Search Results

Search found 8983 results on 360 pages for 'active attr'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 56/360 | < Previous Page | 52 53 54 55 56 57 58 59 60 61 62 63  | Next Page >

  • opath syntax to force dynamic distribution group field as numerical comparison? (Exchange 2010)

    - by Matt
    I'm upgrading a (working) query based group (Exchange 2003) to a new and 'improved' dynamic distribution group (2010). For better or worse, our company decided to store everyone's employee ID in the pager field, so it's easy to manipulate via ADUC. That employee number has significance, as all employees are in a certain range, and all contractors are in a very different range. Basically, the new opath syntax appears to be using string compare on my pager field, even though it's a number. Let's say my employee ID is 3004, well, it's "less than" 4 from a string check POV. Set-DynamicDistributionGroup -Identity "my-funky-new-group" -RecipientFilter "(pager -lt 4) -and (pager -like '*') -and (RecipientType -eq 'UserMailbox')" Shows up in EMC with this: ((((((Pager -lt '4') -and (Pager -ne $null))) -and (RecipientType -eq 'UserMailbox'))) -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox'))) This group should have max of 3 members right? Nope - I get a ton because of the string compare. I show up, and I'm in the 3000 range. Question: Anyone know a clever way to force this to be an integer check? The read-only LDAP filter on this group looks good, but of course it can't be edited. The LDAP representation (look ma, no quotes on the 4!) - Also interesting it sort of 'fills the' bed with the (pager=4) thing... (&(pager<=4)(!(pager=4))(pager=*)(objectClass=user)(objectCategory=person)(mailNickname=*)(msExchHomeServerName=*)(!(name=SystemMailbox{*))(!(name=CAS_{*))!(msExchRecipientTypeDetails=16777216))(!(msExchRecipientTypeDetails=536870912))(!(msExchRecipientTypeDetails=8388608))) If there is no solution, I suppose my recourse is either finding an unused field that actually will be treated as an integer, or most likely building this list with powershell every morning with my own automation - lame. I know of a few ways to fix this outside of the opath filter (designate "full-time" in another field, etc.), but would rather exchange do the lifting since this is the environment at the moment. Any insight would be great - thanks! Matt

    Read the article

  • RODC password replication and A/D sites and subnets

    - by Gregory Thomson
    I work at a school district with about 30 school sites. Windows 2008 A/D setup - all central at the district office. In A/D, all is under one site, and no subnets defined. One A/D forest and only one domain under that. We're now looking to start putting RODCs at the schools to put the authentication and DNS out there closer to them. I haven't worked with A/D sites and subnets, and only a little with RODC password replication. But just got an invite to a meeting to talk about this tomorrow... If we start breaking down the A/D pieces into sites/subnets, can we also use that as a way to help apply an RODC password replication policy in a way that matches so that only each school sites' users passwords are replicated/cached on their RODC?

    Read the article

  • Automatically taken out of AD domain

    - by Mattias
    Hi Guys, arrived to work this morning just to find that I couldn't log on to my computer. As it turned out my computer had been "unjoined" from our domain. I am positive that I didn't "unjoin" manually yesterday before I closed the computer down. Have anyone experienced this behavior before and is it even possible? Or should I start getting nervous about anyone playing around on the serverside? I'm running my domaincontroller on a Windows2003 server and the client computer that got "unjoined" is a Windows 7 Ultimate.

    Read the article

  • Recommended service account setup for MS SQL Server 2005/2008

    - by boxerbucks
    We have a number of MS SQL servers in our environment running either SQL Server 2005 standard/enterprise or SQL server 2008 enterprise. Currently the SQL services are running as local service or network service and the MS recommended best practice is to run as a domain account which is what we are trying to move towards. Is the best practice with regards to domain accounts to have a separate domain account per service per server? So if we have 4 SQL services we want to run per server and we have 50 servers, we would create 50 * 4 = 200 accounts in AD? This seems excessive to me and I was wondering if anyone has any real experience with this type of setup and it's management.

    Read the article

  • Migrating LDAP user and password to SAMBA4 AD

    - by Rudy Dajoh
    As title suggests. We are migrating from OpenLDAP as user authentication to Samba 4 AD Domain. But I can't find any information on how to transfer passwords and users to Samba 4 AD. How to migrate all LDAP user base at ou=People,dc=company,dc=com to samba 4 AD domain? I don't need to assistance transferring everything, I only need to transfer user accounts. I've finished migrating them all but user/passwords. Can it be done? If so, how?

    Read the article

  • Grant permission for specific other AD users to unlock/log out user from PC

    - by Simon Needham
    What I'm looking to do is permission a Windows PC (ideally XP but if a later OS version is required so be it) so that a select group of users can unlock the machine, logging the current user out. This something that a Local Admin for the machine would be able to do from a locked screen, however, I'd like to avoid granting Local Admin rights to this group of users if I can. The background here is that this machine is 80% used by one person but is treated as a 'shared machine' on days that the primary user is not around. It's usefull that everybody using the machine can carry on using their own accounts with all the personalisations they are used to. I'd also like to void logging the primary user out every night. No one else in the firm has to put up with that and she does use the machine herself most of the time.

    Read the article

  • getent passwd fails, getent group works?

    - by slugman
    I've almost got my AD integration working completely on my OpenSUSE 12.1 server. I have a OpenSUSE 11.4 system successfully integrated into our AD environment. (Meaning, we use ldap to authenticate to AD directory via kerberos, so we can login to our *nix systems via AD users, using name service caching daemon to cache our passwords and groups). Also, important to note these systems are in our lan, ssl authentication is disabled. I am almost all the way there. Nss_ldap is finally authenticating with ldap server (as /var/log/messages shows), but right now, I have another problem: getent passwd & getent shadow fails (shows local accounts only), but getent group works! Getent group shows all my ad groups! I copied over the relavent configuration files from my working OpenSUSE 11.4 box: /etc/krb5.conf /etc/nsswitch.conf /etc/nscd.conf /etc/samba/smb.conf /etc/sssd/sssd.conf /etc/pam.d/common-session-pc /etc/pam.d/common-account-pc /etc/pam.d/common-auth-pc /etc/pam.d/common-password-pc I didn't modify anything between the two. I really don't think I need to modify anything, because getent passwd, getent shadow, and getent group all works fine on the OpenSUSE11.4 box. Attempting to restart nscd service unfortunately didn't do much, and niether did running /usr/sbin/nscd -i passwd. Do any of you admin-gurus have any suggestions? Honestly, I'm happy I made it this far. I'm almost there guys!

    Read the article

  • Grant relay to servers based on AD security group membership

    - by john
    We're moving our relay from an Exchange 2003 server to an Exchange 2010 server. I was hoping the "Grant or deny relay permissions to specific users or groups" option would still be available in some form, but I can't find out how to do it. I've read up on recieve connectors and so far I can't get it to work. I have edited the security on the Recieve Connector to allow the following extended rights to the group and added computer accounts to that group: Accept Routing Headers Bypass Anti-spam Submit to Server Accept any Sender Accept any Recipient Then I suddenly realised while testing... How would the receive connector resolve the permission to a particular AD object, maybe a reverse DNS lookup? What I'd like to know is if what I'm trying to achieve is possible, and how it would be possible. I would rather not revert to an IP-based list as this is not as manageable, and I'm trying to avoid creating static IPs/reservations for a number of workstations that would otherwise not need them.

    Read the article

  • Send mail from a distrobution groups email adress

    - by Campo
    A user has send permission on a distro group on a WINDOWS SERVER 2003 domain. I am the admin. When either of us send email using the distrobution groups email adress we get a non delivery report Your message did not reach some or all of the intended recipients. Subject: TEST Sent: 4/19/2010 4:46 PM The following recipient(s) cannot be reached: [email protected] on 4/19/2010 4:46 PM You do not have permission to send to this recipient. For assistance, contact your system administrator. MSEXCH:MSExchangeIS:/DC=local/DC=DOMAIN:SERVERNAME Thanks, JC

    Read the article

  • Archive Manager, SQL 2005 and MaxTokenSize high CPU

    - by Tim Alexander
    So, I posted this question a few days ago: Impact of increasing the MaxTokenSize for Kerberos Tickets Since then the thought was to test our settings on two member servers, one with IIS and one without. I setup two GPOs to configure the MaxTokenSize reg setting to 48000 and MaxFieldLength/MaxRequestBytes to 64200 (based on MS KB2020943, these are set at 4/3 * T + 200). The member server seemed to work ok (a devalued tape backup server). The IIS server however has had some strange repercussions. The IIS Sserver host Quest Software Archive Manager (AM) 4.5 that communicates with SQL Server 2005 Enterprise on Server 2003 R2. After the changes all looked good until the SQL Server hit 100% CPU. I have removed the GPOS, removed the reg values and even replaced them with defaults (12000 for token size and can't remember the other one but was in a blog post about the issue in my other post). No change. Bouncing the IIS Server stops the high CPU and a colleague has looked at the SQL server and it is definitely the AM connection taking up the time/work on the SQL server. I haven't changed the reg values on the SQL server or the DCs but am reluctant to do so without understanding why this has happened. I am guessing its to do with the overriding auth and group issue we have but I am not seeing Kerberos errors in either event log. Has anyone seen something similar or does anyone have some tips? Was definitely blindsided by the Kerberos issue and am swimming against the tide to keep things functioning.

    Read the article

  • Window 7 Computer name changing on its own?

    - by DC
    Very odd problem... I have a Dell Latitude D830 with XP Pro that has been running on my local domain for many years. I recently Installed Windows 7 Enterprise on the D830 using a brand new HDD so that I could still use XP if I needed by just swapping out the HDD's. I added the W7 installed system to my domain using a completely different machine name than that used for the XP system and everything seemed to be functioning as it should. On boot up over the last 2 weeks or so I occasionally (3 times now) get to the login screen and try to login to the domain only to get an error saying that the Computer name is not a trusted machine in the domain I'm trying to log in to. Come to find out that the machine name on the W7 system has been changed somehow to that of my old XP system. If on the W7 system I then change the name back to the correct name, disjoin the domain, reboot, add the machine back into the domain … all is well for an unknown period of time until this happens again. This last time, I know for a fact that everything was fine the day before when I shut down the system. I came in today, powered up the system and the machine name had been changed to that of my old XP system again. Has anybody else seen this behavior or hav any ideas on what could be causing it? Thanks!

    Read the article

  • pam auth via winbind, howto map primary group for users?

    - by dr gonzo
    I have unix users authenticating to an PDC (via winbind) and want to have the primary group of those users a local unix group (e.g. www-data). users have the group "domain users" with gid 10006 (as the gid winbind mapping) idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum groups = yes winbind enum users = yes winbind use default domain = yes winbind nested groups = yes but want that the primary group is 33 for all users (www-data) how to achieve that?

    Read the article

  • Powershell - how to set multiple action on get-aduser "dataset"

    - by Patrick Pellegrino
    I'm trying to run a script that modify password for multiple AD user accounts, enable the accounts and force a password change at next logon. I use this code but that's not work : Get-ADUSER -Filter * -SearchScope Subtree -SearchBase "OU=myou,OU=otherou,DC=mydc,DC=local" | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "NewPassord" -Force) | Enable-ADAccount | Set-ADUSER -ChangePasswordAtLogon $true If I run the Get-ADuser line with ONLY one of the other line that's run fine ex : Get-ADUSER -Filter * -SearchScope Subtree -SearchBase "OU=myou,OU=otherou,DC=mydc,DC=local" | Enable-ADAccount Where I'm wrong ? I'm new to PowerShell probably I'm misunderstanding something.

    Read the article

  • Logon Failure: the target account name is incorrect after making a ghost image of a server

    - by cop1152
    I recently replaced a failing SCSI drive in a Windows 2000 server with an IDE drive. I made an image of the SCSI drive and Ghosted it. The purpose of the machine was to give out DHCP at one location and host a couple of files. When I restarted the machine with the new drive, DHCP appears to be working fine, but I cannot get to any of the shares. Instead, I get the following message when attempting to navigate using Explorer. Logon Failure: the target account name is incorrect It appears that this machine is not communicating with the main domain controller. Changes to user accounts (performed on the domain controller) are not replicated on this machine.

    Read the article

  • Internet explorer rejects cookies in kerberos protected intranet sites

    - by remix_tj
    I'm trying to build an intranet site using joomla. The webserver is using HTTP Kerberos authentication with mod_kerb_auth. Everything works fine, the users get authenticated and so on. But if i try to login to the administrator panel i can't because IE does not accept the needed cookies. No such problem with firefox. The intranet site is called "intranet_new" and is hosted by webintranet04, under the directory /var/www/vhosts/joomla/intranet_new/. I have my virtualhost for intranet_new containing this: <Location /> AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate On KrbMethodK5Passwd On KrbAuthRealms PROV.TV.LOCAL Krb5KeyTab /etc/apache2/HTTP.keytab require valid-user </Location> The same is for webintranet04 virtualhost, which is the default pointing to /var/www and contains: <Location /vhosts/joomla/> AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate On KrbMethodK5Passwd On KrbAuthRealms PROV.TV.LOCAL Krb5KeyTab /etc/apache2/HTTP.keytab require valid-user </Location> the very strange problem i have is that if i open http:// webintranet04/vhosts/joomla/intranet_new/administrator IE allows me to login, accepting cookie. If i open http:// intranet_new/administrator, instead, i loop on the login page. Last, intranet_new is a CNAME record of webintranet04. This is only an IE problem. I need: - the admin interface to work with IE - the "kerberized" zone to accept cookie, because i am deploying other programs requiring cookies.

    Read the article

  • In ADUC MMC, Advanced View, how to get Attribute Editor tab on the result of a Find?

    - by geoffc
    In Win2008 MS added a new Tab on objects in ADUC. Called Attribute Editor it is like Novell Console One's Other tab, or an arbitrary LDAP editor view, or an ADSI Edit style view. Basically it shows all allowed attributes for the object class, and allows you to edit according to your permissions. You need to enable Advanced Options in the View menu before it shows up. This is great, however it only shows up when you browse the directory tree and select an object. If you use the Find tool and open an object Attribute Editor is not shown. How annoying! Especially if your domain has more than 2000 users in a single container, then you almost must use Find to get to an object. Is there any way to make the Attribute Editor tab show up after using Find to open an object?

    Read the article

  • Group Policy fault - Students force

    - by Richard 'Bean' Williams
    Work at a school and we've got a scenario. We block F8 on all computers so students cannot access Safe Mode to bypass Group Policy... But students are logging into their accounts using AD, and they are turning them off half way through. Then they are claiming that when they login next time, they have Local Administrator accounts. Is this right, but we have blocked F8 and Startup repair, so wondering how they actually did it. Cheers Richard

    Read the article

  • MOSS 2007 Sharepoint Shared Services AD Import SQL/Search Error prevents user import

    - by TrevJen
    When attempting to import new AD users (Shared Services Administration Shared Service User Profiles and Properties) I receive an error on the top of the User Profiles and Properties page. "An error has occurred while accessing the SQL Server database or the Office SharePoint Server Search service. If this is the first time you have seen this message, try again later. If this problem persists, contact your administrator." I have tried the following: Rebooted server Checked service account permissions and passwords Checked the MIPSCHEDULEDJOB table to ensure all 6 required entries are there.

    Read the article

  • finger for Windows

    - by tearman
    Ok probably a bit of an odd question, but is there a way to enable "finger" like functionality on a Windows network? we'd basically like the ability to find out where a user is logged in on a network and possibly which users are logged onto a workstation if possible. We're currently on AD2003 functional level, with the intent of going to AD2008 very soon, so compatibility in that arena is preferable.

    Read the article

  • Clone roaming Appdata in two places

    - by blsub6
    I have my users appdata (roaming) stored on a external server in the location that they're normally in. I have some users that are in two locations equally. This provides a problem when someone tries to open up Firefox on a computer in a location other than where their appdata is stored, it takes forever. Is there a way that I can clone the redirected appdata (roaming) folder to two locations and have the folder redirection look for appdata (roaming) based on the location that the user is at?

    Read the article

  • Windows VPN for remote site connection drawbacks

    - by Damo
    I'm looking for some thoughts on a particular way of setting up a estate of machines. We have a requirement to install machines into unmanned, remote locations. These machines will auto login and perform tasks controlled from a central server. In order to manage patching, AV, updates etc I want these machines to be joined to a dedicated domain for this estate. Some of the locations will only have 3G connectivity (via other hardware), others will be located on customer premises in internal networks. The central server (of ours) and the Domain Controller will be on a public WAN. I see two ways of facilitating this. Install a router at each location and have a site to site VPN between the remove device and the data centre where the servers are location Have the remote machine dial up and authenticate via a Windows VPN connection to the DC via RAS Option one is more costly to setup and has a higher operational cost. It also offers better diagnostics if the remote PC goes down. Option two works well but is solely dependent on the VPN connection been made before any communication can be made to the remote machine. In a simple test, I can got a Windows 7 machine to dial a VPN prior to authentication to a domain, then automatically login to the machine using domain credentials. If the VPN connection drops, it redials. I can also create a timed task to auto connect every hour in case of other issues. I'd like to know, why (if at all) is operating a remote network of devices which are located in various out of band locations in this way a bad idea? Consider 300-400 remote machines all at different sites. I'd rather have 400 VPN connections to a 2008 server than 400 routers, however I'd like to know other opinions on this.

    Read the article

  • Multiple Domains on an Exchange Server

    - by William
    When I create a new user in exchange, it asks me to provide the User Logon Name. There is a dropdown box that supposedly allows you to select a domain for the user's login. What is this referring to? How can I make it so that I can create users with different domains in their user logon name? p.s. I am very aware of 'Accepted Domains' in Exchange allowing one user to have several email addresses in different domains. I am just curious how I can modify the user's Logon name specifically.

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 52 53 54 55 56 57 58 59 60 61 62 63  | Next Page >