RE: [ActiveDir] DFS use question

2004-04-13 Thread Bruce Clingaman

Some questions to ask yourself:
How much change occurs within an hour? 
What hardware are the servers running on? Enough RAM, processors, drive
performance...
The more change the greater the requirements of hardware, space for staging
and bandwidth.
Seriously consider a third party.
I had some success with smaller volumes (about 15GB) with moderate to high
hourly modifications and a larger volume (40GB) with moderate modifications.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Sunday, April 11, 2004 9:06 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] DFS use question


We have one of our largest sites in England and another large site in the
US, with at least a full T-1 between the two sites.  We have a share with
about 70GB of data in it, that both sites regularly need to access.  Would
this be something we could use DFS for with automatic replication, or is
this way out of DFS's range?  And if it's out of the range of DFS, how are
others solving this issue?  A program like Veritas Storage Replicator, or
NSI DoubleTake?  Or will DFS suffice?

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] using dsacls.exe

2004-04-13 Thread Roger Seielstad



Hmmm.. Interesting use of the term "staged" - gonna have to 
use that..

Actually, the Westin was the designated hotel for, um, 
well, not Exchange.

-- 
Roger D. Seielstad - 
MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. 


  
  
  From: joe [mailto:[EMAIL PROTECTED]
  Sent: Monday, April 12, 2004 8:04 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] using dsacls.exe
  
  You were hanging out with all the Exchange folks at the 
  "Exchange Hotel". After meeting them I do understand why you would want to, a 
  generally interesting cast of characters. The Ren bar just "staged" us for 
  each night's activities. You seemed well "staged" every time I saw you so I 
  think you were doing ok and your bar choice was fine.
  
  
  -
  http://www.joeware.net (download joeware)
  http://www.cafeshops.com/joewarenet (wear joeware)
  
  
  
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
  Sent: Monday, April 12, 2004 10:07 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] using dsacls.exe
  
  So what you're telling me is I was hanging out in the 
  wrong bar all week?
  
  -- 
  Roger D. Seielstad 
  - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. 
  
  
  


From: joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, April 10, 2004 3:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] using dsacls.exe

Actually I think he replied to this one in the bar of
the Renaissance as him, myself, and Dean were chatting about it while
drinking and Ulf was working on his pda/phone.

BTW Guido, you slipped out like a phantom man. Sorry 
you had other responsibilities to deal with. Would have been nice to have 
had you around longer and especially when sitting with the Dev guys. We had 
a lot of fun.

Also BTW, the Dev guys said that Universal groups
were all a huge mistake and no one should be using them... Do Exchange in a 
separate single domain forest j/k But I think they would have said 
that had we discussed it. I had something else on my mind when we chatted 
with them that was more important to me than Universal Groups and Domain 
Local Groups. 

Another also BTW, Dean and I talked out an interesting 
idea, you may like it when we have the result ready. An idea to hopefully 
kill the entire lag site paradigm by making it unnecessary. Never was a fan 
of that idea but I do like the idea of DR sites for grabbing backups off of 
as I have discussed previously.

 joe

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, April 09, 2004 1:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] using dsacls.exe

Hey Ulf - I see you got home from the summit safely ;-)

In your AD newsgroup post which you referenced below you answered the following question

  Is there a comprehensive reference that identifies each permission required to perform a task? Giving a user the "AddUser" permission is not enough. They also have to have the rights to add objects and child objects, etc etc...

with

  Not that I'm aware of - the rights I don't know I set with the delegation wizard and run dsacls or look into the security tab.

Just want to make sure that everyone is aware of the excellent Delegation Whitepaper, that's been available for a couple of months now:

http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

And don't forget to download the Appendix for this whitepaper, which 
contains all the nitty gritty details on what's required to perform which 
task.

/Guido



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Donnerstag, 8. April 2004 17:10
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] using dsacls.exe

Hello Bart,

see the following post:
http://groups.google.de/[EMAIL PROTECTED]

Ulf B. Simon-Weidner


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Vermeire Bart
Sent: Dienstag, 6. April 2004 06:43
To: [EMAIL PROTECTED]
Subject: [ActiveDir] using dsacls.exe

Hi,
I am struggling with the dsacls.exe tool and hope that someone in this list can answer me.
I need to set permissions on an OU from a CMD line batch file and I am using dsacls.exe for that.
However, setting the "Reset Password" extended right is one task I cannot accomplish.
Can you please 

RE: [ActiveDir] logon scripts

2004-04-13 Thread Roger Seielstad



Except Deji forgets one important piece of information (which is rare for 
him) - VBScript doesn't natively run on Win9x. It requires a separate install of 
Windows Scripting Host.

-- 
Roger D. Seielstad - MTS MCSE 
MS-MVP Sr. Systems 
Administrator Inovis Inc. 


  
  
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, April 13, 2004 12:19 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] logon scripts
  
  Smart guy.
  
  :op
  
  -rtk
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
  Sent: Monday, April 12, 2004 11:13 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] logon scripts
  
  
  I don't have a Win9X to test this on, but 
  Win2K/2K3/XP is fair game for this:
  
  Set wshNetwork = WScript.CreateObject("WScript.Network")
  Set wshShell = WScript.CreateObject("WScript.Shell")

  ' Shares to map, as UNC paths
  str_Group1_Share = "\\myserver\myShare1"
  str_Exec_Share = "\\myserver\myShare2"
  str_BS_Share = "\\myserver\myShare3"
  str_Super_Share = "\\mySuperServer\SuperShare"
  strDriveToMap = "H:"

  ' Bind to the logged-on user through the WinNT provider
  usrName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
  Set usr = GetObject("WinNT://MyDomainName/" & usrName & ",user")

  ' Map drives for the first matching group, then stop
  For Each grp In usr.Groups
      WScript.Echo grp.Name
      If grp.Name = "BS-Group" Then
          wshNetwork.MapNetworkDrive strDriveToMap, str_BS_Share
          Exit For
      ElseIf grp.Name = "SOME_GROUP" Then
          wshNetwork.MapNetworkDrive strDriveToMap, str_Group1_Share
          Exit For
      ElseIf grp.Name = "yet_Another_Group" Or grp.Name = "Super-DuperUser" Then
          wshNetwork.MapNetworkDrive strDriveToMap, str_Super_Share
          wshNetwork.MapNetworkDrive "K:", str_Exec_Share
          Exit For
      End If
  Next

  Set usr = Nothing
  Set wshShell = Nothing
  Set wshNetwork = Nothing
  
  HTH
  
  
  
  
  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  Microsoft MVP - Active Directory
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
  
  
  From: Nathan Casey
  Sent: Mon 4/12/2004 4:17 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] logon scripts
  
  What is a recommended logon script solution that will work with win9x, win2k/xp clients for drive mapping, etc that works similar to Novell logon scripts?
  
  Example:
  IF MEMBER OF "GROUP" THEN BEGIN
   MAP H:=SERVER1\VOL1:
  END
  


[ActiveDir] Firewall

2004-04-13 Thread Douglas M. Long



Do you all force your XP clients to have the 
built-in firewall enabled? Are there any cons (such as some GPs not working) to 
having it enabled? The reason I ask is I am having a problem finding the culprit 
which is causing some users the inability to edit their "editable" (phone 
number, homepage, address, etc) attributes. Thanks in 
advance


RE: [ActiveDir] logon scripts - Kixtart

2004-04-13 Thread Kelly Jeglum



Is anyone using Kixtart as a utility along with their logon scripts?

Kelly J. Jeglum
LAN Mgr. Auxiliary Services
University of Wisconsin Milwaukee

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, April 12, 2004 11:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

LOL!

-rtk


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Monday, April 12, 2004 11:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts


I don't remember telling you my middle name :p




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Rick Kingslan
Sent: Mon 4/12/2004 9:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Smart guy.

:op

-rtk


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Monday, April 12, 2004 11:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts


I don't have a Win9X to test this on, but 
Win2K/2K3/XP is fair game for this:

Set wshNetwork = WScript.CreateObject("WScript.Network")
Set wshShell = WScript.CreateObject("WScript.Shell")

' Shares to map, as UNC paths
str_Group1_Share = "\\myserver\myShare1"
str_Exec_Share = "\\myserver\myShare2"
str_BS_Share = "\\myserver\myShare3"
str_Super_Share = "\\mySuperServer\SuperShare"
strDriveToMap = "H:"

' Bind to the logged-on user through the WinNT provider
usrName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
Set usr = GetObject("WinNT://MyDomainName/" & usrName & ",user")

' Map drives for the first matching group, then stop
For Each grp In usr.Groups
    WScript.Echo grp.Name
    If grp.Name = "BS-Group" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_BS_Share
        Exit For
    ElseIf grp.Name = "SOME_GROUP" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_Group1_Share
        Exit For
    ElseIf grp.Name = "yet_Another_Group" Or grp.Name = "Super-DuperUser" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_Super_Share
        wshNetwork.MapNetworkDrive "K:", str_Exec_Share
        Exit For
    End If
Next

Set usr = Nothing
Set wshShell = Nothing
Set wshNetwork = Nothing

HTH




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Nathan Casey
Sent: Mon 4/12/2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] logon scripts

What is a recommended logon script solution that will work with win9x, win2k/xp clients for drive mapping, etc that works similar to Novell logon scripts?

Example:
IF MEMBER OF "GROUP" THEN BEGIN
 MAP H:=SERVER1\VOL1:
END



Re: [ActiveDir] Firewall

2004-04-13 Thread Robbie Foust
I'm not using the XP firewall yet, but I'll consider it with SP2 since 
it is much better.  The built in firewall isn't supposed to interfere 
with communications with DC's, I think.  Are you getting any specific 
error message when users try to edit their attributes?  Or do they just 
not have permission to do so?  Check the event logs to see if there are 
any errors.

Robbie Foust, IT Analyst
Systems and Core Services
Duke University


Douglas M. Long wrote:

Do you all force your XP clients to have the built-in firewall 
enabled? Are there any cons (such as some GPs not working) to having 
it enabled? The reason I ask is I am having a problem finding the 
culprit which is causing some users the inability to edit their 
editable (phone number, homepage, address, etc) attributes. Thanks 
in advance


RE: [ActiveDir] DFS use question

2004-04-13 Thread Marcus.Oh
I concur... especially considering the restore time in the event that
replication screws up and critical information is pushed off to a
Staging area, inaccessible to the user.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, April 12, 2004 11:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS use question

With all due respect to those that absolutely think that FRS v1 is hot, I'm
quite pleased that there has been this level of success with it.

However, even Microsoft admits that FRS is... well, broken.  It gets better
with each QFE, Service Pack and HotFix, but the basics are just flat broken.

I'm not sure that I'd recommend it for anything remotely critical. But, to
each his own.

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of E Brown
Sent: Monday, April 12, 2004 2:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS use question

This is not out of the realm of FRS.
I work with some folks that sync 240+GB between 12 servers using T-1 as
well..
There are some tuning factors that should be followed:

What is DFS topology?
Make sure you are using dfs & frs tuning docs.
Setup Ultrasound to monitor...
Let me know if you need more details.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Sunday, April 11, 2004 7:06 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] DFS use question


We have one of our largest sites in England and another large site in the
US, with at least a full T-1 between the two sites.  We have a share with
about 70GB of data in it, that both sites regularly need to access.  Would
this be something we could use DFS for with automatic replication, or is
this way out of DFS's range?  And if it's out of the range of DFS, how are
others solving this issue?  A program like Veritas Storage Replicator, or
NSI DoubleTake?  Or will DFS suffice?



RE: [ActiveDir] Firewall

2004-04-13 Thread Justin_Leney

Return Receipt

Your document: RE: [ActiveDir] Firewall
was received by: Justin Leney/US/DCI
at: 04/13/2004 10:05:33 AM






RE: [ActiveDir] Firewall

2004-04-13 Thread simon.geary



Have a look in c:\windows\pfirewall.log to see what traffic is being dropped by the firewall.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: 13 April 2004 14:32
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Firewall

Do you all force your XP clients to have the 
built-in firewall enabled? Are there any cons (such as some GPs not working) to 
having it enabled? The reason I ask is I am having a problem finding the culprit 
which is causing some users the inability to edit their "editable" (phone 
number, homepage, address, etc) attributes. Thanks in 
advance
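
The log check suggested above, as an added example that is not part of the original message: a small Python parser that reads a firewall log in the W3C-style text layout and counts dropped packets per protocol, destination port and source. The sample log lines, the addresses and the function names are constructed for illustration; the column order is read from the log's own #Fields header rather than hard-coded.

```python
from collections import Counter

# Constructed sample (not taken from any real host). 192.0.2.55 plays the
# XP client and 192.0.2.1 plays a domain controller; both are assumptions.
SAMPLE_LOG = """\
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2004-04-13 10:01:12 DROP TCP 192.0.2.10 192.0.2.55 3124 445 48 S 1884322 0 64240 - - -
2004-04-13 10:01:15 DROP TCP 192.0.2.10 192.0.2.55 3124 445 48 S 1884322 0 64240 - - -
2004-04-13 10:02:03 DROP UDP 192.0.2.20 192.0.2.55 137 137 78 - - - - - - -
2004-04-13 10:02:40 OPEN TCP 192.0.2.55 192.0.2.1 1045 389 - - - - - - - -
2004-04-13 10:03:11 DROP ICMP 192.0.2.1 192.0.2.55 - - 60 - - - - 8 0 -
2004-04-13 10:03:30 CLOSE TCP 192.0.2.55 192.0.2.1 1045 389 - - - - - - - -
2004-04-13 10:03:31 DROP TCP 192.0.2.10
"""


def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Only the #Fields directive matters; other directives are skipped.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        values = line.split()
        if len(values) < len(fields):
            continue  # truncated record, e.g. the log was cut mid-write
        yield dict(zip(fields, values))


def summarize_drops(records):
    """Count DROP records per (protocol, destination port, source address)."""
    drops = Counter()
    for rec in records:
        if rec.get("action") == "DROP":
            drops[(rec["protocol"], rec["dst-port"], rec["src-ip"])] += 1
    return drops.most_common()


def drops_from(records, host_ip):
    """Return the DROP records whose source is host_ip (for example a DC)."""
    return [r for r in records
            if r.get("action") == "DROP" and r.get("src-ip") == host_ip]


if __name__ == "__main__":
    recs = list(parse_firewall_log(SAMPLE_LOG))
    for (proto, port, src), count in summarize_drops(recs):
        print(f"{count:3d}  {proto:<4} dst-port={port:<5} from {src}")
    print("dropped from DC:", len(drops_from(recs, "192.0.2.1")))
```

On a real client, pass the contents of the log file to parse_firewall_log instead of SAMPLE_LOG; dropped-packet logging has to be switched on in the firewall's settings for DROP lines to appear.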


RE: [ActiveDir] Firewall

2004-04-13 Thread Depp, Dennis M.
This is not a firewall issue.  The Windows ICF allows all outbound
connections.

Denny 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Tuesday, April 13, 2004 9:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Firewall

I will probably (if testing goes well) implement it when SP2 is out. Today
I'm not using the firewall on my XPs.

Regards,
/Jimmy 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Tuesday, April 13, 2004 3:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Firewall

I'm not using the XP firewall yet, but I'll consider it with SP2 since it is
much better.  The built in firewall isn't supposed to interfere with
communications with DC's, I think.  Are you getting any specific error
message when users try to edit their attributes?  Or do they just not have
permission to do so?  Check the event logs to see if there are any errors.

Robbie Foust, IT Analyst
Systems and Core Services
Duke University




Douglas M. Long wrote:

 Do you all force your XP clients to have the built-in firewall 
 enabled? Are there any cons (such as some GPs not working) to having 
 it enabled? The reason I ask is I am having a problem finding the 
 culprit which is causing some users the inability to edit their 
 editable (phone number, homepage, address, etc) attributes. Thanks 
 in advance



RE: [ActiveDir] Firewall

2004-04-13 Thread Douglas M. Long
The attributes are actually greyed out, and not even editable. I have no
errors in the event log, all of the users that are having the problem (which
I now know is not related to the firewall, due to the fact that I just found
an instance proving otherwise...one more variable out of the way) have the
same GPOs, they are using the same DNS, and the same version and patch
level of XP. I can't think of any other things to check. Any other ideas?
Thanks



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Tuesday, April 13, 2004 9:46 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Firewall


I'm not using the XP firewall yet, but I'll consider it with SP2 since
it is much better.  The built in firewall isn't supposed to interfere
with communications with DC's, I think.  Are you getting any specific
error message when users try to edit their attributes?  Or do they just
not have permission to do so?  Check the event logs to see if there are
any errors.

Robbie Foust, IT Analyst
Systems and Core Services
Duke University




Douglas M. Long wrote:

 Do you all force your XP clients to have the built-in firewall
 enabled? Are there any cons (such as some GPs not working) to having
 it enabled? The reason I ask is I am having a problem finding the
 culprit which is causing some users the inability to edit their
 editable (phone number, homepage, address, etc) attributes. Thanks
 in advance



RE: [ActiveDir] Updating Schema to Windows 2003

2004-04-13 Thread Salandra, Justin A.
So in summary, I should be able to adprep the forest with no problems if
all DC's are running at least Windows 2000 SP3 and Exchange 2003?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Wednesday, April 07, 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I have experienced this.  But I only experienced it on one DL that was a
global group, I changed it to a universal group.  All my DLs are
Universal groups now and I don't have replication issues.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 9:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Have you run into issues with Exchange pointing to GC servers in your
subdomains and not being able to resolve recipients in Distribution list
unless the DL are Universal DL?   

We have:

Root Forest Windows 2000 with Exchange 2000 and most user accounts,
Groups, DLs, etc
Subdomain Windows 2003 with Exchange 2003 - mostly for development /
testing, few accounts

Exchange at times used the DC in the Subdomain for GC lookups.  Our DLs
were not Universal so when Exchange would attempt to resolve the
recipients of the DL using the subdomain GC it would not find any
members. At that point messages would die in the Categorizer queue.
MS solution was to convert all mail enabled groups to Universal or
remove the subdomain DC from the Exchange Directory Servers list.
Universal groups will publish all their members in the GCs, but this
philosophy seems to contradict everything I read early on about trying
to avoid the use of Universal Groups because of the increase in
replication between GCs.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Wednesday, April 07, 2004 9:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

One thing I did not mention is that I have Exchange 2003 deployed in my
forest.  What precautions need to be taken for this.  I read the q
article 325379 but that talks about exchange 2000.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 8:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Nope, I have one running just as you described. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Wednesday, April 07, 2004 8:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

If the forest prep is done, are there any problems if a child domain is
built as a windows 2003 domain while the rest of the forest is still in
windows 2000?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, April 06, 2004 4:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Forest Prep will prepare your forests for the Windows 2003 upgrade.  It
will also expand your schema at that time.

S


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Tuesday, April 06, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I really just want to prepare the forest for windows 2003, I don't need
the domains ready yet.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Tuesday, April 06, 2004 2:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Also, if you stick in the CD to upgrade a server, it will check the
server and AD type, and will not upgrade until you have performed those
steps. It even gives you the steps to perform that you can copy/paste.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, April 06, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I am not aware of any KB articles, but here are the steps that were
performed on our upgrade.

The forest and domains are prepared by using the adprep command on the
schema operations master and infrastructure operations master,
respectively.
(25min)
*   At a command prompt, change to the \I386 directory on the
installation media and then type: d:\i386\adprep /forestprep 
*   When prompted, type 'C', and then press ENTER to begin forest
preparation, or type any other key, and then press ENTER to cancel. 
*   After the forest preparation data has replicated throughout the
forest, prepare the domains for Windows Server 2003 as described below.
The domain preparation operation must be performed on the infrastructure
operations master of each domain in the forest. 
(no 

RE: [ActiveDir] Active Directory GC Locator Services and why Exch ange would STILL be broke if the AD team fixed it - WAS: using dsacls.exe

2004-04-13 Thread Mulnick, Al



Joe(ware) brings up an interesting point. AutoDL has been recommended for group management for some time. I don't expect that this is going to be the push going forward, but only because it hasn't been updated as a reskit item for several years. It works. But it's a workaround and not a very straightforward or client-intuitive one. The client is going to still try to update via OL, even if told otherwise. It's a feature that's been broken since updating that does not exist in 5.5. Since it doesn't do security groups (thank goodness) it is a niche solution IMHO. One that wouldn't scale well in large environments that only wanted to use it for OL replacement of DL modification.

Since the genie is out of the bottle on DL/DG updates via OL, let's not retrain the users to be something they're not, and let's not try to force all the companies around the globe to get rid of older OL versions just for this. It can and should be fixed server side, even if we have to be concerned with multiple domains and some rearchitecting of DG's. I think that's a lot less work in an Exchange environment than replacing the desktop client interface to the email system.

My $0.02 (USD) anyway.

Al


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Monday, April 12, 2004 7:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory GC Locator Services and why Exchange would STILL be broke if the AD team fixed it - WAS: using dsacls.exe


Don't worry. They are just using .NET P/Invoke to call the underlying DS* APIs (according to their architecture diagram), so hopefully fixes at the API level would flow into the managed code that consumes it. Based on Joe's detailed post, it is clear to me that the fix really needs to be considered at a lower level to the stack.

It was definitely the case that the guys discussing S.DS.ActiveDirectory didn't understand the need for the fix (maybe they did after Roger explained; hard to say), but maybe they don't even need to.

I think the real benefit of the new managed code namespace is that for the first time, the functions that were only really available in the DS* APIs will be available to languages other than C++ (or VB with Declare syntax). There still isn't a good script story, but .NET will eventually get that too with MONAD and the like. In the meantime, anyone interested in .NET Directory Services programming can come bug us over at Carlos' Yahoo mailing list :) Now I'm changing the subject

Joe 
Kaplan





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, April 12, 2004 2:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory GC Locator Services and why Exchange would STILL be broke if the AD team fixed it - WAS: using dsacls.exe

Yeah understood. However they shouldn't fix it there, it should just be exposed there. It should be fixed in the underlying code. Not everyone is going to use .NET to get at this stuff and everyone shouldn't be coming up with different methods of doing resource location otherwise it defeats the purpose of having it built in.



-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)








From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, April 12, 2004 2:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory GC Locator Services and why Exchange would STILL be broke if the AD team fixed it - WAS: using dsacls.exe

You missed the session that we attended with regards to s.ds.activedirectory - and that was the team that didn't get it. They're writing from scratch a new interface within the .Net Framework that will include "easy to use" methods for retrieving DC/GC info. It struck a number of us that adding the ability to request a GC homed on a specific domain's DC wouldn't be that hard to implement.

Roger
-- 
Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.



  
  
  
  
  From: joe [mailto:[EMAIL PROTECTED]
  Sent: Monday, April 12, 2004 1:51 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Active Directory GC Locator Services and why Exchange would STILL be broke if the AD team fixed it - WAS: using dsacls.exe

  Hey I wanted to chime in on this one quickly. Note I am not ignoring other posts or the emails I am getting, just trying to dig myself out. In fact I had so many emails about a certain problem with people's understanding of things I made some code changes in CPAU so I can cut down my email volume by a couple of hundred emails every couple of days (I hope). :o)
  
  
  Anyway, I don't think this is a Whidbey issue though I guess Whidbey should know how to leverage the fixes that need to be made.
  
  There are two things I think MS needs to do that I see right off.
  
  1. Add more DNS entries that

RE: [ActiveDir] logon scripts

2004-04-13 Thread deji Agba



What can I say? I'm still jet-lagged, I guess :)

Thanks for the pointer.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Roger Seielstad
Sent: Tue 4/13/2004 6:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Except Deji forgets one important piece of information (which is rare for him) - VBScript doesn't natively run on Win9x. It requires a separate install of Windows Scripting Host.

-- 
Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.




From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 12:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Smart guy.

:op

-rtk


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Monday, April 12, 2004 11:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts


I don't have a Win9X to test this on, but Win2K/2K3/XP is fair game for this:

Set wshNetwork = WScript.CreateObject("WScript.Network")
Set wshShell = WScript.CreateObject("WScript.Shell")

' UNC paths of the shares to map
str_Group1_Share = "\\myserver\myShare1"
str_Exec_Share = "\\myserver\myShare2"
str_BS_Share = "\\myserver\myShare3"
str_Super_Share = "\\mySuperServer\SuperShare"
strDriveToMap = "H:"

' Bind to the logged-on user through the WinNT provider
usrName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
Set usr = GetObject("WinNT://MyDomainName/" & usrName & ",user")

' Map drives for the first matching group, then stop
For Each grp In usr.Groups
    WScript.Echo grp.Name
    If grp.Name = "BS-Group" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_BS_Share
        Exit For
    ElseIf grp.Name = "SOME_GROUP" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_Group1_Share
        Exit For
    ElseIf grp.Name = "yet_Another_Group" Or grp.Name = "Super-DuperUser" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_Super_Share
        wshNetwork.MapNetworkDrive "K:", str_Exec_Share
        Exit For
    End If
Next

' Release the COM objects
Set usr = Nothing
Set wshShell = Nothing
Set wshNetwork = Nothing

HTH




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Nathan Casey
Sent: Mon 4/12/2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] logon scripts

What is a recommended logon script solution that will work with win9x, win2k/xp clients for drive mapping, etc that works similar to Novell logon scripts?

Example:
IF MEMBER OF "GROUP" THEN BEGIN
 MAP H:=SERVER1\VOL1:
END



RE: [ActiveDir] Updating Schema to Windows 2003

2004-04-13 Thread William . Smith

http://support.microsoft.com/default.aspx?scid=kb;en-us;278875






Salandra, Justin A. [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/13/2004 11:02 AM
Please respond to ActiveDir


To:[EMAIL PROTECTED]
cc:
Subject:RE: [ActiveDir] Updating Schema to Windows 2003


So in summary, I should be able to adprep the forest with no problems if
all DC's are running at least Windows 2000 SP3 and Exchange 2003?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Wednesday, April 07, 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I have experienced this. But I only experienced it on one DL that was a
global group, I changed it to a universal group. All my DLs are
Universal groups now and I don't have replication issues.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 9:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Have you run into issues with Exchange pointing to GC servers in your
subdomains and not being able to resolve recipients in Distribution list
unless the DL are Universal DL?  

We have:

Root Forest Windows 2000 with Exchange 2000 and most user accounts,
Groups, DLs, etc
Subdomain Windows 2003 with Exchange 2003 - mostly for development /
testing, few accounts

Exchange at times used the DC in the Subdomain for GC lookups. Our DLs
were not Universal so when Exchange would attempt to resolve the
recipients of the DL using the subdomain GC it would not find any
members. At that point messages would die in the Categorizer queue.
MS solution was to convert all mail enabled groups to Universal or
remove the subdomain DC from the Exchange Directory Servers list.
Universal groups will publish all their members in the GCs, but this
philosophy seems to contradict everything I read early on about trying
to avoid the use of Universal Groups because of the increase in
replication between GCs.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Wednesday, April 07, 2004 9:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

One thing I did not mention is that I have Exchange 2003 deployed in my
forest. What precautions need to be taken for this. I read the q
article 325379 but that talks about exchange 2000.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 8:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Nope, I have one running just as you described. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Wednesday, April 07, 2004 8:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

If the forest prep is done, are there any problems if a child domain is
built as a windows 2003 domain while the rest of the forest is still in
windows 2000?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, April 06, 2004 4:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Forest Prep will prepare your forests for the Windows 2003 upgrade. It
will also expand your schema at that time.

S


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Tuesday, April 06, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I really just want to prepare the forest for windows 2003, I don't need
the domains ready yet.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Tuesday, April 06, 2004 2:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Also, if you stick in the CD to upgrade a server, it will check the
server and AD type, and will not upgrade until you have performed those
steps. It even gives you the steps to perform that you can copy/paste.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, April 06, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I am not aware of any KB articles, but here are the steps that were
performed on our upgrade.

The forest and domains are prepared by using the adprep command on the
schema operations master and infrastructure operations master,
respectively.
(25min)
* At a command prompt, change to the \I386 directory on the
installation media and then type: d:\i386\adprep /forestprep 
* When prompted, type 'C', and then press ENTER to begin forest
preparation, or type any other key, and then press 
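
Added example, not from any of the posts above: the thread reports that Exchange could not expand non-Universal distribution lists through a subdomain GC and that the suggested fix was to convert mail-enabled groups to Universal. This Python script finds the groups that would need converting in an LDIF export of group objects; the sample export, domain names and group names are constructed, and plain (non-base64) attribute values are assumed.

```python
"""Audit an LDIF export for mail-enabled groups that are not Universal."""

# groupType bit flags used by Active Directory group objects.
GLOBAL = 0x00000002
DOMAIN_LOCAL = 0x00000004
UNIVERSAL = 0x00000008
SECURITY_ENABLED = 0x80000000

# Constructed sample export (assumption, not data from the thread).
# groupType is a signed 32-bit integer, so security groups are negative.
SAMPLE_LDIF = """\
# constructed sample data
dn: CN=Sales-DL,OU=Groups,DC=corp,DC=example
objectClass: group
groupType: 2
mail: sales-dl@corp.example
member: CN=Ann,OU=Users,DC=corp,DC=example
member: CN=Bob,OU=Users,DC=corp,DC=example

dn: CN=All-Staff,OU=Groups,DC=corp,DC=example
objectClass: group
groupType: 8
mail: all-staff@corp.example
member: CN=Ann,OU=Users,DC=corp,DC=example

dn: CN=Finance-Sec,OU=Groups,DC=corp,DC=example
objectClass: group
groupType: -2147483646
mail: finance@corp.example
member: CN=Cy,OU=Users,DC=corp,DC=example

dn: CN=Print-Operators-Local,OU=Groups,DC=corp,
 DC=example
objectClass: group
groupType: -2147483644

dn: CN=Exec-Sec,OU=Groups,DC=corp,DC=example
objectClass: group
groupType: -2147483640
mail: exec@corp.example
"""


def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return one dict per entry: lower-cased attribute name -> list of values."""
    entries, current = [], {}
    for line in unfold(text) + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):          # LDIF comment
            continue
        name, sep, value = line.partition(":")
        if sep:
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def decode_group_type(raw):
    """Return (scope, is_security) for a groupType value given as text."""
    value = int(raw) & 0xFFFFFFFF         # undo the signed representation
    if value & UNIVERSAL:
        scope = "universal"
    elif value & GLOBAL:
        scope = "global"
    elif value & DOMAIN_LOCAL:
        scope = "domain local"
    else:
        scope = "unknown"
    return scope, bool(value & SECURITY_ENABLED)


def audit(text):
    """List mail-enabled groups whose scope is not Universal."""
    findings = []
    for entry in parse_ldif(text):
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "group" not in classes or not entry.get("mail"):
            continue                      # not a group, or not mail-enabled
        if not entry.get("grouptype"):
            continue                      # cannot classify without groupType
        scope, security = decode_group_type(entry["grouptype"][0])
        if scope != "universal":
            findings.append({
                "dn": entry["dn"][0],
                "scope": scope,
                "security": security,
                "members": len(entry.get("member", [])),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LDIF):
        kind = "security" if f["security"] else "distribution"
        print(f'{f["dn"]}: {f["scope"]} {kind} group, {f["members"]} member(s)')
```

Security-enabled groups in the output deserve a second look before conversion, since changing their scope also changes where they can be used in ACLs.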

RE: [ActiveDir] Wlan AD Security

2004-04-13 Thread Mulnick, Al
That's a pretty valid argument to put any access to your network into an
untrusted network segment, isn't it?  Remote access, wired access (what
about vendors that jack-in?) etc. 

There's some talk about using the reskit stuff to quarantine the network
access.  Some of the AP providers offer this type of usage as well.  One of
the better ways to accomplish authorized access only is to use strong
authentication.  WEP isn't it.  Cracking WEP is published and pretty quick.
MAC layer isn't all that great either since you can spoof the MAC address to
gain access. Certificates are nice, except that some of your downlevel and
handheld devices won't like it.  


I'd say this is a pretty valid argument to rethink security (for many
companies) from a keep out the bad guys and we'll be fine mentality to a
let's figure out what we need to protect on our network and add security to
those parts to protect from outside the firewall as well as the inside of
the firewall mentality.  When you can sip coffee or favorite hot beverage
of choice downstairs and wander a company's network two floors above or
across the street, the possibilities are limitless.  

I favor the certificate method and VPN for wireless access, but that only
addresses part of the issue IMHO.

Al  



 

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 13, 2004 12:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Wlan  AD Security

Chris,

We sometimes become off-topic city.  No worries there

This is an interesting topic, and one that I will fall clearly on one side
of it because of my experiences at my company.

 Treat your access points like untrusted computers in the public
DMZ. 

There is really no way that one should treat an access point in any other
way.  Given that the signals coming into an AP cannot truly be verified,
then one must add extra methods to insure security.  The way that I prefer
to see this accomplished is by placing the AP's into an untrusted area of the
network, applying a 128-bit WEP key, then using some added methods
consistent with 802.1x.  This can either be PEAP (using RADIUS / IAS),
Cisco's LEAP, or other secure methods for providing strong authentication.
Obviously, stronger the better, and two-factor (RSA fob, smart card, what
have you) is magnitudes better than a single factor authN.

I'm still fighting to get my APs at work in the DMZ.  They are, at present,
on our internal network.  They are PEAP protected, but somehow I'm just not
all that heartened by the simple addition of PEAP to untrusted devices.

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris Blair
Sent: Monday, April 12, 2004 8:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Wlan  AD Security

This may be slightly Off Topic, Sorry. I am looking to deploy wireless access
points for our users to access our AD. I am currently reading the white
paper from Microsoft named Enterprise Deployment of Secure 802.11 Networks
Using Microsoft Windows. Has anyone else implemented this? I have also read
about putting the AP's outside of the network and using VPN to access any AD
related resources. Sounds easier, but is it as secure? Does anyone else have
any other solutions?
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Firewall

2004-04-13 Thread Mulnick, Al
Permissions?  What else is different about them?  Just because they have the
same GPO's, are they applied as expected to the users affected?  Are they in
the same OU's etc?
RSOP might be a worthwhile tool to look at if you suspect the GPO is not
firing correctly but greyed out tabs are usually due to only having read
permissions on the attribute.  If this is unexpected, then have a look at
your process to apply the permissions and see if anything went astray there.

Al


 

-Original Message-
From: Douglas M. Long [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 13, 2004 10:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Firewall

The attributes are actually greyed out, and not even editable. I have no
errors in the event log, all of the users that are having the problem (which
I now know is not related to the firewall, due to the fact that I just found
an instance proving otherwise...one more variable out of the way) have the
same GPOs, they are using the same DNS, and the same version and patch
level of XP. I can't think of any other things to check. Any other ideas?
Thanks



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robbie Foust
Sent: Tuesday, April 13, 2004 9:46 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Firewall


I'm not using the XP firewall yet, but I'll consider it with SP2 since it is
much better.  The built in firewall isn't supposed to interfere with
communications with DC's, I think.  Are you getting any specific error
message when users try to edit their attributes?  Or do they just not have
permission to do so?  Check the event logs to see if there are any errors.

Robbie Foust, IT Analyst
Systems and Core Services
Duke University




Douglas M. Long wrote:

 Do you all force your XP clients to have the built-in firewall 
 enabled? Are there any cons (such as some GPs not working) to having 
 it enabled? The reason I ask is I am having a problem finding the 
 culprit which is causing some users the inability to edit their 
 editable (phone number, homepage, address, etc) attributes. Thanks 
 in advance

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] logon scripts

2004-04-13 Thread Roger Seielstad



To quote Tony Murray-Smith - "I'm still trying to get used to being sober"

-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  From: deji Agba [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, April 13, 2004 11:11 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] logon scripts

  What can I say? I'm still jet-lagged, I guess :)

  Thanks for the pointer.

  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  Microsoft MVP - Active Directory
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

  From: Roger Seielstad
  Sent: Tue 4/13/2004 6:24 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] logon scripts

  Except Deji forgets one important piece of information (which is rare for him) - VBScript doesn't natively run on Win9x. It requires a separate install of Windows Scripting Host.

  -- 
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.

From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 12:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Smart guy.

:op

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Monday, April 12, 2004 11:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

I don't have a Win9X to test this on, but Win2K/2K3/XP is fair game for this:

Set wshNetwork = WScript.CreateObject("WScript.Network")
Set wshShell = WScript.CreateObject("WScript.Shell")

' UNC paths of the shares to map
str_Group1_Share = "\\myserver\myShare1"
str_Exec_Share = "\\myserver\myShare2"
str_BS_Share = "\\myserver\myShare3"
str_Super_Share = "\\mySuperServer\SuperShare"
strDriveToMap = "H:"

' Bind to the logged-on user through the WinNT provider
usrName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
Set usr = GetObject("WinNT://MyDomainName/" & usrName & ",user")

' Map drives for the first matching group, then stop
For Each grp In usr.Groups
    WScript.Echo grp.Name
    If grp.Name = "BS-Group" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_BS_Share
        Exit For
    ElseIf grp.Name = "SOME_GROUP" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_Group1_Share
        Exit For
    ElseIf grp.Name = "yet_Another_Group" Or grp.Name = "Super-DuperUser" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_Super_Share
        wshNetwork.MapNetworkDrive "K:", str_Exec_Share
        Exit For
    End If
Next

' Release the COM objects
Set usr = Nothing
Set wshShell = Nothing
Set wshNetwork = Nothing

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Nathan Casey
Sent: Mon 4/12/2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] logon scripts

What is a recommended logon script solution that will work with win9x, win2k/xp clients for drive mapping, etc that works similar to Novell logon scripts?

Example:
IF MEMBER OF "GROUP" THEN BEGIN
 MAP H:=SERVER1\VOL1:
END



RE: [ActiveDir] DFS use question

2004-04-13 Thread Marcus.Oh
Have you checked out the latest features in the Robocopy that comes w/
Windows 2003 Reskit?  Very cool stuff... 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, April 13, 2004 9:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DFS use question


What would you all recommend instead?  NSI DoubleTake? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 8:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS use question

I concur... especially considering the restore time in the event that
replication screws up and critical information is pushed off to a Staging
area, inaccessible to the user.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, April 12, 2004 11:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS use question

With all due respect to those that absolutely think that FRS v1 is hot, I'm
quite pleased that there has been this level of success with it.

However, even Microsoft admits that FRS is... well, broken.  It gets better
with each QFE, Service Pack and HotFix, but the basics are just flat broken.

I'm not sure that I'd recommend it for anything remotely critical. But, to
each his own.

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of E Brown
Sent: Monday, April 12, 2004 2:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS use question

This is not out of the realm of FRS.
I work with some folks that sync 240+GB between 12 servers using T-1 as
well..
There are some tuning factors that should be followed:

What is DFS topology?
Make sure you using dfs  frs tuning docs.
Setup Ultrasound to monitor...
Let me know if you need more details.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Sunday, April 11, 2004 7:06 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] DFS use question


We have one of our largest sites in England and another large site in the
US, with at least a full T-1 between the two sites.  We have a share with
about 70GB of data in it, that both sites regularly need to access.  Would
this be something we could use DFS for with automatic replication, or is
this way out of DFS's range?  And if it's out of the range of DFS, how are
others solving this issue?  A program like Veritas Storage Replicator, or
NSI DoubleTake?  Or will DFS suffice?

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] logon scripts

2004-04-13 Thread Jimmy Andersson



Sober? What's that??? :)

/Jimmy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, April 13, 2004 6:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

To quote Tony Murray-Smith - "I'm still trying to get used to being sober"

-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  From: deji Agba [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, April 13, 2004 11:11 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] logon scripts

  What can I say? I'm still jet-lagged, I guess :)

  Thanks for the pointer.

  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  Microsoft MVP - Active Directory
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

  From: Roger Seielstad
  Sent: Tue 4/13/2004 6:24 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] logon scripts

  Except Deji forgets one important piece of information (which is rare for him) - VBScript doesn't natively run on Win9x. It requires a separate install of Windows Scripting Host.

  -- 
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.

From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 12:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Smart guy.

:op

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Monday, April 12, 2004 11:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

I don't have a Win9X to test this on, but Win2K/2K3/XP is fair game for this:

Set wshNetwork = WScript.CreateObject("WScript.Network")
Set wshShell = WScript.CreateObject("WScript.Shell")

' UNC paths of the shares to map
str_Group1_Share = "\\myserver\myShare1"
str_Exec_Share = "\\myserver\myShare2"
str_BS_Share = "\\myserver\myShare3"
str_Super_Share = "\\mySuperServer\SuperShare"
strDriveToMap = "H:"

' Bind to the logged-on user through the WinNT provider
usrName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
Set usr = GetObject("WinNT://MyDomainName/" & usrName & ",user")

' Map drives for the first matching group, then stop
For Each grp In usr.Groups
    WScript.Echo grp.Name
    If grp.Name = "BS-Group" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_BS_Share
        Exit For
    ElseIf grp.Name = "SOME_GROUP" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_Group1_Share
        Exit For
    ElseIf grp.Name = "yet_Another_Group" Or grp.Name = "Super-DuperUser" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_Super_Share
        wshNetwork.MapNetworkDrive "K:", str_Exec_Share
        Exit For
    End If
Next

' Release the COM objects
Set usr = Nothing
Set wshShell = Nothing
Set wshNetwork = Nothing

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Nathan Casey
Sent: Mon 4/12/2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] logon scripts

What is a recommended logon script solution that will work with win9x, win2k/xp clients for drive mapping, etc that works similar to Novell logon scripts?

Example:
IF MEMBER OF "GROUP" THEN BEGIN
 MAP H:=SERVER1\VOL1:
END



RE: [ActiveDir] DFS use question

2004-04-13 Thread Rimmerman, Russ

Would that work ok on an all Win2000 domain on Win2000 servers? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 9:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS use question

Have you checked out the latest features in the Robocopy that comes w/
Windows 2003 Reskit?  Very cool stuff... 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, April 13, 2004 9:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DFS use question


What would you all recommend instead?  NSI DoubleTake? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 8:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS use question

I concur... especially considering the restore time in the event that
replication screws up and critical information is pushed off to a Staging
area, inaccessible to the user.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, April 12, 2004 11:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS use question

With all due respect to those that absolutely think that FRS v1 is hot, I'm
quite pleased that there has been this level of success with it.

However, even Microsoft admits that FRS is... well, broken.  It gets better
with each QFE, Service Pack and HotFix, but the basics are just flat broken.

I'm not sure that I'd recommend it for anything remotely critical. But, to
each his own.

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of E Brown
Sent: Monday, April 12, 2004 2:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS use question

This is not out of the realm of FRS.
I work with some folks that sync 240+GB between 12 servers using T-1 as
well..
There are some tuning factors that should be followed:

What is DFS topology?
Make sure you using dfs  frs tuning docs.
Setup Ultrasound to monitor...
Let me know if you need more details.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Sunday, April 11, 2004 7:06 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] DFS use question


We have one of our largest sites in England and another large site in the
US, with at least a full T-1 between the two sites.  We have a share with
about 70GB of data in it, that both sites regularly need to access.  Would
this be something we could use DFS for with automatic replication, or is
this way out of DFS's range?  And if it's out of the range of DFS, how are
others solving this issue?  A program like Veritas Storage Replicator, or
NSI DoubleTake?  Or will DFS suffice?

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] logon scripts

2004-04-13 Thread Mulnick, Al



Jet-lagged? Did you take a long detour on the way home? :)

From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 11:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

What can I say? I'm still jet-lagged, I guess :)

Thanks for the pointer.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Roger Seielstad
Sent: Tue 4/13/2004 6:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Except Deji forgets one important piece of information (which is rare for him) - VBScript doesn't natively run on Win9x. It requires a separate install of Windows Scripting Host.

-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, April 13, 2004 12:19 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] logon scripts

  Smart guy.

  :op

  -rtk

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
  Sent: Monday, April 12, 2004 11:13 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] logon scripts

  I don't have a Win9X to test this on, but Win2K/2K3/XP is fair game for this:

  Set wshNetwork = WScript.CreateObject("WScript.Network")
  Set wshShell = WScript.CreateObject("WScript.Shell")

  ' UNC paths of the shares to map
  str_Group1_Share = "\\myserver\myShare1"
  str_Exec_Share = "\\myserver\myShare2"
  str_BS_Share = "\\myserver\myShare3"
  str_Super_Share = "\\mySuperServer\SuperShare"
  strDriveToMap = "H:"

  ' Bind to the logged-on user through the WinNT provider
  usrName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
  Set usr = GetObject("WinNT://MyDomainName/" & usrName & ",user")

  ' Map drives for the first matching group, then stop
  For Each grp In usr.Groups
      WScript.Echo grp.Name
      If grp.Name = "BS-Group" Then
          wshNetwork.MapNetworkDrive strDriveToMap, str_BS_Share
          Exit For
      ElseIf grp.Name = "SOME_GROUP" Then
          wshNetwork.MapNetworkDrive strDriveToMap, str_Group1_Share
          Exit For
      ElseIf grp.Name = "yet_Another_Group" Or grp.Name = "Super-DuperUser" Then
          wshNetwork.MapNetworkDrive strDriveToMap, str_Super_Share
          wshNetwork.MapNetworkDrive "K:", str_Exec_Share
          Exit For
      End If
  Next

  ' Release the COM objects
  Set usr = Nothing
  Set wshShell = Nothing
  Set wshNetwork = Nothing

  HTH

  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  Microsoft MVP - Active Directory
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

  From: Nathan Casey
  Sent: Mon 4/12/2004 4:17 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] logon scripts

  What is a recommended logon script solution that will work with win9x, win2k/xp clients for drive mapping, etc that works similar to Novell logon scripts?

  Example:
  IF MEMBER OF "GROUP" THEN BEGIN
   MAP H:=SERVER1\VOL1:
  END
  


RE: [ActiveDir] Firewall

2004-04-13 Thread Douglas M. Long
I can't find anything else different. I get the same results for working
and non-working users when I run gpresult. They are in the same OU, and
GPs are applied as expected. I may sound stupid, but where do I set the
attribute permissions for a single user? Isn't that something that I would
have had to intentionally do (and would most likely have remembered)?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, April 13, 2004 12:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Firewall


Permissions?  What else is different about them?  Just because they have the
same GPO's, are they applied as expected to the users affected?  Are they in
the same OU's etc?
RSOP might be a worthwhile tool to look at if you suspect the GPO is not
firing correctly but greyed out tabs are usually due to only having read
permissions on the attribute.  If this is unexpected, then have a look at
your process to apply the permissions and see if anything went astray there.

Al




-Original Message-
From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 10:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Firewall

The attributes are actually greyed out, and not even editable. I have no
errors in the event log, all of the users that are having the problem (which
I now know is not related to the firewall, due to the fact that I just found
an instance proving otherwise...one more variable out of the way) have the
same GPOs, they're using the same DNS, and the same version and patch
level of XP. I can't think of any other things to check. Any other ideas?
Thanks



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robbie Foust
Sent: Tuesday, April 13, 2004 9:46 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Firewall


I'm not using the XP firewall yet, but I'll consider it with SP2 since it is
much better.  The built in firewall isn't supposed to interfere with
communications with DC's, I think.  Are you getting any specific error
message when users try to edit their attributes?  Or do they just not have
permission to do so?  Check the event logs to see if there are any errors.

Robbie Foust, IT Analyst
Systems and Core Services
Duke University




Douglas M. Long wrote:

 Do you all force your XP clients to have the built-in firewall
 enabled? Are there any cons (such as some GPs not working) to having
 it enabled? The reason I ask is I am having a problem finding the
 culprit which is causing some users the inability to edit their
 editable (phone number, homepage, address, etc) attributes. Thanks
 in advance

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] logon scripts - Kixtart

2004-04-13 Thread Raymond McClinnis

We too are using Script logic, but we've
had problems in the past running it over our WAN.  That being said our problems
are not typical and are a drawback from our wonderful bridged WAN
and have nothing to do with the product.

I like script logic though, it's
very basic and easy to learn and understand.  I've been able to do a lot
of stuff with a couple of clicks in SL that would require a couple lines
of code in VB.

Thanks,
Raymond

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 6:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts - Kixtart

We do.
Actually, we also use ScriptLogic which greatly improves the process of putting
together kixtart scripts for diverse groups with many different requirements.
If you're just getting started with KiXtart, I'd highly recommend
taking a look at the message boards and other resources at www.kixtart.org, as well as
scriptlogic's own site.

mc

-Original Message-
From: Kelly Jeglum [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 9:36 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] logon scripts - Kixtart

Is anyone using Kixtart as a utility
along with their logon scripts?

Kelly J. Jeglum
LAN Mgr. Auxiliary Services
University of Wisconsin Milwaukee

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, April 12, 2004 11:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

LOL!

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Monday, April 12, 2004 11:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

I don't remember telling you my
middle name :p

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that
Today is the Tomorrow you were worried about Yesterday? -anon

From: Rick Kingslan
Sent: Mon 4/12/2004 9:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Smart guy.

:op

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Monday, April 12, 2004 11:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

I don't have a Win9X to test this
on, but Win2K/2K3/XP is fair game for this:

Set wshNetwork = WScript.CreateObject("WScript.Network")
Set wshShell = WScript.CreateObject("WScript.Shell")

' Shares to map (MapNetworkDrive expects UNC paths)
str_Group1_Share = "\\myserver\myShare1"
str_Exec_Share = "\\myserver\myShare2"
str_BS_Share = "\\myserver\myShare3"
str_Super_Share = "\\mySuperServer\SuperShare"
strDriveToMap = "H:"

' Bind to the logged-on user through the WinNT provider
usrName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
Set usr = GetObject("WinNT://MyDomainName/" & usrName & ",user")

' Map drives for the first group that matches, then stop
For Each grp In usr.Groups
    WScript.Echo grp.Name
    If grp.Name = "BS-Group" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_BS_Share
        Exit For
    ElseIf grp.Name = "SOME_GROUP" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_Group1_Share
        Exit For
    ElseIf grp.Name = "yet_Another_Group" Or grp.Name = "Super-DuperUser" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_Super_Share
        wshNetwork.MapNetworkDrive "K:", str_Exec_Share
        Exit For
    End If
Next

' Release the objects
Set usr = Nothing
Set wshShell = Nothing
Set wshNetwork = Nothing

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that
Today is the Tomorrow you were worried about Yesterday? -anon

From: Nathan Casey
Sent: Mon 4/12/2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] logon scripts

What is a recommended logon script solution that will
work with win9x, win2k/xp clients for drive mapping, etc that works similar to
Novell logon scripts?

Example:
IF MEMBER OF "GROUP" THEN BEGIN
 MAP H:=SERVER1\VOL1:
END


[ActiveDir] enterprise-wide accounts

2004-04-13 Thread Creamer, Mark

We'd like to eventually trim down the number of domains and get to an OU-based
administrative model. But in the mean time, we have identified a couple of
people that we want to have domain admin rights in all domains. I know that
making them an enterprise admin allows them domain admin rights on the DCs in
each domain because of membership in the BUILTIN\Administrators group in each
domain. But that doesn't allow logon to all the member servers. How do I
best grant domain admin-level rights across all domains in the
forest with a single logon for each of these persons? Looking for a best
practice.

Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do


RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread Depp, Dennis M.



What about adding them to each domain admins group for each domain?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] enterprise-wide accounts

We'd like to eventually trim down the number of domains and get to an OU-based
administrative model. But in the mean time, we have identified a couple of
people that we want to have domain admin rights in all domains. I know that
making them an enterprise admin allows them domain admin rights on the DCs in
each domain because of membership in the BUILTIN\Administrators group in each
domain. But that doesn't allow logon to all the member servers. How do I best
grant domain admin-level rights across all domains in the forest with a single
logon for each of these persons? Looking for a best practice.

Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do



RE: [ActiveDir] Photos in Active Directory

2004-04-13 Thread mikeb
All,

Thanks for the feedback.  There's some good information here that will help us 
determine the best way to do this.  We're going to have an AMER and EMEA domain with 
an empty root but want to quickly and easily obtain the photo of any individual for 
security purposes.  Over 60,000 users.

I agree that it's not necessarily something that we want replicated on all domain 
controllers.  But the nature of our WAN dictates that we need to have all photos 
fairly local -- pulling from across the Atlantic is too tedious even for small files.  
We have decent connectivity within those domains.

I originally was leaning toward SQL with a web front-end and deal with the latency (or 
replicate/cluster).  However, AD/AM is an interesting idea as well as we can then have 
separate front-ends and pull from the replicated (only where necessary) database.  
We're going to have additional issues like how do we get digital photos of everyone 
and who's going to crop or compress all of the photos, etc, etc,etc.  Sounds like 
fun...


Thanks,
Mike

 Guido's response is the first thing I thought of as well. 
 
 I don't think AD is a proper place for that info for a couple of reasons
 
 1. Do you really need this replicated to every DC?
 2. If someone dumps your AD, they get all of the photos too, how many people
 would like to have their entire company including photos of everyone
 distributed around. I personally don't like having my photo floating around
 and don't have it in our corporate photo system (which is a web site, not in
 AD).
 3. You are growing your DIT for no real NOS benefit.
 4. You could really live to regret this when people decide to get creative.
 
 Also, how do you intend to display this info? Obviously having it out there
 is for the single purpose of displaying it later. If you have people put it
 in and no way to display, someone will call you out on that.
 
 I would stick this info in an AD/AM or SQL Server or something along those
 lines. Also put up some strict standards on what images get added. I know of
 a case where some monkey where I work had a picture of himself with a cat
 in the hat hat on. I recall seeing that photo one day, hearing he
 complained up to the IT Director under the CIO for something or another and
 then hearing from some friends that his cat in the hat photo was suddenly
 gone from the directory. So I figure the Director wanted to look this gomer
 up in the Org list and up popped that photo much to the director's distaste.
 I have also seen some other more frightful images for a corporate directory
 that could spawn lawsuits. 
 
   joe
  
 
 -
 http://www.joeware.net   (download joeware)
 http://www.cafeshops.com/joewarenet  (wear joeware)
  
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
 Sent: Friday, April 09, 2004 1:43 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Photos in Active Directory
 
 WARNING: let's look at the security aspects of photos in AD from another
 side. You need to be aware that the photo attribute is editable by default
 by every user himself (just like all the other attributes which are part of
 the personal information property set).
 
 But the photo-attribute is somewhat special: it's a binary blob which
 basically has no size limit... (depends on LDAP policy max msg size).
 This means that if you don't lock down this attribute, every user could
 potentially upload really large images (think of a 1 GB image) to this
 attribute and kill all your DCs anytime he'd like either through
 replication or simply growing the DIT-file over the limits of your disks.
 
 So even if you're not going to use this attribute to store photos, you
 should also ensure that nobody else does it for you.
 
 /Guido
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
 Sent: Dienstag, 6. April 2004 17:55
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Photos in Active Directory
 
 I think the benefit is obvious - security.
 
 You may want to consider using Active Directory Application Mode or setting
 up an Application Partition in AD (assuming you are using W2K3).
 Either would enable you to isolate the data & replication.
 
 Photos shouldn't change much so once you have done your initial replication
 there shouldn't really be any additional traffic to bear.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
 Sent: Tuesday, April 06, 2004 12:51 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Photos in Active Directory
 
 It all depends on how large your organisation is I guess, how many sites,
 WAN links, etc. I wouldn't really recommend it as you really want to keep
 your AD as small as possible for replication and performance reasons.
 
 What benefit will you get out of having users' photos in the user object? 
 
 -Original Message-
 From: [EMAIL 

RE: [ActiveDir] Wlan AD Security

2004-04-13 Thread Guy Teverovsky
I would say that the link below gives a pretty good reason for not
plugging APs into internal LAN:
http://www.cisco.com/en/US/products/products_security_advisory09186a00802119c8.shtml

Guy

On Tue, 2004-04-13 at 18:12, Mulnick, Al wrote:
 That's a pretty valid argument to put any access to your network into an
 untrusted network segment, isn't it?  Remote access, wired access (what
 about vendors that jack-in?)etc. 
 
 There's some talk about using the reskit stuff to quarantine the network
 access.  Some of the AP providers offer this type of usage as well.  One of
 the better ways to accomplish authorized access only is to use strong
 authentication.  WEP isn't it.  Cracking WEP is published and pretty quick.
 MAC layer isn't all that great either since you can spoof the MAC address to
 gain access. Certificates are nice, except that some of your downlevel and
 handheld devices won't like it.  
 
 
 I'd say this is a pretty valid argument to rethink security (for many
 companies) from a keep out the bad guys and we'll be fine mentality to a
 let's figure out what we need to protect on our network and add security to
 those parts to protect from outside the firewall as well as the inside of
 the firewall mentality.  When you can sip coffee or favorite hot beverage
 of choice downstairs and wander a company's network two floors above or
 across the street, the possibilities are limitless.  
 
 I favor the certificate method and VPN for wireless access, but that only
 addresses part of the issue IMHO.
 
 Al  
 
 
 
  
 
 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, April 13, 2004 12:13 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Wlan  AD Security
 
 Chris,
 
 We sometimes become off-topic city.  No worries there
 
 This is an interesting topic, and one that I will fall clearly on one side
 of it because of my experiences at my company.
 
  Treat your access points like untrusted computers in the public
 DMZ. 
 
 There is really no way that one should treat an access point in any other
 way.  Given that the signals coming into an AP cannot truly be verified,
 then one must add extra methods to insure security.  The way that I prefer
 to see this accomplished is by placing the AP's into an untrusted area of the
 network, applying a 128-bit WEP key, then using some added methods
 consistent with 802.1x.  This can either be PEAP (using RADIUS / IAS),
 Cisco's LEAP, or other secure methods for providing strong authentication.
 Obviously, stronger the better, and two-factor (RSA fob, smart card, what
 have you) is magnitudes better than a single factor authN.
 
 I'm still fighting to get my APs at work in the DMZ.  They are, at present,
 on our internal network.  They are PEAP protected, but somehow I'm just not
 all that heartened by the simple addition of PEAP to untrusted devices.
 
 Rick Kingslan  MCSE, MCSA, MCT, CISSP
 Microsoft MVP:
 Windows Server / Directory Services
 Windows Server / Rights Management
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
 WebLog - www.msmvps.com/willhack4food
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Chris Blair
 Sent: Monday, April 12, 2004 8:47 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Wlan  AD Security
 
 This may be slightly Off Topic, Sorry. I am looking to deploy wireless access
 points for our users to access our AD. I am currently reading the white
 paper from Microsoft named Enterprise Deployment of Secure 802.11 Networks
 Using Microsoft Windows. Has anyone else implemented this? I have also read
 about putting the AP's outside of the network and using VPN to access any AD
 related resources. Sounds easier, but is it as secure? Does anyone else have
 any other solutions?
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] DFS use question

2004-04-13 Thread Mulnick, Al
Robocopy is a program that copies files and as I recall, can be scheduled.
But if I understand the requirements properly, that's not all you
really need.  It sounds like the files get used by users on both sides of
the pond and potentially, what you may really need is a library type
application.  The deciding point is whether or not the users want access to
the same files or not for update.  Do they need to check-in and check-out
documents for document control?  Or is this all just read-only information
for them to consume?  If just to read the information, then you are looking
for a product with the characteristics of being able to keep the information
in synch within a given time period.  

DoubleTake could probably do this for you, but it's not really supposed to
do just that.  It's more of a side benefit from what I've seen.  Robocopy
could do it, but it may not be able to handle the synchronization timelines
if too tight for the bandwidth.  DFS is capable of doing this, but you'd
want to check it out and understand that it has some limitations.  Many will
tell you to stay away, while others will swear by it.  YMMV is the bottom
line since the product devs will tell you it absolutely can do this.

Before you go any further, can you let us know what the client usage
requirement is?  If they use the documents in a library function, then none
of the previous mentioned items will likely make you happy IMHO.

Al
 

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 13, 2004 12:50 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DFS use question


Would that work ok on an all Win2000 domain on Win2000 servers? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 9:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS use question

Have you checked out the latest features in the Robocopy that comes w/
Windows 2003 Reskit?  Very cool stuff... 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, April 13, 2004 9:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DFS use question


What would you all recommend instead?  NSI DoubleTake? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 8:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS use question

I concur... especially considering the restore time in the event that
replication screws up and critical information is pushed off to a Staging
area, inaccessible to the user.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, April 12, 2004 11:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS use question

With all due respect to those that absolutely think that FRS v1 is hot, I'm
quite pleased that there has been this level of success with it.

However, even Microsoft admits that FRS is... well, broken.  It gets better
with each QFE, Service Pack and HotFix, but the basics are just flat broken.

I'm not sure that I'd recommend it for anything remotely critical. But, to
each his own.

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of E Brown
Sent: Monday, April 12, 2004 2:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS use question

This is not out of the realm of FRS.
I work with some folks that sync 240+GB between 12 servers using T-1 as
well..
There are some tuning factors that should be followed:

What is DFS topology?
Make sure you're using dfs & frs tuning docs.
Setup Ultrasound to monitor...
Let me know if you need more details.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Sunday, April 11, 2004 7:06 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] DFS use question


We have one of our largest sites in England and another large site in the
US, with at least a full T-1 between the two sites.  We have a share with
about 70GB of data in it, that both sites regularly need to access.  Would
this be something we could use DFS for with automatic replication, or is
this way out of DFS's range?  And if it's out of the range of DFS, how are
others solving this issue?  A program like Veritas Storage Replicator, or
NSI DoubleTake?  Or will DFS suffice?


[ActiveDir] GPO

2004-04-13 Thread Salandra, Justin A.
I used a Windows XP client running the GPMC and setup items in a GPO
that are for Windows XP and higher, however it appears that they are not
going into effect.  I should not need a 2003 DC running in order to have
these GPO settings take effect right? 

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread Cary, Mark
Could you use a Universal Group?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 3:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts


What about adding them to each domain admins group for each domain?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] enterprise-wide accounts


We'd like to eventually trim down the number of domains and get to an OU-based 
administrative model. But in the mean time, we have identified a couple of people that 
we want to have domain admin rights in all domains. I know that making them an 
enterprise admin allows them domain admin rights on the DCs in each domain because of 
membership in the BUILTIN\Administrators group in each domain. But that doesn't allow 
logon to all the member servers. How do I best grant domain admin-level rights 
across all domains in the forest with a single logon for each of these persons? 
Looking for a best practice.

Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Photos in Active Directory

2004-04-13 Thread Grillenmeier, Guido
If you're using this for security reasons, then the main challenge will not only be 
how to get a digital photo of everyone, but also to prove that the jpeg.file you're 
receiving to upload into AD is really the person who it's supposed to represent... - 
I'm sure that's the most fun part.  And obviously you must limit the permissions on 
the appropriate attribute in AD as previously mentioned.

The quality of the photos will really dictate what you can do with it and what the 
impact on AD would be - do you only need it for a rough visual comparison on a 
monitor (5-6 KB thumbnail JPEG of a face will do) or do you need a picture to view on 
a monitor at a distance (i.e. full page) which is also good enough to print as small 
picture (25-35 KB JPEG file) e.g. to create badges.  I won't even consider mentioning 
high-res pictures.

But the two examples above, calculated for 60,000 users will roughly grow your AD dit 
file as follows:
Thumbnail   (5-6 KB) =   300 -   360 MB
Full Page (25-35 KB) = 1.500 - 2.100 MB

As I expect your dit to be at roughly 2-3 GB right now without the photos, you'd be 
talking about an increase of approx. 10% vs. 50% of data in AD.  I was just interested 
myself on the impact on AD in a scenario such as yours which is why I did this rough 
estimate.

As such the thumbnail option isn't really that much of an impact on AD after all... But 
don't forget that you'll have to add the photo-attribute to the GC PAS (currently not 
the case) if you truly want to access the data no matter which DC you connect to.  
However, if you accept the size increase, it shouldn't add too much to your daily 
replication volume (once all the photos are in AD), as this data should be pretty 
static (unless you plan to update it every day with the most current picture of the 
user ;-))

But no matter what, you'll definitely have more flexibility using a separate store for 
the photo data and just linking the right picture to the right AD account. You'll even 
be able to delegate the task of updating the pictures much easier without having to 
trust your NOS directory admins that they don't fool around with this security data.

/Guido


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Dienstag, 13. April 2004 22:18
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Photos in Active Directory

All,

Thanks for the feedback.  There's some good information here that will help us 
determine the best way to do this.  We're going to have an AMER and EMEA domain with 
an empty root but want to quickly and easily obtain the photo of any individual for 
security purposes.  Over 60,000 users.

I agree that it's not necessarily something that we want replicated on all domain 
controllers.  But the nature of our WAN dictates that we need to have all photos 
fairly local -- pulling from across the Atlantic is too tedious even for small files.  
We have decent connectivity within those domains.

I originally was leaning toward SQL with a web front-end and deal with the latency (or 
replicate/cluster).  However, AD/AM is an interesting idea as well as we can then have 
separate front-ends and pull from the replicated (only where necessary) database.  
We're going to have additional issues like how do we get digital photos of everyone 
and who's going to crop or compress all of the photos, etc, etc,etc.  Sounds like 
fun...


Thanks,
Mike

 Guido's response is the first thing I thought of as well. 
 
 I don't think AD is a proper place for that info for a couple of reasons
 
 1. Do you really need this replicated to every DC?
 2. If someone dumps your AD, they get all of the photos too, how many people
 would like to have their entire company including photos of everyone
 distributed around. I personally don't like having my photo floating around
 and don't have it in our corporate photo system (which is a web site, not in
 AD).
 3. You are growing your DIT for no real NOS benefit.
 4. You could really live to regret this when people decide to get creative.
 
 Also, how do you intend to display this info? Obviously having it out there
 is for the single purpose of displaying it later. If you have people put it
 in and no way to display, someone will call you out on that.
 
 I would stick this info in an AD/AM or SQL Server or something along those
 lines. Also put up some strict standards on what images get added. I know of
 a case where some monkey where I work had a picture of himself with a cat
 in the hat hat on. I recall seeing that photo one day, hearing he
 complained up to the IT Director under the CIO for something or another and
 then hearing from some friends that his cat in the hat photo was suddenly
 gone from the directory. So I figure the Director wanted to look this gomer
 up in the Org list and up popped that photo much to the director's distaste.
 I have also seen some other more frightful images for a corporate directory
 that could spawn 
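
Added example, not part of the thread: a Python sketch of the size check that the unbounded photo attribute discussed above calls for, run over an LDIF export of user objects. The attribute list, the 35 KB default limit (the upper figure from the estimate above) and the sample entries are assumptions constructed for illustration.

```python
import base64

# Assumed attribute names; all three are photo attributes on AD user objects.
PHOTO_ATTRS = ("thumbnailPhoto", "jpegPhoto", "photo")


def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space continues
    the previous line) and drop comment lines together with their folds."""
    logical, skipping = [], False
    for raw in ldif_text.splitlines():
        if raw.startswith(" "):
            if not skipping and logical:
                logical[-1] += raw[1:]
        elif raw.startswith("#"):
            skipping = True
        else:
            skipping = False
            logical.append(raw)
    return logical


def photo_sizes(ldif_text, attrs=PHOTO_ATTRS):
    """Return (dn, attribute, size_in_bytes) for every photo value found."""
    wanted = {a.lower() for a in attrs}
    results, dn = [], None
    for line in unfold(ldif_text):
        if not line.strip():          # blank line ends the current entry
            dn = None
            continue
        name, sep, rest = line.partition(":")
        if not sep or rest.startswith("<"):   # malformed line or URL reference
            continue
        is_b64 = rest.startswith(":")         # "attr:: value" is base64
        value = rest[1:].strip() if is_b64 else rest.strip()
        base = name.split(";")[0].lower()     # ignore options such as ;binary
        if base == "dn":
            dn = base64.b64decode(value).decode("utf-8") if is_b64 else value
        elif base in wanted and dn is not None:
            size = len(base64.b64decode(value)) if is_b64 else len(value.encode("utf-8"))
            results.append((dn, name, size))
    return results


def audit(ldif_text, max_bytes=35 * 1024):
    """Summarise photo storage and list values larger than max_bytes."""
    sizes = photo_sizes(ldif_text)
    return {
        "entries_with_photo": len({dn for dn, _, _ in sizes}),
        "total_bytes": sum(size for _, _, size in sizes),
        "oversized": [(dn, attr, size) for dn, attr, size in sizes if size > max_bytes],
    }


def _sample_entry(dn, attr, size):
    """Constructed sample data: one entry with `size` filler bytes in `attr`,
    folded at 76 columns the way export tools wrap long values."""
    line = "%s:: %s" % (attr, base64.b64encode(b"\xff" * size).decode("ascii"))
    folded = [line[:76]] + [" " + line[i:i + 75] for i in range(76, len(line), 75)]
    return "\n".join(["dn: " + dn, "objectClass: user"] + folded) + "\n"


# Constructed export, not real directory data.
SAMPLE_LDIF = "\n".join([
    "# constructed export, not real directory data",
    _sample_entry("CN=Alice Example,OU=Staff,DC=example,DC=com", "thumbnailPhoto", 5 * 1024),
    _sample_entry("CN=Bob Example,OU=Staff,DC=example,DC=com", "jpegPhoto", 30 * 1024),
    _sample_entry("CN=Mallory Example,OU=Staff,DC=example,DC=com", "jpegPhoto", 2 * 1024 * 1024),
    "dn: CN=No Photo,OU=Staff,DC=example,DC=com\nobjectClass: user\n",
])

if __name__ == "__main__":
    report = audit(SAMPLE_LDIF)
    print("entries with a photo:", report["entries_with_photo"])
    print("total photo bytes   :", report["total_bytes"])
    for dn, attr, size in report["oversized"]:
        print("OVERSIZED %s %s %d bytes" % (dn, attr, size))
```

Run periodically against a fresh export, a sudden jump in total bytes or any oversized value shows that the attribute is still writable by users and being filled.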

RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread Grillenmeier, Guido



domain admins is a global group and as such you can't add 
users from other domains to it. While other global groups can be converted to 
universal groups, you can't do so for the domain admins 
group.

a solution to your problem is to use the restricted groups 
GPO feature (which will not work for your legacy machines in the AD domain) to 
add a universal group to the administrators group of all Server-OUs. I wouldn't 
want to set this GPO at the domain level, as then you're putting your AD domains 
at risk as well, if you do something wrong... The UG to use can either be 
the Enterprise Admins group or any other UG you assign for the 
task.

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Tuesday, 13 April 2004 22:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

What about adding them to each domain admins group for each 
domain?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] enterprise-wide accounts

We'd like to eventually trim down the number of domains and get to an OU-based
administrative model. But in the meantime, we have identified a couple of
people that we want to have domain admin rights in all domains. I know that
making them an enterprise admin allows them domain admin rights on the DCs in
each domain because of membership in the BUILTIN\Administrators group in each
domain. But that doesn't allow logon to all the member servers. How do I best
grant domain admin-level rights across all domains in the forest with a single
logon for each of these persons? Looking for a best practice.

Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do



RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread Mike Celone



Alternatively you can do what we do here. We have a startup script that runs
from a GPO that adds a group to the local administrators group every time the
machine is started up. The script looks like this:

net localgroup administrators /add "domain\admins"

Just create a UG for all the admins and add them to it, then when the servers
are rebooted this script will run and add the group to the machine's local
administrator group. If you can't wait for the servers to be rebooted you can
create a script that will read the servers in line by line and add this group
to their local administrators group.

Don't get me wrong, Guido's solution will work also, but won't Restricted
groups remove any groups that are in the administrators group now except for
the ones you specify?

Mike


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 13, 2004 5:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

domain admins is a global group and as such you can't add 
users from other domains to it. While other global groups can be converted to 
universal groups, you can't do so for the domain admins 
group.

a solution to your problem is to use the restricted groups 
GPO feature (which will not work for your legacy machines in the AD domain) to 
add a universal group to the administrators group of all Server-OUs. I wouldn't 
want to set this GPO at the domain level, as then you're putting your AD domains 
at risk as well, if you do something wrong... The UG to use can either be 
the Enterprise Admins group or any other UG you assign for the 
task.

/Guido





RE: [ActiveDir] GPO

2004-04-13 Thread Matjaz Ladava
No. GPOs are registry based (at least admin templates), so they should work on XP box 
without the need of Windows Server 2003. It is enough if you set them up from XP box 
or import them in 2000 DC (adm templates). What policies are we talking about? Run 
gpresult /v to get verbose information about your policies being applied on your 
workstations.

Regards

Matjaz Ladava
MVP Windows Server - Directory Services

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, April 13, 2004 11:11 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO

I used a Windows XP client running the GPMC and set up items in a GPO that are for 
Windows XP and higher, however it appears that they are not going into effect.  I 
should not need a 2003 DC running in order to have these GPO settings take effect, 
right? 

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]



RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread Matjaz Ladava



Use restricted groups GPO setting on member servers and prescribe the
membership in local Admin groups from other domains.

Regards

Matjaz Ladava
MVP Windows server - Directory Services


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Tuesday, April 13, 2004 10:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

What about adding them to each domain admins group for each 
domain?





[ActiveDir] Restricted Groups GPO

2004-04-13 Thread Rimmerman, Russ

Is there anything weird about applying a Restricted Groups GPO to a Windows
2003 server?  For some reason, none of our Win2k3 servers in our Win2k AD
domain are getting the local administrators group restricted groups GPO
applied that all of our other machines are successfully getting.  Any ideas?



RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread Grillenmeier, Guido



> won't Restricted groups remove any groups that are in the administrators group
> now except for the ones you specify?

not if you have Win2k SP4 or Win2k3 and use the "MemberOf" option of the
restricted groups.

/Guido



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Celone
Sent: Wednesday, 14 April 2004 00:07
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

Alternatively you can do what we do here. We have a startup script that runs
from a GPO that adds a group to the local administrators group every time the
machine is started up. The script looks like this:

net localgroup administrators /add "domain\admins"

Just create a UG for all the admins and add them to it, then when the servers
are rebooted this script will run and add the group to the machine's local
administrator group. If you can't wait for the servers to be rebooted you can
create a script that will read the servers in line by line and add this group
to their local administrators group.

Don't get me wrong, Guido's solution will work also, but won't Restricted
groups remove any groups that are in the administrators group now except for
the ones you specify?

Mike





[ActiveDir] How to remove ADC from domain

2004-04-13 Thread Mike Celone



In my test lab I was doing a test migration from Exchange 5.5 to Exchange 2k.
I had a machine set up with the ADC to move the 5.5 information into the
directory. I came in the morning and the HD was dead on my ADC machine. Now
the machine is dead but the computer account is still in the domain. The
server also still shows up under Sites and Services. If I remove the computer
account from the domain will that also remove it under Sites and Services? Is
there anything else I need to do before I remove that machine account?

Mike


RE: [ActiveDir] How to remove ADC from domain

2004-04-13 Thread joe



You will need to delete the computer object with ADUC 
(DSA.MSC) and the server object in sites and services with DSSITE.MSC, removing 
one will not impact the other. Alternatively you can use adsiedit to remove both 
or use a script. 

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Celone
Sent: Tuesday, April 13, 2004 7:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How to remove ADC from domain

In my test lab I was doing a test migration from Exchange 5.5 to Exchange 2k.
I had a machine set up with the ADC to move the 5.5 information into the
directory. I came in the morning and the HD was dead on my ADC machine. Now
the machine is dead but the computer account is still in the domain. The
server also still shows up under Sites and Services. If I remove the computer
account from the domain will that also remove it under Sites and Services? Is
there anything else I need to do before I remove that machine account?

Mike


RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread joe



Mike, the functionality recently changed, that was a 
subject of a conversation on this list. Many of us were quite happily surprised 
to learn of the change. 

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 13, 2004 6:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

> won't Restricted groups remove any groups that are in the administrators group
> now except for the ones you specify?

not if you have Win2k SP4 or Win2k3 and use the "MemberOf" option of the
restricted groups.

/Guido






RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread joe



You cannot add (haven't tried to hack this, probably is hard coded
functionality) foreign users to the domain admin group of a domain, they must
exist in the same domain - domain admins is a global group, standard rules
apply. The best would be administrators group membership which, unlike NT4, is
not the same as domain admins in terms of Windows 2000+ Domain objects.

The delta in Windows 2000+ is that many AD objects have different permissions
set specifically to domain admins and being an administrator on a domain
controller does not give access to those objects. Additionally nothing is
(actually I have to say "should be" due to some "bugs") permissioned in the
forest wide partitions to "administrators" because they don't have domain
affinity like domain admins do. I.E. If you have an object in the config
container with permissions set to administrators group, it means
administrators in any domain. Say you want to give rights in the config
container to administrators in Domain 1, by default, those permissions apply
to every administrator of every domain in the forest. The SID for
administrators has no domain context, it is a well known SID that is the same
everywhere - S-1-5-32-544.

The general practice for domain controller permissions would be to create
your "god" level IDs in your root domain or other main domain, then add those
IDs to every administrators group on every domain. Then also create IDs in
each domain for the admins and add those to the domain admins groups of the
respective domain. You would normally be able to use the one ID to do most
work, but if you needed to modify something that required domain admins
rights, you would switch to the local domain admin ID. What is an example of
something a domain admin can do but an administrator can't in AD... How about
delete Subtrees. Also no delete of child objects however you tend to pick that
back up due to default SDs. Default DC and Default Domain policy objects don't
have Administrators in the ACL.

An alternative would be to create a new universal group and 
update AD permissions to match the domain admins group for that universal group. 
You would still have to populate workstations and servers as well so this isn't 
buying a whole ton, definitely not worth the skull sweat to do. 


Of course if the goal isn't full perms over AD Objects, but 
instead Domain member servers/workstations, the previously mentioned GPO method 
is the way to go. 

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] enterprise-wide accounts

We'd like to eventually trim down the number of domains and get to an OU-based
administrative model. But in the meantime, we have identified a couple of
people that we want to have domain admin rights in all domains. I know that
making them an enterprise admin allows them domain admin rights on the DCs in
each domain because of membership in the BUILTIN\Administrators group in each
domain. But that doesn't allow logon to all the member servers. How do I best
grant domain admin-level rights across all domains in the forest with a single
logon for each of these persons? Looking for a best practice.

Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
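
The Restricted Groups behaviour discussed in this thread, as an added example that is not code from any of the posters: a "Members" list set on Administrators replaces the existing local membership, while a "MemberOf" entry only adds the named group. It reads the [Group Membership] section of a GPO security template (GptTmpl.inf); the CORP and SERVER1 names and the current membership list are constructed.

```python
import re

# Names under which BUILTIN\Administrators can appear in a template.
ADMIN_KEYS = {"s-1-5-32-544", "administrators", "builtin\\administrators"}

# One [Group Membership] line: <group>__Members = a,b  or  <group>__Memberof = x
_ENTRY = re.compile(
    r"^\*?(?P<group>.+?)__(?P<kind>memberof|members)\s*=\s*(?P<value>.*)$",
    re.IGNORECASE,
)

# Constructed templates; CORP and the group names are placeholders.
REPLACE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = CORP\\Domain Admins,CORP\\Server Admins UG
"""

MEMBEROF_TEMPLATE = """\
[Group Membership]
CORP\\Server Admins UG__Memberof = *S-1-5-32-544
CORP\\Server Admins UG__Members =
"""

# Constructed local Administrators membership of one member server.
CURRENT_ADMINS = ["CORP\\Domain Admins", "CORP\\SQL Operators", "SERVER1\\svc_backup"]


def _is_admins(name):
    return name.lower() in ADMIN_KEYS


def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from the template."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        match = _ENTRY.match(line) if in_section else None
        if not match:
            continue
        values = [v.strip().lstrip("*") for v in match["value"].split(",") if v.strip()]
        entry = groups.setdefault(match["group"].strip(), {"members": [], "memberof": []})
        entry[match["kind"].lower()] = values
    return groups


def effect_on_administrators(inf_text):
    """Split the template's effect into a replacing list and additive groups."""
    replace, add = [], []
    for group, entry in parse_group_membership(inf_text).items():
        if _is_admins(group):
            replace = entry["members"]      # "Members": authoritative list
        elif any(_is_admins(parent) for parent in entry["memberof"]):
            add.append(group)               # "MemberOf": this group is added
    return {"replace": replace, "add": add}


def resulting_members(current, inf_text):
    """Membership after the policy applies. The built-in Administrator account
    and empty Members lists are not modelled here."""
    effect = effect_on_administrators(inf_text)
    base = set(effect["replace"]) if effect["replace"] else set(current)
    return sorted(base | set(effect["add"]))


def removed_members(current, inf_text):
    """Existing members that the policy would drop."""
    return sorted(set(current) - set(resulting_members(current, inf_text)))


if __name__ == "__main__":
    for label, template in (("Members", REPLACE_TEMPLATE), ("MemberOf", MEMBEROF_TEMPLATE)):
        print(label, "keeps", resulting_members(CURRENT_ADMINS, template),
              "removes", removed_members(CURRENT_ADMINS, template))
```

Names are compared as written, so feed it the same form (SID or DOMAIN\name) for the current members as the template uses.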



RE: [ActiveDir] logon scripts

2004-04-13 Thread joe



There is a killer TZ issue going south of Seattle 


If that isn't a funny enough response try

Deji, you misspelled drunk. 

:o)


"It's rather unpleasantly like being drunk" 
"What's wrong with being drunk?" 
"Ask a glass of water" [1]

 joe

[1] Lifted from Hitchhikers Guide to the Galaxy. BTW, a glass of water 
would have been perfectly safe at the summit. =)


-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, April 13, 2004 2:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] logon scripts

Jet-lagged? Did you take a long detour on the way home? :)


From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 11:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts


What can I say? I'm still jet-lagged, I 
guess :)

Thanks for the pointer.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


From: Roger Seielstad
Sent: Tue 4/13/2004 6:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Except Deji forgets one important piece of information (which is rare for 
him) - VBScript doesn't natively run on Win9x. It requires a separate install of 
Windows Scripting Host.

-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, April 13, 2004 12:19 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] logon scripts
  
  Smart guy.
  
  :op
  
  -rtk
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
  Sent: Monday, April 12, 2004 11:13 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] logon scripts
  
  
  I don't have a Win9X to test this on, but 
  Win2K/2K3/XP is fair game for this:
  
  Set wshNetwork = WScript.CreateObject("WScript.Network")
  Set wshShell = WScript.CreateObject("WScript.Shell")

  ' Shares to map, chosen by group membership (UNC paths)
  str_Group1_Share = "\\myserver\myShare1"
  str_Exec_Share = "\\myserver\myShare2"
  str_BS_Share = "\\myserver\myShare3"
  str_Super_Share = "\\mySuperServer\SuperShare"
  strDriveToMap = "H:"

  ' Look up the logged-on user through the WinNT provider
  usrName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
  Set usr = GetObject("WinNT://MyDomainName/" & usrName & ",user")

  ' Map drives for the first group that matches, then stop
  For Each grp In usr.Groups
      WScript.Echo grp.Name
      If grp.Name = "BS-Group" Then
          wshNetwork.MapNetworkDrive strDriveToMap, str_BS_Share
          Exit For
      ElseIf grp.Name = "SOME_GROUP" Then
          wshNetwork.MapNetworkDrive strDriveToMap, str_Group1_Share
          Exit For
      ElseIf grp.Name = "yet_Another_Group" Or grp.Name = "Super-DuperUser" Then
          wshNetwork.MapNetworkDrive strDriveToMap, str_Super_Share
          wshNetwork.MapNetworkDrive "K:", str_Exec_Share
          Exit For
      End If
  Next

  Set usr = Nothing
  Set wshShell = Nothing
  Set wshNetwork = Nothing
  
  HTH
  
  
  
  
  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  Microsoft MVP - Active Directory
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about
  Yesterday? -anon
  
  
  From: Nathan Casey
  Sent: Mon 4/12/2004 4:17 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] logon scripts
  
  What is a recommended logon script solution that will work with win9x,
  win2k/xp clients for drive mapping, etc that works similar to Novell logon
  scripts?
  
  Example:
  IF MEMBER OF "GROUP" THEN BEGIN
   MAP H:=SERVER1\VOL1:
  END
  


RE: [ActiveDir] Firewall

2004-04-13 Thread joe
Yes, definitely not a firewall, I just wanted to pipe up with that to feel
useful...

This is permissions in AD. Since those permissions are set on the default SD
in the schema for user objects, someone/thing cleared the self ACE for WP
Personal Information...

If I were a gambling man... I would say look for the following symptoms:

O adminCount attribute set on these user objects (probably a 1)
O Inheritance is turned off on the ACL
O Most of the perms you see on most userids are missing

If these are true you probably have adminSdHolder kicking you in the seat of
the pants. Were these folks at any point (including right this second)
Admins, Domain Admins, Enterprise Admins, Account Ops, Server Ops, Backup
Ops, etc etc ad nauseum? If so this is your issue. Those IDs are, by
default, locked down in a protected state so people can't futz with them.
The only permission adminSdHolder'ed objects get for SELF is SELF Change
Password. You can get more info on adminSDHolder by searching the archives
of this list or going to google and searching for it. 

You may find recommendations to CHANGE the permissions on adminSdHolder, I
for the most part, do not agree with that. Your admins should have two IDs,
one that is an admin ID, one that isn't. The one that isn't they can modify
their personal info on to their heart's content, the admin one, tell them
hands off.

Now if you don't have those symptoms above, it would greatly help the
troubleshooting process if you collected a DSACLS dump of one of the userids
in question and posted it...

Ex:

[Tue 04/13/2004 21:38:58.26]
F:\DEV\cpp\MemberOf>dsacls CN=$joebobadmindude,CN=Users,DC=joe,DC=com
Access list:
{This object is protected from inheriting permissions from the parent}
Effective Permissions on this object are:
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
  READ PERMISSONS
  LIST CONTENTS
  READ PROPERTY
  LIST OBJECT
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
  READ PERMISSONS
  LIST CONTENTS
  READ PROPERTY
  LIST OBJECT
Allow JOE\Domain Admins   SPECIAL ACCESS
  READ PERMISSONS
  WRITE PERMISSIONS
  CHANGE OWNERSHIP
  CREATE CHILD
  DELETE CHILD
  LIST CONTENTS
  WRITE SELF
  WRITE PROPERTY
  READ PROPERTY
  LIST OBJECT
  CONTROL ACCESS
Allow JOE\Enterprise Admins   SPECIAL ACCESS
  READ PERMISSONS
  WRITE PERMISSIONS
  CHANGE OWNERSHIP
  CREATE CHILD
  DELETE CHILD
  LIST CONTENTS
  WRITE SELF
  WRITE PROPERTY
  READ PROPERTY
  LIST OBJECT
  CONTROL ACCESS
Allow BUILTIN\Administrators  SPECIAL ACCESS
  DELETE
  READ PERMISSONS
  WRITE PERMISSIONS
  CHANGE OWNERSHIP
  CREATE CHILD
  DELETE CHILD
  LIST CONTENTS
  WRITE SELF
  WRITE PROPERTY
  READ PROPERTY
  LIST OBJECT
  CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users  SPECIAL ACCESS
  READ PERMISSONS
  LIST CONTENTS
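
A check for two of the symptoms listed above (inheritance switched off, and SELF left with nothing but Change Password), run over a saved dsacls dump; this is an added example, not joe's code. Both dumps are constructed in the layout of the one quoted above, and the "SPECIAL ACCESS for Personal Information" header is an assumed rendering of a property-set ACE; adminCount is not in a dsacls dump, so it is passed in separately.

```python
import re

# "Allow <principal>   <access>": the two parts are separated by a run of spaces.
ACE_HEADER = re.compile(r"^(Allow|Deny)\s+(.+?)\s{2,}(.+)$")

# Constructed dump of an account that was stamped by adminSDHolder.
PROTECTED_DUMP = """\
Access list:
{This object is protected from inheriting permissions from the parent}
Effective Permissions on this object are:
Allow JOE\\Domain Admins   SPECIAL ACCESS
                          READ PERMISSONS
                          WRITE PROPERTY
                          READ PROPERTY
Allow NT AUTHORITY\\Authenticated Users  SPECIAL ACCESS
                          READ PERMISSONS
                          LIST CONTENTS
Allow NT AUTHORITY\\SELF   Change Password
"""

# Constructed dump of an ordinary user that still has the default SELF ACE.
NORMAL_DUMP = """\
Access list:
Effective Permissions on this object are:
Allow JOE\\Domain Admins   FULL CONTROL
Allow NT AUTHORITY\\SELF   SPECIAL ACCESS for Personal Information
                          WRITE PROPERTY
                          READ PROPERTY
Allow NT AUTHORITY\\SELF   Change Password
"""


def parse_dsacls(dump):
    """Return (inheritance_blocked, [ace, ...]) for one dsacls dump."""
    protected, aces = False, []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "protected from inheriting" in line.lower():
            protected = True
            continue
        header = ACE_HEADER.match(line)
        if header:
            aces.append({"type": header[1], "who": header[2],
                         "what": header[3], "rights": []})
        elif aces and raw[:1].isspace():
            # Indented lines list the rights of the ACE above them.
            aces[-1]["rights"].append(line)
    return protected, aces


def adminsdholder_symptoms(dump, admin_count=None):
    """Evaluate the symptoms from the message; admin_count=None means unknown."""
    protected, aces = parse_dsacls(dump)
    self_aces = [a for a in aces
                 if a["type"] == "Allow" and a["who"].upper().endswith("\\SELF")]
    self_writes = any("WRITE PROPERTY" in a["rights"] for a in self_aces)
    count_set = None if admin_count is None else admin_count >= 1
    return {
        "inheritance_off": protected,
        "self_cannot_write_properties": not self_writes,
        "admin_count_set": count_set,
        # An adminCount known to be unset rules the diagnosis out.
        "likely_adminsdholder": protected and not self_writes and count_set is not False,
    }


if __name__ == "__main__":
    print(adminsdholder_symptoms(PROTECTED_DUMP, admin_count=1))
    print(adminsdholder_symptoms(NORMAL_DUMP))
```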
   

RE: [ActiveDir] Updating Schema to Windows 2003

2004-04-13 Thread joe
Heh. Which comment should I make which comment should I make which
comment... =)

Err. Hmmm. Blech.


You can help this out usually by making sure that you have a specific
Exchange Site for your Exchange Servers, place the DC/GCs into that site
that you want Exchange to use. I.E. Keep the subdomain DC/GCs out of the
Exchange Site. Exchange will *tend* to use those local site DC/GCs but can
possibly failover into the DC/GCs in the other site. 


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 9:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Have you run into issues with Exchange pointing to GC servers in your
subdomains and not being able to resolve recipients in Distribution list
unless the DL are Universal DL?   

We have:

Root Forest Windows 2000 with Exchange 2000 and most user accounts, Groups,
DLs, etc
Subdomain Windows 2003 with Exchange 2003 - mostly for development / testing,
few accounts

Exchange at times used the DC in the Subdomain for GC lookups.  Our DLs were
not Universal so when Exchange would attempt to resolve the recipients of
the DL using the subdomain GC it would not find any members. At that
point messages would die in the Categorizer queue.
MS solution was to convert all mail enabled groups to Universal or remove
the subdomain DC from the Exchange Directory Servers list.
Universal groups will publish all their members in the GCs, but this
philosophy seems to contradict everything I read early on about trying to
avoid the use of Universal Groups because of the increase in replication
between GCs.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 07, 2004 9:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

One thing I did not mention is that I have Exchange 2003 deployed in my
forest.  What precautions need to be taken for this.  I read the q article
325379 but that talks about exchange 2000.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 8:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Nope, I have one running just as you described. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 07, 2004 8:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

If the forest prep is done, are there any problems if a child domain is
built as a windows 2003 domain while the rest of the forest is still in
windows 2000?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, April 06, 2004 4:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Forest Prep will prepare your forests for the Windows 2003 upgrade.  It will
also expand your schema at that time.

S


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, April 06, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I really just want to prepare the forest for windows 2003, I don't need the
domains ready yet.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Tuesday, April 06, 2004 2:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Also, if you stick in the CD to upgrade a server, it will check the server
and AD type, and will not upgrade until you have performed those steps. It
even gives you the steps to perform that you can copy/paste. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, April 06, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I am not aware of any KB articles, but here are the steps that were
performed on our upgrade.

The forest and domains are prepared by using the adprep command on the
schema operations master and infrastructure operations master, respectively.
(25min)
*   At a command prompt, change to the \I386 directory on the
installation media and then type: d:\i386\adprep /forestprep 
*   When prompted, type 'C', and then press ENTER to begin forest
preparation, or type any other key, and then press ENTER to cancel. 
*   After the forest preparation data has replicated throughout the
forest, prepare the domains for Windows Server 2003 as described below.
The domain preparation operation must be performed on the infrastructure
operations master of each domain in the forest. 
(no reboot 

RE: [ActiveDir] Firewall

2004-04-13 Thread Rick Kingslan
Don't be so certain.  Not all traffic is, by default, let out.  Check that
with some third party tools that use 1024 ports.  Effective in killing off
the DDoS Zombie issues.

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Tuesday, April 13, 2004 9:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Firewall

This is not a firewall issue.  The Windows ICF allows all outbound
connections.

Denny 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Tuesday, April 13, 2004 9:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Firewall

I will probably (if testing goes well) implement it when SP2 is out. Today
I'm not using the firewall on my XPs.

Regards,
/Jimmy 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Tuesday, April 13, 2004 3:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Firewall

I'm not using the XP firewall yet, but I'll consider it with SP2 since it is
much better.  The built in firewall isn't supposed to interfere with
communications with DC's, I think.  Are you getting any specific error
message when users try to edit their attributes?  Or do they just not have
permission to do so?  Check the event logs to see if there are any errors.

Robbie Foust, IT Analyst
Systems and Core Services
Duke University




Douglas M. Long wrote:

 Do you all force your XP clients to have the built-in firewall 
 enabled? Are there any cons (such as some GPs not working) to having 
 it enabled? The reason I ask is I am having a problem finding the 
 culprit which is causing some users the inability to edit their 
 editable (phone number, homepage, address, etc) attributes. Thanks 
 in advance



RE: [ActiveDir] logon scripts

2004-04-13 Thread Rick Kingslan



bizarre..

;oP

-rtk


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Tuesday, April 13, 2004 11:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Sober? What's that??? :)

/Jimmy


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, April 13, 2004 6:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

To quote Tony Murray-Smith - "I'm still trying to get used to being sober"

-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  
  From: deji Agba [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, April 13, 2004 11:11 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] logon scripts

  What can I say? I'm still jet-lagged, I guess :)

  Thanks for the pointer.

  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  Microsoft MVP - Active Directory
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


  From: Roger Seielstad
  Sent: Tue 4/13/2004 6:24 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] logon scripts

  Except Deji forgets one important piece of information (which is rare
  for him) - VBScript doesn't natively run on Win9x. It requires a separate
  install of Windows Scripting Host.

  -- 
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
  


From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 12:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Smart guy.

:op

-rtk


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Monday, April 12, 2004 11:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts


I don't have a Win9X to test this on, but Win2K/2K3/XP is fair game for this:

' Map drives at logon according to the user's group membership
Set wshNetwork = WScript.CreateObject("WScript.Network")
Set wshShell = WScript.CreateObject("WScript.Shell")

' UNC paths of the shares to map
str_Group1_Share = "\\myserver\myShare1"
str_Exec_Share = "\\myserver\myShare2"
str_BS_Share = "\\myserver\myShare3"
str_Super_Share = "\\mySuperServer\SuperShare"
strDriveToMap = "H:"

' Bind to the logged-on user through the WinNT provider
usrName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
Set usr = GetObject("WinNT://MyDomainName/" & usrName & ",user")

' The first matching group decides the mapping
For Each grp In usr.Groups
    WScript.Echo grp.Name
    If grp.Name = "BS-Group" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_BS_Share
        Exit For
    ElseIf grp.Name = "SOME_GROUP" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_Group1_Share
        Exit For
    ElseIf grp.Name = "yet_Another_Group" Or grp.Name = "Super-DuperUser" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_Super_Share
        wshNetwork.MapNetworkDrive "K:", str_Exec_Share
        Exit For
    End If
Next

Set usr = Nothing
Set wshShell = Nothing
Set wshNetwork = Nothing

HTH




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Nathan Casey
Sent: Mon 4/12/2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] logon scripts

What is a recommended logon script solution that will work with win9x,
win2k/xp clients for drive mapping, etc that works similar to Novell logon
scripts?

Example:
IF MEMBER OF "GROUP" THEN BEGIN
 MAP H:=SERVER1\VOL1:
END



RE: [ActiveDir] Updating Schema to Windows 2003

2004-04-13 Thread joe
Just a quick correction, they weren't replication issues before, they were
resolution issues. Your AD replication wouldn't have been impacted by having
a global group but your resolution of the lists would be on Exchange
depending on what GC they hit for the resolution process. 

The replication issues that Shawn is alluding to is that to deploy Exchange
DLs you have to go against all the advice previously given for how to (or
even if you wanted to) use Universal Groups in AD. You have to have all of
the users physically in the DL, which means every time the DL changes you
have to replicate the entire group membership (on W2K and W2K3 in 2k mode)
to every domain controller of the domain the UG lives in PLUS every global
catalog in the forest. The recommendation from MS for OS ops was to not use
UGs unless you really needed to and if you did, to nest domain global groups
into the UGs. 

Basically all of the AD Design books/whitepapers/docs need a huge step 0 in
them which says, if you intend to use Exchange, many things you will find
in this doc are straight up incorrect, go read up on Exchange first and then
come on back. What I am saying is, you need to know when designing your
forest whether or not you intend to use Exchange, it can have quite an
impact on your design. Trying to retrofit, especially in a multi-domain
environment, can be painful. 

If you have a single domain forest, you should be peachy. 

  joe


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
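
The two effects discussed in this thread (a subdomain GC finding no members for a non-universal DL, and the wider replication that universal groups cost), as a simplified model added here; it is not code from any poster, and the forest, DC, group and user names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    domain: str                  # domain that holds the group object
    scope: str                   # "global", "domain_local" or "universal"
    members: list = field(default_factory=list)  # user names or nested Groups
    mail_enabled: bool = True

def visible_members(group, gc_domain):
    """Members of `group` readable on a GC in gc_domain (None = authoritative view).

    A GC has a full replica of its own domain; for every other domain it has
    a partial replica in which only universal groups carry their member list.
    """
    if gc_domain in (None, group.domain) or group.scope == "universal":
        return group.members
    return []

def expand(group, gc_domain, _seen=None):
    """Recipients obtained by expanding a DL against one GC, nested groups included."""
    seen = set() if _seen is None else _seen
    if group.name in seen:       # circular nesting guard
        return set()
    seen.add(group.name)
    out = set()
    for m in visible_members(group, gc_domain):
        out |= expand(m, gc_domain, seen) if isinstance(m, Group) else {m}
    return out

def replication_targets(group, dcs_by_domain, gcs):
    """DCs that must receive a membership change made to `group`."""
    targets = set(dcs_by_domain[group.domain])
    if group.scope == "universal":
        targets |= set(gcs)      # plus every GC in the forest
    return targets

def audit(groups, gc_domains):
    """(group, [GC domains]) for mail-enabled groups that lose recipients there."""
    findings = []
    for g in groups:
        full = expand(g, None)
        short = [d for d in gc_domains if expand(g, d) != full]
        if g.mail_enabled and short:
            findings.append((g.name, short))
    return findings

# Constructed sample forest (all names are made up for this example).
ROOT, CHILD = "root.example", "child.root.example"
DCS = {ROOT: ["rdc1", "rdc2"], CHILD: ["cdc1"]}
GCS = ["rdc1", "cdc1"]
dl_sales = Group("DL-Sales", ROOT, "global", ["alice", "bob"])
gg_ops = Group("GG-Ops", ROOT, "global", ["erin"], mail_enabled=False)
dl_all = Group("DL-All", ROOT, "universal", [gg_ops, "carol", "frank"])
GROUPS = [dl_sales, gg_ops, dl_all]

if __name__ == "__main__":
    for name, gcs in audit(GROUPS, [ROOT, CHILD]):
        print(f"{name}: incomplete expansion via GC in {', '.join(gcs)}")
    print(sorted(replication_targets(dl_all, DCS, GCS)))
```

DL-All shows why nesting global groups inside a universal DL does not help here: the child-domain GC sees the universal group's direct members but not the members of the nested global group.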
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 07, 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I have experienced this.  But I only experienced it on one DL that was a
global group, I changed it to a universal group.  All my DLs are Universal
groups now and I don't have replication issues.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 9:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Have you run into issues with Exchange pointing to GC servers in your
subdomains and not being able to resolve recipients in Distribution list
unless the DL are Universal DL?   

We have:

Root Forest Windows 2000 with Exchange 2000 and most user accounts, Groups,
DLs, etc
Subdomain Windows 2003 with Exchange 2003 - mostly for development /
testing, few accounts

Exchange at times used the DC in the Subdomain for GC lookups.  Our DLs were
not Universal so when Exchange would attempt to resolve the recipients of
the DL using the subdomain GC it would not find any members. At that
point messages would die in the Categorizer queue.
MS solution was to convert all mail enabled groups to Universal or remove
the subdomain DC from the Exchange Directory Servers list.
Universal groups will publish all their members in the GCs, but this
philosophy seems to contradict everything I read early on about trying to
avoid the use of Universal Groups because of the increase in replication
between GCs.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 07, 2004 9:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

One thing I did not mention is that I have Exchange 2003 deployed in my
forest.  What precautions need to be taken for this.  I read the q article
325379 but that talks about exchange 2000.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 8:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Nope, I have one running just as you described. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 07, 2004 8:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

If the forest prep is done, are there any problems if a child domain is
built as a windows 2003 domain while the rest of the forest is still in
windows 2000?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, April 06, 2004 4:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Forest Prep will prepare your forests for the Windows 2003 upgrade.  It will
also expand your schema at that time.

S


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, April 06, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I really just want to prepare the forest for windows 2003, I don't need the
domains ready yet.

-Original Message-

RE: [ActiveDir] Updating Schema to Windows 2003

2004-04-13 Thread joe
Yes, you should be able to adprep the forest with no problems if all DCs are
running at least Windows 2000 SP3. Exchange 2003 isn't required. 

There is one KB that I think was mentioned that you need to keep an eye out
which involves mangling a couple of class names. If it happens, it is an
easy fix. I can't recall the details though as I did this a long while back
(last year) on a forest with W2K DCs and E2K/E5.5. 


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, April 13, 2004 11:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

So in summary, I should be able to adprep the forest with no problems if all
DC's are running at least Windows 2000 SP3 and Exchange 2003?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 07, 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I have experienced this.  But I only experienced it on one DL that was a
global group, I changed it to a universal group.  All my DLs are Universal
groups now and I don't have replication issues.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 9:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Have you run into issues with Exchange pointing to GC servers in your
subdomains and not being able to resolve recipients in Distribution list
unless the DL are Universal DL?   

We have:

Root Forest Windows 2000 with Exchange 2000 and most user accounts, Groups,
DLs, etc
Subdomain Windows 2003 with Exchange 2003 - mostly for development /
testing, few accounts

Exchange at times used the DC in the Subdomain for GC lookups.  Our DLs were
not Universal so when Exchange would attempt to resolve the recipients of
the DL using the subdomain GC it would not find any members. At that
point messages would die in the Categorizer queue.
MS solution was to convert all mail enabled groups to Universal or remove
the subdomain DC from the Exchange Directory Servers list.
Universal groups will publish all their members in the GCs, but this
philosophy seems to contradict everything I read early on about trying to
avoid the use of Universal Groups because of the increase in replication
between GCs.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 07, 2004 9:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

One thing I did not mention is that I have Exchange 2003 deployed in my
forest.  What precautions need to be taken for this.  I read the q article
325379 but that talks about exchange 2000.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 8:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Nope, I have one running just as you described. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 07, 2004 8:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

If the forest prep is done, are there any problems if a child domain is
built as a windows 2003 domain while the rest of the forest is still in
windows 2000?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, April 06, 2004 4:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Forest Prep will prepare your forests for the Windows 2003 upgrade.  It will
also expand your schema at that time.

S


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, April 06, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I really just want to prepare the forest for windows 2003, I don't need the
domains ready yet.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Tuesday, April 06, 2004 2:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

Also, if you stick in the CD to upgrade a server, it will check the server
and AD type, and will not upgrade until you have performed those steps. It
even gives you the steps to perform that you can copy/paste.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, April 06, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating Schema to Windows 2003

I am not aware of any KB 

[ActiveDir] scripting admin

2004-04-13 Thread Kern, Tom
sorry for what is more of a personal advice question- i'm a perl guy and i was 
wondering if for proper windows scripting, should i learn VBscript or can i get away 
with most admining with  perl and activestate.
i run a couple of linux and unix servers, so perl makes sense, but would it behove me 
to learn VBscript or even VB to effectively script my win2k ad environment or can i get 
away with perl and its integer conversion et al and be a good admin mastering only one 
lang?
thanks in advance


RE: [ActiveDir] scripting admin

2004-04-13 Thread joe
I say Perl... 

The activestate dist is great. I am not aware of anything off the top of my
head you can do in vbscript that you can't do in perl. You may want to learn
enough vbscript to convert vbscripts others have written to perl. 

Overall for really simple things vbscript may be easier at first glance, but
as the complexity rises vbscript shows its issues and perl starts to shine. 

Grab Robbie Allen's AD Cookbook which has some perl in it, also his Managing
Enterprise Active Directory Services has quite a bit of perl in it. Most
everything I tend to post here in terms of scripts and do in general is
perl. 

  joe



-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, April 13, 2004 10:32 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] scripting admin

sorry for what is more of a personal advice question- i'm a perl guy and i
was wondering if for proper windows scripting, should i learn VBscript or
can i get away with most admining with  perl and activestate.
i run a couple of linux and unix servers, so perl makes sense, but would it
behove me to learn VBscript or even VB to effectively script my win2k ad
environment or can i get away with perl and its integer conversion et al and
be a good admin mastering only one lang?
thanks in advance