[ActiveDir] Stop Downloads

2004-01-20 Thread ILyas
Hi

I have set up a policy for one OU where I have stopped downloads from being
saved to the local location.
But, still they can click 'open' and run the installation.

Which policy am I missing here?

Thanks
Md ILyas

Conares Metal Supply Ltd
p.o.box 2854, dubai, uae
tel +9714 8835 111 - Extn.212
fax +9714 8836 611
mob +97150 6550 894

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] forcing a logoff

2004-01-20 Thread deji Agba



When we had a similar project, the intention was not so much to prevent "the user" from accessing network resources. The objective was to turn off unpatched/vulnerable systems that do not conform to the corporate standard. For example, you want computers that don't have the latest AV or are not RPC-DCOM-protected turned off from the network. These computers don't NEED anyone to be logged into them with any domain credentials before they become infected and start spreading. Needless to say, the project was still-born :(

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Creamer, Mark
Sent: Tue 1/20/2004 5:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] forcing a logoff

 2. Win2K and later (I have no NT 4) has cached credentials, so a user could unplug, log in, replug and thereby bypass the logon script

But they still wouldn't have access to anything network based.  Those cached credentials will only get them on their local machine.

 I would think they would simply be prompted for user name and password, at which time they would again have access to the resource. My point was this process avoids the logon script.

Thanks for the 802.1x tip - I'll look into that.



RE: [ActiveDir] forcing a logoff

2004-01-20 Thread Creamer, Mark

Yep, I understand. The problem is I need the logon script to run to get any of that accomplished.

Meanwhile, I've been reading up on some of the new network admission control stuff Cisco's been working on. Sounds like a great concept.

mc



-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 20, 2004 10:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] forcing a logoff

When we had a similar project, the intention was not so much to prevent "the user" from accessing network resources. The objective was to turn off unpatched/vulnerable systems that do not conform to the corporate standard. For example, you want computers that don't have the latest AV or are not RPC-DCOM-protected turned off from the network. These computers don't NEED anyone to be logged into them with any domain credentials before they become infected and start spreading. Needless to say, the project was still-born :(

Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Creamer, Mark
Sent: Tue 1/20/2004 5:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] forcing a logoff

 2. Win2K and later (I have no NT 4) has cached credentials, so a user could unplug, log in, replug and thereby bypass the logon script

But they still wouldn't have access to anything network based.  Those cached credentials will only get them on their local machine.

 I would think they would simply be prompted for user name and password, at which time they would again have access to the resource. My point was this process avoids the logon script.

Thanks for the 802.1x tip - I'll look into that.


Re[2]: [ActiveDir] How to track object deletion?

2004-01-20 Thread silenty
Thank you all guys for your help.

I've made some investigation on this. Here are the results. Correct me if I am 
mistaken.
When AD object is deleted it is actually moved to the Deleted Objects container of the 
partition it is deleted from.
But when it is moved to that container only a little part of its properties is taken 
with it.
Alas, there is no DN property that can tell where the object was deleted from. 
In spite of the fact that parentGUID property remained in the tombstoned object it is 
set to the GUID
of Deleted Object container, but not to the GUID of the recent object parent. It is a 
real mess.

It all leads to that I can't determine DN of deleted object by any means without 
storing some type of objects cache 
before their deletion! I can't accept that taking into account that object deletion is 
the most critical AD change.




 I've been looking at ways for tracking static DNS record changes.   So far
 I've been focusing on the dnsTombestone property which has 3 values of
 NULL, TRUE, and FALSE.
 
 Perhaps you can see if that object has a similar property?  I'm not at an AD
 terminal now, so I can't check, but it might be something you can check on.
 
 Just an Idea. :)
 
 J
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Monday, January 19, 2004 9:37 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] How to track object deletion?
 
 Hello, AD gurus.
 I've been developing a DirSync program that tracks for object changes in
 AD.
 Everything is fine except for object deletion.
 When AD object is deleted, as everybody knows here, it is tombstoned. As I
 figured out that means that the object is moved to the 
 hidden container called 'Deleted Objects'. So when I delete an object
 DirSync returns me the following
 
 CN=user1\DEL:5fce35d1-42dc-4d42-b4d6-fd4a5c773acd,CN=Deleted
 Objects,DC=sbhbd1,DC=local
 
 as the DN of changed object.
 
 In the example above I deleted object with DN: CN=user1,CN=Users,
 DC=sbhbd1,DC=local.
 But I've lost some part of original object DN like: * ,CN=Users, *
 
 The question is: How to track AD objects deletion? I need to know  object
 original DN, but AD hides it from me.
 I don't want to keep a copy of original AD or whatever similar to it.
 
 Thanks in advance! 
 
 
 
 --
 Best regards,
(mailto:[EMAIL PROTECTED])19.01.2004, 18:27


--
Best regards,
   (mailto:[EMAIL PROTECTED])20.01.2004, 15:57


Re: Re[2]: [ActiveDir] How to track object deletion?

2004-01-20 Thread Tony Murray
The only other way I can think of to track object deletion is to use auditing.  Of 
course this involves somehow collating the event log information, but there are tools 
available to do this.

Tony

-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 20 Jan 2004 16:07:46 +0300

Thank you all guys for your help.

I've made some investigation on this. Here are the results. Correct me if I am 
mistaken.
When AD object is deleted it is actually moved to the Deleted Objects container of the 
partition it is deleted from.
But when it is moved to that container only a little part of its properties is taken 
with it.
Alas, there is no DN property that can tell where the object was deleted from. 
In spite of the fact that parentGUID property remained in the tombstoned object it is 
set to the GUID
of Deleted Object container, but not to the GUID of the recent object parent. It is a 
real mess.

It all leads to that I can't determine DN of deleted object by any means without 
storing some type of objects cache 
before their deletion! I can't accept that taking into account that object deletion is 
the most critical AD change.




 I've been looking at ways for tracking static DNS record changes.   So far
 I've been focusing on the dnsTombestone property which has 3 values of
 NULL, TRUE, and FALSE.
 
 Perhaps you can see if that object has a similar property?  I'm not at an AD
 terminal now, so I can't check, but it might be something you can check on.
 
 Just an Idea. :)
 
 J
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Monday, January 19, 2004 9:37 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] How to track object deletion?
 
 Hello, AD gurus.
 I've been developing a DirSync program that tracks for object changes in
 AD.
 Everything is fine except for object deletion.
 When AD object is deleted, as everybody knows here, it is tombstoned. As I
 figured out that means that the object is moved to the 
 hidden container called 'Deleted Objects'. So when I delete an object
 DirSync returns me the following
 
 CN=user1\DEL:5fce35d1-42dc-4d42-b4d6-fd4a5c773acd,CN=Deleted
 Objects,DC=sbhbd1,DC=local
 
 as the DN of changed object.
 
 In the example above I deleted object with DN: CN=user1,CN=Users,
 DC=sbhbd1,DC=local.
 But I've lost some part of original object DN like: * ,CN=Users, *
 
 The question is: How to track AD objects deletion? I need to know  object
 original DN, but AD hides it from me.
 I don't want to keep a copy of original AD or whatever similar to it.
 
 Thanks in advance! 
 
 
 
 --
 Best regards,
(mailto:[EMAIL PROTECTED])19.01.2004, 18:27


--
Best regards,
   (mailto:[EMAIL PROTECTED])20.01.2004, 15:57


RE: Re[2]: [ActiveDir] How to track object deletion?

2004-01-20 Thread Gil Kirkpatrick
There's a good description of the different strategies you can use to track
AD changes at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/tracking_changes.asp?frame=true.

Tony, you should add this to the FAQ... It seems to come up every few
months.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, January 20, 2004 6:08 AM
To: [EMAIL PROTECTED]
Subject: Re[2]: [ActiveDir] How to track object deletion?


Thank you all guys for your help.

I've made some investigation on this. Here are the results. Correct me if
I am mistaken. When AD object is deleted it is actually moved to the Deleted
Objects container of the partition it is deleted from. But when it is moved
to that container only a little part of its properties is taken with it.
Alas, there is no DN property that can tell where the object was deleted
from. 
In spite of the fact that parentGUID property remained in the tombstoned
object it is set to the GUID of Deleted Object container, but not to the
GUID of the recent object parent. It is a real mess.

It all leads to that I can't determine DN of deleted object by any means
without storing some type of objects cache 
before their deletion! I can't accept that taking into account that object
deletion is the most critical AD change.




 I've been looking at ways for tracking static DNS record changes.   So far
 I've been focusing on the dnsTombestone property which has 3 values 
 of NULL, TRUE, and FALSE.
 
 Perhaps you can see if that object has a similar property?  I'm not at 
 an AD terminal now, so I can't check, but it might be something you 
 can check on.
 
 Just an Idea. :)
 
 J
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Monday, January 19, 2004 9:37 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] How to track object deletion?
 
 Hello, AD gurus.
 I've been developing a DirSync program that tracks for object changes 
 in AD. Everything is fine except for object deletion.
 When AD object is deleted, as everybody knows here, it is tombstoned. As I
 figured out that means that the object is moved to the 
 hidden container called 'Deleted Objects'. So when I delete an object
 DirSync returns me the following
 
 CN=user1\DEL:5fce35d1-42dc-4d42-b4d6-fd4a5c773acd,CN=Deleted
 Objects,DC=sbhbd1,DC=local
 
 as the DN of changed object.
 
 In the example above I deleted object with DN: CN=user1,CN=Users, 
 DC=sbhbd1,DC=local. But I've lost some part of original object DN 
 like: * ,CN=Users, *
 
 The question is: How to track AD objects deletion? I need to know  
 object original DN, but AD hides it from me. I don't want to keep a 
 copy of original AD or whatever similar to it.
 
 Thanks in advance!
 
 
 
 --
 Best regards,
(mailto:[EMAIL PROTECTED])19.01.2004, 18:27


--
Best regards,
   (mailto:[EMAIL PROTECTED])20.01.2004, 15:57


[ActiveDir] ntfrsutl inlog command - How to clear old files? FRS problems

2004-01-20 Thread Jef Kazimer

We have some servers with slow connections due to some political site link 
connections times.  What I believe is happening is that the replication window is not 
sufficient to propagate all the changes, and when the changes reach to the box,  the 
files it's expecting to change are no longer there.

Ultrasound reports these as Sharing Violations due to the fact they are in 
IBCO_INSTALL_RETRY.  It assumes a process is holding them open, when in fact they are 
not.

The question is how do I clear these out of the ntfrs db to ignore those changes?   
One article I found (and can't refind!) suggested  clearing the connection on the 
server,  and restarting FRS service to clear the entries.   This worked for a few 
servers, but it seems those with manual connections it will not clear the inlog.

Anyone know a better way?  Or if anything, where to find more documentation?  the 
ntfrsutl I would expect to maybe have a switch to clear entries like this, but it does 
not.

I have entries dating back to 2002... ugh...

Here is an example of 1 inlog result.  I have this on 80 some servers.  Notice the old 
dates, and 0'd out info.

Any help would be greatly appreciated, as I am having reservation on moving forward 
with a 2003 upgrade, until FRS is happy.

---

Table Type: Inbound Log Table for DOMAIN SYSTEM VOLUME (SYSVOL SHARE) (1)
SequenceNumber   : 1291
Flags: 004a Flags [VVAct Locn Retry ]
IFlags   : 0001 Flags [IFlagVVRetireExec ]
State: 000f  CO STATE:  IBCO_INSTALL_DEL_RETRY
ContentCmd   :  Flags [Flags Clear]
Lcmd : 0003  D/F 1   Delete
FileAttributes   : 0030 Flags [DIRECTORY ARCHIVE ]
FileVersionNumber: 0006
PartnerAckSeqNumber  : 0012e131
FileSize :  
FileOffset   :  
FrsVsn   : 01c3b10e 7cd46dbf
FileUsn  :  82386de8
JrnlUsn  :  9edfe1a0
JrnlFirstUsn :  9edfe1a0
OriginalReplica  : 1  [???]
NewReplica   : 1  [???]
ChangeOrderGuid  : 8bbb9663-f7ee-498b-92b10db4077d4c1b
OriginatorGuid   : 656571a6-cac6-418b-950e50a8729c476e
FileGuid : 47a88a6c-2a59-4847-99752abc6e089242
OldParentGuid: 104f9971-95ad-4edc-934e073d9f62963f
NewParentGuid: 104f9971-95ad-4edc-934e073d9f62963f
CxtionGuid   : 9a9ddaf7-96c9-4730-a897861cf726df42
Spare1Ull: Sat Nov  8, 2003 14:01:00
MD5CheckSum  : MD5:     
RetryCount   : 0
FirstTryTime : Thu Dec 18, 2003 20:05:35
EventTime: Thu Dec 18, 2003 18:31:43
FileNameLength   :   76
FileName : {74F20E4C-B574-4A73-8879-C4330F02519A}




RE: [ActiveDir] forcing a logoff

2004-01-20 Thread Creamer, Mark
I noticed that there is a WMI core install for Win9x and I installed it on my test 
Win95 machine.
However, I can't get the WMI script to reboot that machine. Is it possible that even 
though WMI core
is installed, it doesn't give me access to all of the features I'd have on a Win2K 
machine?

The error I receive on the script is:
Microsoft VBScript runtime error: The remote server machine does not exist or is 
unavailable:
'GetObject'

Thanks,
Mark Creamer




RE: [ActiveDir] forcing a logoff

2004-01-20 Thread Guy Teverovsky
You can try the following shell command:
RunDll32.exe Shell32.dll,SHExitWindowsEx 0x1

http://www.borncity.com/WSHBazaar/WSHExitWin3.htm for details.

Guy

On Tue, 2004-01-20 at 21:41, Creamer, Mark wrote:
 I noticed that there is a WMI core install for Win9x and I installed it on my test 
 Win95 machine.
 However, I can't get the WMI script to reboot that machine. Is it possible that even 
 though WMI core
 is installed, it doesn't give me access to all of the features I'd have on a Win2K 
 machine?
 
 The error I receive on the script is:
 Microsoft VBScript runtime error: The remote server machine does not exist or is 
 unavailable:
 'GetObject'
 
 Thanks,
 Mark Creamer
 
 


RE: [ActiveDir] How to track object deletion?

2004-01-20 Thread joe
Hey Darren have you ever seen that attribute populated? I don't recall ever
seeing it on any objects. I never looked deeply into it though to see what
it was legally linked to. 

  Joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 19, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to track object deletion?

Check the lastKnownParent attribute on the deleted object.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, January 19, 2004 7:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How to track object deletion?

Hello, AD gurus.
I've been developing a DirSync program that tracks for object changes in
AD.
Everything is fine except for object deletion.
When AD object is deleted, as everybody knows here, it is tombstoned. As I
figured out that means that the object is moved to the hidden container
called 'Deleted Objects'. So when I delete an object DirSync returns me the
following

CN=user1\DEL:5fce35d1-42dc-4d42-b4d6-fd4a5c773acd,CN=Deleted
Objects,DC=sbhbd1,DC=local

as the DN of changed object.

In the example above I deleted object with DN: CN=user1,CN=Users,
DC=sbhbd1,DC=local.
But I've lost some part of original object DN like: * ,CN=Users, *

The question is: How to track AD objects deletion? I need to know object
original DN, but AD hides it from me.
I don't want to keep a copy of original AD or whatever similar to it.

Thanks in advance! 



--
Best regards,
   (mailto:[EMAIL PROTECTED])19.01.2004, 18:27


RE: [ActiveDir] forcing a logoff

2004-01-20 Thread marcus

We've been looking into that stuff, too.  You looking at the Cisco agent stuff or the 802.1x stuff?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, January 20, 2004 10:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] forcing a logoff

Yep, I understand. The problem is I need the logon script to run to get any of that accomplished.

Meanwhile, I've been reading up on some of the new network admission control stuff Cisco's been working on. Sounds like a great concept.

mc

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 20, 2004 10:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] forcing a logoff

When we had a similar project, the intention was not so much to prevent "the user" from accessing network resources. The objective was to turn off unpatched/vulnerable systems that do not conform to the corporate standard. For example, you want computers that don't have the latest AV or are not RPC-DCOM-protected turned off from the network. These computers don't NEED anyone to be logged into them with any domain credentials before they become infected and start spreading. Needless to say, the project was still-born :(

Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Creamer, Mark
Sent: Tue 1/20/2004 5:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] forcing a logoff

 2. Win2K and later (I have no NT 4) has cached credentials, so a user could unplug, log in, replug and thereby bypass the logon script

But they still wouldn't have access to anything network based. Those cached credentials will only get them on their local machine.

 I would think they would simply be prompted for user name and password, at which time they would again have access to the resource. My point was this process avoids the logon script.

Thanks for the 802.1x tip - I'll look into that.


RE: [ActiveDir] How to track object deletion?

2004-01-20 Thread Robbie Allen (rallen)
FYI, lastKnownParent is not supported on W2K.

Robbie Allen 
http://www.rallenhome.com/

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Darren Mar-Elia
 Sent: Tuesday, January 20, 2004 9:25 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] How to track object deletion?
 
 Joe-
 In Server 2003, lastKnownParent is reliably populated with the last
 known home of the deleted object. However, I've not tried 
 Win2K and it's quite possibly not.
 
 Darren
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Tuesday, January 20, 2004 2:03 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] How to track object deletion?
 
 Hey Darren have you ever seen that attribute populated? I don't recall
 ever seeing it on any objects. I never looked deeply into it though to
 see what it was legally linked to. 
 
   Joe
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Darren Mar-Elia
 Sent: Monday, January 19, 2004 3:02 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] How to track object deletion?
 
 Check the lastKnownParent attribute on the deleted object.
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Monday, January 19, 2004 7:37 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] How to track object deletion?
 
 Hello, AD gurus.
 I've been developing a DirSync program that tracks for object changes
 in AD.
 Everything is fine except for object deletion.
 When AD object is deleted, as everybody knows here, it is 
 tombstoned. As
 I figured out that means that the object is moved to the hidden
 container called 'Deleted Objects'. So when I delete an object DirSync
 returns me the following
 
 CN=user1\DEL:5fce35d1-42dc-4d42-b4d6-fd4a5c773acd,CN=Deleted
 Objects,DC=sbhbd1,DC=local
 
 as the DN of changed object.
 
 In the example above I deleted object with DN: CN=user1,CN=Users,
 DC=sbhbd1,DC=local.
 But I've lost some part of original object DN like: * ,CN=Users, *
 
 The question is: How to track AD objects deletion? I need to 
 know object
 original DN, but AD hides it from me.
 I don't want to keep a copy of original AD or whatever similar to it.
 
 Thanks in advance! 
 
 
 
 --
 Best regards,
(mailto:[EMAIL PROTECTED])19.01.2004, 18:27
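
Added example (not code from any poster in this thread): a Python helper a DirSync consumer could use to turn the tombstone DN quoted in the thread back into the original DN. It uses lastKnownParent when the DC supplies one and otherwise falls back to a small objectGUID-to-DN map kept from earlier DirSync results. The function names, the guid_cache parameter and the handling of the \0ADEL: spelling of the tombstone RDN are assumptions that go beyond what the thread shows.

```python
import re
import uuid
from typing import Dict, List, NamedTuple, Optional

# RDN of a tombstone: "<attr>=<old name>\DEL:<objectGUID>" as printed in the
# thread, or "...\0ADEL:<objectGUID>" (escaped newline). Accepting the second
# form is an assumption beyond the thread; LDAP clients commonly display it.
_TOMBSTONE_RDN = re.compile(
    r"^(?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<name>.*?)\\(?:0[Aa])?DEL:"
    r"(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$"
)


class DeletedObject(NamedTuple):
    rdn: str                     # e.g. "CN=user1"
    object_guid: uuid.UUID       # survives on the tombstone
    naming_context: str          # partition holding "Deleted Objects"
    original_dn: Optional[str]   # None when it cannot be rebuilt
    source: str                  # "lastKnownParent", "guid-cache" or "unknown"


def split_dn(dn: str) -> List[str]:
    """Split a DN on commas that are not backslash-escaped."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


def is_tombstone_dn(dn: str) -> bool:
    """True when the first RDN carries the DEL:<guid> marker."""
    return bool(_TOMBSTONE_RDN.match(split_dn(dn)[0]))


def resolve_deleted(
    tombstone_dn: str,
    last_known_parent: Optional[str] = None,
    guid_cache: Optional[Dict[uuid.UUID, str]] = None,
) -> DeletedObject:
    """Rebuild the pre-deletion DN of an object reported under Deleted Objects.

    last_known_parent: value of the lastKnownParent attribute, if the DC
        returned one (per the thread: Server 2003 yes, W2K no).
    guid_cache: hypothetical objectGUID -> last seen DN map maintained by the
        sync program itself; only GUID and DN, not a copy of the directory.
    """
    parts = split_dn(tombstone_dn)
    if len(parts) < 3 or parts[1].lower() != "cn=deleted objects":
        raise ValueError("not under CN=Deleted Objects: %r" % tombstone_dn)
    m = _TOMBSTONE_RDN.match(parts[0])
    if not m:
        raise ValueError("first RDN has no DEL:<guid> marker: %r" % parts[0])

    rdn = "%s=%s" % (m.group("attr"), m.group("name"))
    guid = uuid.UUID(m.group("guid"))
    naming_context = ",".join(parts[2:])

    # A parent that was itself deleted is no longer a usable location.
    if last_known_parent and not is_tombstone_dn(last_known_parent):
        return DeletedObject(rdn, guid, naming_context,
                             rdn + "," + last_known_parent, "lastKnownParent")
    if guid_cache and guid in guid_cache:
        return DeletedObject(rdn, guid, naming_context,
                             guid_cache[guid], "guid-cache")
    return DeletedObject(rdn, guid, naming_context, None, "unknown")


if __name__ == "__main__":
    # DN taken from the thread; the lastKnownParent value is constructed.
    dn = (r"CN=user1\DEL:5fce35d1-42dc-4d42-b4d6-fd4a5c773acd,"
          "CN=Deleted Objects,DC=sbhbd1,DC=local")
    print(resolve_deleted(dn, last_known_parent="CN=Users,DC=sbhbd1,DC=local"))
    print(resolve_deleted(dn))   # W2K case: no lastKnownParent, no cache
```
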


RE: [ActiveDir] Upgrade to Win2k

2004-01-20 Thread deji Agba



http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookintr.asp




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Sudhir Kaushal
Sent: Tue 1/20/2004 8:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Upgrade to Win2k

I have to upgrade my network from NT 4.0 to Win2k. My current scenario is:
1. PDC with DNS (having 2 zones: secondary abc.com and primary abc.net)
2. Domain Name is Test.
3. 2 BDC.
Plan is
1. Install fresh BDC, Configure the DNS on it by configuring the same zones. While creating the zones I would copy the records from the DNS files on PDC and paste it into the DNS files on the BDC. This way I will have my DNS Zones configured with all the records in that
2. Promote the BDC to PDC
3. Upgrade to Win2k along with ADS
4. What shall I give as "New DNS Domain Name" in order to retain the same setting. I don't want to change the name of the current domain
5. When I will join a new client where his A record would be created dynamically? In test.local zone or abc.net zone? As all my clients has to be part of abc.net zone. These clients are being accessed by outside world.
Would appreciate if someone can guide me on this or can refer me some good article on how to upgrade the NT 4 DNS to Win2K DNS keeping the current configurations intact. Or do I have to give the new DNS domain name according to DNS zone like abc.net. to get the SRV records created under the abc.net zone and whenever new client joins in, its A record would get created in abc.net
Thanks in Advance.
Regards, Sudhir Kaushal


[ActiveDir] !important!!!

2004-01-20 Thread Jeremy.Hicks
i dunno how but your emails keep commin 2 my in box like 40 or 550 a day
pls help
- Original Message -
From: Byron Fackenthall [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, January 19, 2004 7:48 PM
Subject: RE: [ActiveDir] forcing a logoff


If you have WMI installed on your pre 2k machines you can write a script
to check for the latest files and if not there use WMI
Win32_OperatingSystem to shut them down.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/scrguide/sas_cpm_jleo.asp

Watch word wrap and synch up the TOC.  There are two sample scripts
under this asp. Like this one:

Const SHUTDOWN = 1   ' Win32Shutdown flag: 1 = shut down
strComputer = "."    ' "." = the local computer
' The Shutdown privilege has to be enabled in the moniker's security settings.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Shutdown)}!\\" & strComputer _
    & "\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_OperatingSystem")
For Each objOperatingSystem in colOperatingSystems
    objOperatingSystem.Win32Shutdown(SHUTDOWN)
Next


You can integrate this into your logon scripts or scan and check if your
network is not too big.

We use a similar tactic to keep users from using their old Nt4 accounts
after we migrate them to AD.  We found that if we disabled them too soon
after cutting the users over to their AD accounts some of our systems
failed because they took a while to update to the new account credential
but if we left the account enabled we benefited from some pass through.
This allowed us to keep users from logging in with old accounts based on
a condition ( membership in the migrated group) but still not have to
disable their account until we know the back end systems have gotten
their updates.

Byron


-Original Message-
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Monday, January 19, 2004 3:49 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] forcing a logoff

Hi all, can you give me some ideas on how to handle this...we use
ScriptLogic to manage our desktop
environments, which works very well. I have been asked to find a way to
force people who have not
updated or are not running the latest AV (specific approved product) to
logoff.

Environment: Win2K domain, Win9x through XP clients, slow WAN links
(some very small offices have 56k
frame)

Here's what I'm thinking so far:

1. User logs in, ScriptLogic runs
2. SL queries the registry for the magic key/value
3. If it doesn't find it, pops up a msg that says, upgrade your AV
before [date] and here's a link to
tell you how
4. Drop-dead date comes along, user still hasn't installed/updated
5. SL queries the registry, finds it not installed and executes a
command to log the user off

I see some basic problems with this though, and maybe you'll have more:

1. Does not affect Win9x users since they can click Cancel and
effectively not log on
2. Win2K and later (I have no NT 4) has cached credentials, so a user
could unplug, log in, replug and
thereby bypass the logon script
3. I'm not sure the various logoff tools I've seen are reliable enough
to guarantee the result
4. Logging off the machine does not protect the network from viruses;
shutdown would be better - it
would be more of an annoyance to prompt the user to get it fixed so
he/she can work normally again
5. Some users stay logged on, never or hardly ever even running their
logon script

So with all that said, can you suggest any better options I should be
considering, maybe not involving
my logon script tool at all?

Thanks,
Mark Creamer