Property Sets and Default Security Descriptors

I made a brief mention of some of the default security permissions that apply to users in my article on Delegating Privileges in Active Directory for Windows IT Pro. I’ve gotten a couple of e-mail questions so I thought I’d elaborate here since I don’t have to worry about how many words I have to work with in this space. Every object class definition in the Active Directory schema has the option to define a “defaultSecurityDescriptor” value which holds the initial ACL that will apply to any new instances of that object when they are created. This rule doesn’t hold …

Looking Back on 2010

Last year I put up a quick chart of all the travel for 2009. I thought I’d do the same this year as I’ve just finished wrapping up my two big travel points spreadsheets for Q4.

Countries: 6
US States: 10
US Cities Visited: 35 (approx)
Airplanes: 83
Miles Flown: 129,666 (approx)
Hotels Visited: 49
Hotel Nights: 122
Days on the Road: 176

A bit of Pivot Table magic says that I spent the most time in: Los Angeles (17 nights), Beijing (15 nights), San Francisco (11 nights). In all that there were definitely a few highlights amongst the routine …

Active Directory SPN Mappings and Kerberos

I had an interesting customer problem today where Kerberos was being attempted for a service principal name (SPN) which simply didn’t exist in Active Directory. This was causing the applications (Exchange) involved to fail as they couldn’t authenticate to one another. The client machine involved was logging numerous errors similar to the following indicating that it was presenting a service ticket encrypted by another machine to the server in question.

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          12/6/2010 2:03:11 PM
Event ID:      4
Level:         Error
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server01$. The target name used …

Date and Time Math with PowerShell

How many times have you had to figure out what date was X days, months, or years ago, or perhaps what time was Y minutes, hours, or seconds ago? Producing a report of all the users who have not logged in during the past 90 days is a pretty common request. There are two ways to go about doing this – the lazy way and the precise way. The lazy way is to say well, 90 days is about three months ago, and it’s 11/24 today so that would be 8/24. The precise way is to realize that 90 days go …

Error When Removing Exchange 2000 or 2003 Server

There is a litany of issues that will cause Exchange setup to fail when you try to uninstall an Exchange server. It’s really tempting to just skip the uninstall and go delete the server entry from AD using something like ADSI Edit, but you’re always better off just fixing the problem. Michael B. Smith has a good review of these; however, I thought I’d touch on one more, specifically the error "One or more users currently use a mailbox store on this server". This can be really frustrating, especially when you’ve checked each mailbox store for mailboxes and done a …

Cleanup User Objects with Invalid MailNicknames

Exchange 2000 and Exchange 2003 have no problem with users (or groups and contacts) which have a space in their mailNickname attribute. Unfortunately, if you try to work with one of these users using Exchange 2007 or Exchange 2010, the PowerShell cmdlets will throw a validation error similar to the following:

Property expression "John Doe" isn't valid. Valid values are: Strings formed with characters from A to Z (uppercase or lowercase), digits from 0 to 9, !, #, $, %, &, ', *, +, -, /, =, ?, ^, _, `, {, |, } or ~. One or more periods …

Viewing the History of an Active Directory Object with Replication Metadata

I answered a question via Twitter the other day as to whether or not it was possible to see when someone was added to a group without relying on audit information. The good news is that the answer is “Yes!” – assuming your forest is running in the Windows Server 2003 Forest Functional Level (FFL2) or better, and that the user was added after you upgraded your forest to this level. You can also see when a user was removed, however once they’ve been removed you won’t be able to see when they were added. Start with FFL2, linked values, …

Exchange Server 2010 SP1 Training

If your organization is deploying Exchange Server 2010 or you’re even thinking about it, you should get your manager to send you to this event. I’m working with Tony Redmond and Paul Robichaux, who are two of the top Exchange MVPs, to build a three-day, in-depth Exchange Server 2010 workshop. Tony and Paul are leading the content delivery and I own the hands-on labs. I’ve seen much of the content (it’s almost done!) and it’s far more in depth than any other Exchange courseware I’ve seen, plus it’s up to date with all of the changes (there …

Speaking at TEC EMEA this Fall

I’ll be delivering a couple of sessions in Dusseldorf in a couple of weeks for TEC 2010 EMEA. There’s even still time to register if you’re not coming yet. I’ve been to a number of TECs now and without a doubt I think TEC is the most technically valuable conference I’ve attended. It’s definitely worth the cost. The two sessions I’m doing are:

Designing and Planning AD Schema Extensions – This session examines what makes sense in AD and what doesn’t, shows how to evaluate a proposed schema change and even helps you deal with a fear of schema changes. You’ll …

Active Directory, 4th Ed Available on iPhone and iPad

My book has been available on the iPhone and iPad since September of 2009. It’s quite a bargain too at US$4.99. The neat thing about this is you can search the contents of the book for whatever you’re looking for, plus you can read it just like you would the actual text. Here are a few screenshots of what the experience looks like on the iPhone: