RE: [ActiveDir] DFS use question
Some questions to ask yourself: How much change occurs within an hour? What hardware are the servers running on? Enough RAM, processors, drive performance... The more change, the greater the requirements for hardware, space for staging and bandwidth. Seriously consider a third party. I had some success with smaller volumes (about 15GB) with moderate to high hourly modifications and a larger volume (40GB) with moderate modifications.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Sunday, April 11, 2004 9:06 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] DFS use question

We have one of our largest sites in England and another large site in the US, with at least a full T-1 between the two sites. We have a share with about 70GB of data in it that both sites regularly need to access. Would this be something we could use DFS for with automatic replication, or is this way out of DFS's range? And if it's out of the range of DFS, how are others solving this issue? A program like Veritas Storage Replicator, or NSI DoubleTake? Or will DFS suffice?

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] using dsacls.exe
Hmmm.. Interesting use of the term "staged" - gonna have to use that.. Actually, the Westin was the designated hotel for, um, well, not Exchange.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, April 12, 2004 8:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] using dsacls.exe

You were hanging out with all the Exchange folks at the "Exchange Hotel". After meeting them I do understand why you would want to, a generally interesting cast of characters. The Ren bar just "staged" us for each night's activities. You seemed well "staged" every time I saw you, so I think you were doing ok and your bar choice was fine.

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, April 12, 2004 10:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] using dsacls.exe

So what you're telling me is I was hanging out in the wrong bar all week?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, April 10, 2004 3:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] using dsacls.exe

Actually I think he replied to this one in the bar of the Renaissance as him, myself, and Dean were chatting about it while drinking and Ulf was working on his pda/phone. BTW Guido, you slipped out like a phantom man. Sorry you had other responsibilities to deal with. Would have been nice to have had you around longer and especially when sitting with the Dev guys. We had a lot of fun. Also BTW, the Dev guys said that Universal groups were all a huge mistake and no one should be using them... Do Exchange in a separate single domain forest j/k But I think they would have said that had we discussed it. I had something else on my mind when we chatted with them that was more important to me than Universal Groups and Domain Local Groups.

Another also BTW, Dean and I talked out an interesting idea, you may like it when we have the result ready. An idea to hopefully kill the entire lag site paradigm by making it unnecessary. Never was a fan of that idea but I do like the idea of DR sites for grabbing backups off of as I have discussed previously.

joe

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, April 09, 2004 1:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] using dsacls.exe

Hey Ulf - I see you got home from the summit safely ;-) In your AD newsgroup post which you referenced below you answered the following question

"Is there a comprehensive reference that identifies each permission required to perform a task? Giving a user the "AddUser" permission is not enough. They also have to have the rights to add objects and child objects, etc etc..."

with

"Not that I'm aware of - the rights I don't know I set with the delegation wizard and run dsacls or look into the security tab."

Just want to make sure that everyone is aware of the excellent Delegation Whitepaper, that's been available for a couple of months now: http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3DisplayLang=en

And don't forget to download the Appendix for this whitepaper, which contains all the nitty gritty details on what's required to perform which task.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Thursday, 8 April 2004 17:10
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] using dsacls.exe

Hello Bart, see the following post: http://groups.google.de/[EMAIL PROTECTED]

Ulf B. Simon-Weidner

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vermeire Bart
Sent: Tuesday, 6 April 2004 06:43
To: [EMAIL PROTECTED]
Subject: [ActiveDir] using dsacls.exe

Hi, I am struggling with the dsacls.exe tool and hope that someone in this list can answer me. I need to set permissions on an OU from a CMD line batch file and I am using dsacls.exe for that. However, setting the "Reset Password" extended right is one task I cannot accomplish. Can you please
RE: [ActiveDir] logon scripts
Except Deji forgets one important piece of information (which is rare for him) - VBScript doesn't natively run on Win9x. It requires a separate install of Windows Scripting Host.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 12:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Smart guy. :op

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Monday, April 12, 2004 11:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

I don't have a Win9X to test this on, but Win2K/2K3/XP is fair game for this:

    ' Map drives based on the user's group membership (WSH / VBScript logon script)
    Set wshNetwork = WScript.CreateObject("WScript.Network")
    Set wshShell = WScript.CreateObject("WScript.Shell")

    ' UNC paths of the shares to map
    str_Group1_Share = "\\myserver\myShare1"
    str_Exec_Share = "\\myserver\myShare2"
    str_BS_Share = "\\myserver\myShare3"
    str_Super_Share = "\\mySuperServer\SuperShare"
    strDriveToMap = "H:"

    ' Bind to the logged-on user via the WinNT provider and walk its groups
    usrName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
    Set usr = GetObject("WinNT://MyDomainName/" & usrName & ",user")

    For Each grp In usr.Groups
        WScript.Echo grp.Name
        If grp.Name = "BS-Group" Then
            wshNetwork.MapNetworkDrive strDriveToMap, str_BS_Share
            Exit For
        ElseIf grp.Name = "SOME_GROUP" Then
            wshNetwork.MapNetworkDrive strDriveToMap, str_Group1_Share
            Exit For
        ElseIf grp.Name = "yet_Another_Group" Or grp.Name = "Super-DuperUser" Then
            wshNetwork.MapNetworkDrive strDriveToMap, str_Super_Share
            wshNetwork.MapNetworkDrive "K:", str_Exec_Share
            Exit For
        End If
    Next

    Set usr = Nothing
    Set wshShell = Nothing
    Set wshNetwork = Nothing

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Nathan Casey
Sent: Mon 4/12/2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] logon scripts

What is a recommended logon script solution that will work with win9x, win2k/xp clients for drive mapping, etc that works similar to Novell logon scripts?

Example:

    IF MEMBER OF "GROUP" THEN BEGIN
        MAP H:=SERVER1\VOL1:
    END
[ActiveDir] Firewall
Do you all force your XP clients to have the built-in firewall enabled? Are there any cons (such as some GPs not working) to having it enabled? The reason I ask is I am having a problem finding the culprit which is causing some users the inability to edit their "editable" (phone number, homepage, address, etc) attributes. Thanks in advance
RE: [ActiveDir] logon scripts - Kixtart
Is anyone using Kixtart as a utility along with their logon scripts?

Kelly J. Jeglum
LAN Mgr. Auxiliary Services
University of Wisconsin Milwaukee

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, April 12, 2004 11:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

LOL!

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Monday, April 12, 2004 11:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

I don't remember telling you my middle name :p

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Rick Kingslan
Sent: Mon 4/12/2004 9:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Smart guy. :op

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Monday, April 12, 2004 11:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

I don't have a Win9X to test this on, but Win2K/2K3/XP is fair game for this:

    ' Map drives based on the user's group membership (WSH / VBScript logon script)
    Set wshNetwork = WScript.CreateObject("WScript.Network")
    Set wshShell = WScript.CreateObject("WScript.Shell")

    ' UNC paths of the shares to map
    str_Group1_Share = "\\myserver\myShare1"
    str_Exec_Share = "\\myserver\myShare2"
    str_BS_Share = "\\myserver\myShare3"
    str_Super_Share = "\\mySuperServer\SuperShare"
    strDriveToMap = "H:"

    ' Bind to the logged-on user via the WinNT provider and walk its groups
    usrName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
    Set usr = GetObject("WinNT://MyDomainName/" & usrName & ",user")

    For Each grp In usr.Groups
        WScript.Echo grp.Name
        If grp.Name = "BS-Group" Then
            wshNetwork.MapNetworkDrive strDriveToMap, str_BS_Share
            Exit For
        ElseIf grp.Name = "SOME_GROUP" Then
            wshNetwork.MapNetworkDrive strDriveToMap, str_Group1_Share
            Exit For
        ElseIf grp.Name = "yet_Another_Group" Or grp.Name = "Super-DuperUser" Then
            wshNetwork.MapNetworkDrive strDriveToMap, str_Super_Share
            wshNetwork.MapNetworkDrive "K:", str_Exec_Share
            Exit For
        End If
    Next

    Set usr = Nothing
    Set wshShell = Nothing
    Set wshNetwork = Nothing

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Nathan Casey
Sent: Mon 4/12/2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] logon scripts

What is a recommended logon script solution that will work with win9x, win2k/xp clients for drive mapping, etc that works similar to Novell logon scripts?

Example:

    IF MEMBER OF "GROUP" THEN BEGIN
        MAP H:=SERVER1\VOL1:
    END
Re: [ActiveDir] Firewall
I'm not using the XP firewall yet, but I'll consider it with SP2 since it is much better. The built-in firewall isn't supposed to interfere with communications with DCs, I think. Are you getting any specific error message when users try to edit their attributes? Or do they just not have permission to do so? Check the event logs to see if there are any errors.

Robbie Foust, IT Analyst
Systems and Core Services
Duke University

Douglas M. Long wrote:

Do you all force your XP clients to have the built-in firewall enabled? Are there any cons (such as some GPs not working) to having it enabled? The reason I ask is I am having a problem finding the culprit which is causing some users the inability to edit their "editable" (phone number, homepage, address, etc) attributes. Thanks in advance
RE: [ActiveDir] DFS use question
I concur... especially considering the restore time in the event that replication screws up and critical information is pushed off to a Staging area, inaccessible to the user.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, April 12, 2004 11:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS use question

With all due respect to those that absolutely think that FRS v1 is hot, I'm quite pleased that there has been this level of success with it. However, even Microsoft admits that FRS is... well, broken. It gets better with each QFE, Service Pack and HotFix, but the basics are just flat broken. I'm not sure that I'd recommend it for anything remotely critical. But, to each his own.

Rick Kingslan MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of E Brown
Sent: Monday, April 12, 2004 2:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS use question

This is not out of the realm of FRS. I work with some folks that sync 240+GB between 12 servers using T-1 as well.. There are some tuning factors that should be followed: What is the DFS topology? Make sure you are using the DFS/FRS tuning docs. Set up Ultrasound to monitor... Let me know if you need more details.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Sunday, April 11, 2004 7:06 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] DFS use question

We have one of our largest sites in England and another large site in the US, with at least a full T-1 between the two sites. We have a share with about 70GB of data in it that both sites regularly need to access. Would this be something we could use DFS for with automatic replication, or is this way out of DFS's range? And if it's out of the range of DFS, how are others solving this issue? A program like Veritas Storage Replicator, or NSI DoubleTake? Or will DFS suffice?
RE: [ActiveDir] Firewall
Have a look in c:\windows\pfirewall.log to see what traffic is being dropped by the firewall.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: 13 April 2004 14:32
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Firewall

Do you all force your XP clients to have the built-in firewall enabled? Are there any cons (such as some GPs not working) to having it enabled? The reason I ask is I am having a problem finding the culprit which is causing some users the inability to edit their "editable" (phone number, homepage, address, etc) attributes. Thanks in advance
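To act on that pointer, here is an added example (not code from the list thread) that reads a pfirewall.log in its W3C extended format, where the #Fields comment line names the columns, and tallies what the firewall dropped by destination service and by source host; the sample log, its header and the addresses are constructed for the example.

```python
"""Summarise what the XP firewall dropped, from a pfirewall.log file.

The log is W3C extended format: comment lines start with '#', and the
'#Fields:' line names the columns of the data lines that follow it.
"""
from collections import Counter

# Constructed sample of a pfirewall.log (not a real capture); the column
# names below follow the #Fields header this example assumes.
SAMPLE_LOG = """#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-04-13 09:41:02 DROP TCP 10.1.2.3 10.1.2.50 3456 445 48 S 1234567 0 65535 - - -
2004-04-13 09:41:05 OPEN TCP 10.1.2.50 10.1.2.10 1045 389 - - - - - - - -
2004-04-13 09:41:06 DROP UDP 10.1.2.7 10.1.2.50 137 137 78 - - - - - - -
2004-04-13 09:41:09 DROP TCP 10.1.2.3 10.1.2.50 3457 139 48 S 1234568 0 65535 - - -
2004-04-13 09:41:12 DROP ICMP 10.1.2.9 10.1.2.50 - - 60 - - - - 8 0 -
"""


def parse_pfirewall_log(text):
    """Yield one dict per data line, keyed by the names from the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            # Data before any #Fields header cannot be interpreted; skip it.
            continue
        parts = line.split()
        # Pad short lines with '-' so every record has every column.
        parts += ["-"] * (len(fields) - len(parts))
        yield dict(zip(fields, parts))


def dropped_by_service(text):
    """Count DROP records per (protocol, dst-port): which service is being blocked."""
    counts = Counter()
    for rec in parse_pfirewall_log(text):
        if rec["action"] == "DROP":
            counts[(rec["protocol"], rec["dst-port"])] += 1
    return counts


def dropped_by_source(text):
    """Count DROP records per source address: which hosts keep hitting the firewall."""
    counts = Counter()
    for rec in parse_pfirewall_log(text):
        if rec["action"] == "DROP":
            counts[rec["src-ip"]] += 1
    return counts


if __name__ == "__main__":
    # On a real client: open(r"c:\windows\pfirewall.log").read() in place of SAMPLE_LOG
    for (proto, port), n in dropped_by_service(SAMPLE_LOG).most_common():
        print(f"{proto:5} dst-port {port:>5}: {n} dropped")
    for src, n in dropped_by_source(SAMPLE_LOG).most_common():
        print(f"{src:15}: {n} dropped")
```

A client whose directory traffic were being blocked would show up here as DROP records to the domain controller's ports; OPEN records (like the LDAP connection on 389 in the sample) are the firewall permitting traffic, not blocking it.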
RE: [ActiveDir] Firewall
This is not a firewall issue. The Windows ICF allows all outbound connections.

Denny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Tuesday, April 13, 2004 9:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Firewall

I will probably (if testing goes well) implement it when SP2 is out. Today I'm not using the firewall on my XPs.

Regards,
/Jimmy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Tuesday, April 13, 2004 3:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Firewall

I'm not using the XP firewall yet, but I'll consider it with SP2 since it is much better. The built-in firewall isn't supposed to interfere with communications with DCs, I think. Are you getting any specific error message when users try to edit their attributes? Or do they just not have permission to do so? Check the event logs to see if there are any errors.

Robbie Foust, IT Analyst
Systems and Core Services
Duke University

Douglas M. Long wrote:

Do you all force your XP clients to have the built-in firewall enabled? Are there any cons (such as some GPs not working) to having it enabled? The reason I ask is I am having a problem finding the culprit which is causing some users the inability to edit their "editable" (phone number, homepage, address, etc) attributes. Thanks in advance
RE: [ActiveDir] Firewall
The attributes are actually greyed out, and not even editable. I have no errors in the event log, all of the users that are having the problem (which I now know is not related to the firewall, due to the fact that I just found an instance proving otherwise... one more variable out of the way) have the same GPOs, they are using the same DNS, and the same version and patch level of XP. I can't think of any other things to check. Any other ideas?

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Tuesday, April 13, 2004 9:46 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Firewall

I'm not using the XP firewall yet, but I'll consider it with SP2 since it is much better. The built-in firewall isn't supposed to interfere with communications with DCs, I think. Are you getting any specific error message when users try to edit their attributes? Or do they just not have permission to do so? Check the event logs to see if there are any errors.

Robbie Foust, IT Analyst
Systems and Core Services
Duke University

Douglas M. Long wrote:

Do you all force your XP clients to have the built-in firewall enabled? Are there any cons (such as some GPs not working) to having it enabled? The reason I ask is I am having a problem finding the culprit which is causing some users the inability to edit their "editable" (phone number, homepage, address, etc) attributes. Thanks in advance
RE: [ActiveDir] Updating Schema to Windows 2003
So in summary, I should be able to adprep the forest with no problems if all DCs are running at least Windows 2000 SP3 and Exchange 2003?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 07, 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I have experienced this. But I only experienced it on one DL that was a global group; I changed it to a universal group. All my DLs are Universal groups now and I don't have replication issues.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 9:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Have you run into issues with Exchange pointing to GC servers in your subdomains and not being able to resolve recipients in a Distribution list unless the DLs are Universal DLs?

We have:
Root Forest: Windows 2000 with Exchange 2000 and most user accounts, Groups, DLs, etc
Subdomain: Windows 2003 with Exchange 2003 - mostly for development / testing, few accounts

Exchange at times used the DC in the Subdomain for GC lookups. Our DLs were not Universal, so when Exchange would attempt to resolve the recipients of the DL using the subdomain GC it would not find any members. At that point messages would die in the Categorizer queue. MS solution was to convert all mail-enabled groups to Universal or remove the subdomain DC from the Exchange Directory Servers list. Universal groups will publish all their members in the GCs, but this philosophy seems to contradict everything I read early on about trying to avoid the use of Universal Groups because of the increase in replication between GCs.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 07, 2004 9:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

One thing I did not mention is that I have Exchange 2003 deployed in my forest. What precautions need to be taken for this? I read the Q article 325379 but that talks about Exchange 2000.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 8:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Nope, I have one running just as you described.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 07, 2004 8:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

If the forest prep is done, are there any problems if a child domain is built as a Windows 2003 domain while the rest of the forest is still in Windows 2000?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, April 06, 2004 4:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Forest Prep will prepare your forest for the Windows 2003 upgrade. It will also expand your schema at that time.

S

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, April 06, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I really just want to prepare the forest for Windows 2003, I don't need the domains ready yet.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Tuesday, April 06, 2004 2:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Also, if you stick in the CD to upgrade a server, it will check the server and AD type, and will not upgrade until you have performed those steps. It even gives you the steps to perform that you can copy/paste.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, April 06, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I am not aware of any KB articles, but here are the steps that were performed on our upgrade.

The forest and domains are prepared by using the adprep command on the schema operations master and infrastructure operations master, respectively. (25min)

* At a command prompt, change to the \I386 directory on the installation media and then type:
  d:\i386\adprep /forestprep
* When prompted, type 'C', and then press ENTER to begin forest preparation, or type any other key, and then press ENTER to cancel.
* After the forest preparation data has replicated throughout the forest, prepare the domains for Windows Server 2003 as described below. The domain preparation operation must be performed on the infrastructure operations master of each domain in the forest. (no
RE: [ActiveDir] Active Directory GC Locator Services and why Exch ange would STILL be broke if the AD team fixed it - WAS: using dsacls.exe
Joe(ware) brings up an interesting point. AutoDL has been recommended for group management for some time. I don't expect that this is going to be the push going forward, but only because it hasn't been updated as a reskit item for several years. It works. But it's a workaround and not a very straightforward or client-intuitive one. The client is going to still try to update via OL, even if told otherwise. It's a feature that's been broken since updating that does not exist in 5.5. Since it doesn't do security groups (thank goodness) it is a niche solution IMHO. One that wouldn't scale well in large environments that only wanted to use it for OL replacement of DL modification. Since the genie is out of the bottle on DL/DG updates via OL, let's not retrain the users to be something they're not, and let's not try to force all the companies around the globe to get rid of older OL versions just for this. It can and should be fixed server side, even if we have to be concerned with multiple domains and some rearchitecting of DGs. I think that's a lot less work in an Exchange environment than replacing the desktop client interface to the email system.

My $0.02 (USD) anyway.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, April 12, 2004 7:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory GC Locator Services and why Exchange would STILL be broke if the AD team fixed it - WAS: using dsacls.exe

Don't worry. They are just using .NET P/Invoke to call the underlying DS* APIs (according to their architecture diagram), so hopefully fixes at the API level would flow into the managed code that consumes it. Based on Joe's detailed post, it is clear to me that the fix really needs to be considered at a lower level of the stack. It was definitely the case that the guys discussing S.DS.ActiveDirectory didn't understand the need for the fix (maybe they did after Roger explained; hard to say), but maybe they don't even need to.

I think the real benefit of the new managed code namespace is that for the first time, the functions that were only really available in the DS* APIs will be available to languages other than C++ (or VB with Declare syntax). There still isn't a good script story, but .NET will eventually get that too with MONAD and the like. In the meantime, anyone interested in .NET Directory Services programming can come bug us over at Carlos' Yahoo mailing list :)

Now I'm changing the subject

Joe Kaplan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, April 12, 2004 2:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory GC Locator Services and why Exchange would STILL be broke if the AD team fixed it - WAS: using dsacls.exe

Yeah understood. However they shouldn't fix it there, it should just be exposed there. It should be fixed in the underlying code. Not everyone is going to use .NET to get at this stuff and everyone shouldn't be coming up with different methods of doing resource location, otherwise it defeats the purpose of having it built in.

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, April 12, 2004 2:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory GC Locator Services and why Exchange would STILL be broke if the AD team fixed it - WAS: using dsacls.exe

You missed the session that we attended with regards to s.ds.activedirectory - and that was the team that didn't get it. They're writing from scratch a new interface within the .Net Framework that will include "easy to use" methods for retrieving DC/GC info. It struck a number of us that adding the ability to request a GC homed on a specific domain's DC wouldn't be that hard to implement.

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, April 12, 2004 1:51 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory GC Locator Services and why Exchange would STILL be broke if the AD team fixed it - WAS: using dsacls.exe

Hey I wanted to chime in on this one quickly. Note I am not ignoring other posts or the emails I am getting, just trying to dig myself out. In fact I had so many emails about a certain problem with people's understanding of things I made some code changes in CPAU so I can cut down my email volume by a couple of hundred emails every couple of days (I hope). :o)

Anyway, I don't think this is a Whidbey issue, though I guess Whidbey should know how to leverage the fixes that need to be made. There are two things I think MS needs to do that I see right off.

1. Add more DNS entries that
RE: [ActiveDir] logon scripts
What can I say? I'm still jet-lagged, I guess :) Thanks for the pointer.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Roger Seielstad
Sent: Tue 4/13/2004 6:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Except Deji forgets one important piece of information (which is rare for him) - VBScript doesn't natively run on Win9x. It requires a separate install of Windows Scripting Host.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 12:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Smart guy. :op

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Monday, April 12, 2004 11:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

I don't have a Win9X to test this on, but Win2K/2K3/XP is fair game for this:

    ' Map drives based on the user's group membership (WSH / VBScript logon script)
    Set wshNetwork = WScript.CreateObject("WScript.Network")
    Set wshShell = WScript.CreateObject("WScript.Shell")

    ' UNC paths of the shares to map
    str_Group1_Share = "\\myserver\myShare1"
    str_Exec_Share = "\\myserver\myShare2"
    str_BS_Share = "\\myserver\myShare3"
    str_Super_Share = "\\mySuperServer\SuperShare"
    strDriveToMap = "H:"

    ' Bind to the logged-on user via the WinNT provider and walk its groups
    usrName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
    Set usr = GetObject("WinNT://MyDomainName/" & usrName & ",user")

    For Each grp In usr.Groups
        WScript.Echo grp.Name
        If grp.Name = "BS-Group" Then
            wshNetwork.MapNetworkDrive strDriveToMap, str_BS_Share
            Exit For
        ElseIf grp.Name = "SOME_GROUP" Then
            wshNetwork.MapNetworkDrive strDriveToMap, str_Group1_Share
            Exit For
        ElseIf grp.Name = "yet_Another_Group" Or grp.Name = "Super-DuperUser" Then
            wshNetwork.MapNetworkDrive strDriveToMap, str_Super_Share
            wshNetwork.MapNetworkDrive "K:", str_Exec_Share
            Exit For
        End If
    Next

    Set usr = Nothing
    Set wshShell = Nothing
    Set wshNetwork = Nothing

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Nathan Casey
Sent: Mon 4/12/2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] logon scripts

What is a recommended logon script solution that will work with win9x, win2k/xp clients for drive mapping, etc that works similar to Novell logon scripts?

Example:

    IF MEMBER OF "GROUP" THEN BEGIN
        MAP H:=SERVER1\VOL1:
    END
RE: [ActiveDir] Updating Schema to Windows 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;278875

Salandra, Justin A. [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 04/13/2004 11:02 AM Please respond to ActiveDir To: [EMAIL PROTECTED] cc: Subject: RE: [ActiveDir] Updating Schema to Windows 2003
So in summary, I should be able to adprep the forest with no problems if all DCs are running at least Windows 2000 SP3 and Exchange 2003?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Wednesday, April 07, 2004 10:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Updating Schema to Windows 2003
I have experienced this. But I only experienced it on one DL that was a global group; I changed it to a universal group. All my DLs are Universal groups now and I don't have replication issues.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, April 07, 2004 9:39 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Updating Schema to Windows 2003
Have you run into issues with Exchange pointing to GC servers in your subdomains and not being able to resolve recipients in Distribution lists unless the DLs are Universal DLs? We have: Root forest: Windows 2000 with Exchange 2000 and most user accounts, groups, DLs, etc.; Subdomain: Windows 2003 with Exchange 2003 - mostly for development / testing, few accounts. Exchange at times used the DC in the subdomain for GC lookups. Our DLs were not Universal, so when Exchange would attempt to resolve the recipients of the DL using the subdomain GC it would not find any members. At that point messages would die in the Categorizer queue. MS solution was to convert all mail-enabled groups to Universal or remove the subdomain DC from the Exchange Directory Servers list. Universal groups will publish all their members in the GCs, but this philosophy seems to contradict everything I read early on about trying to avoid the use of Universal Groups because of the increase in replication between GCs.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Wednesday, April 07, 2004 9:15 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Updating Schema to Windows 2003
One thing I did not mention is that I have Exchange 2003 deployed in my forest. What precautions need to be taken for this? I read the Q article 325379 but that talks about Exchange 2000.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, April 07, 2004 8:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Updating Schema to Windows 2003
Nope, I have one running just as you described.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Wednesday, April 07, 2004 8:50 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Updating Schema to Windows 2003
If the forest prep is done, are there any problems if a child domain is built as a Windows 2003 domain while the rest of the forest is still in Windows 2000?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff Sent: Tuesday, April 06, 2004 4:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Updating Schema to Windows 2003
Forest Prep will prepare your forest for the Windows 2003 upgrade. It will also expand your schema at that time. S

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Tuesday, April 06, 2004 12:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Updating Schema to Windows 2003
I really just want to prepare the forest for Windows 2003, I don't need the domains ready yet.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent Sent: Tuesday, April 06, 2004 2:22 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Updating Schema to Windows 2003
Also, if you stick in the CD to upgrade a server, it will check the server and AD type, and will not upgrade until you have performed those steps. It even gives you the steps to perform that you can copy/paste.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff Sent: Tuesday, April 06, 2004 1:19 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Updating Schema to Windows 2003
I am not aware of any KB articles, but here are the steps that were performed on our upgrade. The forest and domains are prepared by using the adprep command on the schema operations master and infrastructure operations master, respectively. (25min)
* At a command prompt, change to the \I386 directory on the installation media and then type: d:\i386\adprep /forestprep
* When prompted, type 'C', and then press ENTER to begin forest preparation, or type any other key, and then press
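Before running the adprep steps Steve lists, a practitioner wants to confirm the starting point: which DC holds the schema master (where /forestprep runs) and the infrastructure master (where /domainprep runs), what the schema version currently is, which OS and service pack each DC runs (Justin's SP3 question), and whether Exchange has already extended the schema (Justin's Exchange 2003 question). The script below is an added, read-only example; it is not part of the thread or of Microsoft's adprep procedure, and it uses only ADSI from a domain-joined Windows PowerShell session. The objectVersion table is Microsoft's published mapping; for Exchange only the raw rangeUpper value is printed, to be compared against Microsoft's documentation.

```powershell
# Added example, not from the thread: pre-flight check before adprep /forestprep and
# /domainprep. Reads only; nothing in the directory is changed.

function Get-ResultValue {
    # First value of an attribute from a SearchResult, or $null if it is not present.
    param($Result, [string] $Name)
    $key = $Name.ToLower()   # SearchResult property names are lower-cased
    if ($Result -and $Result.Properties.Contains($key)) { return $Result.Properties[$key][0] }
    return $null
}

function Get-AdAttribute {
    # Read one attribute of one object with a base-scope search; $null if the object is missing.
    param([string] $Dn, [string] $Attribute)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$Dn"
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=*)'
    [void]$searcher.PropertiesToLoad.Add($Attribute)
    try { $result = $searcher.FindOne() } catch { return $null }
    return Get-ResultValue -Result $result -Name $Attribute
}

function Get-FsmoServerName {
    # fSMORoleOwner holds the DN of the role holder's NTDS Settings object:
    # "CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,..." -> <server>
    param([string] $NtdsSettingsDn)
    if (-not $NtdsSettingsDn) { return $null }
    return (($NtdsSettingsDn -split ',')[1] -replace '^CN=', '')
}

# objectVersion of the Schema container, per Microsoft's published table.
$SchemaVersions = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'
                     44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012'
                     69 = 'Windows Server 2012 R2'; 87 = 'Windows Server 2016'; 88 = 'Windows Server 2019/2022' }

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = "$($rootDse.schemaNamingContext)"
$domainNc = "$($rootDse.defaultNamingContext)"

$schemaVersion = [int](Get-AdAttribute -Dn $schemaNc -Attribute 'objectVersion')
$schemaMaster  = Get-FsmoServerName (Get-AdAttribute -Dn $schemaNc -Attribute 'fSMORoleOwner')
$infraMaster   = Get-FsmoServerName (Get-AdAttribute -Dn "CN=Infrastructure,$domainNc" -Attribute 'fSMORoleOwner')
# Exchange records its schema level in rangeUpper of this attribute; absent if Exchange never prepped the forest.
$exchVersion   = Get-AdAttribute -Dn "CN=ms-Exch-Schema-Version-Pt,$schemaNc" -Attribute 'rangeUpper'

$versionLabel = if ($SchemaVersions.ContainsKey($schemaVersion)) { $SchemaVersions[$schemaVersion] } else { 'unknown' }
"Schema version        : $schemaVersion ($versionLabel)"
"Schema master         : $schemaMaster  (run adprep /forestprep here)"
"Infrastructure master : $infraMaster  (run adprep /domainprep here)"
"Exchange schema level : $(if ($exchVersion) { $exchVersion } else { 'not present' })"

# Every DC in the domain (userAccountControl bit 8192 = SERVER_TRUST_ACCOUNT) with its OS and service pack.
$dcSearcher = New-Object System.DirectoryServices.DirectorySearcher
$dcSearcher.SearchRoot = [ADSI]"LDAP://$domainNc"
$dcSearcher.Filter     = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$dcSearcher.PropertiesToLoad.AddRange([string[]]@('name', 'operatingSystem', 'operatingSystemServicePack'))
"Domain controllers:"
foreach ($dc in $dcSearcher.FindAll()) {
    '  {0,-20} {1} {2}' -f (Get-ResultValue $dc 'name'), (Get-ResultValue $dc 'operatingSystem'),
                           (Get-ResultValue $dc 'operatingSystemServicePack')
}
```

Run it as an ordinary domain user; every value it reads is world-readable in a default forest. The two FSMO names are the hosts to log on to for the two adprep commands, and the DC list is the place to confirm that no DC is below the service pack level you have decided on before /forestprep is started.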
RE: [ActiveDir] Wlan AD Security
That's a pretty valid argument to put any access to your network into an untrusted network segment, isn't it? Remote access, wired access (what about vendors that jack in?), etc. There's some talk about using the reskit stuff to quarantine the network access. Some of the AP providers offer this type of usage as well. One of the better ways to accomplish authorized access only is to use strong authentication. WEP isn't it. Cracking WEP is published and pretty quick. MAC layer isn't all that great either since you can spoof the MAC address to gain access. Certificates are nice, except that some of your downlevel and handheld devices won't like it. I'd say this is a pretty valid argument to rethink security (for many companies) from a "keep out the bad guys and we'll be fine" mentality to a "let's figure out what we need to protect on our network and add security to those parts to protect from outside the firewall as well as the inside of the firewall" mentality. When you can sip coffee or favorite hot beverage of choice downstairs and wander a company's network two floors above or across the street, the possibilities are limitless. I favor the certificate method and VPN for wireless access, but that only addresses part of the issue IMHO. Al

-Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 12:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Wlan AD Security
Chris, We sometimes become off-topic city. No worries there. This is an interesting topic, and one that I will fall clearly on one side of because of my experiences at my company. Treat your access points like untrusted computers in the public DMZ. There is really no way that one should treat an access point in any other way. Given that the signals coming into an AP cannot truly be verified, one must add extra methods to ensure security. The way that I prefer to see this accomplished is by placing the APs into an untrusted area of the network, applying a 128-bit WEP key, then using some added methods consistent with 802.1x. This can either be PEAP (using RADIUS / IAS), Cisco's LEAP, or other secure methods for providing strong authentication. Obviously, the stronger the better, and two-factor (RSA fob, smart card, what have you) is magnitudes better than single-factor authN. I'm still fighting to get my APs at work in the DMZ. They are, at present, on our internal network. They are PEAP protected, but somehow I'm just not all that heartened by the simple addition of PEAP to untrusted devices. Rick Kingslan MCSE, MCSA, MCT, CISSP Microsoft MVP: Windows Server / Directory Services Windows Server / Rights Management Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone WebLog - www.msmvps.com/willhack4food

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Blair Sent: Monday, April 12, 2004 8:47 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Wlan AD Security
This may be slightly off topic, sorry. I am looking to deploy wireless access points for our users to access our AD. I am currently reading the white paper from Microsoft named "Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows". Has anyone else implemented this? I have also read about putting the APs outside of the network and using VPN to access any AD-related resources. Sounds easier, but is it as secure? Does anyone else have any other solutions?
List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Firewall
Permissions? What else is different about them? Just because they have the same GPOs, are they applied as expected to the users affected? Are they in the same OUs, etc.? RSOP might be a worthwhile tool to look at if you suspect the GPO is not firing correctly, but greyed-out tabs are usually due to only having read permissions on the attribute. If this is unexpected, then have a look at your process to apply the permissions and see if anything went astray there. Al

-Original Message- From: Douglas M. Long [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 10:08 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Firewall
The attributes are actually greyed out, and not even editable. I have no errors in the event log, all of the users that are having the problem (which I now know is not related to the firewall, due to the fact that I just found an instance proving otherwise... one more variable out of the way) have the same GPOs, they are using the same DNS, and the same version and patch level of XP. I can't think of any other things to check. Any other ideas? Thanks

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robbie Foust Sent: Tuesday, April 13, 2004 9:46 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Firewall
I'm not using the XP firewall yet, but I'll consider it with SP2 since it is much better. The built-in firewall isn't supposed to interfere with communications with DCs, I think. Are you getting any specific error message when users try to edit their attributes? Or do they just not have permission to do so? Check the event logs to see if there are any errors. Robbie Foust, IT Analyst Systems and Core Services Duke University

Douglas M. Long wrote:
Do you all force your XP clients to have the built-in firewall enabled? Are there any cons (such as some GPs not working) to having it enabled? The reason I ask is I am having a problem finding the culprit which is causing some users the inability to edit their editable (phone number, homepage, address, etc.) attributes. Thanks in advance
RE: [ActiveDir] logon scripts
To quote Tony Murray-Smith - "I'm still trying to get used to being sober" -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

From: deji Agba [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 11:11 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] logon scripts
What can I say? I'm still jet-lagged, I guess :) Thanks for the pointer. Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Active Directory www.akomolafe.com www.iyaburo.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
RE: [ActiveDir] DFS use question
Have you checked out the latest features in the Robocopy that comes w/ Windows 2003 Reskit? Very cool stuff...

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, April 13, 2004 9:51 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] DFS use question
What would you all recommend instead? NSI DoubleTake?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 8:16 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DFS use question
I concur... especially considering the restore time in the event that replication screws up and critical information is pushed off to a Staging area, inaccessible to the user.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Monday, April 12, 2004 11:30 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DFS use question
With all due respect to those that absolutely think that FRS v1 is hot, I'm quite pleased that there has been this level of success with it. However, even Microsoft admits that FRS is... well, broken. It gets better with each QFE, Service Pack and HotFix, but the basics are just flat broken. I'm not sure that I'd recommend it for anything remotely critical. But, to each his own. Rick Kingslan MCSE, MCSA, MCT, CISSP Microsoft MVP: Windows Server / Directory Services Windows Server / Rights Management Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone WebLog - www.msmvps.com/willhack4food

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of E Brown Sent: Monday, April 12, 2004 2:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DFS use question
This is not out of the realm of FRS. I work with some folks that sync 240+GB between 12 servers using T-1 as well. There are some tuning factors that should be followed: What is the DFS topology? Make sure you are using the DFS/FRS tuning docs. Set up Ultrasound to monitor... Let me know if you need more details.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Sunday, April 11, 2004 7:06 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] DFS use question
We have one of our largest sites in England and another large site in the US, with at least a full T-1 between the two sites. We have a share with about 70GB of data in it, that both sites regularly need to access. Would this be something we could use DFS for with automatic replication, or is this way out of DFS's range? And if it's out of the range of DFS, how are others solving this issue? A program like Veritas Storage Replicator, or NSI DoubleTake? Or will DFS suffice?
~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] logon scripts
Sober? What's that??? :) /Jimmy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Tuesday, April 13, 2004 6:22 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] logon scripts
To quote Tony Murray-Smith - "I'm still trying to get used to being sober" -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.
RE: [ActiveDir] DFS use question
Would that work ok on an all Win2000 domain on Win2000 servers?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 9:07 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DFS use question
Have you checked out the latest features in the Robocopy that comes w/ Windows 2003 Reskit? Very cool stuff...
RE: [ActiveDir] logon scripts
Jet-lagged? Did you take a long detour on the way home? :)

From: deji Agba [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 11:11 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] logon scripts
What can I say? I'm still jet-lagged, I guess :) Thanks for the pointer. Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Active Directory www.akomolafe.com www.iyaburo.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
RE: [ActiveDir] Firewall
I can't find anything else different. I get the same results for working and non-working users when I run gpresult. They are in the same OU, and GPs are applied as expected. I may sound stupid, but where do I set the attribute permissions for a single user? Isn't that something that I would have had to do intentionally (and would most likely have remembered)?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, April 13, 2004 12:03 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Firewall
Permissions? What else is different about them? Just because they have the same GPOs, are they applied as expected to the users affected? Are they in the same OUs, etc.? RSOP might be a worthwhile tool to look at if you suspect the GPO is not firing correctly, but greyed-out tabs are usually due to only having read permissions on the attribute. If this is unexpected, then have a look at your process to apply the permissions and see if anything went astray there. Al
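Al's diagnosis (greyed-out fields usually mean the editing account holds only Read on those attributes) and Douglas's question of where a per-user permission would have come from can both be answered from the object's ACL. The script below is an added example, not code from the thread: for a working and a non-working user it lists every ACE that grants or denies WriteProperty on the property sets holding the phone, address and web page fields, and reports whether inheritance is blocked on the object. Blocked inheritance is the common way one user's ACL comes to differ from its neighbours' without anyone editing it: an account that is, or once was, in a protected group gets adminCount=1 and the AdminSDHolder ACL with inheritance off, and any rights delegated at the OU stop applying to it. That is general AD behaviour, not something the thread establishes about Douglas's case. The script assumes the ActiveDirectory module from RSAT and the placeholder account names working.user and broken.user.

```powershell
# Added example, not from the thread: compare write access to the contact-information
# property sets on two user objects. Read-only; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# rightsGuid of the property sets that the phone, address and web page attributes live in.
$PropertySets = @{
    '77b5b886-944a-11d1-aebd-0000f80367c1' = 'Personal Information'
    'e45795b2-9455-11d1-aebd-0000f80367c1' = 'Web Information'
    'e45795b3-9455-11d1-aebd-0000f80367c1' = 'Phone and Mail Options'
}

function Get-ContactInfoAccess {
    # Returns the object's adminCount, whether its ACL blocks inheritance, and one line
    # per ACE that can write (or is denied writing) the property sets above.
    param([Parameter(Mandatory = $true)] [string] $SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    $writeProperty = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    $writers = foreach ($ace in $acl.Access) {
        # GenericWrite and GenericAll include the WriteProperty bit, so they match too.
        if (([int]$ace.ActiveDirectoryRights -band $writeProperty) -eq 0) { continue }
        $guid = $ace.ObjectType.ToString()
        if ($ace.ObjectType -eq [guid]::Empty)    { $scope = 'All properties' }
        elseif ($PropertySets.ContainsKey($guid)) { $scope = $PropertySets[$guid] }
        else                                      { continue }   # some other attribute or set
        # Deny ACEs are kept on purpose: a Deny on SELF greys the fields out just as well.
        '{0,-5} {1,-45} {2}' -f $ace.AccessControlType, $ace.IdentityReference.Value, $scope
    }
    [pscustomobject]@{
        User               = $SamAccountName
        AdminCount         = $user.adminCount            # 1 = protected by AdminSDHolder
        InheritanceBlocked = $acl.AreAccessRulesProtected
        Writers            = @($writers)
    }
}

$working = Get-ContactInfoAccess -SamAccountName 'working.user'
$broken  = Get-ContactInfoAccess -SamAccountName 'broken.user'

$working, $broken | Select-Object User, AdminCount, InheritanceBlocked | Format-Table -AutoSize

"Write ACEs present on $($working.User) but missing on $($broken.User):"
$working.Writers | Where-Object { $broken.Writers -notcontains $_ }

"Write ACEs present on $($broken.User) but not on $($working.User) (look for Deny here):"
$broken.Writers | Where-Object { $working.Writers -notcontains $_ }
```

Run it as an account that can read both objects' security descriptors. An Allow that shows up only for working.user is the grant to restore on broken.user; a Deny that shows up only for broken.user is the one to remove. If InheritanceBlocked is True and AdminCount is 1, the difference comes from protected-group membership and the AdminSDHolder ACL rather than from the OU delegation, and re-enabling inheritance on the object alone will not stick.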
RE: [ActiveDir] logon scripts - Kixtart
We too are using ScriptLogic, but we've had problems in the past running it over our WAN. That being said our problems are not typical and are a drawback from our wonderful bridged WAN and have nothing to do with the product. I like ScriptLogic though, it's very basic and easy to learn and understand. I've been able to do a lot of stuff with a couple of clicks in SL that would require a couple lines of code in VB. Thanks, Raymond
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Tuesday, April 13, 2004 6:50 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] logon scripts - Kixtart We do. Actually, we also use ScriptLogic which greatly improves the process of putting together kixtart scripts for diverse groups with many different requirements. If you're just getting started with KiXtart, I'd highly recommend taking a look at the message boards and other resources at www.kixtart.org, as well as ScriptLogic's own site. mc
-Original Message- From: Kelly Jeglum [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 9:36 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] logon scripts - Kixtart Is anyone using Kixtart as a utility along with their logon scripts? Kelly J. Jeglum LAN Mgr. Auxiliary Services University of Wisconsin Milwaukee
-Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Monday, April 12, 2004 11:48 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] logon scripts LOL! -rtk
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba Sent: Monday, April 12, 2004 11:28 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] logon scripts I don't remember telling you my middle name :p Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Active Directory www.akomolafe.com www.iyaburo.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Rick Kingslan Sent: Mon 4/12/2004 9:19 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] logon scripts Smart guy.
:op -rtk
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba Sent: Monday, April 12, 2004 11:13 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] logon scripts I don't have a Win9X to test this on, but Win2K/2K3/XP is fair game for this:

    Set wshNetwork = WScript.CreateObject("WScript.Network")
    Set wshShell = WScript.CreateObject("WScript.Shell")
    ' UNC share paths (the archived mail shows these as file:// links)
    str_Group1_Share = "\\myserver\myShare1"
    str_Exec_Share = "\\myserver\myShare2"
    str_BS_Share = "\\myserver\myShare3"
    str_Super_Share = "\\mySuperServer\SuperShare"
    strDriveToMap = "H:"
    usrName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
    ' Bind to the logged-on user via the WinNT provider and walk its groups
    Set usr = GetObject("WinNT://MyDomainName/" & usrName & ",user")
    For Each grp In usr.Groups
        WScript.Echo grp.Name
        If grp.Name = "BS-Group" Then
            wshNetwork.MapNetworkDrive strDriveToMap, str_BS_Share
            Exit For
        ElseIf grp.Name = "SOME_GROUP" Then
            wshNetwork.MapNetworkDrive strDriveToMap, str_Group1_Share
            Exit For
        ElseIf grp.Name = "yet_Another_Group" Or grp.Name = "Super-DuperUser" Then
            wshNetwork.MapNetworkDrive strDriveToMap, str_Super_Share
            wshNetwork.MapNetworkDrive "K:", str_Exec_Share
            Exit For
        End If
    Next
    Set usr = Nothing
    Set wshShell = Nothing
    Set wshNetwork = Nothing

HTH Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Active Directory www.akomolafe.com www.iyaburo.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Nathan Casey Sent: Mon 4/12/2004 4:17 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] logon scripts What is a recommended logon script solution that will work with win9x, win2k/xp clients for drive mapping, etc that works similar to Novell logon scripts? Example: IF MEMBER OF GROUP THEN BEGIN MAP H:=SERVER1\VOL1: END
[ActiveDir] enterprise-wide accounts
We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the meantime, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn't allow logon to all the member servers. How do I best grant domain admin-level rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice. Thanks! Mark Creamer Systems Engineer Cintas Corporation Honesty and Integrity in Everything We Do
RE: [ActiveDir] enterprise-wide accounts
What about adding them to each domain admins group for each domain?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Tuesday, April 13, 2004 4:05 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] enterprise-wide accounts We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the meantime, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn't allow logon to all the member servers. How do I best grant domain admin-level rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice. Thanks! Mark Creamer Systems Engineer Cintas Corporation Honesty and Integrity in Everything We Do
RE: [ActiveDir] Photos in Active Directory
All, Thanks for the feedback. There's some good information here that will help us determine the best way to do this. We're going to have an AMER and EMEA domain with an empty root but want to quickly and easily obtain the photo of any individual for security purposes. Over 60,000 users. I agree that it's not necessarily something that we want replicated on all domain controllers. But the nature of our WAN dictates that we need to have all photos fairly local -- pulling from across the Atlantic is too tedious even for small files. We have decent connectivity within those domains. I originally was leaning toward SQL with a web front-end and deal with the latency (or replicate/cluster). However, AD/AM is an interesting idea as well as we can then have separate front-ends and pull from the replicated (only where necessary) database. We're going to have additional issues like how do we get digital photos of everyone and who's going to crop or compress all of the photos, etc, etc, etc. Sounds like fun... Thanks, Mike
Guido's response is the first thing I thought of as well. I don't think AD is a proper place for that info for a couple of reasons
1. Do you really need this replicated to every DC?
2. If someone dumps your AD, they get all of the photos too, how many people would like to have their entire company including photos of everyone distributed around. I personally don't like having my photo floating around and don't have it in our corporate photo system (which is a web site, not in AD).
3. You are growing your DIT for no real NOS benefit.
4. You could really live to regret this when people decide to get creative.
Also, how do you intend to display this info? Obviously having it out there is for the single purpose of displaying it later. If you have people put it in and no way to display, someone will call you out on that. I would stick this info in an AD/AM or SQL Server or something along those lines. Also put up some strict standards on what images get added.
I know of a case where some monkey where I work had a picture of himself with a cat in the hat hat on. I recall seeing that photo one day, hearing he complained up to the IT Director under the CIO for something or another and then hearing from some friends that his cat in the hat photo was suddenly gone from the directory. So I figure the Director wanted to look this gomer up in the Org list and up popped that photo much to the director's distaste. I have also seen some other more frightful images for a corporate directory that could spawn lawsuits. joe - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Friday, April 09, 2004 1:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Photos in Active Directory WARNING: let's look at the security aspects of photos in AD from another side. You need to be aware that the photo attribute is editable by default by every user himself (just like all the other attributes which are part of the personal information property set). But the photo-attribute is somewhat special: it's a binary blob which basically has no size limit... (depends on LDAP policy max msg size). This means that if you don't lock down this attribute, every user could potentially upload really large images (think of a 1 GB image) to this attribute and kill all your DCs anytime he'd like either through replication or simply growing the DIT-file over the limits of your disks. So even if you're not going to use this attribute to store photos, you should also ensure that nobody else does it for you. /Guido
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw Sent: Tuesday, 6. April 2004 17:55 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Photos in Active Directory I think the benefit is obvious - security.
You may want to consider using Active Directory Application Mode or setting up an Application Partition in AD (assuming you are using W2K3). Either would enable you to isolate the data replication. Photos shouldn't change much so once you have done your initial replication there shouldn't really be any additional traffic to bear.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert Sent: Tuesday, April 06, 2004 12:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Photos in Active Directory It all depends on how large your organisation is I guess, how many sites, WAN links, etc. I wouldn't really recommend it as you really want to keep your AD as small as possible for replication and performance reasons. What benefit will you get out of having users' photos in the user object?
-Original Message- From: [EMAIL
RE: [ActiveDir] Wlan AD Security
I would say that the link below gives a pretty good reason for not plugging APs into internal LAN: http://www.cisco.com/en/US/products/products_security_advisory09186a00802119c8.shtml Guy
On Tue, 2004-04-13 at 18:12, Mulnick, Al wrote: That's a pretty valid argument to put any access to your network into an untrusted network segment, isn't it? Remote access, wired access (what about vendors that jack-in?) etc. There's some talk about using the reskit stuff to quarantine the network access. Some of the AP providers offer this type of usage as well. One of the better ways to accomplish authorized access only is to use strong authentication. WEP isn't it. Cracking WEP is published and pretty quick. MAC layer isn't all that great either since you can spoof the MAC address to gain access. Certificates are nice, except that some of your downlevel and handheld devices won't like it. I'd say this is a pretty valid argument to rethink security (for many companies) from a keep out the bad guys and we'll be fine mentality to a let's figure out what we need to protect on our network and add security to those parts to protect from outside the firewall as well as the inside of the firewall mentality. When you can sip coffee or favorite hot beverage of choice downstairs and wander a company's network two floors above or across the street, the possibilities are limitless. I favor the certificate method and VPN for wireless access, but that only addresses part of the issue IMHO. Al
-Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 12:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Wlan AD Security Chris, We sometimes become off-topic city. No worries there. This is an interesting topic, and one that I will fall clearly on one side of because of my experiences at my company. Treat your access points like untrusted computers in the public DMZ. There is really no way that one should treat an access point in any other way.
Given that the signals coming into an AP cannot truly be verified, one must add extra methods to ensure security. The way that I prefer to see this accomplished is by placing the AP's into an untrusted area of the network, applying a 128-bit WEP key, then using some added methods consistent with 802.1x. This can either be PEAP (using RADIUS / IAS), Cisco's LEAP, or other secure methods for providing strong authentication. Obviously, the stronger the better, and two-factor (RSA fob, smart card, what have you) is magnitudes better than a single factor authN. I'm still fighting to get my APs at work in the DMZ. They are, at present, on our internal network. They are PEAP protected, but somehow I'm just not all that heartened by the simple addition of PEAP to untrusted devices. Rick Kingslan MCSE, MCSA, MCT, CISSP Microsoft MVP: Windows Server / Directory Services Windows Server / Rights Management Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone WebLog - www.msmvps.com/willhack4food
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Blair Sent: Monday, April 12, 2004 8:47 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Wlan AD Security This may be slightly off topic, sorry. I am looking to deploy wireless access points for our users to access our AD. I am currently reading the white paper from Microsoft named Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows. Has anyone else implemented this? I have also read about putting the AP's outside of the network and using VPN to access any AD related resources. Sounds easier, but is it as secure? Does anyone else have any other solutions?
RE: [ActiveDir] DFS use question
Robocopy is a program that copies files and as I recall, can be scheduled. But if I understand the requirements properly, that's not all you really need. It sounds like the files get used by users on both sides of the pond and potentially, what you may really need is a library type application. The deciding point is whether or not the users want access to the same files or not for update. Do they need to check in and check out documents for document control? Or is this all just read-only information for them to consume? If just to read the information, then you are looking for a product with the characteristics of being able to keep the information in sync within a given time period. DoubleTake could probably do this for you, but it's not really supposed to do just that. It's more of a side benefit from what I've seen. Robocopy could do it, but it may not be able to handle the synchronization timelines if too tight for the bandwidth. DFS is capable of doing this, but you'd want to check it out and understand that it has some limitations. Many will tell you to stay away, while others will swear by it. YMMV is the bottom line since the product devs will tell you it absolutely can do this. Before you go any further, can you let us know what the client usage requirement is? If they use the documents in a library function, then none of the previously mentioned items will likely make you happy IMHO. Al
-Original Message- From: Rimmerman, Russ [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 12:50 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] DFS use question Would that work ok on an all Win2000 domain on Win2000 servers?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 9:07 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DFS use question Have you checked out the latest features in the Robocopy that comes w/ Windows 2003 Reskit? Very cool stuff...
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, April 13, 2004 9:51 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] DFS use question What would you all recommend instead? NSI DoubleTake?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 8:16 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DFS use question I concur... especially considering the restore time in the event that replication screws up and critical information is pushed off to a Staging area, inaccessible to the user.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Monday, April 12, 2004 11:30 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DFS use question With all due respect to those that absolutely think that FRS v1 is hot, I'm quite pleased that there has been this level of success with it. However, even Microsoft admits that FRS is... well, broken. It gets better with each QFE, Service Pack and HotFix, but the basics are just flat broken. I'm not sure that I'd recommend it for anything remotely critical. But, to each his own. Rick Kingslan MCSE, MCSA, MCT, CISSP Microsoft MVP: Windows Server / Directory Services Windows Server / Rights Management Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone WebLog - www.msmvps.com/willhack4food
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of E Brown Sent: Monday, April 12, 2004 2:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DFS use question This is not out of the realm of FRS. I work with some folks that sync 240+GB between 12 servers using T-1 as well. There are some tuning factors that should be followed: What is the DFS topology? Make sure you're using the DFS FRS tuning docs. Set up Ultrasound to monitor... Let me know if you need more details.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Sunday, April 11, 2004 7:06 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] DFS use question We have one of our largest sites in England and another large site in the US, with at least a full T-1 between the two sites. We have a share with about 70GB of data in it, that both sites regularly need to access. Would this be something we could use DFS for with automatic replication, or is this way out of DFS's range? And if it's out of the range of DFS, how are others solving this issue? A program like Veritas Storage Replicator, or NSI DoubleTake? Or will DFS suffice? ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee.
[ActiveDir] GPO
I used a Windows XP client running the GPMC and setup items in a GPO that are for Windows XP and higher, however it appears that they are not going into effect. I should not need a 2003 DC running in order to have these GPO settings take effect right? Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED]
RE: [ActiveDir] enterprise-wide accounts
Could you use a Universal Group?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 3:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] enterprise-wide accounts What about adding them to each domain admins group for each domain?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Tuesday, April 13, 2004 4:05 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] enterprise-wide accounts We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the mean time, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn't allow logon to all the member servers. How do I best grant domain admin-level rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice. Thanks! Mark Creamer Systems Engineer Cintas Corporation Honesty and Integrity in Everything We Do
RE: [ActiveDir] Photos in Active Directory
If you're using this for security reasons, then the main challenge will not only be how to get a digital photo of everyone, but also to prove that the JPEG file you're receiving to upload into AD is really the person who it's supposed to represent... - I'm sure that's the most fun part. And obviously you must limit the permissions on the appropriate attribute in AD as previously mentioned. The quality of the photos will really dictate what you can do with it and what the impact on AD would be - do you only need it for a rough visual comparison on a monitor (5-6 KB thumbnail JPEG of a face will do) or do you need a picture to view on a monitor at a distance (i.e. full page) which is also good enough to print as small picture (25-35 KB JPEG file) e.g. to create badges. I won't even consider mentioning high-res pictures. But the two examples above, calculated for 60,000 users will roughly grow your AD dit file as follows: Thumbnail (5-6 KB) = 300 - 360 MB Full Page (25-35 KB) = 1.500 - 2.100 MB As I expect your dit to be at roughly 2-3 GB right now without the photos, you'd be talking about an increase of approx. 10% vs. 50% of data in AD. I was just interested myself on the impact on AD in a scenario such as yours which is why I did this rough estimate. As such the thumbnail option isn't really that much of an impact on AD after all... But don't forget that you'll have to add the photo-attribute to the GC PAS (currently not the case) if you truly want to access the data no matter which DC you connect to. However, if you accept the size increase, it shouldn't add too much to your daily replication volume (once all the photos are in AD), as this data should be pretty static (unless you plan to update it every day with the most current picture of the user ;-)) But no matter what, you'll definitely have more flexibility using a separate store for the photo data and just linking the right picture to the right AD account.
You'll even be able to delegate the task of updating the pictures much more easily without having to trust your NOS directory admins that they don't fool around with this security data. /Guido
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, 13. April 2004 22:18 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Photos in Active Directory All, Thanks for the feedback. There's some good information here that will help us determine the best way to do this. We're going to have an AMER and EMEA domain with an empty root but want to quickly and easily obtain the photo of any individual for security purposes. Over 60,000 users. I agree that it's not necessarily something that we want replicated on all domain controllers. But the nature of our WAN dictates that we need to have all photos fairly local -- pulling from across the Atlantic is too tedious even for small files. We have decent connectivity within those domains. I originally was leaning toward SQL with a web front-end and deal with the latency (or replicate/cluster). However, AD/AM is an interesting idea as well as we can then have separate front-ends and pull from the replicated (only where necessary) database. We're going to have additional issues like how do we get digital photos of everyone and who's going to crop or compress all of the photos, etc, etc, etc. Sounds like fun... Thanks, Mike
Guido's response is the first thing I thought of as well. I don't think AD is a proper place for that info for a couple of reasons
1. Do you really need this replicated to every DC?
2. If someone dumps your AD, they get all of the photos too, how many people would like to have their entire company including photos of everyone distributed around. I personally don't like having my photo floating around and don't have it in our corporate photo system (which is a web site, not in AD).
3. You are growing your DIT for no real NOS benefit.
4. You could really live to regret this when people decide to get creative.
Also, how do you intend to display this info? Obviously having it out there is for the single purpose of displaying it later. If you have people put it in and no way to display, someone will call you out on that. I would stick this info in an AD/AM or SQL Server or something along those lines. Also put up some strict standards on what images get added. I know of a case where some monkey where I work had a picture of himself with a cat in the hat hat on. I recall seeing that photo one day, hearing he complained up to the IT Director under the CIO for something or another and then hearing from some friends that his cat in the hat photo was suddenly gone from the directory. So I figure the Director wanted to look this gomer up in the Org list and up popped that photo much to the director's distaste. I have also seen some other more frightful images for a corporate directory that could spawn
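Guido's two points in this thread, that the photo attribute is writable by each user for their own object and that its size drives DIT growth, both call for a way to see what is actually stored. The following audit script is an added example, not code from any poster; it assumes the attribute in question is thumbnailPhoto (adjust PHOTO_ATTR if your schema uses another), a hypothetical search base, and a threshold set just above the 25-35 KB "full page" figure from the post.

```vbscript
' Added example: list user objects whose photo attribute exceeds a size
' threshold and sum the bytes, using an ADO query over the LDAP provider.
Option Explicit

Const SEARCH_BASE = "LDAP://DC=corp,DC=example,DC=com"   ' hypothetical domain
Const PHOTO_ATTR  = "thumbnailPhoto"                     ' assumption: adjust to your schema
Const LIMIT_BYTES = 36864                                ' 36 KB, just above the 25-35 KB case

Dim conn, cmd, rs, photo, bytes, total, totalBytes, flagged

Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"

Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
' Only user objects that actually have the attribute populated
cmd.CommandText = "<" & SEARCH_BASE & ">;" & _
    "(&(objectCategory=person)(objectClass=user)(" & PHOTO_ATTR & "=*));" & _
    "distinguishedName," & PHOTO_ATTR & ";subtree"
' Paged search, so more results than the server's MaxPageSize still come back
cmd.Properties("Page Size") = 500

Set rs = cmd.Execute
total = 0: totalBytes = 0: flagged = 0
Do Until rs.EOF
    ' A binary (octet string) attribute is returned as a Byte array
    photo = rs.Fields(PHOTO_ATTR).Value
    If IsArray(photo) Then
        bytes = UBound(photo) - LBound(photo) + 1
    Else
        bytes = 0
    End If
    total = total + 1
    totalBytes = totalBytes + bytes
    If bytes > LIMIT_BYTES Then
        flagged = flagged + 1
        WScript.Echo "OVERSIZE " & bytes & " bytes: " & rs.Fields("distinguishedName").Value
    End If
    rs.MoveNext
Loop
rs.Close
conn.Close

' Totals give the same kind of DIT-growth figure the post estimates by hand
WScript.Echo total & " users with " & PHOTO_ATTR & ", " & _
    Round(totalBytes / 1048576, 1) & " MB in total, " & _
    flagged & " over " & LIMIT_BYTES & " bytes"
```

Run it with cscript from an account that can read the attribute; scheduling it and diffing the output is the simplest way to notice an unexpectedly large upload before replication or disk space becomes the symptom.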
RE: [ActiveDir] enterprise-wide accounts
Domain Admins is a global group and as such you can't add users from other domains to it. While other global groups can be converted to universal groups, you can't do so for the domain admins group. A solution to your problem is to use the restricted groups GPO feature (which will not work for your legacy machines in the AD domain) to add a universal group to the administrators group of all Server-OUs. I wouldn't want to set this GPO at the domain level, as then you're putting your AD domains at risk as well, if you do something wrong... The UG to use can either be the Enterprise Admins group or any other UG you assign for the task. /Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M. Sent: Tuesday, 13. April 2004 22:16 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] enterprise-wide accounts What about adding them to each domain admins group for each domain?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Tuesday, April 13, 2004 4:05 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] enterprise-wide accounts We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the meantime, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn't allow logon to all the member servers. How do I best grant domain admin-level rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice. Thanks! Mark Creamer Systems Engineer Cintas Corporation Honesty and Integrity in Everything We Do
RE: [ActiveDir] enterprise-wide accounts
Alternatively you can do what we do here. We have a startup script that runs from a GPO that adds a group to the local administrators group every time the machine is started up. The script looks like this net localgroup administrators /add "domain\admins" Just create a UG for all the admins and add them to it, then when the servers are rebooted this script will run and add the group to the machine's local administrator group. If you can't wait for the servers to be rebooted you can create a script that will read the servers in line by line and add this group to their local administrators group. Don't get me wrong Guido's solution will work also but won't Restricted groups remove any groups that are in the administrators group now except for the ones you specify? Mike
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Tuesday, April 13, 2004 5:47 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] enterprise-wide accounts Domain Admins is a global group and as such you can't add users from other domains to it. While other global groups can be converted to universal groups, you can't do so for the domain admins group. A solution to your problem is to use the restricted groups GPO feature (which will not work for your legacy machines in the AD domain) to add a universal group to the administrators group of all Server-OUs. I wouldn't want to set this GPO at the domain level, as then you're putting your AD domains at risk as well, if you do something wrong... The UG to use can either be the Enterprise Admins group or any other UG you assign for the task. /Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M. Sent: Tuesday, 13. April 2004 22:16 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] enterprise-wide accounts What about adding them to each domain admins group for each domain?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Tuesday, April 13, 2004 4:05 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] enterprise-wide accounts We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the meantime, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn't allow logon to all the member servers. How do I best grant domain admin-level rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice. Thanks! Mark Creamer Systems Engineer Cintas Corporation Honesty and Integrity in Everything We Do
RE: [ActiveDir] GPO
No. GPO's are registry based (at least admin templates), so they should work on an XP box without the need of Windows Server 2003. It is enough if you set them up from an XP box or import them in a 2000 DC (adm templates). What policies are we talking about? Run gpresult /v to get verbose information about your policies being applied on your workstations. Regards Matjaz Ladava MVP Windows Server - Directory Services
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Tuesday, April 13, 2004 11:11 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] GPO I used a Windows XP client running the GPMC and setup items in a GPO that are for Windows XP and higher, however it appears that they are not going into effect. I should not need a 2003 DC running in order to have these GPO settings take effect right? Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED]
RE: [ActiveDir] enterprise-wide accounts
Use the Restricted Groups GPO setting on member servers and prescribe the membership in the local Admins groups from other domains.

Regards
Matjaz Ladava
MVP Windows Server - Directory Services

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Tuesday, April 13, 2004 10:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

What about adding them to each domain admins group for each domain?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] enterprise-wide accounts

We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the meantime, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn't allow logon to all the member servers. How do I best grant domain admin-level rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice. Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
[ActiveDir] Restricted Groups GPO
Is there anything weird about applying a Restricted Groups GPO to a Windows 2003 server? For some reason, none of our Win2k3 servers in our Win2k AD domain are getting the local administrators group Restricted Groups GPO applied that all of our other machines are successfully getting. Any ideas?
RE: [ActiveDir] enterprise-wide accounts
"won't Restricted groups remove any groups that are in the administrators group now except for the ones you specify?"

Not if you have Win2k SP4 or Win2k3 and use the "MemberOf" option of the restricted groups.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Celone
Sent: Wednesday, April 14, 2004 00:07
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

Alternatively you can do what we do here. We have a startup script that runs from a GPO that adds a group to the local administrators group every time the machine is started up. The script looks like this:

    net localgroup administrators /add "domain\admins"

Just create a UG for all the admins and add them to it; then when the servers are rebooted this script will run and add the group to the machine's local administrators group. If you can't wait for the servers to be rebooted you can create a script that will read the servers in line by line and add this group to their local administrators group. Don't get me wrong, Guido's solution will work also, but won't Restricted Groups remove any groups that are in the administrators group now except for the ones you specify?

Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 13, 2004 5:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

Domain admins is a global group and as such you can't add users from other domains to it. While other global groups can be converted to universal groups, you can't do so for the domain admins group. A solution to your problem is to use the restricted groups GPO feature (which will not work for your legacy machines in the AD domain) to add a universal group to the administrators group of all Server-OUs. I wouldn't want to set this GPO at the domain level, as then you're putting your AD domains at risk as well, if you do something wrong... The UG to use can either be the Enterprise Admins group or any other UG you assign for the task.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Tuesday, April 13, 2004 22:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

What about adding them to each domain admins group for each domain?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] enterprise-wide accounts

We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the meantime, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn't allow logon to all the member servers. How do I best grant domain admin-level rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice. Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
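The difference between the two Restricted Groups modes that Mike and Guido are discussing, as an added example that is not part of any post in this thread: the Python below models how the Security Configuration client applies the [Group Membership] section that Restricted Groups writes into GptTmpl.inf. A "Members" entry is authoritative (the local group ends up with exactly the listed accounts, plus the built-in Administrator, which the client never removes), while a "Memberof" entry only adds the named group to the target and leaves the existing members alone. The two policy fragments, the CONTOSO and LEGACY names and the starting membership are constructed. The model applies Members before Memberof and does not cover a group that is both restricted authoritatively and the target of another entry's Memberof.

```python
"""Model of Restricted Groups ([Group Membership] in GptTmpl.inf) semantics.

Added example, not from the ActiveDir thread.  Two kinds of entry exist:
  X__Members  = a,b   -> local group X ends up with exactly {a, b} (authoritative)
  X__Memberof = G     -> X is added to local group G; G's other members are kept
Groups are written the way the GUI stores them: well-known/local SIDs with a
leading '*', domain groups by name.  All names and SIDs below are constructed.
"""
import configparser
from typing import Dict, Optional, Set

BUILTIN_ADMINISTRATORS = "*S-1-5-32-544"   # same SID on every Windows machine
LOCAL_ADMINISTRATOR = "Administrator"      # the client never removes this account

# Restrict BUILTIN\Administrators itself: the Members list IS the membership.
POLICY_MEMBERS = """
[Group Membership]
*S-1-5-32-544__Members = CONTOSO\\ServerAdmins
*S-1-5-32-544__Memberof =
"""

# Restrict the domain group and say what it is a member of: purely additive.
POLICY_MEMBEROF = """
[Group Membership]
CONTOSO\\ServerAdmins__Memberof = *S-1-5-32-544
CONTOSO\\ServerAdmins__Members =
"""

Entry = Dict[str, Optional[Set[str]]]


def parse_group_membership(inf_text: str) -> Dict[str, Entry]:
    """Return {restricted_group: {"members": set|None, "memberof": set|None}}.

    A key that is present but empty becomes an empty set (for Members that
    still means "exactly nobody"); a key that is absent stays None.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str                      # keep the case of SIDs and names
    cp.read_string(inf_text)
    policy: Dict[str, Entry] = {}
    for key, value in cp["Group Membership"].items():
        group, kind = key.rsplit("__", 1)
        entry = policy.setdefault(group, {"members": None, "memberof": None})
        entry[kind.lower()] = {v.strip() for v in value.split(",") if v.strip()}
    return policy


def apply_policy(policy: Dict[str, Entry],
                 local_groups: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return the local group membership after one policy application.

    local_groups maps each local group (spelled '*SID' like the policy) to
    its members.  Any group not in it is a domain group, whose membership
    the client cannot enforce and therefore ignores.
    """
    groups = {g: set(m) for g, m in local_groups.items()}
    # Pass 1: authoritative Members lists on local groups.
    for group, entry in policy.items():
        if group in groups and entry["members"] is not None:
            new_members = set(entry["members"])
            if group == BUILTIN_ADMINISTRATORS:
                new_members.add(LOCAL_ADMINISTRATOR)
            groups[group] = new_members
    # Pass 2: additive Memberof entries; nothing already present is touched.
    for group, entry in policy.items():
        for target in entry["memberof"] or ():
            if target in groups:
                groups[target].add(group)
    return groups


def compare_modes() -> Dict[str, Set[str]]:
    """Apply both policies to the same starting Administrators group."""
    before = {BUILTIN_ADMINISTRATORS: {LOCAL_ADMINISTRATOR,
                                       "CONTOSO\\Domain Admins",
                                       "LEGACY\\NTAdmins"}}
    authoritative = apply_policy(parse_group_membership(POLICY_MEMBERS), before)
    additive = apply_policy(parse_group_membership(POLICY_MEMBEROF), before)
    return {"members": authoritative[BUILTIN_ADMINISTRATORS],
            "memberof": additive[BUILTIN_ADMINISTRATORS]}


if __name__ == "__main__":
    for mode, members in compare_modes().items():
        print(f"{mode:9s} -> {sorted(members)}")
```

Running it shows exactly Mike's concern: the Members form strips CONTOSO\Domain Admins and LEGACY\NTAdmins from Administrators and leaves only Administrator and CONTOSO\ServerAdmins, while the Memberof form keeps all three existing members and adds CONTOSO\ServerAdmins.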
[ActiveDir] How to remove ADC from domain
In my test lab I was doing a test migration from Exchange 5.5 to Exchange 2k. I had a machine set up with the ADC to move the 5.5 information into the directory. I came in the morning and the HD was dead on my ADC machine. Now the machine is dead but the computer account is still in the domain. The server also still shows up under Sites and Services. If I remove the computer account from the domain will that also remove it under Sites and Services? Is there anything else I need to do before I remove that machine account?

Mike
RE: [ActiveDir] How to remove ADC from domain
You will need to delete the computer object with ADUC (DSA.MSC) and the server object in Sites and Services with DSSITE.MSC; removing one will not impact the other. Alternatively you can use adsiedit to remove both, or use a script.

- http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Celone
Sent: Tuesday, April 13, 2004 7:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How to remove ADC from domain

In my test lab I was doing a test migration from Exchange 5.5 to Exchange 2k. I had a machine set up with the ADC to move the 5.5 information into the directory. I came in the morning and the HD was dead on my ADC machine. Now the machine is dead but the computer account is still in the domain. The server also still shows up under Sites and Services. If I remove the computer account from the domain will that also remove it under Sites and Services? Is there anything else I need to do before I remove that machine account?

Mike
RE: [ActiveDir] enterprise-wide accounts
Mike, the functionality recently changed; that was the subject of a conversation on this list. Many of us were quite happily surprised to learn of the change.

- http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 13, 2004 6:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

"won't Restricted groups remove any groups that are in the administrators group now except for the ones you specify?"

Not if you have Win2k SP4 or Win2k3 and use the "MemberOf" option of the restricted groups.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Celone
Sent: Wednesday, April 14, 2004 00:07
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

Alternatively you can do what we do here. We have a startup script that runs from a GPO that adds a group to the local administrators group every time the machine is started up. The script looks like this:

    net localgroup administrators /add "domain\admins"

Just create a UG for all the admins and add them to it; then when the servers are rebooted this script will run and add the group to the machine's local administrators group. If you can't wait for the servers to be rebooted you can create a script that will read the servers in line by line and add this group to their local administrators group. Don't get me wrong, Guido's solution will work also, but won't Restricted Groups remove any groups that are in the administrators group now except for the ones you specify?

Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 13, 2004 5:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

Domain admins is a global group and as such you can't add users from other domains to it. While other global groups can be converted to universal groups, you can't do so for the domain admins group. A solution to your problem is to use the restricted groups GPO feature (which will not work for your legacy machines in the AD domain) to add a universal group to the administrators group of all Server-OUs. I wouldn't want to set this GPO at the domain level, as then you're putting your AD domains at risk as well, if you do something wrong... The UG to use can either be the Enterprise Admins group or any other UG you assign for the task.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Tuesday, April 13, 2004 22:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

What about adding them to each domain admins group for each domain?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] enterprise-wide accounts

We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the meantime, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn't allow logon to all the member servers. How do I best grant domain admin-level rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice. Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
RE: [ActiveDir] enterprise-wide accounts
You cannot add (haven't tried to hack this, probably is hard coded functionality) foreign users to the domain admins group of a domain; they must exist in the same domain - domain admins is a global group, standard rules apply. The best would be administrators group membership which, unlike NT4, is not the same as domain admins in terms of Windows 2000+ domain objects. The delta in Windows 2000+ is that many AD objects have different permissions set specifically to domain admins, and being an administrator on a domain controller does not give access to those objects. Additionally nothing is (actually I have to say "should be" due to some "bugs") permissioned in the forest-wide partitions to "administrators" because they don't have domain affinity like domain admins do. I.E. if you have an object in the config container with permissions set to the administrators group, it means administrators in any domain. Say you want to give rights in the config container to administrators in Domain 1; by default, those permissions apply to every administrator of every domain in the forest. The SID for administrators has no domain context; it is a well known SID that is the same everywhere - S-1-5-32-544.

The general practice for domain controller permissions would be to create your "god" level IDs in your root domain or other main domain, then add those IDs to every administrators group in every domain. Then also create IDs in each domain for the admins and add those to the domain admins groups of the respective domain. You would normally be able to use the one ID to do most work, but if you needed to modify something that required domain admins rights, you would switch to the local domain admin ID.

What is an example of something a domain admin can do but an administrator can't in AD... How about delete subtrees. Also no delete of child objects, however you tend to pick that back up due to default SDs. Default DC and Default Domain policy objects don't have Administrators in the ACL.

An alternative would be to create a new universal group and update AD permissions to match the domain admins group for that universal group. You would still have to populate workstations and servers as well, so this isn't buying a whole ton; definitely not worth the skull sweat to do. Of course if the goal isn't full perms over AD objects, but instead domain member servers/workstations, the previously mentioned GPO method is the way to go.

- http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] enterprise-wide accounts

We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the meantime, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn't allow logon to all the member servers. How do I best grant domain admin-level rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice. Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
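Joe's point that S-1-5-32-544 carries no domain context, and Guido's that a global group only takes members from its own domain, as an added example that is not code from the thread: the Python below parses SID strings, tells BUILTIN SIDs (S-1-5-32-<rid>) from domain-relative ones (S-1-5-21-<a>-<b>-<c>-<rid>), and applies the membership rule for a user account joining a group of a given scope. The two domain identifiers, the universal group RID and the user RIDs are constructed; the stricter rules for nesting groups in groups are not modelled.

```python
"""SID scope: why an ACE for BUILTIN\\Administrators matches in every domain.

Added example, not from the thread.  S-1-5-32-<rid> is the BUILTIN domain and
is identical on every machine; S-1-5-21-<a>-<b>-<c>-<rid> is relative to one
account domain.  The two domain identifiers used below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

BUILTIN_RIDS = {544: "Administrators", 548: "Account Operators",
                549: "Server Operators", 551: "Backup Operators"}
DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}


@dataclass(frozen=True)
class SidInfo:
    sid: str
    scope: str                  # "builtin", "domain" or "other"
    domain_sid: Optional[str]   # S-1-5-21-a-b-c for domain-scoped SIDs
    rid: int
    name: Optional[str]         # well-known name, if any


def parse_sid(sid: str) -> SidInfo:
    """Split an SDDL SID string and classify its scope."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    if revision == 1 and authority == 5:          # NT AUTHORITY
        if len(subs) == 2 and subs[0] == 32:
            return SidInfo(sid, "builtin", None, subs[1], BUILTIN_RIDS.get(subs[1]))
        if len(subs) == 5 and subs[0] == 21:
            domain = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
            return SidInfo(sid, "domain", domain, subs[4], DOMAIN_RIDS.get(subs[4]))
    return SidInfo(sid, "other", None, subs[-1], None)


def ace_has_domain_context(trustee_sid: str) -> bool:
    """False for BUILTIN SIDs: an ACE granting S-1-5-32-544 in a forest-wide
    partition matches the Administrators group of every domain's DCs."""
    return parse_sid(trustee_sid).scope == "domain"


def user_can_join(user_sid: str, group_sid: str, group_scope: str) -> bool:
    """Membership rule for a user account joining a group.

    global:                   members must come from the group's own domain
    universal / domain_local: any domain in the forest
    builtin:                  the local group (or the DCs' group) accepts
                              principals from any trusted domain
    """
    user, group = parse_sid(user_sid), parse_sid(group_sid)
    if group.scope == "builtin":
        return True
    if group_scope == "global":
        return user.scope == "domain" and user.domain_sid == group.domain_sid
    if group_scope in ("universal", "domain_local"):
        return True
    raise ValueError(f"unknown group scope: {group_scope}")


# Constructed identifiers for a root domain and a child domain.
ROOT = "S-1-5-21-1000000001-2000000002-3000000003"
CHILD = "S-1-5-21-4000000004-5000000005-6000000006"
ROOT_DOMAIN_ADMINS = ROOT + "-512"
CHILD_USER = CHILD + "-1105"
ROOT_UNIVERSAL_GROUP = ROOT + "-1200"   # constructed UG for forest-wide admins
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"

if __name__ == "__main__":
    print(parse_sid(BUILTIN_ADMINISTRATORS))
    print("child user -> root Domain Admins (global):",
          user_can_join(CHILD_USER, ROOT_DOMAIN_ADMINS, "global"))
    print("child user -> root universal group:",
          user_can_join(CHILD_USER, ROOT_UNIVERSAL_GROUP, "universal"))
    print("child user -> BUILTIN\\Administrators:",
          user_can_join(CHILD_USER, BUILTIN_ADMINISTRATORS, "domain_local"))
```

The first print shows the BUILTIN SID with no domain identifier at all, which is why the same ACE matches Administrators in every domain; the remaining three reproduce the thread's conclusion that the child-domain user can be placed in a universal group or in Administrators but not in another domain's Domain Admins.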
RE: [ActiveDir] logon scripts
There is a killer TZ issue going south of Seattle. If that isn't a funny enough response, try: Deji, you misspelled drunk. :o)

"It's rather unpleasantly like being drunk"
"What's wrong with being drunk?"
"Ask a glass of water" [1]

joe

[1] Lifted from Hitchhikers Guide to the Galaxy. BTW, a glass of water would have been perfectly safe at the summit. =)

- http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, April 13, 2004 2:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] logon scripts

Jet-lagged? Did you take a long detour on the way home? :)

From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 11:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

What can I say? I'm still jet-lagged, I guess :) Thanks for the pointer.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Roger Seielstad
Sent: Tue 4/13/2004 6:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Except Deji forgets one important piece of information (which is rare for him) - VBScript doesn't natively run on Win9x. It requires a separate install of Windows Scripting Host.

-- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 12:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Smart guy.
:op

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Monday, April 12, 2004 11:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

I don't have a Win9X to test this on, but Win2K/2K3/XP is fair game for this:

    ' Maps the user's home drive (and, for some groups, a second drive)
    ' according to the groups the account is a direct member of, read
    ' through the ADSI WinNT provider.
    Option Explicit
    Dim wshNetwork, wshShell, usrName, usr, grp
    Dim str_Group1_Share, str_Exec_Share, str_BS_Share, str_Super_Share, strDriveToMap

    Set wshNetwork = WScript.CreateObject("WScript.Network")
    Set wshShell   = WScript.CreateObject("WScript.Shell")

    ' UNC paths of the shares (the mail client had rewritten these as file:// URLs)
    str_Group1_Share = "\\myserver\myShare1"
    str_Exec_Share   = "\\myserver\myShare2"
    str_BS_Share     = "\\myserver\myShare3"
    str_Super_Share  = "\\mySuperServer\SuperShare"
    strDriveToMap    = "H:"

    usrName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
    ' String concatenation operators were lost in the mail archive; restored here
    Set usr = GetObject("WinNT://MyDomainName/" & usrName & ",user")

    For Each grp In usr.Groups
        WScript.Echo grp.Name   ' debugging output; remove once the mappings work
        If grp.Name = "BS-Group" Then
            wshNetwork.MapNetworkDrive strDriveToMap, str_BS_Share
            Exit For
        ElseIf grp.Name = "SOME_GROUP" Then
            wshNetwork.MapNetworkDrive strDriveToMap, str_Group1_Share
            Exit For
        ElseIf grp.Name = "yet_Another_Group" Or grp.Name = "Super-DuperUser" Then
            wshNetwork.MapNetworkDrive strDriveToMap, str_Super_Share
            wshNetwork.MapNetworkDrive "K:", str_Exec_Share
            Exit For
        End If
    Next

    Set usr = Nothing
    Set wshShell = Nothing
    Set wshNetwork = Nothing

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Nathan Casey
Sent: Mon 4/12/2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] logon scripts

What is a recommended logon script solution that will work with win9x, win2k/xp clients for drive mapping, etc. that works similar to Novell logon scripts? Example:

    IF MEMBER OF "GROUP" THEN BEGIN
        MAP H:=SERVER1\VOL1:
    END
RE: [ActiveDir] Firewall
Yes, definitely not a firewall; I just wanted to pipe up with that to feel useful... This is permissions in AD. Since those permissions are set on the default SD in the schema for user objects, someone/thing cleared the SELF ACE for WP Personal Information... If I were a gambling man... I would say look for the following symptoms:

* adminCount attribute set on these user objects (probably a 1)
* Inheritance is turned off on the ACL
* Most of the perms you see on most userids are missing

If these are true you probably have adminSdHolder kicking you in the seat of the pants. Were these folks at any point (including right this second) Admins, Domain Admins, Enterprise Admins, Account Ops, Server Ops, Backup Ops, etc etc ad nauseam? If so this is your issue. Those IDs are, by default, locked down in a protected state so people can't futz with them. The only permission adminSdHolder'ed objects get for SELF is SELF Change Password. You can get more info on adminSDHolder by searching the archives of this list or going to google and searching for it. You may find recommendations to CHANGE the permissions on adminSdHolder; I, for the most part, do not agree with that. Your admins should have two IDs, one that is an admin ID, one that isn't. The one that isn't they can modify their personal info on to their hearts content; the admin one, tell them hands off.

Now if you don't have those symptoms above, it would greatly help the troubleshooting process if you collected a DSACLS dump of one of the userids in question and posted it...
Ex:

[Tue 04/13/2004 21:38:58.26] F:\DEV\cpp\MemberOf>dsacls CN=$joebobadmindude,CN=Users,DC=joe,DC=com
Access list:
{This object is protected from inheriting permissions from the parent}
Effective Permissions on this object are:
Allow BUILTIN\Pre-Windows 2000 Compatible Access
        SPECIAL ACCESS
        READ PERMISSONS
        LIST CONTENTS
        READ PROPERTY
        LIST OBJECT
Allow BUILTIN\Pre-Windows 2000 Compatible Access
        SPECIAL ACCESS
        READ PERMISSONS
        LIST CONTENTS
        READ PROPERTY
        LIST OBJECT
Allow JOE\Domain Admins
        SPECIAL ACCESS
        READ PERMISSONS
        WRITE PERMISSIONS
        CHANGE OWNERSHIP
        CREATE CHILD
        DELETE CHILD
        LIST CONTENTS
        WRITE SELF
        WRITE PROPERTY
        READ PROPERTY
        LIST OBJECT
        CONTROL ACCESS
Allow JOE\Enterprise Admins
        SPECIAL ACCESS
        READ PERMISSONS
        WRITE PERMISSIONS
        CHANGE OWNERSHIP
        CREATE CHILD
        DELETE CHILD
        LIST CONTENTS
        WRITE SELF
        WRITE PROPERTY
        READ PROPERTY
        LIST OBJECT
        CONTROL ACCESS
Allow BUILTIN\Administrators
        SPECIAL ACCESS
        DELETE
        READ PERMISSONS
        WRITE PERMISSIONS
        CHANGE OWNERSHIP
        CREATE CHILD
        DELETE CHILD
        LIST CONTENTS
        WRITE SELF
        WRITE PROPERTY
        READ PROPERTY
        LIST OBJECT
        CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users
        SPECIAL ACCESS
        READ PERMISSONS
        LIST CONTENTS
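Joe's three symptoms turned into a check you can run over captured dsacls output, as an added example that is not code from the post: the Python below parses a dsacls-style dump, tests whether the object is protected from inheriting permissions and whether NT AUTHORITY\SELF still holds any WRITE PROPERTY right, combines that with the object's adminCount and whether the account is currently in a protected group, and names the likely cause. Both dumps are constructed and shortened, modelled on the one quoted above; the exact wording dsacls prints for a property set or an extended right can differ from what is used here, so the parser keys only on the trustee and the right names, and the "Change Password" and "Personal Information" lines are assumptions about that formatting.

```python
"""Triage a user object's ACL for adminSDHolder symptoms.

Added example, not from the thread.  Input is dsacls-style text (captured
with 'dsacls <DN>'); the two dumps below are constructed and shortened,
modelled on the dump quoted in the post.  Symptoms checked:
  1. adminCount set
  2. "protected from inheriting permissions"  (inheritance blocked)
  3. no WRITE PROPERTY right left for NT AUTHORITY\\SELF
"""
import re
from dataclasses import dataclass, field
from typing import List

SELF = "NT AUTHORITY\\SELF"
PROTECTED_MARKER = "protected from inheriting permissions"

# Constructed: what an adminSDHolder-stamped account looks like (SELF keeps
# only the Change Password extended right).
PROTECTED_ADMIN_DUMP = """\
Access list:
{This object is protected from inheriting permissions from the parent}
Effective Permissions on this object are:
Allow NT AUTHORITY\\SELF
    SPECIAL ACCESS for Change Password
    CONTROL ACCESS
Allow JOE\\Domain Admins
    SPECIAL ACCESS
    READ PERMISSONS
    WRITE PERMISSIONS
    WRITE PROPERTY
    READ PROPERTY
Allow NT AUTHORITY\\Authenticated Users
    SPECIAL ACCESS
    READ PERMISSONS
    LIST CONTENTS
"""

# Constructed: an ordinary user who keeps the default SELF write rights.
NORMAL_USER_DUMP = """\
Access list:
Effective Permissions on this object are:
Allow NT AUTHORITY\\SELF
    SPECIAL ACCESS for Personal Information
    WRITE PROPERTY
    READ PROPERTY
Allow JOE\\Domain Admins
    SPECIAL ACCESS
    READ PERMISSONS
    WRITE PROPERTY
    READ PROPERTY
"""


@dataclass
class Ace:
    kind: str                        # "Allow" or "Deny"
    trustee: str
    rights: List[str] = field(default_factory=list)


@dataclass
class Acl:
    inheritance_blocked: bool
    aces: List[Ace]


def parse_dsacls(text: str) -> Acl:
    """Parse dsacls output: 'Allow <trustee>' lines followed by indented rights."""
    aces: List[Ace] = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        stripped = line.lstrip()
        if stripped.startswith(("Allow ", "Deny ")):
            kind, rest = stripped.split(None, 1)
            # dsacls pads the trustee with spaces before any same-line rights.
            parts = re.split(r"\s{2,}", rest.strip(), maxsplit=1)
            current = Ace(kind, parts[0], [parts[1]] if len(parts) > 1 else [])
            aces.append(current)
        elif current is not None and line[0].isspace():
            current.rights.append(stripped)        # continuation of the ACE
        else:
            current = None                          # header or banner line
    return Acl(PROTECTED_MARKER in text, aces)


def self_can_write_property(acl: Acl) -> bool:
    """True if any Allow ACE for SELF carries a WRITE PROPERTY right."""
    return any(ace.kind == "Allow" and ace.trustee == SELF
               and any("WRITE PROPERTY" in r for r in ace.rights)
               for ace in acl.aces)


def diagnose(admin_count: int, dsacls_text: str, in_protected_group: bool) -> str:
    """Name the likely reason a user cannot edit their own attributes."""
    acl = parse_dsacls(dsacls_text)
    self_write = self_can_write_property(acl)
    stamped = admin_count == 1 and acl.inheritance_blocked and not self_write
    if stamped and in_protected_group:
        return "adminSDHolder: account is in a protected group; give the person a separate non-admin ID"
    if stamped:
        return "adminSDHolder (orphaned): no longer in a protected group, but adminCount and the ACL were never reset"
    if not self_write:
        return "SELF write rights missing but not the adminSDHolder pattern; the ACL was changed some other way"
    return "permissions look normal; look elsewhere (client, replication, the attribute itself)"


if __name__ == "__main__":
    print(diagnose(1, PROTECTED_ADMIN_DUMP, True))
    print(diagnose(1, PROTECTED_ADMIN_DUMP, False))
    print(diagnose(0, NORMAL_USER_DUMP, False))
```

Feed it the real dump (dsacls output redirected to a file), the object's adminCount value and a membership check against the protected groups Joe lists; the orphaned case is the one that bites after someone has been removed from Domain Admins but the adminCount and the protected ACL were left in place.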
RE: [ActiveDir] Updating Schema to Windows 2003
Heh. Which comment should I make, which comment should I make, which comment... =) Err. Hmmm. Blech.

You can help this out usually by making sure that you have a specific Exchange Site for your Exchange Servers; place the DC/GCs into that site that you want Exchange to use. I.E. keep the subdomain DC/GCs out of the Exchange Site. Exchange will *tend* to use those local site DC/GCs but can possibly fail over into the DC/GCs in the other site.

- http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 9:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Have you run into issues with Exchange pointing to GC servers in your subdomains and not being able to resolve recipients in distribution lists unless the DLs are Universal DLs? We have:

Root Forest: Windows 2000 with Exchange 2000 and most user accounts, Groups, DLs, etc.
Subdomain: Windows 2003 with Exchange 2003 - mostly for development / testing, few accounts.

Exchange at times used the DC in the Subdomain for GC lookups. Our DLs were not Universal, so when Exchange would attempt to resolve the recipients of the DL using the subdomain GC it would not find any members. At that point messages would die in the Categorizer queue. MS solution was to convert all mail-enabled groups to Universal or remove the subdomain DC from the Exchange Directory Servers list. Universal groups will publish all their members in the GCs, but this philosophy seems to contradict everything I read early on about trying to avoid the use of Universal Groups because of the increase in replication between GCs.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 07, 2004 9:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

One thing I did not mention is that I have Exchange 2003 deployed in my forest. What precautions need to be taken for this? I read the Q article 325379 but that talks about Exchange 2000.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 8:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Nope, I have one running just as you described.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 07, 2004 8:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

If the forest prep is done, are there any problems if a child domain is built as a Windows 2003 domain while the rest of the forest is still in Windows 2000?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, April 06, 2004 4:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Forest Prep will prepare your forests for the Windows 2003 upgrade. It will also expand your schema at that time.

S

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, April 06, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I really just want to prepare the forest for Windows 2003; I don't need the domains ready yet.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Tuesday, April 06, 2004 2:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Also, if you stick in the CD to upgrade a server, it will check the server and AD type, and will not upgrade until you have performed those steps. It even gives you the steps to perform that you can copy/paste.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, April 06, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I am not aware of any KB articles, but here are the steps that were performed on our upgrade. The forest and domains are prepared by using the adprep command on the schema operations master and infrastructure operations master, respectively. (25min)

* At a command prompt, change to the \I386 directory on the installation media and then type: d:\i386\adprep /forestprep
* When prompted, type 'C', and then press ENTER to begin forest preparation, or type any other key, and then press ENTER to cancel.
* After the forest preparation data has replicated throughout the forest, prepare the domains for Windows Server 2003 as described below. The domain preparation operation must be performed on the infrastructure operations master of each domain in the forest. (no reboot
RE: [ActiveDir] Firewall
Don't be so certain. Not all traffic is, by default, let out. Check that with some third party tools that use 1024 ports. Effective in killing off the DDoS Zombie issues.

Rick Kingslan MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Tuesday, April 13, 2004 9:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Firewall

This is not a firewall issue. The Windows ICF allows all outbound connections.

Denny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Tuesday, April 13, 2004 9:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Firewall

I will probably (if testing goes well) implement it when SP2 is out. Today I'm not using the firewall on my XPs.

Regards,
/Jimmy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Tuesday, April 13, 2004 3:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Firewall

I'm not using the XP firewall yet, but I'll consider it with SP2 since it is much better. The built-in firewall isn't supposed to interfere with communications with DCs, I think. Are you getting any specific error message when users try to edit their attributes? Or do they just not have permission to do so? Check the event logs to see if there are any errors.

Robbie Foust, IT Analyst
Systems and Core Services
Duke University

Douglas M. Long wrote:

Do you all force your XP clients to have the built-in firewall enabled? Are there any cons (such as some GPs not working) to having it enabled? The reason I ask is I am having a problem finding the culprit which is causing some users the inability to edit their editable (phone number, homepage, address, etc) attributes.
Thanks in advance
RE: [ActiveDir] logon scripts
bizarre.. ;oP

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Tuesday, April 13, 2004 11:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Sober? What's that??? :)

/Jimmy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, April 13, 2004 6:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

To quote Tony Murray-Smith - "I'm still trying to get used to being sober"

-- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 11:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

What can I say? I'm still jet-lagged, I guess :) Thanks for the pointer.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Roger Seielstad
Sent: Tue 4/13/2004 6:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Except Deji forgets one important piece of information (which is rare for him) - VBScript doesn't natively run on Win9x. It requires a separate install of Windows Scripting Host.

-- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 12:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Smart guy.
RE: [ActiveDir] Updating Schema to Windows 2003
Just a quick correction: they weren't replication issues before, they were resolution issues. Your AD replication wouldn't have been impacted by having a global group, but your resolution of the lists would be on Exchange depending on what GC they hit for the resolution process.

The replication issues that Shawn is alluding to are that to deploy Exchange DLs you have to go against all the advice previously given for how to (or even if you wanted to) use Universal Groups in AD. You have to have all of the users physically in the DL, which means every time the DL changes you have to replicate the entire group membership (on W2K and W2K3 in 2k mode) to every domain controller of the domain the UG lives in PLUS every global catalog in the forest. The recommendation from MS for OS ops was to not use UGs unless you really needed to and, if you did, to nest domain global groups into the UGs.

Basically all of the AD design books/whitepapers/docs need a huge step 0 in them which says: if you intend to use Exchange, many things you will find in this doc are straight up incorrect; go read up on Exchange first and then come on back. What I am saying is, you need to know when designing your forest whether or not you intend to use Exchange; it can have quite an impact on your design. Trying to retrofit, especially in a multi-domain environment, can be painful. If you have a single domain forest, you should be peachy.

joe

- http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 07, 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I have experienced this. But I only experienced it on one DL that was a global group; I changed it to a universal group. All my DLs are Universal groups now and I don't have replication issues.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, April 07, 2004 9:39 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Updating Schema to Windows 2003 Have you run into issues with Exchange pointing to GC servers in your subdomains and not being able to resolve recipients in Distribution list unless the DL are Universal DL? We have: Root Forest Windows 2000 with Exchange 2000 and most user accounts, Groups, DLs, etc Subdomain Windows 2003 with Exchange 2003 - mostly for development / testing, few accounts Exchange at times used the DC in the Subdomain for GC lookups. Our DLs were not Universal so when Exchange would attempt to resolve the recipients of the DL using the subdomain GC it would not find any members.at that point messages would die in the Categorizer queue. MS solution was to convert all mail enabled groups to Universal or remove the subdomain DC from the Exchange Directory Servers list. Universal groups will publish all their members in the GCs, but this philosophy seems to contradict everything I read early on about trying to avoid the use of Universal Groups because of the increase in replication between GCs. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Wednesday, April 07, 2004 9:15 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Updating Schema to Windows 2003 One thing I did not mention is that I have Exchange 2003 deployed in my forest. What precautions need to be taken for this. I read the q article 325379 but that talks about exchange 2000. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, April 07, 2004 8:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Updating Schema to Windows 2003 Nope, I have one running just as you described. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. 
Sent: Wednesday, April 07, 2004 8:50 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Updating Schema to Windows 2003 If the forest prep is done, are there any problems if a child domain is built as a windows 2003 domain while the rest of the forest is still in windows 2000? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff Sent: Tuesday, April 06, 2004 4:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Updating Schema to Windows 2003 Forest Prep will prepare your forests for the Windows 2003 upgrade. IT will also expand your schema at that time. S -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Tuesday, April 06, 2004 12:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Updating Schema to Windows 2003 I really just want to prepare the forest for windows 2003, I don't need the domains ready yet. -Original Message-
RE: [ActiveDir] Updating Schema to Windows 2003
Yes, you should be able to adprep the forest with no problems if all DCs are running at least Windows 2000 SP3. Exchange 2003 isn't required. There is one KB that I think was mentioned that you need to keep an eye out for which involves mangling a couple of class names. If it happens, it is an easy fix. I can't recall the details though as I did this a long while back (last year) on a forest with W2K DCs and E2K/E5.5.

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, April 13, 2004 11:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

So in summary, I should be able to adprep the forest with no problems if all DCs are running at least Windows 2000 SP3 and Exchange 2003?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 07, 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I have experienced this. But I only experienced it on one DL that was a global group, I changed it to a universal group. All my DLs are Universal groups now and I don't have replication issues.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 9:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Have you run into issues with Exchange pointing to GC servers in your subdomains and not being able to resolve recipients in Distribution list unless the DL are Universal DL?

We have:
Root Forest Windows 2000 with Exchange 2000 and most user accounts, Groups, DLs, etc
Subdomain Windows 2003 with Exchange 2003 - mostly for development / testing, few accounts

Exchange at times used the DC in the Subdomain for GC lookups. Our DLs were not Universal so when Exchange would attempt to resolve the recipients of the DL using the subdomain GC it would not find any members. At that point messages would die in the Categorizer queue. MS solution was to convert all mail enabled groups to Universal or remove the subdomain DC from the Exchange Directory Servers list. Universal groups will publish all their members in the GCs, but this philosophy seems to contradict everything I read early on about trying to avoid the use of Universal Groups because of the increase in replication between GCs.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 07, 2004 9:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

One thing I did not mention is that I have Exchange 2003 deployed in my forest. What precautions need to be taken for this? I read the q article 325379 but that talks about exchange 2000.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 8:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Nope, I have one running just as you described.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 07, 2004 8:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

If the forest prep is done, are there any problems if a child domain is built as a windows 2003 domain while the rest of the forest is still in windows 2000?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, April 06, 2004 4:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Forest Prep will prepare your forests for the Windows 2003 upgrade. It will also expand your schema at that time.

S

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, April 06, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I really just want to prepare the forest for windows 2003, I don't need the domains ready yet.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Tuesday, April 06, 2004 2:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Also, if you stick in the CD to upgrade a server, it will check the server and AD type, and will not upgrade until you have performed those steps. It even gives you the steps to perform that you can copy/paste.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, April 06, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I am not aware of any KB
[ActiveDir] scripting admin
Sorry for what is more of a personal advice question. I'm a Perl guy and I was wondering if, for proper Windows scripting, I should learn VBScript or can I get away with most admining with Perl and ActiveState? I run a couple of Linux and Unix servers, so Perl makes sense, but would it behoove me to learn VBScript or even VB to effectively script my Win2K AD environment, or can I get away with Perl and its integer conversion et al and be a good admin mastering only one language?

Thanks in advance

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] scripting admin
I say Perl... The ActiveState dist is great. I am not aware of anything off the top of my head you can do in VBScript that you can't do in Perl. You may want to learn enough VBScript to convert VBScripts others have written to Perl. Overall for really simple things VBScript may be easier at first glance, but as the complexity rises VBScript shows its issues and Perl starts to shine. Grab Robbie Allen's AD Cookbook which has some Perl in it, also his Managing Enterprise Active Directory Services has quite a bit of Perl in it. Most everything I tend to post here in terms of scripts and do in general is Perl.

joe

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, April 13, 2004 10:32 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] scripting admin

Sorry for what is more of a personal advice question. I'm a Perl guy and I was wondering if, for proper Windows scripting, I should learn VBScript or can I get away with most admining with Perl and ActiveState? I run a couple of Linux and Unix servers, so Perl makes sense, but would it behoove me to learn VBScript or even VB to effectively script my Win2K AD environment, or can I get away with Perl and its integer conversion et al and be a good admin mastering only one language?

Thanks in advance
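As an added example that is not part of the thread (neither Deji's nor joe's code), here is the kind of port joe describes: Deji's VBScript logon script from the "logon scripts" thread above rewritten in ActiveState Perl with Win32::OLE, driving the same WScript.Network, WScript.Shell and WinNT:// ADSI objects. The domain name, share paths and group names are placeholders carried over from the VBScript, not real values, and the rule table is an assumed restructuring of the original If/ElseIf chain.

```perl
#!/usr/bin/perl
# Added example: Perl port of the VBScript logon script, using Win32::OLE
# (ActiveState Perl) to drive the same WSH/ADSI COM objects.
# Domain, shares and group names below are placeholders.
use strict;
use warnings;
use Win32::OLE qw(in);

# Placeholder domain (assumption; replace with the real NetBIOS domain name).
my $domain = 'MyDomainName';

# Group name -> list of [drive letter, UNC path] rules. This is the VBScript's
# If/ElseIf chain expressed as data so that adding a group is one line.
my %rules_for_group = (
    'BS-Group'          => [ [ 'H:', '\\\\myserver\\myShare3' ] ],
    'SOME_GROUP'        => [ [ 'H:', '\\\\myserver\\myShare1' ] ],
    'yet_Another_Group' => [ [ 'H:', '\\\\mySuperServer\\SuperShare' ],
                             [ 'K:', '\\\\myserver\\myShare2' ] ],
    'Super-DuperUser'   => [ [ 'H:', '\\\\mySuperServer\\SuperShare' ],
                             [ 'K:', '\\\\myserver\\myShare2' ] ],
);

my $wsh_net   = Win32::OLE->new('WScript.Network')
    or die "WScript.Network: " . Win32::OLE->LastError;
my $wsh_shell = Win32::OLE->new('WScript.Shell')
    or die "WScript.Shell: " . Win32::OLE->LastError;

# Same lookup as the VBScript: %USERNAME% then a WinNT provider bind.
my $user_name = $wsh_shell->ExpandEnvironmentStrings('%USERNAME%');
my $user = Win32::OLE->GetObject("WinNT://$domain/$user_name,user")
    or die "cannot bind to $user_name: " . Win32::OLE->LastError;

# Walk the user's direct group memberships. The WinNT provider's Groups
# collection does not expand nested groups, so only direct members match.
# Like the VBScript's Exit For, the first group with a rule wins; the
# enumeration order is not guaranteed, so keep the rules non-overlapping.
for my $grp (in $user->Groups) {
    my $name = $grp->{Name};
    print "member of: $name\n";
    my $rules = $rules_for_group{$name} or next;
    for my $rule (@$rules) {
        my ($letter, $unc) = @$rule;
        $wsh_net->MapNetworkDrive($letter, $unc);
        if (my $err = Win32::OLE->LastError) {
            # Typical cause: the drive letter is already mapped.
            warn "could not map $letter to $unc: $err\n";
        } else {
            print "mapped $letter -> $unc\n";
        }
    }
    last;
}
```

Run it as the logging-on user, as the VBScript would be, since MapNetworkDrive creates the mapping in the caller's own logon session. Two points carried over from the original that are worth knowing when you maintain either version: the WinNT provider only reports direct memberships, so a user who gets "BS-Group" through a nested group is not matched, and because the loop stops at the first group with a rule, a user in two ruled groups gets whichever the provider happens to enumerate first.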