[ActiveDir] Associate external Account Permission

2005-03-08 Thread Manjeet
Hi, On one of my mailboxes, say "A", I have given the permission like this. Associated + full mailbox rights to user B (User B is a user of a separate forest and has an external one-way trust with Forest A and forest B). Full rights to user C (User C is a user of a third forest C and has a one-way trust with

RE: [ActiveDir] LDAP dir syncproduct to AD

2005-03-08 Thread Murray Wall
Nic, we have implemented Simple Sync, for roughly about 12 connectors and are pleased with the tool. It is syncing roughly 3 LDAP entries between exchange 5.5, 2000 and 2003 organizations with the exchange 5.5 organization being the root forest. In my mind, it would depend on your needs,

RE: [ActiveDir]A bit OT: Creating Printers

2005-03-08 Thread iain.mccall
Not that I have tested in great depth, but you could add the Desktop Technicians global group (assuming you have one) to the local Power Users group on the Print Server and then grant them the 'load unload device drivers' right in the print server's local security policy. From: Cothern

[ActiveDir] AD Database Corrupt

2005-03-08 Thread Jacob Walker
One of our 60 AD DCs has stopped replicating. All of the others are still replicating fine. On the problem DC, we are seeing the following in the Directory Service log in event viewer: Event Source: NTDS ISAM Event Category: Database Corruption Event ID: 467 Description: NTDS

RE: [ActiveDir] AD Database Corrupt

2005-03-08 Thread Eric Fleischman
Please perform an offline defrag of the database, and see if that does it for you. If there is corruption in, say, a secondary index, the offline defrag will rebuild the indexes and clear it up for you. If you still get the 1084 we need to look into this further. ~Eric -Original

RE: [ActiveDir] LDAP dir syncproduct to AD

2005-03-08 Thread Mulnick, Al
I think Murray brings up some good points. What are your requirements exactly? To differentiate between the products (or others) you'll need to understand what the ultimate goal is and what you have to work with. For example, is this a RACF sync? Or LDAP or ?? What exactly needs to sync?

RE: [ActiveDir] Active Directory and LDAP

2005-03-08 Thread Rich Milburn
Joe - Write. A. Book. Your own. I'll buy it, if no one else will :p Rich --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W.

:: Horribly OT :: RE: [ActiveDir] Active Directory and LDAP

2005-03-08 Thread Mulnick, Al
1,000,000.00 - 3.00 = the first step taken and a down payment on a Starbuck's coffee :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Tuesday, March 08, 2005 9:07 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active

RE: [ActiveDir] Active Directory and LDAP

2005-03-08 Thread Kenny Mann
By domain I mean domain names. Two of which are etherpunk.com and set-con.org (just to give some examples). To be honest, I really don't know what I'm after. I'm kinda just playing around doing two things. Making my life easier to manage these things for my friends / family and learning stuff

RE: [ActiveDir] Ad users and Computers

2005-03-08 Thread Charlie Kaiser
I looked at that on mine (I usually stay away from the schema snap-in <G>) and saw the box, but it was greyed out. Other attributes, such as street, had the box checked but still greyed out. Yet others had the box not greyed out at all. I wonder what the criteria are for making that box available? I

RE: [ActiveDir] LDAP dir syncproduct to AD

2005-03-08 Thread Nicolas Blank
Good question. At this stage this is what I've been made aware of: No RACF (phew). LDAP Connector to mainframe - I haven't been told what version yet. User and Attribute sync to AD from the mainframe is the primary goal. The business centres around mainframe existence. If you don't exist on the

RE: [ActiveDir] User moves in a large environment

2005-03-08 Thread Peter Johnson
You could, I'm sure, use 3 of the available custom fields within AD, and populate them with a status word, and use a script or third party tool to automate the process. The logic flow is as follows: 1.) Change Custom Field 1 to In Transit or something. 2.) Set the second field to the target

RE: [ActiveDir] LDAP dir syncproduct to AD

2005-03-08 Thread Renouf, Phil
I am a much bigger fan of either cleaning up the NT domains prior to migration, or getting a list of current active users from the mainframe and only migrating those users from the NT domains. In both those situations you end up with only the active users in AD, which I prefer to do since I don't

RE: [ActiveDir] KCC and Inter-site replication objects

2005-03-08 Thread Ruston, Neil
Guido, This is an interesting suggestion - are you able to offer more detail? Right now, we have manual bridgeheads in the main hub sites and manual connection objects too. [I plan to remove these in due course after reaching w2k3 FFL.] Are you suggesting that such a manual bridgehead should be

RE: [ActiveDir] Changing Prompt user to change password before expiration notification

2005-03-08 Thread Myrick, Todd (NIH/CC/DNA)
We did something here for our Mac users that uses BV-Control, and some sort of scripting notification process. I am sure you could use any decent reporting tool to generate the list of possible expired accounts, and then a CLI mail tool like postie to send out notification. You can also try to

RE: [ActiveDir] LDAP dir syncproduct to AD

2005-03-08 Thread Mulnick, Al
I agree with Phil about cleaning up prior if possible. The less confusion you have during a migration scene the better. I've done many both ways (at customer's insistence and after a fight most often) and I can honestly say that the clearer the playing field the better. If nothing else, you can

RE: [ActiveDir] LDAP dir syncproduct to AD

2005-03-08 Thread Matt Brown
I'm using Python Scripts that I have running daily to sync up our OpenLDAP with our Active Directory Domain. I learned python in 2 days (with a little help from the net and a friend) and put together a 1 way Synchronization, as our OpenLDAP is the master and AD just keeps the data synced up. I

RE: [ActiveDir] Associate external Account Permission

2005-03-08 Thread joe
Associate External Account is needed if the AD account is disabled and the mailbox is associated with an external forest (or NT4 domain)... hence the name. Theoretically you could set the Associate External Account to SELF and add the NT4 mailboxes to the ACL as FULL and it should work with

RE: :: Horribly OT :: RE: [ActiveDir] Active Directory and LDAP

2005-03-08 Thread joe
LOL. I have been gathering all of the various ideas together over the years for applications into one place. I am sort of gathering ideas and posts I have written too in hopes I can slap that stuff together and come up with some sort of book. I don't expect writing a techy book is the way to

RE: :: Horribly OT :: RE: [ActiveDir] Active Directory and LDAP

2005-03-08 Thread Rich Milburn
Active Directory: The Sorcerer's Guide OR AD: Help! I broke it, and I can't go home! Rich -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, March 08, 2005 5:07 PM To: ActiveDir@mail.activedir.org Subject: RE: :: Horribly OT

Re: :: Horribly OT :: RE: [ActiveDir] Active Directory and LDAP

2005-03-08 Thread Tomasz Onyszko
joe wrote: I don't expect writing a techy book is the way to riches and fame though. I doubt I will get the penetration in the market of say a Da Vinci Code or a Harry Potter though maybe if I tried to call it Harry Potter and the miracle of Active Directory write it - I'll buy it :) and then

[ActiveDir] Problem: Limit Domain Admins and Administrators

2005-03-08 Thread Mark H. Lunsford
Problem: Need to lock down Domain Admins and Administrators so that they cannot add additional users to the Domain Admins and Administrators groups. Possible Solution: Remove the permissions from the Domain Admins and Administrators so that only Enterprise Admins can change their membership.

RE: [ActiveDir] Active Directory and LDAP

2005-03-08 Thread Rick Kingslan
I'd buy it, too. But, only if I get to review it. I know joe well enough that I know the difference between uggh, and ugh. I can interpret the grunts fairly accurately. -rtk -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Tuesday,

RE: [ActiveDir] Problem: Limit Domain Admins and Administrators

2005-03-08 Thread Rick Kingslan
Yeah, that's been discussed a few times here. One of the issues that you run into with Domain Admins and the like is that they can take ownership of any object and then just change permissions back to what they want. It is the way that AD was designed; the intent is clearly there to prevent

RE: [ActiveDir] Problem: Limit Domain Admins and Administrators

2005-03-08 Thread deji
Both of your suggestions are good. Except that neither does much to PREVENT a DA or admin from doing much of anything. I figured that you are shying away from employing the Joe-Stick (not to be confused with Joystick :)) and telling Mark to go back to the drawing board and re-thinking why

RE: [ActiveDir] Active Directory and LDAP

2005-03-08 Thread joe
Ah ok. I think an easy way to configure that then would be in AD/AM. You could set up each domain as a root in a single AD/AM directory. For instance, you have an empty ADAM directory: C:\WINDOWS\ADAM>adfind -h . -config -rb cn=partitions -s one ncname AdFind V01.26.00cpp Joe Richards ([EMAIL

RE: [ActiveDir] Problem: Limit Domain Admins and Administrators

2005-03-08 Thread Rick Kingslan
True except that no one really needs to be a member of the EA or DA group at all. In the scenarios that I submitted, once the trusted DA (read TRUSTED DA) sets up the roles, he can have InfoSec remove him as the last member of the DA group, create a new user for DA/EA purposes only, and

[ActiveDir] deny internet

2005-03-08 Thread Kern, Tom
Hi all. If I want to deny a user internet access but allow everything else, is this possible via GPO? On win2k and winXP? Also to include other browsers besides IE. A firewall solution is not possible right now and the clients are DHCP so Cisco ACLs won't always work. Can I GPO this or is it

RE: [ActiveDir] AD Database Corrupt

2005-03-08 Thread joe
I would have to tend to agree with this. I am also a fan of wipe the machine, test for hardware issues, and start over. You may find the issue if you troubleshoot but in every occasion where I have gone into the troubleshooting process on a dead DIT I ended up rebuilding anyway, usually have the

RE: [ActiveDir] [OT]Active Directory and LDAP

2005-03-08 Thread joe
Hey now. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Tuesday, March 08, 2005 7:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory and LDAP I'd buy it, too. But, only if I get to review it. I know

RE: [ActiveDir] Problem: Limit Domain Admins and Administrators

2005-03-08 Thread joe
You can't. Period. Solution: Don't give these people who are untrustworthy administrator or any native group access and don't let them log on interactively to your DCs or allow them to modify the file systems nor registry nor services. Summary: You can't. Period. joe From: [EMAIL

RE: [ActiveDir] AD Database Corrupt

2005-03-08 Thread Ayers, Diane
The one instance that we had a corrupt database, we used this method as well. Fortunately we had enough redundancy to allow the demotion of the server and not affect any services. It was also fortunate that we had high connectivity between the DCs to allow a full copy of the directory to be

RE: [ActiveDir] AD Database Corrupt

2005-03-08 Thread Brian Desmond
server and not affect any services. It was also fortunate that we had high connectivity between the DCs to allow a full copy of the directory On 2003 though, you don't have this issue anymore. IFM pretty much shoots that down. Ntbackup another DC in the domain, restore it to the file system on

RE: [ActiveDir] Ad users and Computers

2005-03-08 Thread Brian Desmond
Odd. What OS were you running this on what version of the tools? Thanks. --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org v - 773.534.0034 x135 f - 773.534.8101 c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On

RE: [ActiveDir] Ad users and Computers

2005-03-08 Thread joe
That is interesting but I was still able to change it with admod... C:\WINDOWS\ADAM>adfind -schema -f ldapdisplayname=streetaddress -dsq | admod searchflags::16 AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005 DN Count: 1 Using server: 2k3dc01.joe.com Modifying specified

RE: [ActiveDir] Problem: Limit Domain Admins and Administrators

2005-03-08 Thread Rick Kingslan
joe Great answer in a perfect world. Great answer in the joe-run world. I'd like to do the same, but it's kind of funny that the guys I can't really trust, the company still employs because I can't get evidence that is going to get them fired to the degree in which HR is not going to spend

RE: [ActiveDir] Problem: Limit Domain Admins and Administrators

2005-03-08 Thread Brian Desmond
Where I come from, we have this phrase that sums up Rick's message real short and sweet: damn domain admins. It's all political. --Brian Thanks. --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org v - 773.534.0034 x135 f - 773.534.8101 c - 312.731.3132

RE: [ActiveDir] deny internet

2005-03-08 Thread deji
Get a Proxy Server and use it to control outbound internet access. Deji -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Tuesday, March 08, 2005 7:22 PM To: ActiveDir (E-mail) Subject: [ActiveDir] deny internet hi all. If

RE: [ActiveDir] deny internet

2005-03-08 Thread Jeff Salisbury
Tom - We use IPSec within Group Policies to do this. Here are some resources you might want to look over to learn more: http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp http://www.analogx.com/contents/articles/ipsec.htm http://www.hernanracciatti.com.ar/ipfront/about.htm