Hi Paul,
You are right, this is a Novell product I was not aware of before.
Yesterday my friend told me that.
Thanks,
Sam
On 7/10/06, Paul Glenn [EMAIL PROTECTED] wrote:
You might look into iPrint for Windows 2003. I know it's a Novell product, but we used it for a few years to allow print acces
Depending on your needs and what you are specifically trying to
accomplish you may want to look at the Internet Printing Protocol functionality
that is built into Windows 2000 and Windows Server 2003: http://www.microsoft.com/windowsserver2003/techinfo/overview/internetprint.mspx
You will need EA rights. The admin needs write access in
the Config partition so child domain DA rights will *not*
suffice.
It is also possible to delegate the right - grant FC access
in:
CN=NetServices,CN=Services,CN=Configuration,DC=xxx,DC=yyy
using adsiedit or similar.
hth,
neil
From:
You don't even need full control (an error in
Microsoft's documentation if you ask me). You just need create and delete
dHCPClass objects in that container.
You need to do this via ADSIEDIT, DSACLS, LDP or
code.
Note. If I remember correctly, some of the
behaviour changed between 2k and
Title: Kerberos MaxTokenSize and too many groups issues
You might also want to review this interesting
white paper:
-- http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74aDisplayLang=en
(that took me ages to find so please read it
;-)
--Paul
Okay, I turned up debug logging for netlogons: nltest /dbflag:0x2000 on a computer that was having problems.
Netlogon log has the following interesting events logged:
[CRITICAL] domain: NlSessionSetup: Session setup: cannot I_NetServerAuthenticate 0xc022[CRITICAL] domain: NlSessionSetup:
All,
We have created an aux class with an optional attribute. We wish to dynamically bind this aux class to a small subset of our user objects.
I have a VBScript, courtesy of Robbie Allen and the Active Directory Cookbook, that will dynamically bind the aux class to an object. I've also set
Hello,
I've searched high and low on the internet
trying to find out how to generate unique linkIDs for a new linked pair
attribute I wish to create in ADAM (possibly AD, too). Surprisingly,
I haven't found much. I did find http://msdn.microsoft.com/certification/ADLinkID.asp,
but I have not
Your problem is that your belief is incorrect[1].
:o)
First off, LDP and ADSIEDIT look at the world in different
ways. LDP is LDAP based, ADSIEDIT is.. well ADSI based which then thunks
down to LDAP eventually depending on the call and the provider being used.
Things will be and are
It is documented in the book in my signature as well as in
the following blog entry
http://blogs.technet.com/efleis/archive/2004/10/12/241219.aspx
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Joe,
Thank you for the detailed reply. I now understand.
Thanks,
Mike
On 7/11/06, joe [EMAIL PROTECTED] wrote:
Your problem is that your belief is incorrect[1]. :o)
First off, LDP and ADSIEDIT look at the world in different ways. LDP is LDAP based, ADSIEDIT is.. well ADSI based which
Do you know of any tools out there that would check for and list AD
accounts whose Password Never Expires is checked and/or how old is a
user's password; e.g. it would generate a report listing all accounts
with password older than 90 days?
The closest thing I can find is JoeWare's (bowing my
joe's tools again ( 8-) ):
adfind -b ou=Employees,dc=xyz,dc=com -bit -f "(&(objectcategory=person)(useraccountcontrol:AND:=65536))" samaccountname > c:\temp\pw_never_expires.txt
Mike Thommes
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Doh... Thanks Mike! But after running it, I got the following error:
ldap_get_next_page_s: [domaincontroller.xyz.com] Error 0x1 (1) -
Operations Error
Does it require Domain Admins privileges?
Alex
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
This should do it
oldcmp -report -users -bit -af (useraccountcontrol:AND:=65536) -sh
If you want a listing of all accounts with that set you would add -age 0
You could also use adfind to get the info.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
It shouldn't, that should be fine. Something might be wrong with the actual
command line or you aren't authenticated. Add -exterr and see if it tells
you what is wrong.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-Original Message-
From:
Yep it worked like a champ! Thanks Joe (bowing down again!)
Alex
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 11, 2006 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Password Expiration Tool
This
Not sure where you're at with the number of groups per user. I like to think of the initial setting for token size as a way of saying "You really need to get your security model under control or fix this user's group memberships." At 12k, you shouldn't really be pushing the limit until you're around
Pardon my ignorance, but I have one more question: where do I get a list
of all of user or computer object attributes and values as it was used
in (useraccountcontrol:AND:=65536)?
For instance if I want to enumerate all the user accounts with User Must
Change Password at Next Logon or computers
Just noticed that we both referred to the same token limitation article. It's easy to find when you know what to look for. If you do a search in Google for Token limitation it's the first item that pops up.
A comprehensive list of attributes and values doesn't exist; I have thought
about setting up a dynamic webpage backending into a MySQL DB on my website
for a long time but just haven't done it.
However for userAccountControl you can look at this enumeration:
I will be out of the office on PTO starting Wednesday, July 12, 2006 and
will return to the office on Monday, July 31, 2006. Please email your
requests to the Help Desk email. If you cannot email, contact Selwyn
(x129) or Oliver (x127) for any IT concerns.
List info :
As part of my on-going journey into upgrading
a 2000 domain to 2003, I've run into the issue of moving the Certificate
Authority on one of the original domain controllers to a new Windows 2003 domain
controller.
I have found a couple KB articles that
seem to put me down a good path, but
You cannot move from 2000 to 2003 as the database
has changed. You could upgrade to 2k3 ( this would be temporary ) and then move
to another 2k3 server. I know that you said that the HW was old - but perhaps a
temporary sloow 2k3 machine?
You should keep the hostname the same - if
Oh no, I don't think we need 19 days of this... Hey Tony... Already got
three of them in a half an hour.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steven Comeau
And will it ever be a slooow 2k3
machine indeed. After continuing to do some reading and researching, it
does appear that my only option is to
1) Upgrade the old DC to 2k3
2) Backup the CA and the registry key as stated in the KB298138
article.
3) Remove the CA services, demote
Almost always
;o)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Friday, July 07, 2006 9:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer
Coolio. Glad to help out. Couple of items I didn't seem to
write completely enough on after I reread my response...
So no attribute will be listed on an object when you query the object
unless it is populated except in the case of looking at
allowedAttributes which should show all
Set the resolution to 4096x6720, and... ahh, there it is.
NOW the whole ego fits on the screen.
:Q
-gil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 11, 2006 4:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in
Okay who's hacking into his Exchange server to turn off his OOF's?
Brian? Joe? Deji?
Steven Comeau wrote:
I will be out of the office on PTO starting Wednesday, July 12, 2006 and
will return to the office on Monday, July 31, 2006. Please email your
requests to the Help Desk email. If you
I had to harass Deji on that one, it is the final result
from a fairly involved offline discussion which started off with a comment
of 'Before I pick another public fight with you .
:)' coupled with 'Please post your "mea culpa"
accordingly :)'[1].
:o)
Though a good quote along these
Have you thought about putting a new
server (or an older one with good hardware) in the mix as 2000, moving the CA
to it, and then upgrading it to 2k3? That way you don't have to
worry about the hardware not supporting 2003 or something terrible like that.
Then if you want you could move it
Hi all
I have temporarily suspended Steven Comeau's
subscription, which should stop the out of office replies hitting the list.
Tony
This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me
Gotta love that signature Tony... I promise not to disclose
this information to anyone.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/
---
One more point - you don't have to have the CA
on a DC, just wanted to make sure you knew this. So, in the future, you don't
have to worry about removing\moving the CA in order to upgrade DC's
steve
- Original Message -
From: WATSON, BEN
To:
Could you give specifics on what exactly you did, i.e. the
exact query?
The code for adfind by default follows the Windows LDAP
lib's default for following referrals which is on. However I think that
is limited capability and I specifically chose not to add manual
referral chasing code
As of the end of next week you won't
have to put up with it any longer. I'm moving on. :)
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of joe
Sent: Wednesday, 12 July 2006 2:51 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from
The other advantage to doing it this way,
now that I think about it, is a little clearer recovery path if everything
blows up. A system state restore on your old ca and an authoritative restore
on AD should (please everyone check me on this) get you back where you were
without having to