RE: [ActiveDir] DC GPO not applying event log settings
Sorry, Win2k/SP4 all current patches applied.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, July 20, 2004 8:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DC GPO not applying event log settings

Is this 2k03 rtm? If so, known issue. Call PSS and ask for Q824245.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Tuesday, July 20, 2004 6:33 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DC GPO not applying event log settings

Here's the situation,

Editing the Default Domain Controllers policy:

Max Size for Event Logs (for all): 16384KB
Retention Method (for all): As needed
Audit Policy: custom settings
Windows Updates: Disabled

For the life of me I can not get the event log size, retention method, or actual logging of security events to be applied. The Windows Update does get disabled, and the settings for auditing do get set. Anyone have any clue what is going on??? I've also tried creating another GPO, same result.

Thanks,
Alex.
Re: [ActiveDir] two ops
yeah, also not sure what's going on, honestly don't know where 2 begin, help is appreciated.

rgds
cyrus

Thommes, Michael M. writes:

Cyrus, your email address is showing up using our mail server too! Maybe some weird email configuration using localhost?

Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tue 7/20/2004 4:33 AM
To: [EMAIL PROTECTED]
Cc:
Subject: Re: [ActiveDir] two ops

really I have no idea how musicrights.co.uk got tagged on my mail, something interesting to look into. thanks for the help.

rgds
cyrus

Rutherford, Robert writes:

1) Just go into the boot.ini on the root of your boot partition and delete the reference to your old OS. If you are unsure then post the contents here and I'll tell you which 1.

2) How/Why are you using the domain name musicrights.co.uk? My company owns that domain name and we do not use it in any mail system.

Rob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 20 July 2004 06:03
To: [EMAIL PROTECTED]
Subject: [ActiveDir] two ops

greetings,

I have formatted the server and re-installed Windows Server ops, now every time the server starts or restarts, I'm always prompted to select which Windows Server the system will use. I have only one, how can I remove this prompt to select which Windows Server the system will use.

rgds
cyrus

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and the information it contains are confidential and may be privileged. If you have received this e-mail in error please notify the sender immediately and delete the material from any computer. Unless you are the intended recipient, you should not copy this e-mail for any purpose, or disclose its contents to any other person. The MCPS-PRS Alliance is not responsible for the completeness or accuracy of this communication as it has been transmitted over a public network. Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains. It is the recipient's responsibility to scan this e-mail and any attachments for viruses. Any e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for quality control and other purposes. The MCPS-PRS Alliance Limited is a limited company registered in England under company number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 3AB.
RE: [ActiveDir] two ops
Are you using outlook?
RE: [ActiveDir] W2K DC replacement
As I understand it... You have lost a DC which held roles and you want to get them onto another server?

If you can quickly get the old DC back then do that and transfer the roles.. else...

1) Seize the lost roles from one of the other domain controllers using NTDSUTIL - http://support.microsoft.com/default.aspx?scid=kb;en-us;255504

2) Clean up the old server info, via metadata cleanup.

You may also need to manually go in and delete the old DC object from ADUC, sites and services, and DNS. I have seen it a couple of times when the object remains for some time.. I assume it would eventually go when AD cleans up.

BR
Rob

-----Original Message-----
From: Svetlana Kouznetsova [mailto:[EMAIL PROTECTED]
Sent: 21 July 2004 11:03
To: [EMAIL PROTECTED]
Subject: [ActiveDir] W2K DC replacement

Hi everybody,

My question might sound silly, but I guess, it's allowed when you're desperate. Hope to get your valuable advice.

We have a W2K domain controller, which has been taken off line and needs to be rebuilt. Unfortunately, the rebuild part started before we realised, we need to transfer roles to another machine at least. (we have just 2 DC in that domain)

We have now new plans - to promote a new W2K box into domain controller instead of the old one, which will return online as a member server, as running vital applications. I know that we've done it the wrong way. (please be gentle). But it's about too late...

So my question is really, in what order should I bring in new W2K server into domain. Can I transfer roles into new DC, if the old one is off line or should I re-install the old one as domain controller even if for transfer of roles only? Do I need to do metadata cleanup, if roles will be transferred or just let AD naturally clear it up, replicating changes? Are there any gotchas to watch out for? The only DC left is GC server, as the one that's gone used to have all the rest of roles.

Many thanks in advance for any helpful advice.

Lana.
RE: [ActiveDir] W2K DC replacement
Well, we have lost that DC, but I think, it'll be easier to bring back new DC instead and rebuild the old one as a W2K3 member server. It is running few important applications - things that are inconvenient to run on Domain Controller. And since we've accidentally got such an opportunity in our hands, we might as well just use it.

I'm going to promote brand new machine into DC and will do seize roles and metadata cleanup before that. I just wasn't sure of the best order to do so.

The new machine will come with a new name and IP, the old DC will keep the old name and IP, but as a member server. Hope this would not create any further problems.

Thanks a lot for the comment.

Lana.
RE: [ActiveDir] DC GPO not applying event log settings
You might want to enable verbose security policy logging to see if it shows something. Here's the info on enabling it:

http://support.microsoft.com/default.aspx?scid=kb;en-us;245422
[ActiveDir] Renaming the Administrator account
I have always renamed the default Administrator account on every system build I have performed for security reasons. I did the same on the domain but was then scolded by a more experienced AD Administrator. The reason given to me was because there are parts of AD that authenticate or use the SID of the administrator account while other areas may use the Administrator username explicitly. If I were to rename the default Administrator account then those references that call the username explicitly may fail. I am still new to AD so I took the above warning with caution and therefore renamed the default user back to its original settings.

I would appreciate anyone's input on the above. I would like to rename the Administrator account as part of best practices but if it may cause problems then of course this would not be an option. However, I have a hard time understanding why renaming the account could cause potential problems. I would think that any reference to the Administrator account would be made by the SID and if any call to the username itself was made, it would access a database that was populated with the correct information as it was changed.

The only information I have about renaming the account is above. Thank you all for your responses.

Edwin
RE: [ActiveDir] Renaming the Administrator account
2000 security/authentication revolves around the SID. I have always renamed the admin account, on a PC and domain level and have never had an issue.

I would sensitively ask your 'more' experienced colleague for an example of which "other areas may use the Administrator username explicitly".

BR
Rob
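Added example, not part of any message in this thread: the Python below decodes binary SIDs as stored in the objectSid attribute, locates the built-in Administrator by its well-known RID 500 regardless of its current name, and lists which references stop resolving after a rename. The domain SID, account names and reference list are constructed for illustration.

```python
import struct

BUILTIN_ADMIN_RID = 500  # well-known RID of the built-in Administrator account


def sid_to_bytes(sid):
    """Encode an 'S-1-5-21-...' string into the binary objectSid layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    # 1 byte revision, 1 byte count, 48-bit big-endian authority,
    # then each sub-authority as a 32-bit little-endian integer.
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_sid(raw):
    """Decode a binary SID, rejecting truncated or padded input."""
    if len(raw) < 8:
        raise ValueError("truncated SID header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported revision or sub-authority count")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def find_builtin_admin(accounts, domain_sid):
    """Return the account whose SID is <domain SID>-500, whatever it is called."""
    wanted = "%s-%d" % (domain_sid, BUILTIN_ADMIN_RID)
    for account in accounts:
        if parse_sid(account["objectSid"]) == wanted:
            return account
    return None


def broken_references(references, accounts):
    """List the places whose stored principal no longer resolves to an account."""
    names = {a["sAMAccountName"].lower() for a in accounts}
    sids = {parse_sid(a["objectSid"]) for a in accounts}
    broken = []
    for ref in references:
        principal = ref["principal"]
        if principal.upper().startswith("S-1-"):
            resolves = principal.upper() in sids      # stored by SID
        else:
            resolves = principal.lower() in names     # stored by name
        if not resolves:
            broken.append(ref["where"])
    return broken


# Constructed sample data: the domain SID, names and references are made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ACCOUNTS = [
    # The built-in Administrator after a rename: new name, same SID.
    {"sAMAccountName": "ops-root-01", "objectSid": sid_to_bytes(DOMAIN_SID + "-500")},
    {"sAMAccountName": "Guest", "objectSid": sid_to_bytes(DOMAIN_SID + "-501")},
    {"sAMAccountName": "jdoe", "objectSid": sid_to_bytes(DOMAIN_SID + "-1104")},
]
REFERENCES = [
    {"where": "file share ACL", "principal": DOMAIN_SID + "-500"},
    {"where": "backup script", "principal": "Administrator"},
    {"where": "helpdesk group member", "principal": "jdoe"},
]

if __name__ == "__main__":
    admin = find_builtin_admin(ACCOUNTS, DOMAIN_SID)
    print("built-in Administrator is now named:", admin["sAMAccountName"])
    print("references broken by the rename:", broken_references(REFERENCES, ACCOUNTS))
```

Only the reference that stored the literal name stops resolving; the ACL entry that stored the SID is unaffected by the rename.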
Re: [ActiveDir] Renaming the Administrator account
Anything that specifically uses the domain Administrator account by name should be taken out and shot.

You should have no problems with renaming the account. Here's something from Microsoft which suggests (as you do) that it would be a best practice.

http://www.microsoft.com/technet/Security/topics/issues/w2kccscg/w2kscgcd.mspx

Tony

Sent via the WebMail system at mail.activedir.org
RE: [ActiveDir] Renaming the Administrator account
The standard best practice IS to rename the Administrator account, no matter what level it is (i.e., local Administrator, Domain Administrator).

Yes, there are some programs that refer to the account name. Those are mostly hacker programs from what I've learned. You DON'T want them to be able to access your network.

If the more experienced AD administrator complains, have that person check with Microsoft's own best practices guidelines. Even Microsoft recommends the rename.

Ken
RE: [ActiveDir] Renaming the Administrator account
there's no issue renaming it - in 2003 you can actually disable it to make the environment more secure (but caution - this is the only account that doesn't get locked when you have configured a lockout threshold in your PW policy)

/Guido
RE: [ActiveDir] Renaming the Administrator account
Excellent! Thank you everyone for your replies. I was concerned about the information that I got but I wasn't in a position to question it since I honestly was not 100% sure. Now, I believe I have some good ammunition for a good argument.

Thank you Tony for that URL.

This list rocks!

Edwin
RE: [ActiveDir] Renaming the Administrator account
Anything that specifically uses the domain Administrator account by name should be taken out and shot.

LOL!!!

Edwin, you are obviously the more experienced AD administrator. I think that is one of the very first things to be taught in AD courses. A true experienced AD admin should know that.

Good luck!

Samantha

(I always get good information and good laughs from this list - thanks!)
RE: [ActiveDir] W2K DC replacement
Lana,

Bring the new DC online and seize the roles. As long as the old server will not be brought back online, you can seize the roles without any problem. Check out http://support.microsoft.com/default.aspx?scid=kb;en-us;255504 which describes this process.

Denny

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Wednesday, July 21, 2004 6:03 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] W2K DC replacement

Hi everybody,

My question might sound silly, but I guess it's allowed when you're desperate. Hope to get your valuable advice.

We have a W2K domain controller, which has been taken offline and needs to be rebuilt. Unfortunately, the rebuild part started before we realised we need to transfer roles to another machine at least. (We have just 2 DCs in that domain.) We now have new plans - to promote a new W2K box into a domain controller instead of the old one, which will return online as a member server, as it is running vital applications. I know that we've done it the wrong way (please be gentle). But it's about too late...

So my question is really, in what order should I bring the new W2K server into the domain? Can I transfer roles onto the new DC if the old one is offline, or should I re-install the old one as a domain controller, even if for transfer of roles only? Do I need to do metadata cleanup if roles will be transferred, or just let AD naturally clear it up, replicating changes? Are there any gotchas to watch out for? The only DC left is a GC server, as the one that's gone used to have all the rest of the roles.

Many thanks in advance for any helpful advice.

Lana.
[ActiveDir] client terminal servers using remote DCs
I have a terminal server farm that is in a separate subnet, but in the same site as two DCs. The subnet for that farm is correctly defined in AD, associated with the same site as the two DCs. We're noticing that those terminal servers frequently authenticate on one of two remote DCs rather than the ones in their own site when they log on. Is there something other than the subnet definition that we might have missed that would cause this behavior?

Thanks,
Mark Creamer
RE: [ActiveDir] Summer Maintenance
I think you can use Unicast instead of Multicast in the newer versions of Norton Ghost. It goes slower but it won't bog down the network. Also, make sure your hop count is set correctly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Sunday, July 18, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

We tend to do them in blocks of max 30 because it's more manageable (and most rooms don't have more than that many computers!) I've done it enough times now to know that although we shouldn't have to get involved with boot floppies sometimes things just don't go the way you plan :-)

Not sure why Ghost does cause the network problems you describe but I know it does and we just plan round it - making sure no-one's trying to do anything important at the same time etc.

Steve

From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: 16 July 2004 21:31
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Things really slow down when multicasting to a load of computers where I am (all Cisco 2900XL series switches with fiber links to a 4005 series backbone switch). The multicast slows to a crawl, as does other network traffic.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
v: 773.534.0034 x135
f: 773.534.0035

From: Doug M. Long [mailto:[EMAIL PROTECTED] On Behalf Of Doug M. Long
Sent: Friday, July 16, 2004 1:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

If you're multicasting, network congestion shouldn't be an issue (assuming that you are putting the same image on all machines), right? Or am I missing something here?

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Fri 7/16/2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

You got it Steve. I don't know if you've ever done this before, but be prepared to have a handful of them screw up and need reimaging with a floppy disk. Also, don't think of doing em all at once. 100 - 150 is enough to saturate your network.

--Brian

-----Original Message-----
From: Steve Rochford [mailto:[EMAIL PROTECTED]
Sent: Fri 7/16/2004 8:08 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Summer Maintenance

I love comments like "The result is that as the imaged computers are powered up, the admin will type in each unique computer name and walk away."

We're re-imaging about 1000 student computers this summer and I'm not intending to go anywhere near most of them so typing in anything is a no-no! As others have said, Ghost will happily rename and join to the domain and it will also work with sysprep so you can have the best of both worlds :-)

Steve

-----Original Message-----
From: Brad Corob [mailto:[EMAIL PROTECTED]]
Sent: 15 July 2004 05:00
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

2) Regardless of how you image the computers, using sysprep is the *only* supported way of using imaged workstations on a network. Look into it if you haven't used it. I find it quite simple to use and extremely effective.

The sysprep process can be automated. I typically find it most useful to automate all of the mini-setup answers except for computer name. The result is that as the imaged computers are powered up, the admin will type in each unique computer name and walk away.

You can also join a domain during the sysprep process (automated or not). One caveat here is the default 10-computer limit each user account can create in AD (but it worked fine when we tested it!). The suggested method is to create a designated account for Sysprep imaging and delegate the appropriate rights to your Computer OU's.

If joining the computer to the domain during sysprep doesn't work for you, you can also script the process. Technet gives an example script here:

http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm31.mspx

but MSDN actually documents the WMI method here:

http://msdn.microsoft.com/library/en-us/wmisdk/wmi/joindomainorworkgroup_method_in_class_win32_computersystem.asp

Particularly helpful is the AccountOU parameter, as it will allow you to specify the OU in which to place the computer object to further ease your post-deployment admin tasks.

[The script method works wonders in large deployments when you can't join a domain during the Sysprep process, for example, if this particularly vexing, poorly documented, almost-12-month-old and as-yet-unfixed issue plagues your environment like the spawn of Satan:

http://support.novell.com/cgi-bin/search/searchtid.cgi?/10086130.htm

No, I'm not bitter. Not one bit.]

-Brad
[ActiveDir] Possible OT: Network boot disk with windows 2003.
Does anyone know of a way to get a DOS network boot diskette to authenticate in a windows 2003 AD domain short of disabling the following on the DC's local policy?

Domain Member: Digitally encrypt or sign secure channel data (always)
Microsoft network server: Digitally sign communication (always)

Thanks
Clyde Burns
RE: [ActiveDir] client terminal servers using remote DCs
Have you checked your srv records in DNS for the site?

Rob

-----Original Message-----
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: 21 July 2004 14:25
To: [EMAIL PROTECTED]
Subject: [ActiveDir] client terminal servers using remote DCs

I have a terminal server farm that is in a separate subnet, but in the same site as two DCs. The subnet for that farm is correctly defined in AD, associated with the same site as the two DCs. We're noticing that those terminal servers frequently authenticate on one of two remote DCs rather than the ones in their own site when they log on. Is there something other than the subnet definition that we might have missed that would cause this behavior?

Thanks,
Mark Creamer

This e-mail and the information it contains are confidential and may be privileged. If you have received this e-mail in error please notify the sender immediately and delete the material from any computer. Unless you are the intended recipient, you should not copy this e-mail for any purpose, or disclose its contents to any other person. The MCPS-PRS Alliance is not responsible for the completeness or accuracy of this communication as it has been transmitted over a public network. Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains. It is the recipient's responsibility to scan this e-mail and any attachments for viruses. Any e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for quality control and other purposes. The MCPS-PRS Alliance Limited is a limited company registered in England under company number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 3AB.
RE: [ActiveDir] Summer Maintenance
I concur (from experience): use the UNICAST option (from the GHOST CAST SERVER - FILE/OPTIONS) and you should be ok.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Wednesday, July 21, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

I think you can use Unicast instead of Multicast in the newer versions of Norton Ghost. It goes slower but it won't bog down the network. Also, make sure your hop count is set correctly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Sunday, July 18, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

We tend to do them in blocks of max 30 because it's more manageable (and most rooms don't have more than that many computers!) I've done it enough times now to know that although we shouldn't have to get involved with boot floppies sometimes things just don't go the way you plan :-)

Not sure why Ghost does cause the network problems you describe but I know it does and we just plan round it - making sure no-one's trying to do anything important at the same time etc.

Steve

From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: 16 July 2004 21:31
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Things really slow down when multicasting to a load of computers where I am (all Cisco 2900XL series switches with fiber links to a 4005 series backbone switch). The multicast slows to a crawl, as does other network traffic.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
v: 773.534.0034 x135
f: 773.534.0035

From: Doug M. Long [mailto:[EMAIL PROTECTED] On Behalf Of Doug M. Long
Sent: Friday, July 16, 2004 1:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

If you're multicasting, network congestion shouldn't be an issue (assuming that you are putting the same image on all machines), right? Or am I missing something here?
RE: [ActiveDir] Possible OT: Network boot disk with windows 2003.
I believe that you would need to do one of the following.

Either enable LanMan authentication, enable netbios over TCP/IP, disable Security Options under Settings, Local Policies, Security Options: Microsoft Network Server and Microsoft Network Client: Digitally sign communications = disable.

Or

Explore using a WinPE environment bootdisk. An example of a PE CD can be found here: http://www.nu2.nu/pebuilder/

Jason

-----Original Message-----
From: Burns, Clyde [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 7:38 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Possible OT: Network boot disk with windows 2003.

Does anyone know of a way to get a DOS network boot diskette to authenticate in a windows 2003 AD domain short of disabling the following on the DC's local policy?

Domain Member: Digitally encrypt or sign secure channel data (always)
Microsoft network server: Digitally sign communication (always)

Thanks
Clyde Burns
RE: [ActiveDir] useraccountflag
I could be wrong, but you're likely looking for this: http://msdn.microsoft.com/library/default.asp?url=

Which takes you to: http://tinyurl.com/674d2 and an example in vb.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, July 20, 2004 4:00 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] useraccountflag

Robbie's cookbook contains code on setting a password to never expire, but what if I want to set those that are set to never expire to start expiring? How would I alter the code? I tried setting to 512 (normal account), but it returns: "Did not need to change userAccountControl (66048)"

Here's the code as altered by me to change the flag back to a normal account whose password does expire:

    strUserDN = "CN=O'Tester\, GP,OU=TestOU,DC=na,DC=cintas,DC=com"
    intBit = 512
    strAttr = "userAccountControl"

    ' Bind to the user and read the current flag value
    Set objUser = GetObject("LDAP://" & strUserDN)
    intBitsOrig = objUser.Get(strAttr)
    intBitsCalc = CalcBit(intBitsOrig, intBit, True)

    ' Write back only when the calculated value differs
    If intBitsOrig <> intBitsCalc Then
        objUser.Put strAttr, intBitsCalc
        objUser.SetInfo
        WScript.Echo "Changed " & strAttr & " from " & intBitsOrig & " to " & intBitsCalc
    Else
        WScript.Echo "Did not need to change " & strAttr & " (" & intBitsOrig & ")"
    End If

    ' Turn intBit on (boolEnable = True) or off (boolEnable = False) in intValue
    Function CalcBit(intValue, intBit, boolEnable)
        CalcBit = intValue
        If boolEnable = True Then
            CalcBit = intValue Or intBit
        Else
            If intValue And intBit Then
                CalcBit = intValue Xor intBit
            End If
        End If
    End Function

Thanks for any help!

Mark Creamer
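The bit arithmetic behind the question above, as an added example that is not part of the original thread or of the cookbook code: 66048 is 65536 (ADS_UF_DONT_EXPIRE_PASSWD) plus 512 (ADS_UF_NORMAL_ACCOUNT), so OR-ing in 512 changes nothing, and it is the 65536 bit that has to be cleared. The example goes beyond the single account in the question by reporting every user under a base DN that has the bit set. The base DN argument and the /apply switch are assumptions of this example.

```vbscript
' Added example (not from the thread). Run with cscript:
'   cscript //nologo thisscript.vbs                      -> bit arithmetic only
'   cscript //nologo thisscript.vbs "<base DN>"          -> report accounts (dry run)
'   cscript //nologo thisscript.vbs "<base DN>" /apply   -> clear the flag
Option Explicit

' Documented ADS_USER_FLAG_ENUM values
Const ADS_UF_NORMAL_ACCOUNT      = &H200     ' 512
Const ADS_UF_DONT_EXPIRE_PASSWD  = &H10000   ' 65536
' LDAP matching rule for a bitwise AND test on an integer attribute
Const LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

Function HasBit(intValue, intBit)
    HasBit = ((intValue And intBit) = intBit)
End Function

Function SetBit(intValue, intBit)
    SetBit = intValue Or intBit
End Function

Function ClearBit(intValue, intBit)
    ' And-with-complement only touches the named bit, whatever its state
    ClearBit = intValue And (Not intBit)
End Function

' --- Part 1: the value reported in the thread (constructed input) ---
Dim intSample : intSample = 66048            ' 65536 + 512
WScript.Echo "userAccountControl = " & intSample
WScript.Echo "  NORMAL_ACCOUNT set:      " & HasBit(intSample, ADS_UF_NORMAL_ACCOUNT)
WScript.Echo "  DONT_EXPIRE_PASSWD set:  " & HasBit(intSample, ADS_UF_DONT_EXPIRE_PASSWD)
WScript.Echo "  after SetBit 512:        " & SetBit(intSample, ADS_UF_NORMAL_ACCOUNT)
WScript.Echo "  after ClearBit 65536:    " & ClearBit(intSample, ADS_UF_DONT_EXPIRE_PASSWD)

' --- Part 2: report (and optionally fix) accounts under a base DN ---
If WScript.Arguments.Unnamed.Count = 0 Then WScript.Quit 0

Dim strBaseDN, boolApply, objConn, objCmd, objRS
Dim objUser, intOrig, intNew, intCount
strBaseDN = WScript.Arguments.Unnamed(0)
boolApply = WScript.Arguments.Named.Exists("apply")

Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

Set objCmd = CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.Properties("Page Size") = 500         ' page through large result sets
objCmd.CommandText = "<LDAP://" & strBaseDN & ">;" & _
    "(&(objectCategory=person)(objectClass=user)" & _
    "(userAccountControl:" & LDAP_MATCHING_RULE_BIT_AND & ":=" & _
    ADS_UF_DONT_EXPIRE_PASSWD & "));" & _
    "ADsPath,userAccountControl;subtree"
Set objRS = objCmd.Execute

intCount = 0
Do Until objRS.EOF
    intOrig = objRS.Fields("userAccountControl").Value
    intNew  = ClearBit(intOrig, ADS_UF_DONT_EXPIRE_PASSWD)
    WScript.Echo objRS.Fields("ADsPath").Value & "  " & intOrig & " -> " & intNew
    If boolApply Then
        Set objUser = GetObject(objRS.Fields("ADsPath").Value)
        objUser.Put "userAccountControl", intNew
        objUser.SetInfo
    End If
    intCount = intCount + 1
    objRS.MoveNext
Loop

If boolApply Then
    WScript.Echo intCount & " account(s) changed."
Else
    WScript.Echo intCount & " account(s) have a non-expiring password (dry run, nothing written)."
End If
```

Run without /apply first and review the list: service accounts are often set to never expire deliberately, and clearing the flag on them can cause an outage when the password ages out.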
RE: [ActiveDir] client terminal servers using remote DCs
I see srv records in several places in DNS, and I'm not sure I know what you're referring to.

Under [domain]/_tcp I see:
2 records for _kerberos (for the two remote DCs)
2 records for _kpassword (for the 2 remote DCs)
4 records for _ldap (for each of the 4 DCs, two local, two remote)

Under [domain]/_sites/[my site]/_tcp I see:
2 records for _ldap (for the two LOCAL DCs)

Does this look like what you'd expect?

mc

From: Rutherford, Robert [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 9:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] client terminal servers using remote DCs

Have you checked your srv records in DNS for the site?

Rob

-----Original Message-----
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: 21 July 2004 14:25
To: [EMAIL PROTECTED]
Subject: [ActiveDir] client terminal servers using remote DCs

I have a terminal server farm that is in a separate subnet, but in the same site as two DCs. The subnet for that farm is correctly defined in AD, associated with the same site as the two DCs. We're noticing that those terminal servers frequently authenticate on one of two remote DCs rather than the ones in their own site when they log on. Is there something other than the subnet definition that we might have missed that would cause this behavior?

Thanks,
Mark Creamer
[ActiveDir] DC in 2 Sites
I built an Exchange server at one site and shipped to another site. In AD Sites and Services, I thought I had deleted it. But this server is under two sites and I can't delete it from the first site. I get the error "The DSA object cannot be deleted." Any suggestions on the best utility to remove the server without affecting the other Site?

Thanks,
John Pittman
RE: [ActiveDir] win2k pro or server?
Is there a way to tell via vbs?

Thank you,
Mitch Lawrence

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brown, Bill [contractor]
Posted At: Tuesday, July 20, 2004 1:21 PM
Posted To: ~AD Discussion~
Conversation: win2k pro or server?
Subject: RE: [ActiveDir] win2k pro or server?

If you hit the start button - there is a vertical bar that displays this information...

R/Bill

-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 20, 2004 2:14 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] win2k pro or server?

Sorry if this is really basic and covered before - but what's the quickest way (via script or gui admin tool) to tell if a particular pc/server is running win2k pro or server?

thanks
RE: [ActiveDir] client terminal servers using remote DCs
Under [domain]/_sites/[my site]/_tcp I see:
2 records for _ldap (for the two LOCAL DCs)

I would expect to see Kerberos and GC (assuming you have a GC in the site) records under this site. Well at least Kerberos... hmm.

If you do an ipconfig /registerdns on one of the DC's.. do you then see the correct entries? Else just try a bounce at a convenient time and check again. We could register them manually, I'm just curious why the DC's are not registering correctly.

Can you check your other sites and confirm you have GC or at least kerberos srv records.

BR
Rob

-----Original Message-----
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: 21 July 2004 15:28
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] client terminal servers using remote DCs

I see srv records in several places in DNS, and I'm not sure I know what you're referring to.

Under [domain]/_tcp I see:
2 records for _kerberos (for the two remote DCs)
2 records for _kpassword (for the 2 remote DCs)
4 records for _ldap (for each of the 4 DCs, two local, two remote)

Under [domain]/_sites/[my site]/_tcp I see:
2 records for _ldap (for the two LOCAL DCs)

Does this look like what you'd expect?

mc

From: Rutherford, Robert [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 9:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] client terminal servers using remote DCs

Have you checked your srv records in DNS for the site?

Rob

-----Original Message-----
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: 21 July 2004 14:25
To: [EMAIL PROTECTED]
Subject: [ActiveDir] client terminal servers using remote DCs

I have a terminal server farm that is in a separate subnet, but in the same site as two DCs. The subnet for that farm is correctly defined in AD, associated with the same site as the two DCs. We're noticing that those terminal servers frequently authenticate on one of two remote DCs rather than the ones in their own site when they log on. Is there something other than the subnet definition that we might have missed that would cause this behavior?

Thanks,
Mark Creamer
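One way to check the site-specific SRV records discussed in this thread, as an added example that is not from any of the posters: it builds the record names that Netlogon registers for a site and asks nslookup for each one. The site and domain arguments are placeholders supplied by the caller, a single-domain forest is assumed for the _gc record, and the parser assumes the "svr hostname" lines that Windows nslookup prints for SRV answers.

```vbscript
' Added example (not from the thread). Usage:
'   cscript //nologo thisscript.vbs <SiteName> <dns.domain.name>
' Without arguments it only lists the names for a constructed placeholder site.
Option Explicit

' SRV names Netlogon registers for the DCs (and GCs) of one site.
' The _gc name lives in the forest root zone; a single-domain forest is assumed.
Function SiteSrvNames(strSite, strDomain)
    SiteSrvNames = Array( _
        "_ldap._tcp." & strSite & "._sites." & strDomain, _
        "_kerberos._tcp." & strSite & "._sites." & strDomain, _
        "_ldap._tcp." & strSite & "._sites.dc._msdcs." & strDomain, _
        "_kerberos._tcp." & strSite & "._sites.dc._msdcs." & strDomain, _
        "_gc._tcp." & strSite & "._sites." & strDomain)
End Function

' Extract the target hosts from nslookup's "svr hostname = ..." lines.
Function SrvTargets(strOutput)
    Dim objRE, objMatch, strList
    Set objRE = New RegExp
    objRE.Pattern = "svr hostname\s*=\s*(\S+)"
    objRE.IgnoreCase = True
    objRE.Global = True
    strList = ""
    For Each objMatch In objRE.Execute(strOutput)
        strList = strList & objMatch.SubMatches(0) & " "
    Next
    SrvTargets = Trim(strList)
End Function

' Run nslookup for one record name and return its standard output.
Function QuerySrv(objShell, strName)
    Dim objExec
    Set objExec = objShell.Exec("nslookup -type=SRV " & strName)
    QuerySrv = objExec.StdOut.ReadAll
End Function

Dim strName
If WScript.Arguments.Count <> 2 Then
    ' Constructed placeholder values, no DNS query is made
    WScript.Echo "Names that would be checked for site SITE-A in example.com:"
    For Each strName In SiteSrvNames("SITE-A", "example.com")
        WScript.Echo "  " & strName
    Next
    WScript.Quit 0
End If

Dim objShell, strTargets, intMissing
Set objShell = CreateObject("WScript.Shell")
intMissing = 0
For Each strName In SiteSrvNames(WScript.Arguments(0), WScript.Arguments(1))
    strTargets = SrvTargets(QuerySrv(objShell, strName))
    If strTargets = "" Then
        intMissing = intMissing + 1
        WScript.Echo "MISSING  " & strName
    Else
        WScript.Echo "OK       " & strName & " -> " & strTargets
    End If
Next

' Exit code = number of record names that returned no SRV target
WScript.Quit intMissing
```

Run it from one of the affected terminal servers so the answers come from the DNS server those clients actually use.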
RE: [ActiveDir] LastLogOn
It does tell you the time you logged into the PC. Very useful tool. I have it scripted into my logon.vbs, using it to force a background out to the PCs. For reference (yeah, I know it's probably ugly, I am by no means a pro vbs scripter):

    '=====
    ' Copy Desktop Background File and Set It
    '=====
    ' strSysRoot, fso and wshShell are set elsewhere in logon.vbs
    public sub CheckBkgFile()
        On Error Resume Next
        Dim strSrc, strDst, strSF, strDF, strSrcF, strDstF, strProg, strPrPar1
        Dim strPrPar2, strPrPrms, strCommandLine, return, strServer
        strServer = strSysRoot & "\system32\server.txt"
        strSrc = "\\DC01\NETLOGON\"
        strSF = strSrc & "NBHBG.jpg"
        strDst = strSysRoot & "\system32\"
        strDF = strDst & "NBHBG.jpg"   ' was NBHGB.jpg, which never matches the copied file
        strProg = strSrc & "Bginfo.exe"
        strPrPar1 = strSrc & "Bginfo.bgi"
        strPrPar2 = " /Timer:0"
        strPrPrms = strPrPar1 & strPrPar2
        If fso.FileExists (strServer) then
            'Proceed
        else
            If fso.FileExists (strDF) then
                Set strDstF = fso.GetFile(strDF)
                Set strSrcF = fso.GetFile(strSF)
                ' Comparison operator was lost in the archive; "<" (local copy is older) is assumed
                If strDstF.DateLastModified < strSrcF.DateLastModified then
                    fso.CopyFile strSF, strDst, true
                end if
            else
                fso.CopyFile strSF, strDst, true
            end if
            strCommandLine = strProg & " " & strPrPrms
            return = wshShell.run (strCommandLine, 0, TRUE)
        end if
    end sub

Allows us to do a single change on the corporate background image and force it out to the desktops on user logon.

Thank you,
Mitchell D. Lawrence
Director, Network Administrator
ITS Department
North Bay Hospital
1711 W. Wheeler Ave
Aransas Pass, TX 78336
ph: (361) 758-0580
fx: (361) 758-0581
pg: (361) 270-0421
[EMAIL PROTECTED]
[EMAIL PROTECTED] (home)
** Good | Cheap | Fast (Pick Two)**

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Posted At: Tuesday, July 20, 2004 1:49 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] LastLogOn
Subject: RE: [ActiveDir] LastLogOn

Bginfo will show you the logon server but it doesn't show you the last logon value. It is still subject to the requirement that you need to query the last logon time from all of the DCs in the domain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, July 20, 2004 10:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LastLogOn

Oh yeh... that's a good idea. We have it on our servers, but yeh it would also work in the clients. I'll look into it.

Cheers Tim.

-----Original Message-----
From: Tim Foster [mailto:[EMAIL PROTECTED]
Sent: 20 July 2004 17:06
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LastLogOn

BgInfo from http://www.sysinternals.com/ntw2k/freeware/bginfo.shtml may help.

Tim Foster

From: Durant, Ryan A [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 20, 2004 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LastLogOn

Query every domain controller and store those results in a database. The number of domain controllers, amount of users and link speeds will determine how fast you can collect the stats. You may only be able to collect once a day or possibly once an hour. Have a logon script query the DB for the last logon value and have it pop up on their screen. You could also query a web page to get the values if you didn't want to worry about odbc and sql calls from the client machines.

But you have to be a scripter to get this done I believe.

Ryan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, July 20, 2004 6:26 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LastLogOn

Dear All,

Not in any way being a scripter. How would I get the date and time a user last logged on to pop up on their screen at logon? I guess it would be via the 'lastlogon' attribute? Linked into a login script?

Cheers,
Rob
RE: [ActiveDir] win2k pro or server?
It may be more than you want but what the heck. I'm not a programmer so YMMV

Diane

' Prompt for a computer name (defaults to the local machine) and dump
' every Win32_OperatingSystem property over WMI.
' The Caption line names the installed edition.
On Error Resume Next
Set Network = WScript.CreateObject("WScript.Network")
strComputer = InputBox("Enter NETBIOS name of computer", "GetComputerLocation In AD", Network.ComputerName)
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly
Set colItems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem",,48)
For Each objItem in colItems
    Wscript.Echo "BootDevice: " & objItem.BootDevice
    Wscript.Echo "BuildNumber: " & objItem.BuildNumber
    Wscript.Echo "BuildType: " & objItem.BuildType
    Wscript.Echo "Caption: " & objItem.Caption
    Wscript.Echo "CodeSet: " & objItem.CodeSet
    Wscript.Echo "CountryCode: " & objItem.CountryCode
    Wscript.Echo "CreationClassName: " & objItem.CreationClassName
    Wscript.Echo "CSCreationClassName: " & objItem.CSCreationClassName
    Wscript.Echo "CSDVersion: " & objItem.CSDVersion
    Wscript.Echo "CSName: " & objItem.CSName
    Wscript.Echo "CurrentTimeZone: " & objItem.CurrentTimeZone
    Wscript.Echo "Debug: " & objItem.Debug
    Wscript.Echo "Description: " & objItem.Description
    Wscript.Echo "Distributed: " & objItem.Distributed
    Wscript.Echo "EncryptionLevel: " & objItem.EncryptionLevel
    Wscript.Echo "ForegroundApplicationBoost: " & objItem.ForegroundApplicationBoost
    Wscript.Echo "FreePhysicalMemory: " & objItem.FreePhysicalMemory
    Wscript.Echo "FreeSpaceInPagingFiles: " & objItem.FreeSpaceInPagingFiles
    Wscript.Echo "FreeVirtualMemory: " & objItem.FreeVirtualMemory
    Wscript.Echo "InstallDate: " & objItem.InstallDate
    Wscript.Echo "LargeSystemCache: " & objItem.LargeSystemCache
    Wscript.Echo "LastBootUpTime: " & objItem.LastBootUpTime
    Wscript.Echo "LocalDateTime: " & objItem.LocalDateTime
    Wscript.Echo "Locale: " & objItem.Locale
    Wscript.Echo "Manufacturer: " & objItem.Manufacturer
    Wscript.Echo "MaxNumberOfProcesses: " & objItem.MaxNumberOfProcesses
    Wscript.Echo "MaxProcessMemorySize: " & objItem.MaxProcessMemorySize
    Wscript.Echo "Name: " & objItem.Name
    Wscript.Echo "NumberOfLicensedUsers: " & objItem.NumberOfLicensedUsers
    Wscript.Echo "NumberOfProcesses: " & objItem.NumberOfProcesses
    Wscript.Echo "NumberOfUsers: " & objItem.NumberOfUsers
    Wscript.Echo "Organization: " & objItem.Organization
    Wscript.Echo "OSLanguage: " & objItem.OSLanguage
    Wscript.Echo "OSProductSuite: " & objItem.OSProductSuite
    Wscript.Echo "OSType: " & objItem.OSType
    Wscript.Echo "OtherTypeDescription: " & objItem.OtherTypeDescription
    Wscript.Echo "PlusProductID: " & objItem.PlusProductID
    Wscript.Echo "PlusVersionNumber: " & objItem.PlusVersionNumber
    Wscript.Echo "Primary: " & objItem.Primary
    Wscript.Echo "ProductType: " & objItem.ProductType
    Wscript.Echo "QuantumLength: " & objItem.QuantumLength
    Wscript.Echo "QuantumType: " & objItem.QuantumType
    Wscript.Echo "RegisteredUser: " & objItem.RegisteredUser
    Wscript.Echo "SerialNumber: " & objItem.SerialNumber
    Wscript.Echo "ServicePackMajorVersion: " & objItem.ServicePackMajorVersion
    Wscript.Echo "ServicePackMinorVersion: " & objItem.ServicePackMinorVersion
    Wscript.Echo "SizeStoredInPagingFiles: " & objItem.SizeStoredInPagingFiles
    Wscript.Echo "Status: " & objItem.Status
    Wscript.Echo "SuiteMask: " & objItem.SuiteMask
    Wscript.Echo "SystemDevice: " & objItem.SystemDevice
    Wscript.Echo "SystemDirectory: " & objItem.SystemDirectory
    Wscript.Echo "SystemDrive: " & objItem.SystemDrive
    Wscript.Echo "TotalSwapSpaceSize: " & objItem.TotalSwapSpaceSize
    Wscript.Echo "TotalVirtualMemorySize: " & objItem.TotalVirtualMemorySize
    Wscript.Echo "TotalVisibleMemorySize: " & objItem.TotalVisibleMemorySize
    Wscript.Echo "Version: " & objItem.Version
    Wscript.Echo "WindowsDirectory: " & objItem.WindowsDirectory
Next

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Wednesday, July 21, 2004 7:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win2k pro or server?

Is there a way to tell via vbs?

Thank you,
Mitch Lawrence

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brown, Bill [contractor]
Posted At: Tuesday, July 20, 2004 1:21 PM
Posted To: ~AD Discussion~
Conversation: win2k pro or server?
Subject: RE: [ActiveDir] win2k pro or server?

If you hit the start button - there is a vertical bar that displays this information...

R/Bill

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 20, 2004 2:14 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] win2k pro or server?

Sorry if this is really basic and covered before - but what's the quickest way (via script or gui admin tool) to tell if a particular pc/server is running win2k pro or server?

thanks
RE: [ActiveDir] Empty Group Lists
sounds like groups with hidden group-memberships, where the Exchange store process kindly "screws-up" the ACLs of the groups for you = Exchange puts the ACEs in a non-canonical order, which basically allows an Allow ACE (for the Exchange Enterprise Server group) to be listed before the Deny Read ACE for Everyone.

You can add your own Admin account to the Exchange Enterprise Server group to get around that problem.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Diel,Nick (Work)
Sent: Tuesday, July 20, 2004 7:25 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Empty Group Lists

I am new to this list and have a problem hopefully someone can help me out with. In several of my groups (both security and distribution, all universal) the Members section is blank. There are still members in them, but I just can't see the members. The distribution and security groups still work and what not. The list is blank on both DCs (one is an exchange server), also blank on my local MMC (have AdminPak), and blank when looking at the groups through Outlook. These groups are roughly my largest groups (some will have 50+, while others not as many).

Any help would be great,
Nick
RE: [ActiveDir] Empty Group Lists
Thanks that did the trick.

Nick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, July 21, 2004 9:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Empty Group Lists

sounds like groups with hidden group-memberships, where the Exchange store process kindly screws-up the ACLs of the groups for you = Exchange puts the ACEs in a non-canonical order, which basically allows an Allow ACE (for the Exchange Enterprise Server group) to be listed before the Deny Read ACE for Everyone.

You can add your own Admin account to the Exchange Enterprise Server group to get around that problem.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Diel,Nick (Work)
Sent: Tuesday, July 20, 2004 7:25 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Empty Group Lists

I am new to this list and have a problem hopefully someone can help me out with. In several of my groups (both security and distribution, all universal) the Members section is blank. There are still members in them, but I just can't see the members. The distribution and security groups still work and what not. The list is blank on both DCs (one is an exchange server), also blank on my local MMC (have AdminPak), and blank when looking at the groups through Outlook. These groups are roughly my largest groups (some will have 50+, while others not as many).

Any help would be great,
Nick
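The ACE ordering described in this thread, as an added example that is not part of the original messages: a checker that parses a DACL in SDDL form, finds the first ACE that breaks canonical order, and walks the list the way an access check does, so the effect of an Allow ACE sitting ahead of a Deny ACE is visible. The SDDL string, the placeholder group SID and the function names are constructed for illustration.

```python
import re
from collections import namedtuple

# SDDL right codes for directory objects and their access-mask bits.
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}

Ace = namedtuple("Ace", "deny inherited inherit_only mask trustee")


def _pairs(text):
    """Split a run of two-letter SDDL codes ('CIID' -> ['CI', 'ID'])."""
    return [text[i:i + 2] for i in range(0, len(text), 2)]


def parse_dacl(sddl):
    """Return the DACL's ACEs in stored order (allow/deny ACE types only).

    Simplification: object ACEs (OA/OD) are treated as covering the whole
    object; their attribute GUIDs are ignored.
    """
    match = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not match:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) != 6 or fields[0] not in ("A", "D", "OA", "OD"):
            raise ValueError("unsupported ACE: (%s)" % body)
        ace_type, flags, rights, _guid, _inherit_guid, trustee = fields
        if rights.startswith("0x"):
            mask = int(rights, 16)
        else:
            mask = 0
            for code in _pairs(rights):
                if code not in RIGHTS:
                    raise ValueError("unknown right code: %s" % code)
                mask |= RIGHTS[code]
        flag_set = set(_pairs(flags))
        aces.append(Ace(ace_type in ("D", "OD"), "ID" in flag_set,
                        "IO" in flag_set, mask, trustee))
    return aces


def rank(ace):
    """0 = explicit deny, 1 = explicit allow, 2 = inherited.

    Inherited ACEs are grouped per ancestor level, which SDDL does not
    record, so deny/allow order is only checked among explicit ACEs.
    """
    if ace.inherited:
        return 2
    return 0 if ace.deny else 1


def first_violation(aces):
    """Index of the first ACE that is out of canonical order, or None."""
    highest = 0
    for index, ace in enumerate(aces):
        if rank(ace) < highest:
            return index
        highest = rank(ace)
    return None


def canonicalize(aces):
    """Stable re-sort: explicit deny, explicit allow, then inherited."""
    return sorted(aces, key=rank)


def access_check(aces, token_sids, desired):
    """Walk the ACEs in stored order; the first decisive ACE wins."""
    remaining = desired
    for ace in aces:
        if ace.inherit_only or ace.trustee not in token_sids:
            continue
        if ace.deny:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False


# Constructed sample: an Allow for a placeholder group SID stored ahead of
# a Deny Read Property for Everyone (WD).
EXCH_GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE = "D:(A;;RP;;;%s)(D;;RP;;;WD)(A;;RPLCRC;;;AU)" % EXCH_GROUP

if __name__ == "__main__":
    dacl = parse_dacl(SAMPLE)
    member = {"WD", "AU", EXCH_GROUP}
    admin = {"WD", "AU", "DA"}
    print("first out-of-order ACE:", first_violation(dacl))
    print("group member can read:", access_check(dacl, member, RIGHTS["RP"]))
    print("other admin can read:", access_check(dacl, admin, RIGHTS["RP"]))
    print("member after re-sort:",
          access_check(canonicalize(dacl), member, RIGHTS["RP"]))
```

Re-sorting the list into canonical order moves the Deny ahead of the Allow, so the group member is denied as well.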
RE: [ActiveDir] LastLogOn
Noticed a small error (wouldn't have noticed it until we changed the background image). Error shown in red below.

Thank you,
Mitchell D. Lawrence
Director, Network Administrator
ITS Department
North Bay Hospital
1711 W. Wheeler Ave
Aransas Pass, TX 78336
ph: (361) 758-0580
fx: (361) 758-0581
pg: (361) 270-0421
[EMAIL PROTECTED]
[EMAIL PROTECTED] (home)
** Good | Cheap | Fast (Pick Two)**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Posted At: Wednesday, July 21, 2004 9:59 AM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] LastLogOn
Subject: RE: [ActiveDir] LastLogOn

It does tell you the time you logged into the PC. Very useful tool. I have it scripted into my logon.vbs, using it to force a background out to the PCs. For reference (yeah, I know it's probably ugly, I am by no means a pro vbs scripter):

'=
' Copy Desktop Background File and Set It
'=
public sub CheckBkgFile()
    ' fso, wshShell and strSysRoot are set elsewhere in logon.vbs
    On Error Resume Next
    Dim strSrc, strDst, strSF, strDF, strSrcF, strDstF, strProg, strPrPar1
    Dim strPrPar2, strPrPrms, strCommandLine, return, strServer
    strServer = strSysRoot & "\system32\server.txt"
    strSrc = "\\DC01\NETLOGON\"
    strSF = strSrc & "NBHBG.jpg"
    strDst = strSysRoot & "\system32\"
    strDF = strDst & "NBHBG.jpg"
    strProg = strSrc & "Bginfo.exe"
    strPrPar1 = strSrc & "Bginfo.bgi"
    strPrPar2 = "/Timer:0"
    strPrPrms = strPrPar1 & " " & strPrPar2
    If fso.FileExists (strServer) then
        'Proceed
    else
        If fso.FileExists (strDF) then
            ' GetFile returns File objects, so they are assigned with Set
            Set strDstF = fso.GetFile(strDF)
            Set strSrcF = fso.GetFile(strSF)
            If strDstF.DateLastModified < strSrcF.DateLastModified then
                fso.CopyFile strSrc, strDst, true
                ' [Mitch writes: ] Should be fso.CopyFile strSF, strDst, true
            end if
        else
            fso.CopyFile strSF, strDst, true
        end if
        strCommandLine = strProg & " " & strPrPrms
        return = wshShell.run (strCommandLine, 0, TRUE)
    end if
end sub

Allows us to do a single change on the corporate background image and force it out to the desktops on user logon.

Thank you,
Mitchell D. Lawrence
Director, Network Administrator
ITS Department
North Bay Hospital
1711 W. Wheeler Ave
Aransas Pass, TX 78336
ph: (361) 758-0580
fx: (361) 758-0581
pg: (361) 270-0421
[EMAIL PROTECTED]
[EMAIL PROTECTED] (home)
** Good | Cheap | Fast (Pick Two)**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Posted At: Tuesday, July 20, 2004 1:49 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] LastLogOn
Subject: RE: [ActiveDir] LastLogOn

Bginfo will show you the logon server but it doesn't show you the last logon value. It is still subject to the requirement that you need to query the last logon time from all of the DCs in the domain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, July 20, 2004 10:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LastLogOn

Oh yeh... that's a good idea. We have it on our servers, but yeh it would also work in the clients. I'll look into it.

Cheers Tim.

-Original Message-
From: Tim Foster [mailto:[EMAIL PROTECTED]
Sent: 20 July 2004 17:06
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LastLogOn

BgInfo from http://www.sysinternals.com/ntw2k/freeware/bginfo.shtml may help.

Tim Foster

From: Durant, Ryan A [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 20, 2004 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LastLogOn

Query every domain controller and store those results in a database. The number of domain controllers, amount of users and link speeds will determine how fast you can collect the stats. You may only be able to collect once a day or possibly once an hour. Have a logon script query the DB for the last logon value and have it pop up on their screen. You could also query a web page to get the values if you didn't want to worry about odbc and sql calls from the client machines. But you have to be a scripter to get this done I believe.

Ryan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, July 20, 2004 6:26 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LastLogOn

Dear All,

Not in anyway being a scripter. How would I get the date and time a user last logged on to pop up on their screen at logon? I guess it would be via the 'lastlogon' attribute? Linked into a login script?

Cheers,
Rob
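The collection step discussed in this thread (query every DC, keep the newest value per user), as an added example that is not part of the original messages: it merges per-DC lastLogon readings, converts the winning value from FILETIME ticks to a UTC timestamp, and reports DCs that could not be queried, since a missing DC means the result is only a lower bound. The snapshot dictionary stands in for the per-DC query results; DC names, user names and values are constructed.

```python
from datetime import datetime, timedelta, timezone

# lastLogon is stored as 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw):
    """Convert a lastLogon value to an aware datetime; 0 means never."""
    ticks = int(raw or 0)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def merge_last_logon(snapshots):
    """Combine per-DC readings into one answer per user.

    snapshots maps DC name -> {user: raw lastLogon}, or None when that DC
    could not be queried. Returns (report, unreachable), where report maps
    user -> (datetime or None, name of the DC holding that value or None).
    """
    newest = {}
    unreachable = []
    for dc in sorted(snapshots):
        readings = snapshots[dc]
        if readings is None:
            unreachable.append(dc)
            continue
        for user, raw in readings.items():
            ticks = int(raw or 0)  # LDAP clients usually return a string
            best_ticks, _ = newest.setdefault(user, (0, None))
            if ticks > best_ticks:
                newest[user] = (ticks, dc)
    report = {user: (filetime_to_datetime(ticks), dc)
              for user, (ticks, dc) in newest.items()}
    return report, unreachable


# Constructed readings from three DCs; DC03 did not answer.
SAMPLE = {
    "DC01": {"rob": "127347552000000000", "newhire": "0"},
    "DC02": {"rob": "127347624000000000", "newhire": "0"},
    "DC03": None,
}

if __name__ == "__main__":
    report, unreachable = merge_last_logon(SAMPLE)
    for user, (when, dc) in sorted(report.items()):
        print(user, when.isoformat() if when else "never", dc or "-")
    if unreachable:
        print("incomplete, no answer from:", ", ".join(unreachable))
```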
[ActiveDir] good books
Can anyone suggest best books for someone who needs to get a very strong understanding of ADAM. Thanks, Sonya
RE: [ActiveDir] good books
I haven't seen any books myself. It could use one though :)

Here's some online information though that may be helpful. http://tinyurl.com/lkqp

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 1:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] good books

Can anyone suggest best books for someone who needs to get a very strong understanding of ADAM.

Thanks,
Sonya
RE: [ActiveDir] Possible OT: Network boot disk with windows 2003.
Clyde,

Check out www.bootdisk.com. Under the Network boot disks give Barts a shot. It's pretty good and customizable.

Dave

--
David J. Perdue
MCSE 2000, MCSE NT, MCSA, MCP+I
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597
DSN: 276-4597
[EMAIL PROTECTED]
--

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burns, Clyde
Sent: Wednesday, July 21, 2004 6:38 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Possible OT: Network boot disk with windows 2003.

Does anyone know of a way to get a DOS network boot diskette to authenticate in a windows 2003 AD domain short of disabling the following on the DC's local policy?

Domain Member: Digitally encrypt or sign secure channel data (always)
Microsoft network server: Digitally sign communication (always)

Thanks
Clyde Burns
[ActiveDir] DSACLS - Is this normal ?
I posted on this topic before but I think I can explain the issue more clearly now...

If I use the /S switch of DSACLS to restore the ACLS of an object back to the default as defined in the schema, the object no longer inherits auditing entries. The simplest test to observe this is:

1. create a new user or computer object
2. look at its properties - security tab, advanced, auditing tab - "Allow inheritable auditing properties from parent to propagate to this object" is checked, and any such inherited auditing entries are displayed
3. at a command prompt, type DSACLS <DN of the object> /S
4. look at the same security properties again - the check box is cleared and the entries are gone.

Any idea why this happens? In this simple example, I would have expected NO change - the object had just been created, presumably with the same default security descriptor as the /S switch uses.

Dave
[ActiveDir] How to restrict access to event viewer
Hi,

Can you share your experiences about how to restrict access to event viewer to only one group? Local and remote access?

Thks.

LEGAL NOTICE: This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from REPSOL YPF S.A. and/or subsidiaries and/or affiliates. Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.
RE: [ActiveDir] good books
Would a book on AD be a good start?

Mulnick, Al [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/21/2004 10:18 AM
Please respond to [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] good books

I haven't seen any books myself. It could use one though :)

Here's some online information though that may be helpful. http://tinyurl.com/lkqp

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 1:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] good books

Can anyone suggest best books for someone who needs to get a very strong understanding of ADAM.

Thanks,
Sonya
RE: [ActiveDir] good books
Wouldn't hurt, but it is significantly different. AD/AM is more of a subset of the same technology (think what a product would look like if we just took one feature from it and turned it into its own product after removing the larger product dependencies) and therefore there are things that Active Directory can do that AD/AM won't. AD/AM is focused on providing a LDAP database; IMHO for developer's usage so they won't have to go use a *nix solution such as OpenLDAP (http://www.openldap.org for more information).

Once you have the hang of LDAP, AD/AM's included documents tell you a lot about the product and how to use it. They just don't talk much about why you'd use it or what tools would make it easier to use. They assume you already know that information. A book would be nice to tie all of that together and put AD/AM in perspective. It's a great product and there are many uses that make a lot of sense for many shops, whether they've come to that realization yet or not. As an example I just got out of a beating about directory services and how they could help provide a foundation for solving a lot of other problems. AD/AM could fit in that solution pretty well (along with other LDAP stores), whereas Active Directory has too much overhead. The fact that they place well together is helpful, but not the focus from my perspective.

If you're going to pick an Active Directory book, Robbie Allen's book seems to get good reviews (on my list to read eventually I swear), as is Sakari Kouti & Mika Seitsonen's book (Inside ActiveDirectory). There's also an LDAP book written by Tim Howes that is pretty good (Understanding and deploying LDAP directories) and gives some history and background on why you'd even want such a thing. It's becoming a little outdated IMHO, but...

And of course, there's IBM's Redbook on the subject: http://tinyurl.com/22k6k (note, it's 6.5 mb and not a tremendous amount of pictures).

Of course, this is all my personal opinion.

-Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 2:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] good books

Would a book on AD be a good start?

"Mulnick, Al" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/21/2004 10:18 AM
Please respond to [EMAIL PROTECTED]
To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] good books

I haven't seen any books myself. It could use one though :)

Here's some online information though that may be helpful. http://tinyurl.com/lkqp

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 1:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] good books

Can anyone suggest best books for someone who needs to get a very strong understanding of ADAM.

Thanks,
Sonya
RE: [ActiveDir] good books
Well on the adam home page that Al pointed out is the Technical Reference document, this is a GREAT document on ADAM it's really worth the read, trust me I know I wrote a few articles on ADAM and that document has pretty much everything you need to know

***Shout out to AL!!!***

Carlos Magalhaes
-- AD programming? --- http://groups.yahoo.com/group/adsianddirectoryservices

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, July 21, 2004 8:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] good books

Wouldn't hurt, but it is significantly different. AD/AM is more of a subset of the same technology (think what a product would look like if we just took one feature from it and turned it into its own product after removing the larger product dependencies) and therefore there are things that Active Directory can do that AD/AM won't. AD/AM is focused on providing a LDAP database; IMHO for developer's usage so they won't have to go use a *nix solution such as OpenLDAP (http://www.openldap.org for more information).

Once you have the hang of LDAP, AD/AM's included documents tell you a lot about the product and how to use it. They just don't talk much about why you'd use it or what tools would make it easier to use. They assume you already know that information. A book would be nice to tie all of that together and put AD/AM in perspective. It's a great product and there are many uses that make a lot of sense for many shops, whether they've come to that realization yet or not. As an example I just got out of a beating about directory services and how they could help provide a foundation for solving a lot of other problems. AD/AM could fit in that solution pretty well (along with other LDAP stores), whereas Active Directory has too much overhead. The fact that they place well together is helpful, but not the focus from my perspective.

If you're going to pick an Active Directory book, Robbie Allen's book seems to get good reviews (on my list to read eventually I swear), as is Sakari Kouti & Mika Seitsonen's book (Inside ActiveDirectory). There's also an LDAP book written by Tim Howes that is pretty good (Understanding and deploying LDAP directories) and gives some history and background on why you'd even want such a thing. It's becoming a little outdated IMHO, but...

And of course, there's IBM's Redbook on the subject: http://tinyurl.com/22k6k (note, it's 6.5 mb and not a tremendous amount of pictures).

Of course, this is all my personal opinion.

-Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 2:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] good books

Would a book on AD be a good start?

"Mulnick, Al" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/21/2004 10:18 AM
Please respond to [EMAIL PROTECTED]
To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] good books

I haven't seen any books myself. It could use one though :)

Here's some online information though that may be helpful. http://tinyurl.com/lkqp

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 1:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] good books

Can anyone suggest best books for someone who needs to get a very strong understanding of ADAM.

Thanks,
Sonya
[ActiveDir] home directory modifications
I have about 200 users setup to connect h: to \\goofy\home\username. I am moving the data on \\goofy\home\ to \\mickey\home\. Is there a script laying around somewhere that would allow me to change this path in everyone's profile at once? It sure would beat doing this manually for every user.

Thanks again for any help you guys can provide.

James
Re: [ActiveDir] home directory modifications
Hi James

If you use the AD tools for 2003 you can just bulk select all of the users at once and make the change.

Regards;

James R. Day
National Parks Service - AD Core Team
(202) 354-1464
Fax (202) 371-1549
[EMAIL PROTECTED]

James Payne [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/21/2004 03:30 PM AST
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] home directory modifications

I have about 200 users setup to connect h: to \\goofy\home\username. I am moving the data on \\goofy\home\ to \\mickey\home\. Is there a script laying around somewhere that would allow me to change this path in everyone's profile at once? It should would beat doing this manually for every user.

Thanks again for any help you guys can provide.

James
RE: [ActiveDir] home directory modifications
Hi James,

Hyena (which I think still has a 30 day free trial) does this job wonderfully. In fact, it will also create the new directories with specified permissions.

Hope this helps...

Original Message Follows
From: James Payne [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ActiveDir] home directory modifications
Date: Wed, 21 Jul 2004 15:30:57 -0400

I have about 200 users setup to connect h: to \\goofy\home\username. I am moving the data on \\goofy\home\ to \\mickey\home\. Is there a script laying around somewhere that would allow me to change this path in everyone's profile at once? It should would beat doing this manually for every user.

Thanks again for any help you guys can provide.

James
RE: [ActiveDir] two ops
You have a very poorly configured mail client. In your efforts to be as succinct as possible, you've neglected to configure your last name and full email address. See headers below.

-Brad

Received: with MailEnable Postoffice Connector; Wed, 21 Jul 2004 05:22:40 -0400
Received: from mail.activedir.org ([64.245.160.7]) by mail.123hostnow.com with MailEnable ESMTP; Wed, 21 Jul 2004 05:22:38 -0400
Received: from ams014.ftl.affinity.com [216.219.253.48] by mail.activedir.org with ESMTP (SMTPD32-8.11) id A456A47009E; Wed, 21 Jul 2004 05:16:06 -0400
Received: by ams.ftl.affinity.com id 310993-8193; Wed, 21 Jul 2004 05:15:55 -0400
References: [EMAIL PROTECTED]
In-Reply-To: [EMAIL PROTECTED]
From: cyrus
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] two ops
Date: Wed, 21 Jul 2004 05:15:54 -0400
Mime-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: [EMAIL PROTECTED]
Precedence: bulk
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of cyrus
Sent: Wednesday, July 21, 2004 2:16 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] two ops
Importance: High

yeah, also not sure what's going on, honestly don't know where 2 begin, help is appreciated.

rgds
cyrus

Thommes, Michael M. writes:

Cyrus, your email address is showing up using our mail server too! Maybe some weird email configuration using "localhost"?

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tue 7/20/2004 4:33 AM
To: [EMAIL PROTECTED]
Cc:
Subject: Re: [ActiveDir] two ops

really I have no idea how musicrights.co.uk got tagged on my mail, something interesting to look into. thanks for the help.

rgds
cyrus

Rutherford, Robert writes:

1) Just go into the boot.ini on the root of your boot partition and delete the reference to your old OS. If you are unsure then post the contents here and I'll tell you which 1.

2) How/Why are you using the domain name musicrights.co.uk? My company owns that domain name and we do not use it in any mail system.

Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 20 July 2004 06:03
To: [EMAIL PROTECTED]
Subject: [ActiveDir] two ops

greetings,

I have formatted the server and re-install window server ops, now every time the server starts or restarts, i'm always prompted to select which "Window Server" the system will use. I have only one, how can I remove this prompt to select which window server the system will use.

rgds
cyrus
RE: [ActiveDir] win2k pro or server?
http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm26.mspx

If you need more info, post specifics.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of DL.ActiveDirectory
Sent: Wed 7/21/2004 7:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win2k pro or server?

Is there a way to tell via vbs?

Thank you,
Mitch Lawrence

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brown, Bill [contractor]
Posted At: Tuesday, July 20, 2004 1:21 PM
Posted To: ~AD Discussion~
Conversation: win2k pro or server?
Subject: RE: [ActiveDir] win2k pro or server?

If you hit the start button - there is a vertical bar that displays this information...

R/Bill

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 20, 2004 2:14 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] win2k pro or server?

Sorry if this is really basic and covered before - but what's the quickest way (via script or gui admin tool) to tell if a particular pc/server is running win2k pro or server?

thanks
[ActiveDir] Customize Group Permissions
I thought I read somewhere in the MS Server 2003 Deployment Kit under Designing a Managed Environment that it was possible to modify to local pcs group permissions using GP. Has anyone heard of this? What I'm trying to do is assign Install Printer Drivers to Power Users.

Thanks

Jared Manhat
Systems Administrator
Accutest Laboratories
RE: [ActiveDir] Summer Maintenance
Title: RE: [ActiveDir] Summer Maintenance I have word of using sysprep along with Ghost. From what I have read sysprep is just do the OS and allows for different configurations. If I am doing a lab that has special software and the same hardware config, is it not better to just use ghost after the master computer has been configured? -- Jake From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. LealiSent: Wednesday, July 21, 2004 9:37 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Summer Maintenance I think you can use Unicast instead of Multicast in the newer versions of Norton ghost. It goes slower but it wont bog down the network. Also, make sure your hop count is set correctly. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve RochfordSent: Sunday, July 18, 2004 12:13 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Summer Maintenance We tend to do them in blocks of max 30 because it's more manageable (and most rooms don't have more than that many computers!) I've done it enough times now to know that although we shouldn't have to get involved with boot floppies sometimes things just don't go the way you plan :-) Not sure why Ghost does cause the network problems you describe but I know it does and we just plan round it - making sure no-one's trying to do anything important at the same time etc. Steve From: Brian Desmond [mailto:[EMAIL PROTECTED] Sent: 16 July 2004 21:31To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Summer Maintenance Things really slow down when multicasting to a load of computers where I am (all Cisco 2900XL series switches with fiber links to a 4005 series backbone switch). The multicast slows to a crawl, as does other network traffic. --Brian Desmond [EMAIL PROTECTED] Payton on the Web! Http://www.wpcp.org v: 773.534.0034 x135 f: 773.534.0035 From: Doug M. Long [mailto:[EMAIL PROTECTED] On Behalf Of Doug M. 
Long Sent: Friday, July 16, 2004 1:07 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance If you're multicasting, network congestion shouldn't be an issue (assuming that you are putting the same image on all machines), right? Or am I missing something here? From: [EMAIL PROTECTED] on behalf of Brian Desmond Sent: Fri 7/16/2004 11:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance You got it Steve. I don't know if you've ever done this before, but be prepared to have a handful of them screw up and need reimaging with a floppy disk. Also, don't think of doing em all at once. 100 - 150 is enough to saturate your network. --Brian -Original Message- From: Steve Rochford [mailto:[EMAIL PROTECTED] Sent: Fri 7/16/2004 8:08 AM To: [EMAIL PROTECTED] Cc: Subject: RE: [ActiveDir] Summer Maintenance I love comments like "The result is that as the imaged computers are powered up, the admin will type in each unique computer name and walk away." We're re-imaging about 1000 student computers this summer and I'm not intending to go anywhere near most of them so typing in anything is a no-no! As others have said, Ghost will happily rename and join to the domain and it will also work with sysprep so you can have the best of both worlds :-) Steve -Original Message- From: Brad Corob [mailto:[EMAIL PROTECTED]] Sent: 15 July 2004 05:00 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance 2) Regardless of how you image the computers, using sysprep is the *only* supported way of using imaged workstations on a network. Look into it if you haven't used it. I find it quite simple to use and extremely effective. The sysprep process can be automated.
I typically find it most useful to automate all of the mini-setup answers except for computer name. The result is that as the imaged computers are powered up, the admin will type in each unique computer name and walk away. You can also join a domain during the sysprep process (automated or not). One caveat here is the default 10-computer limit each user account can create in AD ("but it worked fine when we tested it!"). The suggested method is to create a designated account for Sysprep imaging and delegate the appropriate rights to your Computer OU's. If joining the computer to the domain during sysprep doesn't work for you, you can also script the process. Technet gives an example script here: http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm31.mspx but MSDN actually documents the WMI method here: http://msdn.microsoft.com/library/en-us/wmisdk/wmi/joindomainorworkgroup_method_in_class_win32_computersystem.asp Particularly helpful is the AccountOU parameter, as it will allow you to specify the OU in which to place the computer object to further ease your post-deployment admin tasks. [The script method works wonders in large deployments when you can't join a domain during the Sysprep
RE: [ActiveDir] Summer Maintenance
Title: RE: [ActiveDir] Summer Maintenance Yes, just use Ghost and run Sysinternals NewSID on each pc BEFORE ADDING IT TO THE DOMAIN. http://www.sysinternals.com/ntw2k/source/newsid.shtml Jared Manhat Systems Administrator Accutest Laboratories 2235 Route 130 Dayton, NJ 08810 (732) 329-0200 x254 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl Sent: Wednesday, July 21, 2004 4:49 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance I have word of using sysprep along with Ghost. From what I have read sysprep is just do the OS and allows for different configurations. If I am doing a lab that has special software and the same hardware config, is it not better to just use ghost after the master computer has been configured? -- Jake From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali Sent: Wednesday, July 21, 2004 9:37 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance I think you can use Unicast instead of Multicast in the newer versions of Norton ghost. It goes slower but it wont bog down the network. Also, make sure your hop count is set correctly. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford Sent: Sunday, July 18, 2004 12:13 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance We tend to do them in blocks of max 30 because it's more manageable (and most rooms don't have more than that many computers!) I've done it enough times now to know that although we shouldn't have to get involved with boot floppies sometimes things just don't go the way you plan :-) Not sure why Ghost does cause the network problems you describe but I know it does and we just plan round it - making sure no-one's trying to do anything important at the same time etc. 
Steve From: Brian Desmond [mailto:[EMAIL PROTECTED] Sent: 16 July 2004 21:31 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance Things really slow down when multicasting to a load of computers where I am (all Cisco 2900XL series switches with fiber links to a 4005 series backbone switch). The multicast slows to a crawl, as does other network traffic. --Brian Desmond [EMAIL PROTECTED] Payton on the Web! Http://www.wpcp.org v: 773.534.0034 x135 f: 773.534.0035 From: Doug M. Long [mailto:[EMAIL PROTECTED] On Behalf Of Doug M. Long Sent: Friday, July 16, 2004 1:07 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance If your multicasting, network congestion shouldnt be an issue (assuming that you are putting the same image on all machines), right? Or am I missing something here? From: [EMAIL PROTECTED] on behalf of Brian Desmond Sent: Fri 7/16/2004 11:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance You got it Steve. I don't know if you've ever done this before, but be prepared to have a handful of them screw up and need reimaging with a floppy disk. Also, don't think of doing em all at once. 100 - 150 is enough to saturate your network. --Brian -Original Message- From: Steve Rochford [mailto:[EMAIL PROTECTED] Sent: Fri 7/16/2004 8:08 AM To: [EMAIL PROTECTED] Cc: Subject: RE: [ActiveDir] Summer Maintenance I love comments like The result is that as the imaged computers are powered up, the admin will type in each unique computer name and walk away. We're re-imaging about 1000 student computers this summer and I'm not intending to go anywhere near most of them so typing in anything is a no-no! 
As others have said, Ghost will happily rename and join to the domain and it will also work with sysprep so you can have the best of both worlds :-) Steve -Original Message- From: Brad Corob [mailto:[EMAIL PROTECTED]] Sent: 15 July 2004 05:00 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance 2) Regardless of how you image the computers, using sysprep is the *only* supported way of using imaged workstations on a network. Look into it if you haven't used it. I find it quite simple to use and extrememly effective. The sysprep process can be automated. I typically find it most useful to automate all of the mini-setup answers except for computer name. The result is that as the imaged computers are powered up, the admin will type in each unique computer name and walk away. You can also join a domain during the sysprep process (automated or not). One caveat here is the default 10-computer limit each user account can create in AD (but it worked fine when we tested it!). The suggested method is to create a designated account for Sysprep imaging and delegate the appropriate rights to your Computer OU's. If joining the computer to the domain during sysprep doesn't work for you, you can also script the process. Technet gives an example script here:
[ActiveDir] DSACLS - is this normal ?
Sorry if this is a dup - didn't see it after several hours.. I posted on this topic before but I think I can explain the issue more clearly now...

If I use the /S switch of DSACLS to restore the ACLS of an object back to the default as defined in the schema, the object no longer inherits auditing entries. The simplest test to observe this is:

1. create a new user or computer object
2. look at its properties - security tab, advanced, auditing tab - "Allow inheritable auditing properties from parent to propagate to this object" is checked, and any such inherited auditing entries are displayed
3. at a command prompt, type DSACLS <DN of the object> /S
4. look at the same security properties again - the check box is cleared and the entries are gone.

Any idea why this happens? In this simple example, I would have expected NO change - the object had just been created, presumably with the same default security descriptor as the /S switch uses.

Dave

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
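A way to find every object left in the state described in this post (audit inheritance switched off, inherited audit entries gone), as an added PowerShell example that is not part of the original message. It assumes the RSAT ActiveDirectory module and an account allowed to read SACLs; the function name and the OU are hypothetical.

```powershell
# Added example, not from the original thread.
# Assumptions: the ActiveDirectory module is installed and the caller holds
# "Manage auditing and security log" on the DC, which is needed to read a SACL.
Import-Module ActiveDirectory

function Get-AuditInheritanceState {
    [CmdletBinding()]
    param(
        # OU or container to sweep (hypothetical parameter of this example)
        [Parameter(Mandatory)][string]$SearchBase
    )

    # User and computer objects, the two classes named in the test above
    $filter = '(|(objectClass=user)(objectClass=computer))'

    Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter | ForEach-Object {
        $dn = $_.DistinguishedName
        try {
            # -Audit asks for the SACL in addition to the DACL
            $sd = Get-Acl -Path "AD:\$dn" -Audit -ErrorAction Stop
            # Explicit and inherited audit entries, identities kept as SIDs
            $rules = @($sd.GetAuditRules($true, $true,
                    [System.Security.Principal.SecurityIdentifier]))
        }
        catch {
            Write-Warning "Could not read the SACL of ${dn}: $($_.Exception.Message)"
            return   # skip this object and continue with the next one
        }

        $inherited = @($rules | Where-Object { $_.IsInherited })

        [pscustomobject]@{
            DistinguishedName   = $dn
            # True corresponds to the cleared "allow inheritable auditing" check box
            InheritanceBlocked  = $sd.AreAuditRulesProtected
            InheritedAuditRules = $inherited.Count
            ExplicitAuditRules  = $rules.Count - $inherited.Count
        }
    }
}

# Constructed OU name; list only the objects that no longer inherit auditing
Get-AuditInheritanceState -SearchBase 'OU=Lab,DC=example,DC=com' |
    Where-Object InheritanceBlocked |
    Sort-Object DistinguishedName |
    Format-Table -AutoSize
```

Running it before and after a DSACLS /S reset shows which objects dropped out of the parent's audit policy.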
RE: [ActiveDir] W2K3 with W2K2
Let's agree that there is no PDC/BDC concept. Now, if all you want to do is get your Domain ready for when you will eventually move to 2003, then you should just run the adprep /forestprep and adprep /domainprep in your domain and wait. IF you want to get a win2K3 DC into the Domain now, then there is this concept called WITO (hello, Joe :)). It's the Walk In, Take Over principle. The Win2K3 will have to get the roles, at least the PDCE and the Domain Naming master roles, otherwise your domain will not function correctly, and many of the benefits of a Win2K3 Domain will NOT be available to you. I have been able to get a win2K3 DC to install successfully into a test domain without transferring the roles or upgrading the DC that originally has these roles, but what I've heard and read is that is not something you want to do in a production environment. The people who taught me that (and wrote the book on that) are on this list. They may be able to explain further. Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Jacob Stabl Sent: Wed 7/21/2004 1:19 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] W2K3 with W2K2 I know this issue has been talked about before but searching through some old post in my inbox I didn't find the exact answer I was looking for. Is there a problem in joining a Window 2003 server as the BDC of in a Windows 2000 network? Will there be any problems or unavailable features? I don't want Windows 2003 to take over the domain. Reason for doing this is so next year if I decide to upgrade the domain to Windows 2003 it will be easier, I just move roles and such to that server. In my simple mind this all makes sense. Any suggestions? 
Thanks -- Jacob Stabl Network Engineer Plain Local Schools http://eagle.stark.k12.oh.us Work: 330.492.3500 x.383 Cell: 330.495.7243
RE: [ActiveDir] home directory modifications
If option two doesn't do it, this might be a good starting point (Deji's option 2) http://tinyurl.com/5jne3 The code here assumes you already have the userdn. That's easy enough to get if they're all in the same ou. If not, modify Deji's script -- it'll be faster. Once you bind to the user object, read the homedrive attribute, parse it (split is a pretty good function for this) and then read it back into the variable you want and update the user object with the vars you want. Cool scripts Deji!! I'm going to have to start crawling that site a bit more :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, July 21, 2004 5:14 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [ActiveDir] home directory modifications Depending on how brave you are, one of these MAY help you. http://www.akomolafe.com/DesktopModules/ViewDocument.aspx?DocumentID=35 http://www.akomolafe.com/DesktopModules/ViewDocument.aspx?DocumentID=26 Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of James Payne Sent: Wed 7/21/2004 12:30 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] home directory modifications I have about 200 users setup to connect h: to \\goofy\home\username. I am moving the data on \\goofy\home\ to \\mickey\home\. Is there a script laying around somewhere that would allow me to change this path in everyone's profile at once? It should would beat doing this manually for every user. Thanks again for any help you guys can provide. 
James
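The bulk change asked about in this thread, as an added PowerShell example (not code from the thread or from the linked scripts). It assumes the RSAT ActiveDirectory module, where the UNC path is the user's homeDirectory attribute; the function names and the OU are hypothetical, and the rewrite matches only a whole `\\goofy\home` prefix so a share such as `\\goofy\homework` is left alone.

```powershell
# Added example, not from the original thread.
Import-Module ActiveDirectory

function Convert-HomePath {
    # Returns the rewritten path, or $null when $Path is not under $OldRoot
    param(
        [string]$Path,
        [Parameter(Mandatory)][string]$OldRoot,
        [Parameter(Mandatory)][string]$NewRoot
    )
    $old = $OldRoot.TrimEnd('\')
    $new = $NewRoot.TrimEnd('\')
    if ([string]::IsNullOrEmpty($Path) -or $Path.Length -lt $old.Length) { return $null }
    # Server and share names are case-insensitive
    if ($Path.Substring(0, $old.Length) -ine $old) { return $null }
    $rest = $Path.Substring($old.Length)
    # The prefix must end at a path separator, not in the middle of a name
    if ($rest -ne '' -and -not $rest.StartsWith('\')) { return $null }
    return $new + $rest
}

function Update-HomeDirectoryPath {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [string]$OldRoot = '\\goofy\home',
        [string]$NewRoot = '\\mickey\home'
    )
    # Only users that have a home directory set at all
    Get-ADUser -SearchBase $SearchBase -LDAPFilter '(homeDirectory=*)' -Properties HomeDirectory |
        ForEach-Object {
            $target = Convert-HomePath -Path $_.HomeDirectory -OldRoot $OldRoot -NewRoot $NewRoot
            if ($null -eq $target) { return }   # not on the old server, leave untouched

            $applied = $false
            if ($PSCmdlet.ShouldProcess($_.DistinguishedName,
                    "Set homeDirectory '$($_.HomeDirectory)' -> '$target'")) {
                Set-ADUser -Identity $_ -HomeDirectory $target
                $applied = $true
            }
            # One record per matching user, usable as a change log
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                OldPath        = $_.HomeDirectory
                NewPath        = $target
                Applied        = $applied
            }
        }
}

# Constructed OU name; -WhatIf previews the changes without writing anything
Update-HomeDirectoryPath -SearchBase 'OU=Staff,DC=example,DC=com' -WhatIf
```

Only the directory attribute changes; copying the data and its NTFS permissions to the new server is a separate step.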
RE: [ActiveDir] home directory modifications
Do so - at your peril, Sir! and, while you are at it, don't tell Joe :) Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Mulnick, Al Sent: Wed 7/21/2004 2:31 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] home directory modifications If option two doesn't do it, this might be a good starting point (Deji's option 2) http://tinyurl.com/5jne3 The code here assumes you already have the userdn. That's easy enough to get if they're all in the same ou. If not, modify Deji's script -- it'll be faster. Once you bind to the user object, read the homedrive attribute, parse it (split is a pretty good function for this) and then read it back into the variable you want and update the user object with the vars you want. Cool scripts Deji!! I'm going to have to start crawling that site a bit more :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, July 21, 2004 5:14 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [ActiveDir] home directory modifications Depending on how brave you are, one of these MAY help you. http://www.akomolafe.com/DesktopModules/ViewDocument.aspx?DocumentID=35 http://www.akomolafe.com/DesktopModules/ViewDocument.aspx?DocumentID=26 Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of James Payne Sent: Wed 7/21/2004 12:30 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] home directory modifications I have about 200 users setup to connect h: to \\goofy\home\username. I am moving the data on \\goofy\home\ to \\mickey\home\. 
Is there a script laying around somewhere that would allow me to change this path in everyone's profile at once? It should would beat doing this manually for every user. Thanks again for any help you guys can provide. James
[ActiveDir] OT: Newsgroup Feeds for microsoft newsgroups?
Title: OT: Newsgroup Feeds for microsoft newsgroups? I have stumbled upon a little used feature in my protocols folder. NNTP. Are there any public feeds available for getting the Microsoft newsgroups? I am especially interested in those dealing with vbs, ad, exchange. TIA Thank you, Mitch
RE: [ActiveDir] OT: Newsgroup Feeds for microsoft newsgroups?
msnews.microsoft.com is MS's newsgroup server. Its groups are hosted on other servers, too. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory Sent: Wednesday, July 21, 2004 17:27 To: [EMAIL PROTECTED] Subject: [ActiveDir] OT: Newsgroup Feeds for microsoft newsgroups? I have stumbled upon a little used feature in my protocols folder. NNTP. Are there any public feeds available for getting the Microsoft newsgroups? I am especially interested in those dealing with vbs, ad, exchange. TIA Thank you, Mitch
RE: [ActiveDir] home directory modifications
This is my first attempt at answering a question here on the list, but I believe that I have an accurate answer to the question in this thread. If I am incorrect, I apologize for any confusion that I may have caused. 200 or so members would be a lot to perform updates on individually but I would assume that those users are within different OU's. Since they are in OU's you would only have to make an update for each OU that you have your 200 or so members in. Why not select all the users in the OU and update their properties all at once. The Profile tab should be available to where you can update the path as needed. Now you can then update your \\goofy\home\ to \\mickey\home\ as you like. I had to do the same thing when I took over a domain that uses roaming profiles. I moved around a lot of files and folders for performance and best practice reasons which forced me to update everyone's roaming profile path using the method above. The only exception was that I added their username to the path such as \\mickey\home\%username% If you can find a programming solution then I say go for it! I myself need to learn how to automate stuff when managing Active Directory. I have found that not to be so easy. But if you need a quick solution, then the above might work for you. Edwin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, July 21, 2004 5:48 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] home directory modifications Do so - at your peril, Sir! and, while you are at it, don't tell Joe :) Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon From: [EMAIL PROTECTED] on behalf of Mulnick, Al Sent: Wed 7/21/2004 2:31 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] home directory modifications If option two doesn't do it, this might be a good starting point (Deji's option 2) http://tinyurl.com/5jne3 The code here assumes you already have the userdn. That's easy enough to get if they're all in the same ou. If not, modify Deji's script -- it'll be faster. Once you bind to the user object, read the homedrive attribute, parse it (split is a pretty good function for this) and then read it back into the variable you want and update the user object with the vars you want. Cool scripts Deji!! I'm going to have to start crawling that site a bit more :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, July 21, 2004 5:14 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [ActiveDir] home directory modifications Depending on how brave you are, one of these MAY help you. http://www.akomolafe.com/DesktopModules/ViewDocument.aspx?DocumentID=35 http://www.akomolafe.com/DesktopModules/ViewDocument.aspx?DocumentID=26 Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of James Payne Sent: Wed 7/21/2004 12:30 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] home directory modifications I have about 200 users setup to connect h: to \\goofy\home\username. I am moving the data on \\goofy\home\ to \\mickey\home\. Is there a script laying around somewhere that would allow me to change this path in everyone's profile at once? It should would beat doing this manually for every user. Thanks again for any help you guys can provide. 
James
RE: [ActiveDir] home directory modifications
Google to download admodify.net. It's a free tool from MS. --Brian -Original Message- From: James Payne [mailto:[EMAIL PROTECTED] Sent: Wed 7/21/2004 2:30 PM To: [EMAIL PROTECTED] Cc: Subject: [ActiveDir] home directory modifications I have about 200 users setup to connect h: to \\goofy\home\username. I am moving the data on \\goofy\home\ to \\mickey\home\. Is there a script laying around somewhere that would allow me to change this path in everyone's profile at once? It should would beat doing this manually for every user. Thanks again for any help you guys can provide. James
RE: [ActiveDir] Summer Maintenance
NO NO NO. Always always always use sysprep. Sysprep strips other things like SIDs, which are the machine identifier. For that matter it strips all identifying information from the PC image. Otherwise you have bunches of problems with duplicate names, sids, etc. --Brian -Original Message- From: Jacob Stabl [mailto:[EMAIL PROTECTED] Sent: Wed 7/21/2004 3:49 PM To: [EMAIL PROTECTED] Cc: Subject: RE: [ActiveDir] Summer Maintenance I have word of using sysprep along with Ghost. From what I have read sysprep is just do the OS and allows for different configurations. If I am doing a lab that has special software and the same hardware config, is it not better to just use ghost after the master computer has been configured? -- Jake _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali Sent: Wednesday, July 21, 2004 9:37 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance I think you can use Unicast instead of Multicast in the newer versions of Norton ghost. It goes slower but it won't bog down the network. Also, make sure your hop count is set correctly. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford Sent: Sunday, July 18, 2004 12:13 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance We tend to do them in blocks of max 30 because it's more manageable (and most rooms don't have more than that many computers!) I've done it enough times now to know that although we shouldn't have to get involved with boot floppies sometimes things just don't go the way you plan :-) Not sure why Ghost does cause the network problems you describe but I know it does and we just plan round it - making sure no-one's trying to do anything important at the same time etc.
Steve _ From: Brian Desmond [mailto:[EMAIL PROTECTED] Sent: 16 July 2004 21:31 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance Things really slow down when multicasting to a load of computers where I am (all Cisco 2900XL series switches with fiber links to a 4005 series backbone switch). The multicast slows to a crawl, as does other network traffic. --Brian Desmond [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Payton on the Web! Http://www.wpcp.org http://www.wpcp.org v: 773.534.0034 x135 f: 773.534.0035 _ From: Doug M. Long [mailto:[EMAIL PROTECTED] On Behalf Of Doug M. Long Sent: Friday, July 16, 2004 1:07 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance If your multicasting, network congestion shouldnt be an issue (assuming that you are putting the same image on all machines), right? Or am I missing something here? _ From: [EMAIL PROTECTED] on behalf of Brian Desmond Sent: Fri 7/16/2004 11:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance You got it Steve. I don't know if you've ever done this before, but be prepared to have a handful of them screw up and need reimaging with a floppy disk. Also, don't think of doing em all at once. 100 - 150 is enough to saturate your network. --Brian -Original Message- From: Steve Rochford [mailto:[EMAIL PROTECTED] Sent: Fri 7/16/2004 8:08 AM To: [EMAIL PROTECTED] Cc: Subject: RE: [ActiveDir] Summer Maintenance I love comments like The result is that as the imaged computers are powered up, the admin will type in each unique computer name and walk away. We're re-imaging about 1000 student computers this summer and I'm not intending to go anywhere near most of them so typing in anything is a no-no! 
As others have said, Ghost will happily rename and join to the domain and it will also work with sysprep so you can have the best of both worlds :-) Steve -Original Message- From: Brad Corob [mailto:[EMAIL PROTECTED] Sent: 15 July 2004 05:00 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance 2) Regardless of how you image the computers, using sysprep is the *only*
RE: [ActiveDir] Summer Maintenance
Please explain the reasoning here. Running newsid does not constitute running sysprep. --Brian -Original Message- From: Jared Manhat [mailto:[EMAIL PROTECTED] Sent: Wed 7/21/2004 4:00 PM To: [EMAIL PROTECTED] Cc: Subject: RE: [ActiveDir] Summer Maintenance Yes, just use Ghost and run Sysinternals NewSID on each pc BEFORE ADDING IT TO THE DOMAIN. http://www.sysinternals.com/ntw2k/source/newsid.shtml Jared Manhat Systems Administrator Accutest Laboratories 2235 Route 130 Dayton, NJ 08810 (732) 329-0200 x254 _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl Sent: Wednesday, July 21, 2004 4:49 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance I have word of using sysprep along with Ghost. From what I have read sysprep is just do the OS and allows for different configurations. If I am doing a lab that has special software and the same hardware config, is it not better to just use ghost after the master computer has been configured? -- Jake _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali Sent: Wednesday, July 21, 2004 9:37 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance I think you can use Unicast instead of Multicast in the newer versions of Norton ghost. It goes slower but it wont bog down the network. Also, make sure your hop count is set correctly. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford Sent: Sunday, July 18, 2004 12:13 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance We tend to do them in blocks of max 30 because it's more manageable (and most rooms don't have more than that many computers!) 
I've done it enough times now to know that although we shouldn't have to get involved with boot floppies sometimes things just don't go the way you plan :-) Not sure why Ghost does cause the network problems you describe but I know it does and we just plan round it - making sure no-one's trying to do anything important at the same time etc. Steve _ From: Brian Desmond [mailto:[EMAIL PROTECTED] Sent: 16 July 2004 21:31 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance Things really slow down when multicasting to a load of computers where I am (all Cisco 2900XL series switches with fiber links to a 4005 series backbone switch). The multicast slows to a crawl, as does other network traffic. --Brian Desmond [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Payton on the Web! Http://www.wpcp.org http://www.wpcp.org v: 773.534.0034 x135 f: 773.534.0035 _ From: Doug M. Long [mailto:[EMAIL PROTECTED] On Behalf Of Doug M. Long Sent: Friday, July 16, 2004 1:07 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance If your multicasting, network congestion shouldnt be an issue (assuming that you are putting the same image on all machines), right? Or am I missing something here? _ From: [EMAIL PROTECTED] on behalf of Brian Desmond Sent: Fri 7/16/2004 11:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance You got it Steve. I don't know if you've ever done this before, but be prepared to have a handful of them screw up and need reimaging with a floppy disk. Also, don't think of doing em all at once. 100 - 150 is enough to saturate your network. --Brian -Original Message- From: Steve Rochford [mailto:[EMAIL PROTECTED] Sent: Fri 7/16/2004 8:08 AM To: [EMAIL PROTECTED] Cc: Subject: RE: [ActiveDir] Summer Maintenance I love comments like The result is that as the imaged computers are powered up, the admin will type in each unique computer name and walk away. 
We're re-imaging about 1000 student computers this summer and I'm not intending to go anywhere near most of them so typing in anything is a no-no! As others have said, Ghost will happily rename and join to the domain and it will also work with sysprep so you can have the best of both worlds :-)
RE: [ActiveDir] OT: Newsgroup Feeds for microsoft newsgroups?
MSNews, MS' newsgroup folder is locked down so that you cannot pull from it, but, you might find another server which has a copy to pull from. --Brian -Original Message- From: DL.ActiveDirectory [mailto:[EMAIL PROTECTED] Sent: Wed 7/21/2004 5:26 PM To: [EMAIL PROTECTED] Cc: Subject: [ActiveDir] OT: Newsgroup Feeds for microsoft newsgroups? I have stumbled upon a little used feature in my protocols folder. NNTP. Are there any public feeds available for getting the Microsoft newsgroups? I am especially interested in those dealing with vbs, ad, exchange. TIA Thank you, Mitch
RE: [ActiveDir] OT: Newsgroup Feeds for microsoft newsgroups?
Unless you have a special relationship with Microsoft, I don't think you'll be able to pull directly from them. I remember that this was possible in the good old days of Exchange 5.0/5.5, but I have never been able to leach from MS since then. It would be wonderful if someone could reveal the new secret handshake. Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of David Adner Sent: Wed 7/21/2004 3:45 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Newsgroup Feeds for microsoft newsgroups? msnews.microsoft.com is MS's newsgroup server. Its groups are hosted on other servers, too. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory Sent: Wednesday, July 21, 2004 17:27 To: [EMAIL PROTECTED] Subject: [ActiveDir] OT: Newsgroup Feeds for microsoft newsgroups? I have stumbled upon a little used feature in my protocols folder. NNTP. Are there any public feeds available for getting the Microsoft newsgroups? I am especially interested in those dealing with vbs, ad, exchange. TIA Thank you, Mitch