On 1/29/2014 3:17 PM, Joseph L. Casale wrote:
> I'm sorry, with all due respect I disagree. There is an unfathomable quantity of
> functionality not accessible via LDAP.
>
> You can query some aspects made available through the LDAP interface, you
> cannot set nor modify plenty.

indeed, as I said, 'extended/modified'. the GPO stuff has actually nothing to do with the directory service per se, it's just dispatched via it, using Kerberos tickets for authentication.

LDAP itself doesn't address replication either, and Microsoft made all that about as complicated as they could with their FSMOs and whatnot. it's really simple and easy until something goes south, then you discover there's layers and layers of kludge under the skin and it's amazing it works at all.

--
john r pierce 37N 122W
somewhere on the middle of the left coast