients that the Exchange Servers are using. If you have
an Exchange Server in your local site using a local GC, use that GC, would
be silly to go across the WAN. However if your Exchange Server is across the
WAN, use the GC across the WAN
C'mon Joe, I knew I could do that, I was trying to find a way to speed up
nature/evolution.
Dan
-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 16, 2004 2:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GC removal
The fastest method I have found is to demo
Cool. Send me a URL when you get it up and going and I will pop by as soon
as I can. Sounds like Al will as well. I would bet there would be several
folks from the list interested.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Hogan
Sent:
Joe,
Can you point me to more info on setting
the permissions of users? I've only just begun working with LDAP
a few days ago and am working with an instance I installed and ldif files
I wrote myself.
Thanks,
Sonya
"joe" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
07/16/2004 02:17 PM
Keep in mind that ADUC treats computers and users as leaves by default for display but
they are actually containers. You may have to check your settings. ADSI does it
correctly right off though.
joe
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bri
And if you are using adfind you can just say
Adfind -b whatever -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)"
i.e. you don't have to remember the control OIDs for AND or OR.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] O
I think dsquery does have you use -upn.
Adfind isn't hardcoded for specific object types, it is
pretty raw LDAP calls so you get to use the actual property
names.
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, July 16, 2004 3:33
Hey that looks pretty smooth! That joeware stuff... I tell
you...
BTW, upgrade your version, it is up to like 1.17 or so
now... :o)
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, July 16, 2004 3:25 PM
To: [EMAIL PROTECTED]
Subject: RE
The fastest method I have found is to demote the server. :o)
I seem to recall Dean posting something once upon a time to force objects to
get yanked out. Can't find it at the moment, check the archives.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of D
Title: RE: [ActiveDir] DeForestation
Nope, not doubting, I haven't been following most of the
threads sorry, trying to catch up right now. I mentioned that it might be sticky
but doable. Sorry if I seem to say other.
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mul
Casual observation? Where's the password listed and
what are you binding as?
How about turning up the logging during the bind and search
and ensure that you are binding as an authenticated user and that your search
string is being passed the way you think it is?
Al
From: [EMAIL PROT
Sounds like it is permissioning. If you don't bind with an
ID you aren't going to see anything unless you crank down all of the permissions
to nothing. Sounds like the ID you used had very little access. You should
doublecheck what your permissions are set as.
To put it another way, if ADS
Title: RE: [ActiveDir] DeForestation
I thought using MS Identity Integration Feature Pack and
the PF sync tool as well as the OWA solution proposed earlier and Win2k3
transitive trusts between 2 forests and DNS conditional forwarding, this would be
very possible.
Do you doubt that
it's po
That stamping is done during the domainprep phase, you will note that after
you do domainprep but before you promote a K3 and make it a PDC you will
have some unresolvable SIDs on AD objects. So once you do the forest and
domain preps you should see the growth. When you actually upgrade a 2K to K3
Title: OT: Exchange 2000 SPAM Filtering
“Can not open this item. Your Digital ID name can not be found by the underlying
security system”
Title: RE: [ActiveDir] Summer Maintenance
Things really slow down when multicasting to a load of computers where I am (all Cisco
2900XL series switches with fiber links to a 4005 series backbone switch). The multicast
slows to a crawl, as does other network traffic.
--Brian Desmond
[
Hello,
I sent this help request to a perl-ldap
list and it was indicated that the problem may be ADAM specific. The
detail are:
I have set up a MS ADAM instance named cn=examplename,st=wv,c=us.
On
install, the LostAndFound, Roles, and NTDS Quotas objects were created
with dn's CN=LostAndFound
When I ghost 30 or 40 of my clients my network comes to a halt.
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Doug M. Long
Sent: Friday, July 16, 2004 1:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance
?
If you're multicasting, network congestio
Is there a way to speed up the process for Global Catalog removal?
I know the proper Microsoft steps, but I was hoping there was a script
out there to speed up the process.
Dan
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
Michael,
Thank you! I kept beating on the commands using
"upn" instead of "userprincipalname". I owe you a beer! Thanks
again!
Mike
Thommes
-Original Message-
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Friday, July 16, 2004 2:25 PM
To: [EMAIL PROTECTED]
Subje
C:\BRI>adfind -b dc=brnets,dc=local -f [EMAIL PROTECTED]local proxyaddresses
AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003
Using server: orange.brnets.local
dn:CN=Michael B. Smith,CN=Users,DC=brnets,DC=local
>proxyAddresses: smtp:[EMAIL PROTECTED]local
>proxyAddresses:
After lots of
iterations using dsquery, dsget, and/or adfind, I still can't seem to produce
"proxyAddresses" using a given UPN. It's Friday afternoon, my brain
hurts, and I sure would like to finish the week on a high note. Any
help is REALLY appreciated! Thanks.
Mike
Thommes
?
If you're multicasting, network congestion shouldn't be an issue (assuming that you are
putting the same image on all machines), right? Or am I missing something here?
From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Fri 7/16/2004 11:13 AM
To: [EMAIL PROT
Test
--Brian Desmond
[EMAIL PROTECTED]
Payton on the
Web! Http://www.wpcp.org
v: 773.534.0034
x135
f: 773.534.0035
smime.p7s
Description: S/MIME cryptographic signature
Thanks, Steve.
Individual customization and decision IS one of the main selling points of
the Sybari (and my) solutions. Almost-zero admin after deployment is another.
The fact that you don't have to TEACH it (aka Bayesian) and that it's
content-independent (not susceptible to embedded images and
Title: OT: Exchange 2000 SPAM Filtering
We did a 30 day demo of Sybari’s
add-on to the AV and it only caught about 69% versus the 94% that Mailfrontier
is providing. Also, the Mailfrontier gateway is individually customizable by
each individual user. So, if an end-user wants to get spam, so
Title: OT: Exchange 2000 SPAM Filtering
Nice spelling mistake Al ;-)
BTW - has anyone written an Event Sink yet for SP1 that
allows someone to define arbitrary keywords to look for in either the SMTP
headers or subject line then set the SCL appropriately?
For example, we actually use SpamA
I think only power users can create shares. If they are not power users or
higher then the solution may already be in place.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carpenter Robert A
Contr InDyne/Enterprise IT
Sent: Friday, July 16, 2004 11:09
Title: Message
I was looking for a solution a while back and found this.
http://www.simplescripts.de/usb-port-security-tool.htm
It’s pretty much a VBScript that you run as a service. It checks against a “white
list” and shuts down the computer, or whatever you want it to do.
Title: OT: Exchange 2000 SPAM Filtering
Steve said:
>>>But, it really does not compete with Mailfrontier’s gateway.
Then I said:
Steve,
is there anything specifically that makes you think Mailfrontier is superior to Sybari's? I am really interested because I'd hate to play second fiddle to
Title: OT: Exchange 2000 SPAM Filtering
I would have to recommend the Mailfrontier
Spam Gateway. It is a product that is relatively cheap and really does a great
job on the SPAM portion. They also have an add-on for doing AV screening at
the gateway, but it uses McAfee. Which is crap, i
Title: OT: Exchange 2000 SPAM Filtering
OK, now that Al (Hi, Al :)) and others have chimed in, would it still be considered rude IF I pitch my own solution in contribution to this thread?
Paging Tony..
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.
Return Receipt
Your [ActiveDir] Running DCDiag
document
:
I have a proposed requirement to restrict the ability to create shares on
the workstation to all but a few people within the domain. Anyone have an
idea as to how to do this?
v/r
RC
Comments and concerns can be directed back to me, complaints can be directed
to /dev/null
Anyone know what this means when I do a DCDiag
Starting test: kccevent
An Error Event occured. EventID: 0xC7FA
Time Generated: 07/16/2004 10:50:50
Event String: It has been too long since this machine last
An Warning Event occured. EventID: 0x8785
Time Generated
Title: OT: Exchange 2000 SPAM Filtering
If you're going to go that route, you may also want to
check out SpamAssassin as a possible product. You'd want something that
handles anti-virus to complement the product.
al
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve
Rochfo
The one I see mentioned often used to be called SecureNT, now Sanctuary
Device Control. Covers a very broad range of I/O devices and integrates
with AD.
http://www.securewave.com/turcana/securewave/sanctuary_DC.jsp
HTH
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROT
You got it Steve. I don't know if you've ever done this before, but be prepared to
have a handful of them screw up and need reimaging with a floppy disk. Also, don't
think of doing em all at once. 100 - 150 is enough to saturate your network.
--Brian
-Original Message-
Are you using a proxy server? If so then configure it to log to a SQL
database and query that. Both ISA server and MS Proxy server can easily be
configured to do this and you can then generate reports of use by user, size of
download, time of download etc.
You may generate a lot of data - o
that's what i thought but we had one funny dcpromo - the dcpromo.log told us
it had sourced the domain info from a site that networking / site / site
link wise is miles (or should i now say km's !!) away from it
hence the question
this then begs the behaviour w.r.t. retry if the "closest" one it get
By site and sitelink metric, there is no other way it could do it until MS
has the DCs smart enough to talk to routers and get routing info out of
them to autodiscover topology. And even still... The complexity would be
rather high going that route.
joe
-Original Message-
From: [EM
what is the under the hood process that windows gets the user listing when you add
members to a group. I mean the drop down list where you select a domain or entire
directory? is that gotten from a gc via dns?
also, when you join a pc to a forest and suddenly all the domains appear in the drop
Yes
-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED]
Sent: 16 July 2004 14:22
To: [EMAIL PROTECTED]
Subject: [ActiveDir] dcpromo replication
can anyone confirm the mechanism by which dcpromo being run discovers
the source of domain information on the initial dc promotio
can anyone confirm the mechanism by which dcpromo being run discovers the
source of domain information on the initial dc promotion.
i know we doing this unattended you can hardcode a source into the script
file but how does it find a source when left to its own devices ??
q223757 tells us "the cl
I'm not 100% sure what you are asking
DNS details where and who the relevant DC's are via SRV records, which
servers are GC's, who is the PDC Emulator, etc.
This is how a server being Dcpromo'd knows who holds DC roles.
BR
Rob
-Original Message-
From: Graham Turner [mailto:[EMAIL
I love comments like "The result is that as the imaged computers are
powered up, the admin will type in each unique computer name and walk
away."
We're re-imaging about 1000 student computers this summer and I'm not
intending to go anywhere near most of them so typing in anything is a
no-no! As
Tony,
Thanks much !
Jerry
Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Tony Murray
Sent: Friday, July 16, 2004 7:55 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir]
Title: OT: Exchange 2000 SPAM Filtering
I'm using MailScanner (http://www.mailscanner.info/) running on
FreeBSD (http://www.freebsd.org/). You need
a bit of Unix experience to set it up (but not too much) and it's working very
well for us. A (sort of) diary of how I did it is at http://techinf
can anyone confirm the mechanism by which dcpromo being run discovers the
source of domain information.
i know we doing this unattended you can hardcode a source into the script
file but how does it find a source when left to its own devices ??
GT
Title: Message
There is a 3rd party whose name
I forget who have some security software that does precisely this. I’ll
try and remember the name
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Oppermann
Sent: 14 July 2004 23:15
To: [EMAIL PROTECTED]
Subject:
We are very impressed with the MailMarshal
solution we’ve deployed.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: 15 July 2004 17:06
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:
Active Directory Browser History Files
You can l
Might this not be related to the node type being issued? I remember the
node controlling the name resolution order but don't remember the
specifics.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 15 July 2004 23:49
To: [EMAIL PROTE
Hi Jerry
Enabled users
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Disabled users
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
Tony
-- Original Message --
W
My poor old mind has seen this but lost it :)
Can someone provide an LDAP query string to identify when a User object is
Enabled or Disabled in AD?
Thanks,
Jerry
Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
Title: Brian Desmond's Posts
Usually something about the digital
signature - - I do not remember off hand - - I normally delete them after I am
denied. Post a fresh thread - - I’ll tell you what it says
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
74 matches