: TRUE
systemOnly: FALSE
from
the %windir%\adam\MS-AdamSchemaW2K3.LDF file in ADAM SP1.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Tuesday, October 10, 2006 4:04
Title: RE: Flags Attribute?
Never mind the second part of my question. I figured out what I was doing wrong, my LDIF syntax was messed up when I tried to modify MayContain.
_
From: Bernier, Brandon (.)
Sent: Tuesday, October 10, 2006 3
Title: Flags Attribute?
Ok, I think I'm going crazy here... I need to add the Flags attribute into an ADAM instance and can't find it in any of the LDF files that ship with W2K/W2K3/R2/ADAM. While I can do an ADFind on this attribute and dump the needed properties into a LDIF file, I'd like to st
Look in the scripts folder when you install GPMC. There is a script
called CreateXMLFromEnvironment.wsf and you can tell it to dump out all
the Groups, OU's and Users. Then take that XML it generates and run a
script in your other Domain with GPMC installed called
CreateEnvironmentFromXML.wsf.
-Br
Are you publishing a CRL? If so then it must use the path to
the CRL that's specified in the certificate or it bombs out (latency to the
hosting CRL server will kill it too..forgot the exact value). Why do you
need CRL checking on your DC's? Doesn't that make you question who is on your
DC
t a big deal...I disagree,
since if that was the case my code would be working and this note
wouldn't exist. Anyone seen this before?
-Brandon
_________
From: Bernier, Brandon (.)
Sent: Tuesday, August 15, 2006 1:24 PM
To: 'ActiveDir@mail
st. Anyone seen this before?
-Brandon
_____
From: Bernier, Brandon (.)
Sent: Tuesday, August 15, 2006 1:24 PM
To: 'ActiveDir@mail.activedir.org'
Subject: ADSIEdit unable to enumerate list of objects that a group can create
OK
Title: ADSIEdit unable to enumerate list of objects that a group can create
OK..I'm probably doing something silly here but I need more insight on how ADSIEdit enumerates what object types you can create..
The scenario is I have 1 OU and in that OU I have a Group that I've ACL'd to create/d
ted
attribute to find out what attributes the currently bound user actually
has rights to modify. This is an essential troubleshooting step. Also,
the ACL editor in ADAM SP1 LDP is really nice and may help you see what
you did wrong.
Joe K.
- Original Message -----
From: Bernier,
Title: ADAM pwdLastSet
We need to delegate an ADAM Group the ability to change any other ADAM Users pwdLastSet to 0 under a certain OU. This way we can force ADAM Users to change their password if they meet specific criteria.
So we add an ACE to the parent OU where the ADAM Users live for W
It's too bad IIS6 doesn't support TLS for FTP or that
would be a great solution. However, since it doesn't I would recommend a product
called "Serv-U" by Rhinosoft.
-Brandon
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Wednesday, July 12, 2006 3:32 PM
Title: ADAM Passwords?
Since ADAM doesn't have a PDC Emulator FSMO, how does it deal with the following? Assuming tons of replicas in a configuration set.
1.) ADAM User Account gets locked out, who authoritatively locks it out?
2.) ADAM User changes their password and typed in the old on
Another big benefit to using an Enterprise CA is that you can use
existing Certificate Templates and auto-enroll all your Domain Controllers
via Group Policy.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 06, 2006 4:06 AM
To: Acti
Title: Self vs. the object name / effective permissions
Someone came by my cube and said they were having permission issues. They assigned Self some rights for computer objects and in ADUC the effective permissions are correct. However, they also did effective permissions on the name of the
Can you do a rolling upgrade? Meaning evict one node from the cluster,
reload it with 2K3 and put DHCP back on then add it back into the
cluster and do the other node. I've done this with SQL many times, but I
forgot what changed from W2K to W2k3 for DHCP..I don't remember anything
mind blowing, bu
If
you use Autoenrollment, you also need to repoint the PKI settings in
the GPO that tells the clients to autoenroll to the new
CA.
-Brandon
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, June 05, 2006 11:09 PM
To: ActiveDir@mail.activedir.org
S
This msg chain sums it up.
http://groups.google.com/group/microsoft.public.windowsxp.setup_deployment/browse_thread/thread/1e82dbc6cb7480d0/655cafc92cb89c97?lnk=st&q=why+not+use+sysprep&rnum=1&hl=en#655cafc92cb89c97
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
If you're concerned about the server being up, incorporate this into your
script. It will ping the box and execute your logic if it's up. This is
just an example, it wouldn't actually work if you cut and paste it.
Set objShell = CreateObject("WScript.Shell")
For Each strServerName in colServerList
I would use ethereal to grab a trace of opening up ADUC and take a peek
at what it's trying to do. Maybe it's a DNS issue. Also, are your clients
logging event ID 1030's in the app log?
-Brandon
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
S
Here
is a good link to get you started.
http://www.microsoft.com/technet/scriptcenter/scripts/ad/default.mspx
Also if you don't
have any prior VBScript experience, the Windows 2000 Scripting Guide is a pretty
good book (one of my many desktop companions).
-Brandon
From: [EMAIL PROTECTE
ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Wednesday, May 17, 2006 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Removing ADAM from configuration set
I'm currently blowing away the server object and
nTDSDSA object I w
Title: [OT] Service ChangeConf
Is there another way to delegate the startup type of a service besides using CC (ChangeConf), this would be fine but it also gives whomever has access to change the service context to localsystem.
-Brandon
Title: DC Demotion and Certificate Services
I take it you're using an Enterprise CA and issuing via the
Domain Controller Template?
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, May 19, 2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]
yClass1,CN=Schema,CN=Configuration,DC=X
changetype: ntdsschemamodify
add: AuxiliaryClass
AuxiliaryClass: MyClass2
-Brandon
_
From: Bernier, Brandon (.)
Sent: Thursday, May 18, 2006 10:54 AM
To: 'ActiveDir@mail.activedi
Title: DSACLS bug maybe?
Has anyone seen this issue before?
If you create a computer account in ADUC, then type "DSACLS DnOfComputerObject" it will spit out the ACL's on it. However, if you create another computer account and delegate out who can join it DSACLS can't spit out the ACL's.
forest)
Cheers
Ken
: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
: Sent: Thursday, 18 May 2006 11:10 PM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:
: I forgot one detail
Title: Linking an auxiliary class to a structural class
I've got a billion ADAM instances and I want to add an auxiliary class to a structural one, both classes already exist. This is cake in the ADAM Schema MMC or via ADSI, but I'm going for LDF format. Can someone tell me where I fudged up?
:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
_
From: Bernier, Brandon (.)
Sent: Wednesday, May 17, 2006 5:23 PM
To: 'ActiveDir@mail.activedir.org'
Subject: ADAM Schema Questions
1.) If you hav
I forgot one detail. I am accessing this site from a computer that is
joined up to a different forest. That metabase key
NTAuthenticationProviders also didn't do what I was hoping for.
-Brandon
-Original Message-
From: Bernier, Brandon (.)
Sent: Thursday, May 18, 2006 8:56
ents do you
see? Can you cut-n-paste them here please?
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Boston 2006 See you there: Everything the web administrator
needs to know about MOM 2005
____
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECT
What are your requirements? Also if you can get over .Net's big footprint,
it's very easy to learn (I came from a VBS background). Nowadays I
struggle more trying to write cmdlets in PowerShell than anything I can
do in C#.
-Brandon
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAI
Title: ADAM Schema Questions
1.) If you have a ton of servers in a configuration set, when you do a schema extension and one box is down will it work? In my test I had two ADAM servers and it would not take the schema update because it couldn’t replicate (I purposely broke replication with it
Title: Removing ADAM from configuration set
I'm currently blowing away the server object and nTDSDSA object I wish to separate from CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN=GUID. Is there a better way to knock it out of the configuration set? I tried using DSMGMT.ex
Title: [OT] IIS6 - Kerb/NTLM
OK…I've got a nice issue here and I've been bashing my head against my desk to the point where I need help.
I'm writing a very directory intensive application in C# with ASP.Net 2.0. If I authenticate to the webpage via NTLM my directory calls will fail, this i
Title: [OU] ASP.Net 2.0 Impersonation
This is way off topic, but I need a sanity check and the only other place to turn is the wall left of me.
Background: Writing lots of tools in ASP.Net 2.0 on a R2 Enterprise Server. For my website I turn off Anonymous Access and enable Windows Authentic
Title: [OU] ASP.Net 2.0 Impersonation - DirectoryEntry
This is way off topic, but I need a sanity check and the only other place to turn is the wall left of me.
Background: Writing lots of tools in ASP.Net 2.0 on a R2 Enterprise Server. For my website I turn off Anonymous Access and enable
eges
from the SCM. That is a change I had to make to my SVCUTL utility and a change
MSFT had to make to SC for the SP1 version.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ber
xe is trying to do when it stops a service and what RCtl is. Comments are appreciated.
-Brandon
_
From: Bernier, Brandon (.)
Sent: Tuesday, May 02, 2006 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: [OT] SCM SDDL on Windows 200
Title: [OT] SCM SDDL on Windows 2003 SP1
I'm having this issue when I ACL the SCM for Windows 2003 SP1. I want certain groups to start/stop their own services…so I add this ACE (A;;CCLC;;;GroupObjectSID) to the SCM, this allows them to query config and query service status (so compmgmt.ms
: $cnt\n";print "Total Dupes:
$dupecnt\n";
should work fine. I even put a handy dandy spinner in there when
processing so you know it was doing something.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
Title: Multiple users having same UPN?
Hello all,
I'm mulling over this one and the more I think about this the less I like it. We have a single forest / multi-domain environment and nothing has a UPN populated. Well of course some bad apple app comes along and requires UPN's so we have to
Title: Issue creating forest trusts
no firewalls in the way (yet), both forests are at
SP1.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 10:37 AM
To: ActiveDir@mail.activedir.org
Subject: Fw: [ActiveDir] Issue creating fore
Title: Issue creating forest trusts
Hello all,
I'm running into this issue where I want to create a forest trust on Windows 2003 with FFL2 level in both forests. When I enter the domain FQDN in the wizard, it tells me it cannot establish an RPC connect to server X. So I grabbed a network tr
Title: Using IPSec on Domain Controllers?
Is anyone using IPSec for DC to DC communication in a moderately large environment? I'm curious to see what kind of support issues people are running into... Thanks!
-Brandon
Title: LDAPS SRV Records?
Does anyone have an idea which Windows API does the DNS registration of SRV records for DCs? I'm very curious as to if that is a public method. The purpose is I'm looking into how feasible it is to write a Windows Service that hooks into netlogon and registers secu
y DA there for a bit but the vendors were
supposed to fix that. Again, ping Vern.
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Wednesday, January 11, 2006 3:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rights needed for...
D
Title: Rights needed for...
Does anyone know what rights are actually used during a join to perform the kpasswd function on the computer object? This doesn't really affect windows host since the traces (at least in my environment) shows them using NTLM for the password change.
I'm told "Res
6.1.4.1.311.10.3.4.1 " in your call to CryptEncodeObject to
create one. Optionally, you can try makecert.exe (but I have never tried this)
spat
- Original Message -----
From:
Bernier, Brandon
(.)
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 05,
Title: [OT] Generating EFS Recovery Certificate
Sorry for the off topic question. Here is the background...
Remember when you first bring up a DC and it generates a self-signed EFS Recovery Certificate? Well what do you do when you don't know about that and 5 years down the road you want t
Each user object has an attribute called "telephone
number". I don't know much about crystal reports, otherwise I'd give you
more specific details on that. Let me know if you would like a VBScript or Perl
example.
-brandon
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
I don't believe that info is stored in Active
Directory, I'm no exchange guru so please let me know if that's not true. It can
be accessed from the IIS metabase, that info is stored in the RelayIPList key
under the default SMTP instance. You can use Metabase Explorer to view it, but
it's
my CA backup or will this cause a
problem?
Thanks
all!!!
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Friday, November 11, 2005 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error
besides uninstalling
the C
besides
uninstalling the CA and going through all the issues around that, why don't you
blow away the templates? If you run certtmpl.msc after it will ask "This is the
first time you have opened Certificate Templates, would you like to publish them
in Active Directory?" say yes and then you
53 matches