RE: [ActiveDir] different version of R2 available?

2006-09-20 Thread Kannan K T.
    From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Thursday, September 21, 2006 4:28 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] different version of R2 available?   My officemate and I were discussing whether there are di

RE: [ActiveDir] DC Establishing Session to client on TCP139

2006-09-20 Thread Brian Desmond
No it's app servers running custom stuff Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 > -Original Message- > From: [EMAIL PROTECTED] [mailto:ActiveDir- > [EMAIL PROTECTED] On Behalf Of Tony Murray > Sent: Wednesday, September 20, 2006 10:20 PM > To: ActiveDir@mail.activedir.

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread joe
Oh sorry, I was intending to add on to what you said, not question it. :) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, September 20, 20

Re: [ActiveDir] DC Establishing Session to client on TCP139

2006-09-20 Thread Tony Murray
Are these maybe clients that have printers published in AD. The pruner on the DCs might be trying to contact the print queues on these workstations. Just a thought. Tony -- Original Message -- From: "Brian Desmond" <[EMAIL PROTECTED]> Reply-To: ActiveDi

RE: [ActiveDir] Ad Reporting Tools

2006-09-20 Thread joe
No problem, glad to help. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade Sent: Monday, September 18, 2006 12:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDi

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread Brian Desmond
Oh I don't disagree. Adfind, admod, oldcomp, and a SQL Server and Excel were the only tools I used and I generated reports about hundreds of thousands if not millions of objects... I actually did also use the Mailbox info VBScript I posted on my blog as well, but none of that expensive fancy per u

[ActiveDir] DC Establishing Session to client on TCP139

2006-09-20 Thread Brian Desmond
I’m seeing a lot of hits in firewall logs for DCs trying to establish sessions to clients on TCP139 (NBT Session Service). Does anyone know why this is happening or if it’s necessary?   Thanks, Brian Desmond [EMAIL PROTECTED]   c - 312.731.3132  

RE: [ActiveDir] Replication Metadata

2006-09-20 Thread joe
;o) that would do it. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Wednesday, September 20, 2006 4:46 PM To: ActiveDir@mail.activedir.org Subj

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread joe
You will find that many of the "professional" tools are simply glossy gui's and nice output over what adfind does for you. I understand why people would pay lots of money for that, but if you have the capability and time to do your own pretty reports and aren't afraid of the GUI the free utiliti

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread joe
Here here! -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard Sent: Wednesday, September 20, 2006 1:53 PM To: ActiveDir@mail.activedir.org Subject: RE: [Act

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread joe
If you cut and paste the filter from the email you may have hit a pretty common issue that happens with the command line where some nonprintable control character gets into the paste stream. Try typing the filter you see below and it should work. The filter again should be something like "(&(objec

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread joe
Note that adfind does have a SAM Decode switch... -samdc It will decode some of the SAM related fields such as useraccountcontrol, samaccounttype, grouptype, etc. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL

Re: [ActiveDir] different version of R2 available?

2006-09-20 Thread Chong Ai Chung
Refer to following KB article: Media for Windows Server 2003 R2 is released by using various SKUs, such as Windows Server 2003 R2 Standard Edition, Windows Server 2003 R2 Enterprise Edition, and Windows Server 2003 R2 Datacenter Edition.   CD2 must be the same SKU as what is currently installed.

Re: [ActiveDir] different version of R2 available?

2006-09-20 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Different parts.. Enterprise has different options... ADFS is only in Enterprise for example. [EMAIL PROTECTED] wrote: I have both versions here...one for standard and one for enterprise...so yes two CD's ;-) Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Ph

RE: [ActiveDir] different version of R2 available?

2006-09-20 Thread Akomolafe, Deji
I think there is just one version of the R2 CD. The main CD (CD1) has Standard, Enterprise and Datacenter flavors, but the contents of CD2 look the same to me. Sincerely,

Re: [ActiveDir] different version of R2 available?

2006-09-20 Thread Matt . Duguid
I have both versions here...one for standard and one for enterprise...so yes two CD's ;-) Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington

[ActiveDir] different version of R2 available?

2006-09-20 Thread Thommes, Michael M.
My officemate and I were discussing whether there are different versions of the R2 CD depending on whether you’re running Server 2003 Standard or Server 2003 Enterprise.  Or is there only one version of R2?  TIA!   Mike Thommes

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread Brian Desmond
Post your filter Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 > -Original Message- > From: [EMAIL PROTECTED] [mailto:ActiveDir- > [EMAIL PROTECTED] On Behalf Of Alex Alborzfard > Sent: Wednesday, September 20, 2006 1:50 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [A

Re: [ActiveDir] LDAPEditor

2006-09-20 Thread Tomasz Onyszko
Tony Murray wrote: Hi all I recently came across this free ldap editor: http://www.ldapeditor.com/ It has some nice features, such as the ability to sort attributes by name, save searches, edit, etc. I've also come across this lately and I thought about blogging about it - which I've done

RE: [ActiveDir] AD and static DNS

2006-09-20 Thread Almeida Pinto, Jorge de
Each DC has two GUIDs... * the objectGUID identifies the DC itself and is used for replication. That is also the GUID that is registered in _MSDCS. This value can be found in the attribute called "objectGUID" on the NTDS Settings object that is owned by the DC. This GUID is created when promotin

RE: [ActiveDir] Replication Metadata

2006-09-20 Thread Isenhour, Joseph
Nevermind, I guess I should learn to spell the attribute name correctly. Works great, Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Wednesday, September 20, 2006 8:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [Acti

[ActiveDir] LDAPEditor

2006-09-20 Thread Tony Murray
Hi all I recently came across this free ldap editor: http://www.ldapeditor.com/ It has some nice features, such as the ability to sort attributes by name, save searches, edit, etc. Might be of interest to this community. Tony __

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread Mike Newell
Usually when I see that error it's a missing parentheses or quote in the filter, hence the filter error. Note the quotes and two parentheses at the end of the filter. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard Sent: Wednesday, Septemb

Re: [ActiveDir] 3rd party vendor and AD for auth

2006-09-20 Thread Matt . Duguid
Hi there, We recently faced the same scenario... Do they need to use your internal AD because they require access to your staff accounts? If not they could quite happily use ADAM. If they do require access to your staff accounts you could get them to perform DEV/TST/QA on ADAM as proof of concep

RE: [ActiveDir] OT: User rights for program

2006-09-20 Thread Scott Klassen
Thanks Susan. I'll give LUABugLight a shot as soon as I can get testing access to the machine. Scott Klassen -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, September 20, 2006 2:01 PM To: A

[ActiveDir] AD and static DNS

2006-09-20 Thread AFidel
Does the GUID used for a DC change when the server is brought up through dcpromo, or does it remain the same as the base OS install. That is, can I take the current GUID and use it to prefill my static BIND records, or do I need to do the dcpromo and then create the records? Thanks, Andrew Fidel

Re: [ActiveDir] OT: User rights for program

2006-09-20 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
http://blogs.msdn.com/aaron_margosis/archive/2006/08/07/LuaBuglight.aspx Tried that? I've also pinged someone I know at Intuit. Scott Klassen wrote: Not specifically related to AD, but as an offshoot of the "Assign User rights overs computers with AD" thread. We have a program called PC Entr

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread Larry Wahlers
I absolutely would if I could. Definitely going to buy the book, tho. Larry > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Alex > Alborzfard > Sent: Wednesday, September 20, 2006 12:53 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [Active

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread Larry Wahlers
I actually did it before I read this. My command line was similar, but still worked fine. We only wanted certain OU's, and the tool worked just great. I just did a plain text file, which stacked all the groups under each user. Didn't have to format anything. It even told me which users were disable

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread Brian Desmond
FWIW in terms of horsepower I used to do this sort of data for hundreds of thousands of objects with Joe's tool. You'll find it has quite a bit of horsepower, you just need to fill in the Excel or SQL to get your report exactly how you want it. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread Alex Alborzfard
I say send Joe a six-pack of his favorite beer and expense it to your auditors! :) Alex -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers Sent: Wednesday, September 20, 2006 12:09 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] A

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread Alex Alborzfard
When I ran it, I got: "ldap_get_next_page_s: [domaincontroller_name] Error 0x57 (87) - Filter Error" Alex -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell Sent: Wednesday, September 20, 2006 11:48 AM To: ActiveDir@mail.activedir.org Subject

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread Brian Desmond
514 isn't the only value if it's disabled. Remember it's a bitmask ... 514 = 512 OR 2. I once found a tutorial on how to do bitwise arithmetic in Excel to figure out if accounts were disabled - you'd AND the userAccountControl column with 2 and if it was true it's disabled. Thanks, Brian Desmond

[ActiveDir] OT: User rights for program

2006-09-20 Thread Scott Klassen
Not specifically related to AD, but as an offshoot of the "Assign User rights overs computers with AD" thread.  We have a program called PC Entry which is part of a managed service for payroll from Intuit.  The program requires the user be logged on as a local administrator to function prope

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread Larry Wahlers
Many thanks to everybody who replied. I wish I could FTP you all a few Anheuser-Busch products of your choice from St. Louis in return! I downloaded Hyena, Exporter, Exporter Express, Quest Reporter (the freeware version, too) and finally thought about the Joeware AdFind product, which I'd been me

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread Mike Newell
At the risk of sounding like a one trick pony, I'd have to go with adfind from www.joeware.net. adfind -default -nodn -csv -f "(&(objectCategory=person)(objectclass= user))" cn memberof useraccountcontrol > filename.csv You can clean it up in excel in just a few minutes (sort by CN, wrap the memb

RE: [ActiveDir] Replication Metadata

2006-09-20 Thread Isenhour, Joseph
Ok for some reason ADSI doesn't seem to like this attribute. I've tried vbscript and System.DirectoryServices. In vbscript: meta = group.GetEx("ms-DSReplValueMetaData") In C#: string[] meta = (string[])group.Properties["ms-DSReplValueMetaData"].Value; The line in vbscript throws an error saying

RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-20 Thread Grillenmeier, Guido
Not commenting on the elevation of rights strategies - should be clear by now that it is simple once you know what you're doing (and Google will help you and your enemy) But a quick comment on using domains as a replication boundary due to the following statement: "Replication wise, the Global Cat

RE: [ActiveDir] Assign User rights overs computers with AD

2006-09-20 Thread Dave Wade
Alberto,      Even though we made our users "PowerUsers" we found that we needed to make a number of "tweaks" to cater for poorly written applications. I think we now have about a dozen settings for various ill-behaved applications. The majority of these are to cater for applications that wri

RE: [ActiveDir] 3rd party vendor and AD for auth

2006-09-20 Thread Ansar Mohammed
You should be looking to ask them. 1. What protocol does your web app use for Auth? 2. Does protocol mentioned above transmit u/p over wire vs Kerberos tickets? 3. If it does transmit u/p over wire how does it secure the creds? 4. Does your app "proxy" auth requests back to the domain e.g. via lda

Re: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread AFidel
Hyena from Systemtools Software would be my recommendation. http://www.systemtools.com/hyena/ Thanks, Andrew Fidel Larry Wahlers <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 09/20/2006 09:34 AM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread Alex Alborzfard
...or joeware's oldcmp. Not sure about the group membership though. Alex -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Wednesday, September 20, 2006 9:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Reporting Tool

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread neil.ruston
Quest Reporter Express is freeware and available from Quest for download at www.quest.com. neil PS I'd ask the auditors to pay for any tools they need to perform their job :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers Sent: 20 Septembe

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread Ramon Linan
Check Hyena. All users, that's really easy to do, you can even use AD users and computers, you can also do the disabled ones with AD users and computers. You can do the memberof with Hyena, there is a 30 free trial of hyena and it is fully functional. http://www.systemtools.com/hyena/ad_main.htm

RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread Rimmerman, Russ
I think Quest Reporter does this. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers Sent: Wednesday, September 20, 2006 8:34 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD Reporting Tool? Our auditors, for the first time, now

RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-20 Thread Richard Kline
Correct. I did not correctly understand the reference. I was speaking of bank employees. However I will hazard a guess as to why banks don't. Please understand that this is a completely unsubstantiated opinion. All for-profit businesses (including banks) exist to make money. Their pr

[ActiveDir] AD Reporting Tool?

2006-09-20 Thread Larry Wahlers
Our auditors, for the first time, now suddenly want a report of all our users in AD, what groups they are in, and if the account is disabled or not. Is there a tool that I can get up to speed on quickly (today if possible), run it against our AD, and get this report for them? Thanks in advance, fo

RE: [ActiveDir] Assign User rights overs computers with AD

2006-09-20 Thread Almeida Pinto, Jorge de
Hi Alberto, Use the restricted groups feature in a GPO For the group ADMINISTRATORS define/dictate which groups/users MUST/SHOULD (e.g. Domain Admins, and local administrator) be in the group ADMINISTRATORS. Everyone else not defined will not be listed and if defined prior to the configu

Re: [ActiveDir] Assign User rights overs computers with AD

2006-09-20 Thread Tomasz Onyszko
Alberto Oviedo wrote: Hello. My name is Alberto, I'm from Nicaragua In our company the support team has granted every user administrator rights over their workstation, We recently migrated to Windows 2003 AD and I want to revoke the privileges the users have on their computers. Can I do this

Re: [ActiveDir] Assign User rights overs computers with AD

2006-09-20 Thread Al Mulnick
You can, but I've yet to see it be so simple.  The information you're looking for is "restricted groups" but I HIGHLY advise you to be careful and to TEST that prior to using it on your workstations.  I also highly advise that you only apply that type of setting to workstations and not on servers (

[ActiveDir] Assign User rights overs computers with AD

2006-09-20 Thread Alberto Oviedo
Hello. My name is Alberto, I'm from Nicaragua In our company the support team has granted every user administrator rights over their workstation, We recently migrated to Windows 2003 AD and I want to revoke the privileges the users have on their computers. Can I do this through AD? It's around 300

Re: [ActiveDir] 3rd party vendor and AD for auth

2006-09-20 Thread Al Mulnick
What it sounds like is that they want to be able to search the AD, likely for authorization purposes.  Not sure how that ties into their idea of authentication for the user? One of the things that often comes up from this type of application is that they want you to dumb down the conversation betwe

[ActiveDir] Zero Day IE - being used by web sites

2006-09-20 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Jesper's Blog : Block VML Zero-Day Vuln on a domain: http://msinfluentials.com/blogs/jesper/archive/2006/09/19/Block-VML-Zero_2D00_Day-Vuln-on-a-domain.aspx • Microsoft released Security Advisory 925568 – Vulnerability in Vector Markup Language Could Allow Remote Code Execution http://www.m

Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-20 Thread Joe Kaplan
The only clean way to authenticate external users to SharePoint is with a solution like ADFS and federated identity. SharePoint doesn't use LDAP internally for auth and you can't really make it. Federation does give you the ability to have your external users use their own organization's account

Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-20 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
FIPS 112 - Password Usage: http://www.itl.nist.gov/fipspubs/fip112.htm *3.3 Lifetime* The security provided by a password depends on its composition, its length, and its protection from disclosure and substitution. The risk associated with an undetected compromise of a password can be minimize

Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-20 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
16.1.1 Passwords (Ch. 16 of Special Pub. 800-12): http://sbc.nist.gov/cyber-security-tips/800-12/chapter16.html *Changing passwords.* Periodic changing of passwords can reduce the damage done by stolen passwords and can make brute-force attempts to break into systems more difficult. Too freque

RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-20 Thread joe
Banks are not very good examples. I have worked with several financial institutions and they are some of the slowest to upgrade, patch, and secure environments. The primary reason for a lot of that is cost to implement and cost to support. I expect that if they forced accounts to expire on w

[ActiveDir] 3rd party vendor and AD for auth

2006-09-20 Thread John Singler
Greetings - We have a 3rd party vendor who wants to tie their web app into our AD for authentication and authorization. (This is an app that has already been purchased and is in-house but uses a local db for AAA). What, specifically, should I be asking them about their application so as to k