, the ACLreport.vbs is a tool which is
pointed at the Active Directory Tree to create an HTML file containing
ACLs of a given AD tree (but not the File Directory Tree).
Might you know of any tools which point at the File Directory Tree?
Thanks,
-Tequa
Sakari Kouti [EMAIL PROTECTED] wrote
Hi,
If you want to get the list of permissions into an html file, you can
use ACLReport.vbs at http://www.kouti.com/ (select the Scripts menu, and
click Bonus Material).
Yours, Sakari
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tech QnA
How about using the TimeZone.exe command in the Resource Kit tools, and
launching it in a startup script for the Windows 2000 workstations?
I'm from Europe and I have no idea what the new correct values are (from
April to March, perhaps), but the command sample is the following:
TIMEZONE /s
Hi badhusha,
I believe one of Jorge's points was that you can install new DCs (new
hardware and new 2003 installation) to the existing domain, so you don't
create a new domain and don't have to migrate anything.
Then, after some intermediate steps, you can remove (with proper steps)
the old 2000
and its resulting
success if run by DA that you can post?
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Thursday, July 20, 2006 6:26 PM
To: ActiveDir
privileges
Windows or 3rd party firewall related??
--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Saturday, July 22, 2006 11:39 AM
Title: Using non-standard TLDs within Active Directory
Hi Neil and Peter,
If two companies both happen to choose corp.local for their
forest name, they cannot create forest trusts, if the need later arises. Of
course, if one of them is a chemical company on the west coast and the other is
a
Hi Jose,
No, an SBS domain cannot have trusts, so it cannot be a child domain.
And yes, after you have installed an SBS box, you can install additional DCs,
if they are normal Windows Server 2003 boxes.
Yours, Sakari
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Sakari wrote:
It seems that the groups are gone from the DCs but are still
cached in the member servers. But it's funny that this caching
still applies after several weeks.
Guido wrote:
there is no such thing as a group-membership-cache on
member-servers so I highly doubt you're
Hi All,
Now I drove to the missing group site to see the things with my own eyes.
I found out a slight detail that affects the case :-). In addition to the three
WS2003 DCs, there were also some NT4 BDCs left. So the problem of where the
missing groups existed turned out to have quite an
Hi Jorge, Joe and others,
Thanks for the input. I just posted version 1.01 of the script.
run the script from the command-line like CSCRIPT scriptname
otherwise you need to click away popup boxes
Now the popups (or command-line output, that is) appear only in cscript. So not
tens of popups,
Hi All,
Is there a tool that would create a group and allows you to specify the SID for
the group? The domain part of the SID would match the domain, so actually only
the RID would need to be specified.
A short background: I was told about a case, where an NT domain was in-place
upgraded to
No, NET GROUP doesn't show the missing groups.
Yours, Sakari
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, September 09, 2005 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Create a group with a specified
There is an offline thread about these mysterious missing groups. If something
comes up in the next few days, I'll let you know.
Yours, Sakari
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
Hi All,
All software projects take twice the estimated schedule, so
not on Tuesday, but now on Thursday there is finally the script to dump all AD
ACEs at the end of the page http://www.kouti.com/scripts.htm
A few comments:
- As always, you would get most of the results using just
Hi All,
In case anyone is wondering: Several people were interested
in the script that dumps all ACLs of a domain, so I'll upload one on www.kouti.com. However, I couldn't resist the
temptation to enhance my old script a little, so I haven't yet uploaded
it.
Another reason for the delay is
Title: Re: [ActiveDir] Active Directory Permissions
Hi Mark,
When writing our book (Inside Active Directory), I wrote a
script that dumps all the ACEs of a domain to an Excel
spreadsheet.
The script has some fixed names and it's not "production
quality" by any means, but if you want, I can
Hi Chuck,
Some comments.
I would not think of the SAM account name and UPN as downlevel and new world,
but rather as a short logon name and a long logon name, even though the former one
is called pre-Windows 2000.
I like to have UPNs the same as e-mails [EMAIL PROTECTED], and the SAM account
name
Hi Robert,
Jorge wrote on Sunday "The only different is
politics and feelings" and I mostly agree with him.
In addition, I list three non-reasons to have multiple
forests:
- A client once showed me a book that suggested a
"peer-root" domain model. In the model, the forest root domain
an ADk3/w2k3 (and
maybe e2k3 :), do not forget to let us know about it, I will be
highly interested in getting it ... wishing you will not publish your
book in Michigan
language that seems too hard for me to
understand :o)
2 months ago, I bought Sakari Kouti and Mika Seitsonen's
one
Hi Jeremy,
I may have misunderstood the description about your
network, but what I meant was:
- You have 9 physical locations across US (loc1 through
loc9), and physical subnets 10.1.1.0 through 10.1.9.0
- 2 of those locations (loc1 and loc2) have the 5 DCs, but
7 locations (loc3 through
Title: addiag failures and joining domain
Hi Ray,
As a general comment, quite a few "interesting" attributes
(136 of them in AD2003) already belong to some predefined property set. And each
attribute can (unfortunately) belong to only one property
set.
In AD2003 you could remove some of
Title: Message
Hi Ken,
A short explanation of the sentence "with such a
replication topology, that a child domain GC is always closer to any client than
a root domain GC?" that was in my original suggestion:
Attach your new "isolation site" to the others with a new
site link as the
Hi Jeremy,
If you have 5 DCs and 9 sites, do you have non-DC-related
reasons to have sites? If not, you could remove all sites that don't have a DC,
and link their subnet objects to some remaining sites.
For example, if your DCs are on two AD sites, and then you
have seven DC-less
Hi Yann,
You could grant your user those privileges that are listed
as User Rights, by applying a corresponding Group Policy Object to only one DC.
However, this is probably not enough for you. For example, you cannot grant a
privilege to format hard drives or share folders this way.
Hi Ken,
There is (at least) one requirement for a GC in every
domain. If you don't have a GC in a domain, you cannot convert universal groups
in that domain to local groups. However, this is probably not a big concern for
your empty root domain...
Also a couple of suggestions:
- Why not
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Tuesday, July 12, 2005 4:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Confidential Attributes (was RE: [ActiveDir] Who
was asking for
a list of SP1 changes? I think
Hi Brett and ~Eric,
Thanks for your comments on my confidential attribute post. Now I have solved how
to set the confidentiality in a way where unnecessary permissions are not
granted.
Brett wrote:
A) Small note, 0xF is 15 decimal and is equivalent to
4 bits set (0b)
Thanks for catching
About confidential attributes in SP1:
When you set an attribute to be confidential, mere read permission is no longer
enough for you to see the attribute value.
HOW TO ENABLE
- Select the attribute to be set as confidential. Category 1 attributes are not
possible to select, which rules most
Hi Johnny,
In addition to what Tony listed, you can add to the context menu (i.e., mouse
right click) of a user object a feature to modify employeeID.
Instructions and the VBScript required are on the bottom of the page
http://www.kouti.com/scripts.htm
Yours, Sakari
-Original
Hi Mark,
You would use a line such as the
following:
Const ADS_PROPERTY_DELETE = 4
' objUser is the user object bound earlier, for example with
' Set objUser = GetObject("LDAP://CN=<user>,OU=<ou>,DC=<domain>,DC=<tld>")
Call objUser.PutEx(ADS_PROPERTY_DELETE, "otherHomePhone", _
    Array("111-", "444-"))
objUser.SetInfo   ' commit the change to the directory
This would delete the two numbers specified (111- and
444-).
Yours, Sakari
From: [EMAIL
Hi Dan,
You don't have to remove any ACEs to achieve what you want.
Full Control corresponds to 13 bits with a value of 1 in AccessMask. You need to
use an AccessMask that excludes Delete and Delete Subtree (you didn't mention
Delete All Child Objects, but I would exclude that too).
So you
Hi,
The file %SystemRoot%\System32\dssec.dat specifies which classes and
attributes are hidden from the lists when viewing or delegating permissions
using either the Delegation of Control wizard or ACL Editor.
Already in Windows 2000 this file had some peculiarities, such as (for the user
Joe wrote:
Cool Sakari, if you don't mind I made some small mods to it. I have it
preload the attributes and then the lookups go much faster.
No, I don't mind. I made the original to be able to investigate things for our
book, and I only needed to run the script a couple of times. Therefore,
How many consultants on this list actually could enumerate
the property set attributes in a given forest in any reasonable
time? I can do it pretty quickly with adfind and a little perl
script. Not sure of any other easy ways of doing it due to
the funky GUID handling.
Now that Joe
joe wrote:
Another mistake with the property sets in the base OEM setup
is the property set called Phone and Mail Options
(E45795B2-9455-11d1-AEBD-F80367C1) - no attributes in this
property set at all... Must not have any phone or mail
attributes in AD.
I actually reported this to
Hi Brett (and joe),
Actually, granting (or denying) permission to one property set takes only one
ACE.
Each property set corresponds to one controlAccessRight object in the
Configuration partition, and that object has a rightsGuid attribute. The ACE
that uses this property set contains that
Hi Neil,
You could modify the 12-hour interval (of tombstone deletion and online defrag)
to be seven days, for example, by modifying the garbageCollPeriod attribute of
CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration,
DC=yourforest. But not longer than 1/3 of the tombstone
Hi Eric,
A late note on this. Your blog says that to make this magic happen, you use
the line:
LinkID: 1.2.840.113556.1.2.50
And here 1.2.840.113556.1.2.50 is the OID of the linkID attribute, and this
special value triggers a special code path that implements automatic generation
of link
Hi James,
Depending on your needs, you have at least three
options:
A. Create shortcuts to all the target locations, which
causes LNK files to be generated. Copy these LNK files to the NetHood folder in
each user's profile. If you put this in a login script, it takes care of any
changes.
Hi Christine,
My guess is that Microsoft accidentally flagged a wrong attribute to be copied
when a user is copied. The Street attribute you see in ADUC is stored in the
streetAddress attribute (which is an LDAP name), and that attribute is not
copied. However, another attribute with an LDAP
Hi Joseph,
I tested this for the purposes of our Inside Active Directory book.
You should define the linkID attribute for both of your attributeSchema
objects. The forward link must have an even positive non-zero number (for
example, the member attribute has 2) and the back link must have a
never heard of that! so he documented it
in his blog.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Friday, March 04, 2005 4:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink
Hi Gary,
Without C programming, you can add a small VB script to the context menu (i.e.,
right-click menu) of a user in ADUC.
See the employeeID sample at the bottom of the page
http://www.kouti.com/scripts.htm
There is also a reference documentation of the user attributes as an Excel
sheet
Hi Alex,
The following filter might be right for
you:
(&(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=512))
Yours, Sakari
PS.
This gives the same result as Jorge's filter, which he just sent, but mine looks
cooler :-)
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Directory, 1st Edition is found
sakari kouti Inside Active Directory, 2nd Edition is found
If you search for kouti on another Amazon page, such as
http://www.amazon.com/exec/obidos/tg/detail/-/0672315874/ , you get the 2nd
Edition of Inside Active Directory.
Yours, Sakari
-Original
Hi Larry,
That escape trick is probably enough for you (using perhaps
the VBS Replace function, if your DNs are in variables), but depending on what
you are doing, you have also other options to get access to the objects with
slash characters in the RDN:
- Use ADO over ADSI (of course,
Title: Migrating access rights from Novell/NDS to W2K3/AD with NDS migrator
It's
been my dream for over ten years that NTFS would get a similar permission feature to
what has been in NetWare all these years. When a user has permissions to a given
subfolder, it's almost always most logical that
- Directory Services
-- www.qadvice.com --
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Wednesday, February 09, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access
Title: How-to add group to "Managed by" attribute on Distribution list
Hi Hunter,
In addition to the other answers you have
received:
Windows Server 2003 SP1 version of ADUC should be able to
pick a group as a manager for another group (however, I can't verify this right
now).
To set the
Hi Jorge,
One well-known operational attribute is schemaUpdateNow, which triggers a
schema cache update, when you write 1 to it.
A more complete list can be dug out from ntdsa.dll:
doOnlineDefrag
removeLingeringObject
SchemaUpgradeInProgress
doLinkCleanup
becomePdcWithCheckPoint
Title: Loose vs strict replication consistency
Hi Neil,
W2K DC all SPs: loose
Yes.
W2K DC upgraded to W2k3: loose
Yes.
w2k3 DC fresh built into new forest: strict
Yes.
w2k3 DC fresh built into existing forest: loose
Not sure.
If someone reading this list has such a DC (the last
Title: Group Security Rights Problem
Hi Oliver,
If User1 can log on to a WS2003 computer, he or she can
type WHOAMI /GROUPS to see that part of the access
token.
You can also download and install Win2000 version of WHOAMI
at
Hi Rubix,
I'm not sure what you mean, but HTH. A user in AD has the following names:
A. CN = common name = Name column in tools = RDN (e.g. Jack Brown or CN=Jack
Brown)
B. First name = givenName (e.g. Jack)
C. Last name = sn (e.g. Brown)
D. Display name = displayName (e.g. Jack Brown)
E. User
Hi David,
In addition to SID filtering, you can protect a trust between domains in two
forests (either a forest trust or an external trust) by using selective
authentication (SA). SA is sometimes called authentication firewall, and the
idea is that only listed users can access only listed
OK. The control I was talking about would require Visual Basic or C++
programming, and the result would be a binary DLL file.
Fortunately, there is also a lighter script-based version. It doesn't create a
new tab in user properties, but it appears in the context menu of the user.
I copied the
The control I was talking about would require Visual Basic or
C++ programming, and the result would be a binary DLL file.
I sent the above text a few minutes ago. Now I noticed that the Platform SDK
actually says It is not currently possible to create an Active Directory
property sheet
Hi,
Another source for ADUC-to-LDAP mappings is on our book's Web site at
http://www.kouti.com/tables.htm
There is a direct HTML version, but the Excel version (included in a ZIP file)
is much more convenient. It's a Windows 2000 version, but Windows Server 2003
didn't change the ADUC fields