Tony Blunt's questions

Is it possible, using LDAP filter syntax, to retrieve all users a user is subordinate to, based on the 'manager' attribute? For example,

• Bob is John's manager
• Alice is Bob's manager
• Dave is Alice's manager
• Mary is Dave's manager

When I give John's user account, I get Bob, Alice, Dave and Mary.

I know this can be done the other way around using LDAP_MATCHING_RULE_IN_CHAIN, e.g.

(manager:1.2.840.113556.1.4.1941:=cn=mary,ou=bosses,dc=domain,dc=local)

...would return Dave, Alice, Bob and John's user accounts (per this article):

My question is - in the absence of a corresponding linked attribute (such as in the case of member and memberof), can this be achieved using filter syntax? I know this can be achieved programmatically but I'm trying to avoid that if possible.

my current situation is as follows:

• We are running an Azure subscription that was set up with a PERSONAL Windows Live account, but the account has been set up using an email address from our actual domain.
• We have an Exchange 2013/O365 hybrid setup, with our AD syncing with O365. We have a mixture of on-premise mailboxes, E1 and E3 licenced users with mailboxes in O365.

My ultimate goal is have our local AD syncing with Azure and O365, with true SSO for users.

Forgetting the SSO bit for now (unless it has relevance at this stage), I just need to know how I can move my existing Azure subscription from the personal account into our existing Azure AD that O365 is using.

If someone can point me in the right direction as the process I need to go through I'd appreciate it.

Many thanks.

I'm trying to determine the best solution that allows me to assure our CEO that his Office 365 mailbox cannot be read by anyone, including myself, an admin.

Obviously the mailbox is already locked down for his access only, but I could grant myself access and nose around if I were that way inclined. I'm certainly not, but the sensitivity of the data means we need an airtight solution. Auditing of the mailbox/server is not enough.

I'm thinking that mailbox permissions can never lock an admin out 100%, so some form of encryption of the messages will be required, so that even if I were to access the mailbox, I could not read the messages. He will be sending and receiving emails internally and externally, and uses Outlook on Mac/PC, and iOS to access his emails. I can't account for the external recipients' email clients, and ideally need to avoid any additional client side software.

Please could someone help with a suitable suggestion and give a high-level overview of what the solution entails? If you need more info please let me know.

Many thanks,

I'm in the process of setting up a deployment share for Windows 7 and Office 2010 Pro Plus, using MDT 2012. My question involves the customisation of the Office 2010 install.

I've imported Office into MDT and I've successfully created a custom MSP file to tailor the settings to our business. However, I need to have a number of different customisations for different groups of users. For instance, our laptop users need Outlook Anywhere configured whereas desktop users do not. Basically - what's the best way of doing this?

Do I have to import Office into MDT more than once, each instance using a different MSP, then have the task sequence select the appropriate instance? It's just that this method seems extremely wasteful so I'm thinking that there's a more intelligent way to do it? Or am I coming at this from the wrong direction? Should I be looking at Group Policy to tweak the Outlook settings in this instance? I'm just aware that there are certain things that OCT can do that group policy cannot, so I would have thought that there must be something I can do in MDT.

I'm new to MDT so any pointers will be apprectiated. Thanks in advance.

Whilst I have experience of WDS/RIS, I am new to using MDT so I have a question regarding drivers. Our company has various different desktop hardware all over the place and I need to roll out Windows 7 to all machines. So far I have created my deployment share and used a task sequence to create my base reference image, using a VM. So far I have not added any Out-of-Box drivers. I have then added the reference WIM image into 'Operating Systems'

Now I have the task of rolling this out to the various types of hardware. My questions are:

1.Is it simply a case of adding in the required drivers into the 'Out-of-box Drivers' folder? 2.Do I need to update the deployment share after adding in the drivers? If so, do I need to refresh the boot image in WDS after doing so? 3.Can I simply dump all the drivers for all the different types of hardware in this folder, and the LiteTouch deployment will figure out what's needed during deployment?

Thanks in advance. Sorry if these are simple questions!

I am trying to implement remote client access using L2TP/IPSec VPN for both domain members and non-members. Domain members is fine and working OK but I am having trouble issuing a certificate to the non-domain members.

I believe I must be looking at issuing the computer certs via web enrollment, so I have made a duplicate of the Computer template, and changed the Subject Name setting to 'Supply in the request', since I assuming trying to build it from AD is pointless for a non-member.

Problem is, when I try to create a New > 'Certificate Template to Issue', my new template is not showing in the list, nor is the template showing in the web enrollment site.

I have a feeling I am missing something simple. I am using an Enterprise Admin account when using the CA MMC, and my Enterprise CA is running on a Server 2003 R2 Std machine.

Any suggestions to what I might be missing/doing wrong? Thanks in advance...

I'm trying to publish Exchange 2003 activesync on a Server2K3 box, through TMG 2010 on a 2008R2 box, using client certificate on Android mobiles.

From what I can tell, the issue is with TMG, as when I connect directly to the mail server everything works fine. When going through TMG, I can see the attempt in the EAS logs and the server returns 403.7 - Forbidden, client certificate required.

Now, I have set up the web listener to require client certificates, I have told the publishing rule to use Kerberos Constrained Delegation and I have configured the TMG box in Active Directory for delegation with the following SPNs:

http/{mail server internal FQDN}
w3svc/{mail server internal FQDN}

I have followed the steps in these two walkthroughs:
http://www.isaserver.org/tutorials/publish-microsoft-exchange-active-sync-eas-isa-server-2006-part1.html
http://www.isaserver.org/tutorials/Publish-Microsoft-Exchange-Active-Sync-EAS-ISA-Server-2006-Part2.html

Yet despite everything I am still getting 403.7 back from the Exchange server. I suspect the issue is either with the TMG server getting a ticket from our DC, or with the TMG providing the ticket to the mailserver.

Any suggestions would be most welcome!

Thanks in advance.

Probably something simple, but I'm trying to identify which logical drive in my HP Server's Array relates to a particular disk presented in Windows Server 2003.

So I have a Proliant DL580 G5 server with two RAID controllers. The controller in question is a Smart Array P400, which has 8 disks, split into 4 Arrays (A,B,C,D) each with a RAID 1 logical drive. The server is reporting a disk failure on one of the logical drives, and I would like to backup the files before replacing the failed disk.

What I thought would be a simple task is proving a bit of a pain. How do I identify which windows 'disk' relates to each of the logical drives in the RAID Array? I can't find any properties in diskmgmt.msc that relate to properties in ACU. Whilst I have an idea which one it is, I can't be sure.

Thanks in advance...