RE: [ActiveDir] OT: Legato Replistor

2005-11-09 Thread Jensz, Travis
Don't get me wrong, by all means get in there and test it out (I'm doing
exactly that right now), but I think it'd be a little foolish to bank on
product which hasn't even had its first release yet when there are others
out there which have already had a few years to mature.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 08 November 2005 15:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Legato Replistor

Give it at least six months for the initial problems to be ironed out
first...remember the pain of early Windows 2000 DFS?

If there ever is a great argument FOR using DFSR now, this is it! Rather
than waiting for an arbitrary length of cooling off period, you ought to
get in there now and test it out and see what works and what does not work
for you - you have a better chance of effecting changes to the final product
at this point, and you get the benefit of actually knowing and understanding
the product better than you otherwise would.
 
Moreso, it gives you a true understanding of its capabilities well before the
Marketing spiel hits the airwaves and starts clouding your judgment. If you use
it now, you will get the technical angle, and you will be less susceptible to
some attractive jargons coined up by people like me whose very existence will
depend on getting you to implement - I will have all the ammo then and you
will have nothing but a whimpering "I just want to wait a while". :).
You noticed how Guido shredded my Quantum Leap theory, didn't you?
 
That's what I mean.
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Jensz, Travis
Sent: Tue 11/8/2005 3:00 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] OT: Legato Replistor



We've recently used RepliStor for our 2000 to 2003 migration, and now we're
using it to maintain a hot spare at some of our larger sites.  Generally
speaking it's pretty good, and when everything's running well it transmits
data surprisingly quick - I haven't bothered yet trying to prove whether or
not it actually does replicate data on something more granular than a per
file basis, but it's pretty quick.  The main problem we had with it came
down to a conflict with the AV software on the target machine.  Since we're
only replicating one-way (and RepliStor is locking the target data for us)
we simply disabled AV on the target and we'll just enable it again if we
ever lose the live server.  However, it sounds like you plan to replicate
data around in a multi-master scenario, so disabling AV isn't really an
option... not sure how you'd get around it... maybe their support guys will
be able to help you out.  Also, all of our replication so far has been over
LAN connections, so our experience with the software has very much been a
best case scenario.  We'll be tackling WAN replication some time soon.

I'm sure the following applies to most data replication software, not just
RepliStor, but here are a few things which caused us pain:

- antivirus!!
- switches with QoS enabled
- files which had the offline attribute set
- buffer area filling up

As for DFSR, I wouldn't dream of using it the day it hits the shelf.  Give
it at least six months for the initial problems to be ironed out first...
remember the pain of early Windows 2000 DFS?

Travis


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: 07 November 2005 21:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Legato Replistor

I've been doing various tests myself and while I wouldn't say a DFSR is a
quantum leap from Double-Take, I'd certainly agree that it is when compared
to FRS. Maybe even two leaps...  Certainly something that I consider one of
the main benefits of R2.

But besides all the talk on the file replication improvements, you should
also not lose focus on the various benefits of the updated core DFS itself.

Here are my favorite changes of DFS/DFSR (other than dramatically improving
repl. performance and efficiency):

· new object type Folders to create Link-Hierarchy within the same DFS root
· powerful options to configure Target priority (handling of link target
  referrals) outside of client's site (links within client's site will always
  be listed first in referral list)
    - Random Order
    - Lowest Cost
    - Exclude Targets outside client's site
    - special Failback option: Clients can be configured to fail back
      to preferred target (requires special hotfix - only available for XP SP2)
    - availability of options depends on special OS and AD additions
      (e.g. although mixing OS versions is possible, if domain controllers or root
      servers are running Windows Server 2003 

[ActiveDir] Automating NoMas

2005-11-09 Thread Harding, Devon
How can I prevent the Event ID error 9548(MSExchangeIS) from happening?  I 
normally use NoMas to fix em, but I want to prevent them from happening.

Would it be possible to create a script that runs like every morning and 
perform exactly what NoMas does for every child domain I have?


Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469


-
__
This message and any attachments are solely for the intended recipient
and may contain confidential or privileged information.  If you are not
the intended recipient, any disclosure, copying, use or distribution of
the information included in the message and any attachments is
prohibited.  If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this
message and any attachments.  Thank You.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Automating NoMas

2005-11-09 Thread joe
Correct your deprovisioning process. Those issues are due to incorrectly
setting values on mailbox enabled users. Basically bad data is going in the
directory and then you are manually swinging back and correcting it.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, November 09, 2005 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automating NoMas

How can I prevent the Event ID error 9548(MSExchangeIS) from happening?  I
normally use NoMas to fix em, but I want to prevent them from happening.

Would it be possible to create a script that runs like every morning and
perform exactly what NoMas does for every child domain I have?


Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469




RE: [ActiveDir] Improving your AD's fault tolerance with old hardware?

2005-11-09 Thread joe
Even outside of Exchange I think it depends on how fast the box actually is
and how hard you hit AD.

For a box in the closet to offer a get out of jail because everything else
fails... Ok. But I would be concerned that other machines you don't think of
normally as much as you think of Exchange could find the DC and start using
it and get suboptimal perf from it. 
 
  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, November 08, 2005 11:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Improving your AD's fault tolerance with old
hardware?

I'd go along with Ed here.  I can't see too much risk with this approach.  I
wouldn't assign any of the FSMO roles to the old hardware DC, simply because
of the hassle in seizing the roles elsewhere in the event of a severe
hardware failure.   No problem with making the DC as GC though.

Another option to consider is setting up a lag site with the old hardware
DC.  This can be useful for some recovery scenarios as well as the safe
introduction of schema changes.  Search the list archive for recent posts on
the lag site concept.

It is important to ensure that whatever hardware you use is sufficient for
the task.  There are published minimum requirements for Windows Server 2003,
but you should also determine what is the minimum required for your own
environment.  A scenario I have in mind is if you have Exchange 2003 running
in your environment you perhaps don't want it to be using an old DC/GC
that's running like a dog. :-)

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, 9 November 2005 2:59 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Improving your AD's fault tolerance with old
hardware?

I remember back in the days of our old 3500-user NT 4.0 domain, back when I
ran an administration group.  We had a nice ProLiant server that was a 486.
We only had one of those.  But because it was manageable through Insight
Agents, we decided to keep it and made it our PDC, since it wasn't terribly
useful for anything else.  We figured that if it were to die, we'd just junk
it and promote another server.  It never did die while I was there, and it
performed fine.

So, although the hardware sales guys at my current employer would crucify me
for saying this, I can't disagree with your approach.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Tuesday, November 08, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Improving your AD's fault tolerance with old hardware?

Correct me if I am wrong, but assuming the more DC's you have in your
forest, the more fault tolerant your Active Directory will become, is it
therefore worth it to use retired, possibly out of (hardware) warranty
servers or workstations for this purpose if you are budget-less (to purchase
new servers)? In this case, I am referring to orgs with 20-200 AD users.

How about GC's and other related AD roles and critical software based
services?  Same deal?

Thank you,

...D


RE: [ActiveDir] Automating NoMas

2005-11-09 Thread joe
Let me restate this just a little.

The issues are due to Exchange Dev having an incomplete understanding of how
people do things in the enterprise and assuming that the only time a
disabled account could have a mailbox is because it is a resource mailbox so
instead of having an attribute for it they assume and then after assuming
run into all sorts of issues with their assumption.

From our side, it means that we have to adjust how we deprovision accounts
to properly populate the directory so Exchange doesn't get its panties in a
bunch. And yes, enough of these will get your Exchange server's panties in a
bunch. Lots of folks (primarily from MS) like to say these are meaningless
and can't hurt anything but I have seen multiple cases where they caused
store hangs and queues. I actually got an MS person to admit they were a
huge issue about 2-3 years ago but couldn't get the person to give me an
email stating that. I understood completely. 

The interesting thing is that you would at least expect ADUC with the
Exchange extensions to properly disable these accounts but nope, we have to
handle it manually. But that is ok, we really shouldn't be using ADUC to
manage users in larger orgs anyway. No business rules, no decent logging,
too many people with too many permissions: you want to use provisioning
tools, either self written or purchased. 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Correct your deprovisioning process. Those issues are due to incorrectly
setting values on mailbox enabled users. Basically bad data is going in the
directory and then you are manually swinging back and correcting it.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, November 09, 2005 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automating NoMas

How can I prevent the Event ID error 9548(MSExchangeIS) from happening?  I
normally use NoMas to fix em, but I want to prevent them from happening.

Would it be possible to create a script that runs like every morning and
perform exactly what NoMas does for every child domain I have?


Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469




RE: [ActiveDir] Directory Experts Conference 2006 call for presentations

2005-11-09 Thread Gil Kirkpatrick

The URL I provided is messed up... it's www.dec2006.com/callforpapers.cfm.
I somehow managed to get a file:// inserted in the original link.

-g



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Tuesday, November 08, 2005 5:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Directory Experts Conference 2006 call for presentations

Greetings list-members

DEC 2006 is coming up in March, and I'd like to extend this invitation to you
to submit a proposal for a presentation.

For those who have not attended DEC before, it is a technology conference
focused on MSFT Identity and Access technologies, including AD, ADFS, MIIS,
InfoCard, and AZMAN. The typical attendee is an AD or MIIS architect or
engineer, usually from a large enterprise deployment, with at least a couple
of years of AD experience under their belt.

We will also be hosting a "Masters Track" for AD, targeting the true AD
gear-heads (think joe, Dean, and Guido, and you get the idea).

The conference is in Vegas March 26-29, and promises to be a lot of fun, with
great sessions and speakers, and loads of networking opportunities.

Feel free to send your proposals to me, or submit them through the DEC web
site, www.dec2006.com/callforpapers.cfm.

And remember, be excellent to each other, and party on, dudes.

-gil

Gil Kirkpatrick
CTO, NetPro

Don't miss the Directory Experts Conference 2006.
More information at www.dec2006.com.


RE: [ActiveDir] Improving your AD's fault tolerance with old hardware?

2005-11-09 Thread deji
Don't mean to call you out, Joe, but ..
 
Didn't you use to run the PDC for that Widget factory on a very small (no,
itsy-bitsy) hardware? And didn't you explain at that time that there was no
sense in putting it on one of the beefy Dells we were purchasing around that
time? And didn't it run seamlessly and adequately (discounting the WINS
gyrations)?
 
I'd think you'd be a champion for the "don't need an enterprise hardware for
such mundane task" crowd :). I personally have to also second Ed's opinion on
this - it's better to have a second DC even on crappy hardware than it is to
have none at all because of budget constraints.
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Wed 11/9/2005 8:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Improving your AD's fault tolerance with old
hardware?



Even outside of Exchange I think it depends on how fast the box actually is
and how hard you hit AD.

For a box in the closet to offer a get out of jail because everything else
fails... Ok. But I would be concerned that other machines you don't think of
normally as much as you think of Exchange could find the DC and start using
it and get suboptimal perf from it.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, November 08, 2005 11:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Improving your AD's fault tolerance with old
hardware?

I'd go along with Ed here.  I can't see too much risk with this approach.  I
wouldn't assign any of the FSMO roles to the old hardware DC, simply because
of the hassle in seizing the roles elsewhere in the event of a severe
hardware failure.   No problem with making the DC as GC though.

Another option to consider is setting up a lag site with the old hardware
DC.  This can be useful for some recovery scenarios as well as the safe
introduction of schema changes.  Search the list archive for recent posts on
the lag site concept.

It is important to ensure that whatever hardware you use is sufficient for
the task.  There are published minimum requirements for Windows Server 2003,
but you should also determine what is the minimum required for your own
environment.  A scenario I have in mind is if you have Exchange 2003 running
in your environment you perhaps don't want it to be using an old DC/GC
that's running like a dog. :-)

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, 9 November 2005 2:59 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Improving your AD's fault tolerance with old
hardware?

I remember back in the days of our old 3500-user NT 4.0 domain, back when I
ran an administration group.  We had a nice ProLiant server that was a 486.
We only had one of those.  But because it was manageable through Insight
Agents, we decided to keep it and made it our PDC, since it wasn't terribly
useful for anything else.  We figured that if it were to die, we'd just junk
it and promote another server.  It never did die while I was there, and it
performed fine.

So, although the hardware sales guys at my current employer would crucify me
for saying this, I can't disagree with your approach.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Tuesday, November 08, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Improving your AD's fault tolerance with old hardware?

Correct me if I am wrong, but assuming the more DC's you have in your
forest, the more fault tolerant your Active Directory will become, is it
therefore worth it to use retired, possibly out of (hardware) warranty
servers or workstations for this purpose if you are budget-less (to purchase
new servers)? In this case, I am referring to orgs with 20-200 AD users.

How about GC's and other related AD roles and critical software based
services?  Same deal?

Thank you,

...D

RE: [ActiveDir] Automating NoMas

2005-11-09 Thread Harding, Devon
Ok with that said, what would be the correct way or tools to disable a mail 
enabled account in Active Directory?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Let me restate this just a little.

The issues are due to Exchange Dev having an incomplete understanding of how
people do things in the enterprise and assuming that the only time a
disabled account could have a mailbox is because it is a resource mailbox so
instead of having an attribute for it they assume and then after assuming
run into all sorts of issues with their assumption.

From our side, it means that we have to adjust how we deprovision accounts
to properly populate the directory so Exchange doesn't get its panties in a
bunch. And yes, enough of these will get your Exchange server's panties in a
bunch. Lots of folks (primarily from MS) like to say these are meaningless
and can't hurt anything but I have seen multiple cases where they caused
store hangs and queues. I actually got an MS person to admit they were a
huge issue about 2-3 years ago but couldn't get the person to give me an
email stating that. I understood completely. 

The interesting thing is that you would at least expect ADUC with the
Exchange extensions to properly disable these accounts but nope, we have to
handle it manually. But that is ok, we really shouldn't be using ADUC to
manage users in larger orgs anyway. No business rules, no decent logging,
too many people with too many permissions: you want to use provisioning
tools, either self written or purchased. 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Correct your deprovisioning process. Those issues are due to incorrectly
setting values on mailbox enabled users. Basically bad data is going in the
directory and then you are manually swinging back and correcting it.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, November 09, 2005 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automating NoMas

How can I prevent the Event ID error 9548(MSExchangeIS) from happening?  I
normally use NoMas to fix em, but I want to prevent them from happening.

Would it be possible to create a script that runs like every morning and
perform exactly what NoMas does for every child domain I have?


Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469




RE: [ActiveDir] Improving your AD's fault tolerance with old hardware?

2005-11-09 Thread Ed Crowley [MVP]
Of course, my lack of concern with his proposal was contingent upon the
validity of his assumption that performance wouldn't be an issue. 

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 8:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Improving your AD's fault tolerance with old
hardware?

Even outside of Exchange I think it depends on how fast the box actually is
and how hard you hit AD.

For a box in the closet to offer a get out of jail because everything else
fails... Ok. But I would be concerned that other machines you don't think of
normally as much as you think of Exchange could find the DC and start using
it and get suboptimal perf from it. 
 
  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, November 08, 2005 11:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Improving your AD's fault tolerance with old
hardware?

I'd go along with Ed here.  I can't see too much risk with this approach.  I
wouldn't assign any of the FSMO roles to the old hardware DC, simply because
of the hassle in seizing the roles elsewhere in the event of a severe
hardware failure.   No problem with making the DC as GC though.

Another option to consider is setting up a lag site with the old hardware
DC.  This can be useful for some recovery scenarios as well as the safe
introduction of schema changes.  Search the list archive for recent posts on
the lag site concept.

It is important to ensure that whatever hardware you use is sufficient for
the task.  There are published minimum requirements for Windows Server 2003,
but you should also determine what is the minimum required for your own
environment.  A scenario I have in mind is if you have Exchange 2003 running
in your environment you perhaps don't want it to be using an old DC/GC
that's running like a dog. :-)

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, 9 November 2005 2:59 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Improving your AD's fault tolerance with old
hardware?

I remember back in the days of our old 3500-user NT 4.0 domain, back when I
ran an administration group.  We had a nice ProLiant server that was a 486.
We only had one of those.  But because it was manageable through Insight
Agents, we decided to keep it and made it our PDC, since it wasn't terribly
useful for anything else.  We figured that if it were to die, we'd just junk
it and promote another server.  It never did die while I was there, and it
performed fine.

So, although the hardware sales guys at my current employer would crucify me
for saying this, I can't disagree with your approach.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Tuesday, November 08, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Improving your AD's fault tolerance with old hardware?

Correct me if I am wrong, but assuming the more DC's you have in your
forest, the more fault tolerant your Active Directory will become, is it
therefore worth it to use retired, possibly out of (hardware) warranty
servers or workstations for this purpose if you are budget-less (to purchase
new servers)? In this case, I am referring to orgs with 20-200 AD users.

How about GC's and other related AD roles and critical software based
services?  Same deal?

Thank you,

...D


RE: [ActiveDir] Improving your AD's fault tolerance with old hardware?

2005-11-09 Thread joe
Under NT4 we had crappy hardware for the two NA domains (actually 2 DCs for
each domain split across the NA datacenters). But I went into a morning
management meeting and said that we were ready to die any day and needed
more hardware and went to the systems integration people and said we needed
2K because we have SAMs  80MB. 

I got the new hardware and offloaded functionality (WINS) across to the
other machines. Once we had 2K we had budget for some new machines and the
PDCs were absolutely on new hardware, I clearly recall sitting in the
datacenter one morning with a bunch of system integration folks standing
behind me while I converted the old machines to 2K and pushed the FSMOs over
to the new hardware with a fresh 2K load. We did however reload the old DCs
and keep them up and running but that was not my personal choice because
they were definitely slower. The saving grace was that all traffic at that
time was strictly NOS based auth/authz. There were no LDAP apps and Exchange
played in its own sandbox. The PDCs have always been coddled by me whenever
possible. I am not one of the people running around saying AD doesn't have a
PDC. It was the one special DC in every domain that had me running when it
hiccuped. There were no other special DCs until Exchange 2K spun up and then
every DC in the Exchange Sites became special as well due to the
Exchange/Outlook rough failover mechanisms. If an Exchange DC starts
screwing up, it either needs to be fixed or off the network ASAP.

Also, even with that new hardware you may recall (I think you were still
around) we ran into an issue with the SE MI NA Domain PDC puking out every
morning because it would get all bunched up. That ended up being a
combination of load and its NetBIOS resolution mode being set to H-Node
instead of P-Node.

I am not saying DON'T use older hardware. I am saying be careful where you
place it and what will use it. It could bite you hard. 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 09, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Improving your AD's fault tolerance with old
hardware?

Don't mean to call you out, Joe, but ..
 
Didn't you use to run the PDC for that Widget factory on a very small (no,
itsy-bitsy) hardware? And didn't you explain at that time that there was no
sense in putting it on one of the beefy Dells we were purchasing around that
time? And didn't it run seamlessly and adequately (discounting the WINS
gyrations)?
 
I'd think you'd be a champion for the "don't need an enterprise hardware for
such mundane task" crowd :). I personally have to also second Ed's opinion
on this - it's better to have a second DC even on crappy hardware than it is
to have none at all because of budget constraints.
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Wed 11/9/2005 8:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Improving your AD's fault tolerance with old
hardware?



Even outside of Exchange I think it depends on how fast the box actually is
and how hard you hit AD.

For a box in the closet to offer a get out of jail because everything else
fails... Ok. But I would be concerned that other machines you don't think of
normally as much as you think of Exchange could find the DC and start using
it and get suboptimal perf from it.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, November 08, 2005 11:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Improving your AD's fault tolerance with old
hardware?

I'd go along with Ed here.  I can't see too much risk with this approach.  I
wouldn't assign any of the FSMO roles to the old hardware DC, simply because
of the hassle in seizing the roles elsewhere in the event of a severe
hardware failure.   No problem with making the DC as GC though.

Another option to consider is setting up a lag site with the old hardware
DC.  This can be useful for some recovery scenarios as well as the safe
introduction of schema changes.  Search the list archive for recent posts on
the lag site concept.

It is important to ensure that whatever hardware you use is sufficient for
the task.  There are published minimum requirements for Windows Server 2003,
but you should also determine what is the minimum required for your own
environment.  A scenario I have in mind is if you have Exchange 2003 running
in your environment you perhaps don't want it to be using an old DC/GC
that's running like a dog. :-)

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, 9 

RE: [ActiveDir] Automating NoMas

2005-11-09 Thread joe
See

http://support.microsoft.com/?id=278966

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, November 09, 2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Ok with that said, what would be the correct way or tools to disable a mail
enabled account in Active Directory?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Let me restate this just a little.

The issues are due to Exchange Dev having an incomplete understanding of how
people do things in the enterprise and assuming that the only time a
disabled account could have a mailbox is because it is a resource mailbox so
instead of having an attribute for it they assume and then after assuming
run into all sorts of issues with their assumption.

From our side, it means that we have to adjust how we deprovision accounts
to properly populate the directory so Exchange doesn't get its panties in a
bunch. And yes, enough of these will get your Exchange server's panties in a
bunch. Lots of folks (primarily from MS) like to say these are meaningless
and can't hurt anything but I have seen multiple cases where they caused
store hangs and queues. I actually got an MS person to admit they were a
huge issue about 2-3 years ago but couldn't get the person to give me an
email stating that. I understood completely.

The interesting thing is that you would at least expect ADUC with the
Exchange extensions to properly disable these accounts but nope, we have to
handle it manually. But that is ok, we really shouldn't be using ADUC to
manage users in larger orgs anyway. No business rules, no decent logging,
too many people with too many permissions: you want to use provisioning
tools, either self written or purchased. 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Correct your deprovisioning process. Those issues are due to incorrectly
setting values on mailbox enabled users. Basically bad data is going in the
directory and then you are manually swinging back and correcting it.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, November 09, 2005 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automating NoMas

How can I prevent the Event ID error 9548(MSExchangeIS) from happening?  I
normally use NoMas to fix em, but I want to prevent them from happening.

Would it be possible to create a script that runs like every morning and
perform exactly what NoMas does for every child domain I have?


Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469


-
__
This message and any attachments are solely for the intended recipient and
may contain confidential or privileged information.  If you are not the
intended recipient, any disclosure, copying, use or distribution of the
information included in the message and any attachments is prohibited.  If
you have received this communication in error, please notify us by reply
e-mail and immediately and permanently delete this message and any
attachments.  Thank You.



RE: [ActiveDir] Automating NoMas

2005-11-09 Thread Al Mulnick
Something like this might be of interest.  
http://www.microsoft.com/technet/prodtechnol/exchange/guides/DROpsGuide/a209faf9-91a1-46d7-8a6d-538ce3fba85d.mspx



The best way would be to disassociate the mailbox from the account and 
maintain the mailbox for as long as the account retention requires (keep 
them matched).  That would require you to keep track of where a user's 
mailstore is located of course.


Note, this approach doesn't scale well.  At all.  That's why the above 
mentioned script exists in the first place.  Most people want to keep the 
user and the mailbox objects tied together until both are removed (if 
removed at all).  Or, they tend to have a separate group that does AD 
administration but has nothing to do with the mailbox provisioning which 
also easily results in this type of situation.


I agree with Joe that the ADUC with Exchange integrated tools should handle 
this more gracefully, but it's never that simple. ;-)


-ajm




From: Harding, Devon [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas
Date: Wed, 9 Nov 2005 12:25:19 -0500

Ok with that said, what would be the correct way or tools to disable a mail 
enabled account in Active Directory?


-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of joe

Sent: Wednesday, November 09, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Let me restate this just a little.

The issues are due to Exchange Dev having an incomplete understanding of how
people do things in the enterprise and assuming that the only time a
disabled account could have a mailbox is because it is a resource mailbox so
instead of having an attribute for it they assume and then after assuming
run into all sorts of issues with their assumption.

From our side, it means that we have to adjust how we deprovision accounts
to properly populate the directory so Exchange doesn't get its panties in a
bunch. And yes, enough of these will get your Exchange server's panties in a
bunch. Lots of folks (primarily from MS) like to say these are meaningless
and can't hurt anything but I have seen multiple cases where they caused
store hangs and queues. I actually got an MS person to admit they were a
huge issue about 2-3 years ago but couldn't get the person to give me an
email stating that. I understood completely.

The interesting thing is that you would at least expect ADUC with the
Exchange extensions to properly disable these accounts but nope, we have to
handle it manually. But that is ok, we really shouldn't be using ADUC to
manage users in larger orgs anyway. No business rules, no decent logging,
too many people with too many permissions: you want to use provisioning
tools, either self written or purchased.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Correct your deprovisioning process. Those issues are due to incorrectly
setting values on mailbox enabled users. Basically bad data is going in the
directory and then you are manually swinging back and correcting it.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, November 09, 2005 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automating NoMas

How can I prevent the Event ID error 9548(MSExchangeIS) from happening?  I
normally use NoMas to fix em, but I want to prevent them from happening.

Would it be possible to create a script that runs like every morning and
perform exactly what NoMas does for every child domain I have?


Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469



RE: [ActiveDir] Automating NoMas

2005-11-09 Thread Ed Crowley [MVP]
Hmmm...  Maybe there ought to be a mailbox store just for terminated users.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 09, 2005 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Something like this might be of interest.  
http://www.microsoft.com/technet/prodtechnol/exchange/guides/DROpsGuide/a209faf9-91a1-46d7-8a6d-538ce3fba85d.mspx


The best way would be to disassociate the mailbox from the account and
maintain the mailbox for as long as the account retention requires (keep
them matched).  That would require you to keep track of where a user's
mailstore is located of course.

Note, this approach doesn't scale well.  At all.  That's why the above
mentioned script exists in the first place.  Most people want to keep the
user and the mailbox objects tied together until both are removed (if
removed at all).  Or, they tend to have a separate group that does AD
administration but has nothing to do with the mailbox provisioning which
also easily results in this type of situation.

I agree with Joe that the ADUC with Exchange integrated tools should handle
this more gracefully, but it's never that simple. ;-)

-ajm



From: Harding, Devon [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas
Date: Wed, 9 Nov 2005 12:25:19 -0500

Ok with that said, what would be the correct way or tools to disable a 
mail enabled account in Active Directory?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Let me restate this just a little.

The issues are due to Exchange Dev having an incomplete understanding of 
how people do things in the enterprise and assuming that the only time 
a disabled account could have a mailbox is because it is a resource 
mailbox so instead of having an attribute for it they assume and then 
after assuming run into all sorts of issues with their assumption.

From our side, it means that we have to adjust how we deprovision accounts
to properly populate the directory so Exchange doesn't get its panties 
in a bunch. And yes, enough of these will get your Exchange server's 
panties in a bunch. Lots of folks (primarily from MS) like to say these 
are meaningless and can't hurt anything but I have seen multiple cases 
where they caused store hangs and queues. I actually got an MS person 
to admit they were a huge issue about 2-3 years ago but couldn't get 
the person to give me an email stating that. I understood completely.

The interesting thing is that you would at least expect ADUC with the 
Exchange extensions to properly disable these accounts but nope, we 
have to handle it manually. But that is ok, we really shouldn't be 
using ADUC to manage users in larger orgs anyway. No business rules, no 
decent logging, too many people with too many permissions: you want to 
use provisioning tools, either self written or purchased.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Correct your deprovisioning process. Those issues are due to 
incorrectly setting values on mailbox enabled users. Basically bad data 
is going in the directory and then you are manually swinging back and
correcting it.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, November 09, 2005 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automating NoMas

How can I prevent the Event ID error 9548(MSExchangeIS) from happening?  
I normally use NoMas to fix em, but I want to prevent them from happening.

Would it be possible to create a script that runs like every morning 
and perform exactly what NoMas does for every child domain I have?


Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469



[ActiveDir] scripting file move issue(OT)

2005-11-09 Thread Tom Kern
I'm having a problem trying to figure out how to script or batch file something.

I want to move N number of files from a series of subdirectories to another dir and then wait to make sure a different process that is running will remove the files i just moved from the other dir, before moving more N number of files from a series of subdirectories to that dir and continuing the process in this manner until the series of subdirectories are empty.


can i script something like this? 
would perl be better at this than vbscript?

can i do this with Robocopy? I read the docs and don't really think so but maybe someone else more familiar with it would know

thanks


RE: [ActiveDir] Automating NoMas

2005-11-09 Thread joe
I recommended this to a company once, actually it was a large company with a
lot of users who should have been deleted and I recommended a whole server.
Move all mailboxes of users who were going away to it and then
disconnect/delete the mailbox. It gets away from the 9548 issue as well as
the issue of crap, we have to jump off this mailbox server or this store
really quick but we can't move the deleted mailboxes until they are
reconnected to a user. It also can help with making the process for
programmatic reconnects easier since you can target the reconnect script on
one machine. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, November 09, 2005 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Hmmm...  Maybe there ought to be a mailbox store just for terminated users.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 09, 2005 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Something like this might be of interest.  
http://www.microsoft.com/technet/prodtechnol/exchange/guides/DROpsGuide/a209faf9-91a1-46d7-8a6d-538ce3fba85d.mspx


The best way would be to disassociate the mailbox from the account and
maintain the mailbox for as long as the account retention requires (keep
them matched).  That would require you to keep track of where a user's
mailstore is located of course.

Note, this approach doesn't scale well.  At all.  That's why the above
mentioned script exists in the first place.  Most people want to keep the
user and the mailbox objects tied together until both are removed (if
removed at all).  Or, they tend to have a separate group that does AD
administration but has nothing to do with the mailbox provisioning which
also easily results in this type of situation.

I agree with Joe that the ADUC with Exchange integrated tools should handle
this more gracefully, but it's never that simple. ;-)

-ajm



From: Harding, Devon [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas
Date: Wed, 9 Nov 2005 12:25:19 -0500

Ok with that said, what would be the correct way or tools to disable a 
mail enabled account in Active Directory?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Let me restate this just a little.

The issues are due to Exchange Dev having an incomplete understanding of 
how people do things in the enterprise and assuming that the only time 
a disabled account could have a mailbox is because it is a resource 
mailbox so instead of having an attribute for it they assume and then 
after assuming run into all sorts of issues with their assumption.

From our side, it means that we have to adjust how we deprovision accounts
to properly populate the directory so Exchange doesn't get its panties 
in a bunch. And yes, enough of these will get your Exchange server's 
panties in a bunch. Lots of folks (primarily from MS) like to say these 
are meaningless and can't hurt anything but I have seen multiple cases 
where they caused store hangs and queues. I actually got an MS person 
to admit they were a huge issue about 2-3 years ago but couldn't get 
the person to give me an email stating that. I understood completely.

The interesting thing is that you would at least expect ADUC with the 
Exchange extensions to properly disable these accounts but nope, we 
have to handle it manually. But that is ok, we really shouldn't be 
using ADUC to manage users in larger orgs anyway. No business rules, no 
decent logging, too many people with too many permissions: you want to 
use provisioning tools, either self written or purchased.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Correct your deprovisioning process. Those issues are due to 
incorrectly setting values on mailbox enabled users. Basically bad data 
is going in the directory and then you are manually swinging back and
correcting it.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, November 09, 2005 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automating NoMas

How can I prevent the Event ID error 9548(MSExchangeIS) from happening? 
I normally use NoMas to fix em, but I want to prevent them from happening.

Would it be possible to create a script that runs like every morning 
and perform exactly what NoMas does for every 

RE: [ActiveDir] scripting file move issue(OT)

2005-11-09 Thread Coleman, Hunter



Yes, this is scriptable. Perl vs VBS? Either will work, so 
I'd go with whatever you are most comfortable with.

How quickly are your source directories going to refill, 
and how quickly is your destination directory going to get cleaned up by the 
different process?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, November 09, 2005 11:30 AM
To: activedirectory
Subject: [ActiveDir] scripting file move issue(OT)

I'm having a problem trying to figure out how to script or batch file 
something.

I want to move N number of files from a series of subdirectories to another 
dir and then wait to make sure a different process that is running will remove 
the files i just moved from the other dir, before moving more N number of files 
from a series of subdirectories to that dir and continuing the process in this 
manner until the series of subdirectories are empty. 

can i script something like this? 
would perl be better at this than vbscript?

can i do this with Robocopy? I read the docs and don't really think so but 
maybe someone else more familiar with it would know

thanks


Re: [ActiveDir] scripting file move issue(OT)

2005-11-09 Thread Tom Kern
the source dirs take awhile to refill as they are being filled by xcopy. it copies about 4gig a batch.
The destination dir empties in about 10-15secs.
also the destination dir can only handle 1000 files at a time before being emptied.

thanks

On 11/9/05, Coleman, Hunter [EMAIL PROTECTED] wrote:

Yes, this is scriptable. Perl vs VBS? Either will work, so I'd go with whatever you are most comfortable with.

How quickly are your source directories going to refill, and how quickly is your destination directory going to get cleaned up by the different process?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, November 09, 2005 11:30 AM
To: activedirectory
Subject: [ActiveDir] scripting file move issue(OT)

I'm having a problem trying to figure out how to script or batch file something.

I want to move N number of files from a series of subdirectories to another dir and then wait to make sure a different process that is running will remove the files i just moved from the other dir, before moving more N number of files from a series of subdirectories to that dir and continuing the process in this manner until the series of subdirectories are empty. 

can i script something like this? 
would perl be better at this than vbscript?

can i do this with Robocopy? I read the docs and don't really think so but maybe someone else more familiar with it would know

thanks


RE: [ActiveDir] scripting file move issue(OT)

2005-11-09 Thread Rich Milburn








Tom,

Suggest you use FSO.MoveFile or
Folder.MoveHere in vbscript to do the moving rather than xcopy. You could
enumerate files, have a for each loop with a counter, and move files until the
counter is divisible by 1000 (or = 1000 and reset), sleep for 15-20 seconds, and
continue. After your sleep you could check that the destination folder is
empty and if not then sleep again.

I'm assuming some familiarity with
the vbscript I'm talking about, if you need more specifics just ask.

Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, November 09, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] scripting file move issue(OT)

the source dirs take awhile to refill as they are being filled by
xcopy. it copies about 4gig a batch.

The destination dir empties in about 10-15secs.

also the destination dir can only handle 1000 files at a time before
being emptied.

thanks

On 11/9/05, Coleman, Hunter [EMAIL PROTECTED] wrote:

Yes, this is scriptable. Perl vs VBS?
Either will work, so I'd go with whatever you are most comfortable with.

How quickly are your source directories
going to refill, and how quickly is your destination directory going to get
cleaned up by the different process?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, November 09, 2005 11:30 AM
To: activedirectory
Subject: [ActiveDir] scripting file move issue(OT)

I'm having a problem trying to figure out how to script or batch file
something.

I want to move N number of files from a series of subdirectories to
another dir and then wait to make sure a different process that is running will
remove the files i just moved from the other dir, before moving more N number
of files from a series of subdirectories to that dir and continuing the process
in this manner until the series of subdirectories are empty.

can i script something like this?

would perl be better at this than vbscript?

can i do this with Robocopy? I read the docs and don't really think so
but maybe someone else more familiar with it would know

thanks

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- 
PRIVILEGED / 
CONFIDENTIAL INFORMATION may be contained in this message or any attachments. 
This information is strictly confidential and may be subject to attorney-client 
privilege. This message is intended only for the use of the named addressee. If 
you are not the intended recipient of this message, unauthorized forwarding, 
printing, copying, distribution, or using such information is strictly 
prohibited and may be unlawful. If you have received this in error, you should 
kindly notify the sender by reply e-mail and immediately destroy this message. 
Unauthorized interception of this e-mail is a violation of federal criminal law. 
Applebee's International, Inc. reserves the right to monitor and review the 
content of all messages sent to and from this e-mail address. Messages sent to 
or from this e-mail address may be stored on the Applebee's International, Inc. 
e-mail system.
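
The batching loop described in the message above, written out as an added VBScript example; it is not code from the thread or from any poster. The two folder paths, the polling interval and the stall timeout are assumptions, and the 1000-file limit is the figure given in the thread.

```vbscript
' Added example (not from the thread): move files in batches of at most
' BATCH_SIZE and wait for the consuming process to empty the destination.
Option Explicit

Const SOURCE_ROOT = "D:\staging\incoming"  ' assumption: parent of the source subdirectories
Const DEST_DIR    = "D:\staging\pickup"    ' assumption: folder the other process empties
Const BATCH_SIZE  = 1000                   ' destination limit given in the thread
Const POLL_MS     = 5000                   ' assumption: re-check interval
Const MAX_WAIT_MS = 600000                 ' assumption: stop if the consumer stalls for 10 minutes

Dim fso, pending, srcPath, target, inBatch, moved
Set fso = CreateObject("Scripting.FileSystemObject")
Set pending = CreateObject("Scripting.Dictionary")

' Snapshot the file list before moving anything; moving files while
' walking a live Files collection can skip entries.
CollectFiles fso.GetFolder(SOURCE_ROOT), pending

WaitForEmpty            ' never add to a destination that still holds files
inBatch = 0
moved = 0
For Each srcPath In pending.Keys
    target = fso.BuildPath(DEST_DIR, fso.GetFileName(srcPath))
    ' Start a new batch when the limit is reached, or when a file of the same
    ' name (from another subdirectory) is still waiting in the destination.
    If inBatch >= BATCH_SIZE Or fso.FileExists(target) Then
        WaitForEmpty
        inBatch = 0
    End If
    If MoveOne(srcPath, target) Then
        inBatch = inBatch + 1
        moved = moved + 1
    End If
Next
WScript.Echo "Moved " & moved & " of " & pending.Count & " files."

' Recursively record the full path of every file under folder.
Sub CollectFiles(folder, list)
    Dim f, sf
    For Each f In folder.Files
        list.Add f.Path, True
    Next
    For Each sf In folder.SubFolders
        CollectFiles sf, list
    Next
End Sub

' Move one file; returns True on success. On the same volume MoveFile is a
' rename, so the consuming process never sees a half-written file.
Function MoveOne(src, dst)
    MoveOne = False
    On Error Resume Next
    fso.MoveFile src, dst
    If Err.Number = 0 Then
        MoveOne = True
    Else
        ' Usually a file that xcopy still has open; leave it for the next run.
        WScript.Echo "Skipped " & src & ": " & Err.Description
        Err.Clear
    End If
    On Error GoTo 0
End Function

' Block until the destination holds no files, polling every POLL_MS.
Sub WaitForEmpty
    Dim waited
    waited = 0
    Do While fso.GetFolder(DEST_DIR).Files.Count > 0
        If waited >= MAX_WAIT_MS Then
            WScript.Echo "Destination not emptied after " & (MAX_WAIT_MS \ 1000) & "s; stopping."
            WScript.Quit 1
        End If
        WScript.Sleep POLL_MS
        waited = waited + POLL_MS
    Loop
End Sub
```

Run it with cscript.exe rather than wscript.exe so the WScript.Echo lines go to the console instead of message boxes.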








Re: [ActiveDir] scripting file move issue(OT)

2005-11-09 Thread Tom Kern
thanks

i think i might need a little more assistance here.
i'm a little out of my depth
On 11/9/05, Rich Milburn [EMAIL PROTECTED] wrote:


Tom,
Suggest you use FSO.MoveFile or Folder.MoveHere in vbscript to do the moving rather than xcopy. You could enumerate files, have a for each loop with a counter, and move files until the counter is divisible by 1000 (or = 1000 and reset), sleep for 15-20 seconds, and continue. After your sleep you could check that the destination folder is empty and if not then sleep again.

I'm assuming some familiarity with the vbscript I'm talking about, if you need more specifics just ask.

Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, November 09, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] scripting file move issue(OT)

the source dirs take awhile to refill as they are being filled by xcopy. it copies about 4gig a batch.

The destination dir empties in about 10-15secs.

also the destination dir can only handle 1000 files at a time before being emptied.

thanks

On 11/9/05, Coleman, Hunter [EMAIL PROTECTED] wrote:
Yes, this is scriptable. Perl vs VBS? Either will work, so I'd go with whatever you are most comfortable with.

How quickly are your source directories going to refill, and how quickly is your destination directory going to get cleaned up by the different process?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, November 09, 2005 11:30 AM
To: activedirectory
Subject: [ActiveDir] scripting file move issue(OT)

I'm having a problem trying to figure out how to script or batch file something.

I want to move N number of files from a series of subdirectories to another dir and then wait to make sure a different process that is running will remove the files i just moved from the other dir, before moving more N number of files from a series of subdirectories to that dir and continuing the process in this manner until the series of subdirectories are empty.

can i script something like this?

would perl be better at this than vbscript?

can i do this with Robocopy? I read the docs and don't really think so but maybe someone else more familiar with it would know

thanks





---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
 






RE: [ActiveDir] Automating NoMas

2005-11-09 Thread Joe Pochedley
OK, let me start by saying I'm no programming or scripting expert, but I 
dabble...   :)

I copied and pasted the text off the TechNet site..  When I run it, unmodified, 
the script only runs against my child domain.  We have one parent domain, and 
one child; the machine I'm running from is my workstation which is part of the 
parent domain.

It appears, to me, that the oRecordset only contains the names of the trusted 
domains?  If I modify the code and add a call to the function just after the 
Else (PerDomain(strDomainNC)) when the strDomainNC is still set to the parent 
domain, then it functions as expected...  

(Lines 59 - 69 of the original code, plus the extra function call after the 
Else below)

If oRecordSet.Eof Then
  TextStream.WriteLine("Didn't find any trusts, assuming single domain...")
  PerDomain(strDomainNC)
Else
  PerDomain(strDomainNC)  ' Added to run against the original parent NC
  While Not oRecordSet.Eof
    strDomainNC = oRecordSet.Fields(0)
    TextStream.WriteLine "++ " & strDomainNC
    PerDomain(strDomainNC)
    oRecordSet.MoveNext
  Wend
End If

Did this just not run correctly for me in its original configuration, did I 
miss something, or is it really just wrong as posted?

Joe Pochedley
A computer terminal is not some clunky old television
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe
and move bits of it about. -Douglas Adams 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 09, 2005 1:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Something like this might be of interest.  
http://www.microsoft.com/technet/prodtechnol/exchange/guides/DROpsGuide/a209faf9-91a1-46d7-8a6d-538ce3fba85d.mspx


The best way would be to disassociate the mailbox from the account and maintain 
the mailbox for as long as the account retention requires (keep them matched).  
That would require you to keep track of where a user's mailstore is located of 
course.

Note, this approach doesn't scale well.  At all.  That's why the above 
mentioned script exists in the first place.  Most people want to keep the user 
and the mailbox objects tied together until both are removed (if removed at 
all).  Or, they tend to have a separate group that does AD administration but 
has nothing to do with the mailbox provisioning which also easily results in 
this type of situation.

I agree with Joe that the ADUC with Exchange integrated tools should handle 
this more gracefully, but it's never that simple. ;-)

-ajm



From: Harding, Devon [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas
Date: Wed, 9 Nov 2005 12:25:19 -0500

Ok with that said, what would be the correct way or tools to disable a 
mail enabled account in Active Directory?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Let me restate this just a little.

The issues are due to Exchange Dev having an incomplete understanding of 
how people do things in the enterprise and assuming that the only time 
a disabled account could have a mailbox is because it is a resource 
mailbox so instead of having an attribute for it they assume and then 
after assuming run into all sorts of issues with their assumption.

From our side, it means that we have to adjust how we deprovision accounts
to properly populate the directory so Exchange doesn't get its panties 
in a bunch. And yes, enough of these will get your Exchange server's 
panties in a bunch. Lots of folks (primarily from MS) like to say these 
are meaningless and can't hurt anything but I have seen multiple cases 
where they caused store hangs and queues. I actually got an MS person 
to admit they were a huge issue about 2-3 years ago but couldn't get 
the person to give me an email stating that. I understood completely.

The interesting thing is that you would at least expect ADUC with the 
Exchange extensions to properly disable these accounts but nope, we 
have to handle it manually. But that is ok, we really shouldn't be 
using ADUC to manage users in larger orgs anyway. No business rules, no 
decent logging, too many people with too many permissions: you want to 
use provisioning tools, either self written or purchased.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Correct your deprovisioning process. Those issues are due to 
incorrectly setting values on mailbox enabled users. Basically bad data 
is going in the directory and then you are manually swinging back and 
correcting it.


-Original Message-
From: [EMAIL 

RE: [ActiveDir] scripting file move issue(OT)

2005-11-09 Thread Coleman, Hunter



Rich has outlined what you'll need to do. I'd probably 
include an initial check of the destination folder to make sure it's empty 
before starting any of the copies/moves.

http://www.microsoft.com/technet/scriptcenter/scripts/storage/files/default.mspx has 
links to snippets that will show you how to list all files in a folder (and thus 
get a count), as well as how to move or copy files.

Hunter


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, November 09, 2005 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] scripting file move issue(OT)

thanks

i think i might need a little more assistance here.
i'm a little out of my depth
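
The batching loop Rich and Hunter describe, written out in VBScript as an added example (not code posted by anyone in this thread). The two paths and the 10-minute timeout are assumptions; the batch size and poll interval come from Tom's numbers.

```vbscript
' Added example, not from the thread. Paths and MAX_WAIT_MS are assumptions.
Option Explicit

Const SOURCE_ROOT = "D:\incoming"   ' hypothetical parent of the source subdirectories
Const DEST_DIR    = "D:\pickup"     ' hypothetical folder the other process empties
Const BATCH_SIZE  = 1000            ' destination limit stated in the thread
Const POLL_MS     = 15000           ' destination empties in about 10-15 seconds
Const MAX_WAIT_MS = 600000          ' assumed: give up if the consumer stalls for 10 minutes

Dim fso, result
Set fso = CreateObject("Scripting.FileSystemObject")

' Poll until the destination holds no files. Returns False on timeout.
Function WaitForEmpty(path)
    Dim waited
    waited = 0
    WaitForEmpty = True
    Do While fso.GetFolder(path).Files.Count > 0
        If waited >= MAX_WAIT_MS Then
            WaitForEmpty = False
            Exit Function
        End If
        WScript.Sleep POLL_MS
        waited = waited + POLL_MS
    Loop
End Function

' Snapshot every file path under a folder tree. Collecting first avoids
' changing a Files collection while For Each is still walking it.
Sub CollectFiles(folder, paths)
    Dim f, child
    For Each f In folder.Files
        paths.Add paths.Count, f.Path
    Next
    For Each child In folder.SubFolders
        CollectFiles child, paths
    Next
End Sub

' One pass over a snapshot of the sources.
' Returns the number of files moved, or -1 if the destination never emptied.
Function MovePass()
    Dim paths, key, src, target, inBatch, moved
    Set paths = CreateObject("Scripting.Dictionary")
    CollectFiles fso.GetFolder(SOURCE_ROOT), paths
    inBatch = 0 : moved = 0
    For Each key In paths.Keys
        src = paths(key)
        target = fso.BuildPath(DEST_DIR, fso.GetFileName(src))
        If fso.FileExists(target) Then
            ' Two subdirectories held the same file name; retry on a later pass.
            WScript.Echo "Deferred (name already in destination): " & src
        Else
            ' A file the writer still holds open typically fails to move; skip it for now.
            On Error Resume Next
            fso.MoveFile src, target
            If Err.Number = 0 Then
                inBatch = inBatch + 1 : moved = moved + 1
            Else
                WScript.Echo "Deferred (" & Err.Description & "): " & src
                Err.Clear
            End If
            On Error GoTo 0
        End If
        If inBatch = BATCH_SIZE Then
            If Not WaitForEmpty(DEST_DIR) Then
                MovePass = -1
                Exit Function
            End If
            inBatch = 0
        End If
    Next
    MovePass = moved
End Function

' Start every pass from an empty destination (Hunter's initial check), and
' repeat until a pass moves nothing, which picks up files that arrived meanwhile.
Do
    If Not WaitForEmpty(DEST_DIR) Then
        WScript.Echo "Destination was not emptied in time; stopping."
        WScript.Quit 1
    End If
    result = MovePass()
    If result < 0 Then
        WScript.Echo "Destination was not emptied in time; stopping mid-pass."
        WScript.Quit 1
    End If
Loop While result > 0
WScript.Echo "Done: the last pass found nothing left to move."
```

Run it with cscript.exe so WScript.Echo writes to the console instead of opening a message box per line.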
  
  
  
  
  


[ActiveDir] OT: In Servers how much tweaking are you doing?

2005-11-09 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Steve Riley's WebLog : When security breaks things:
http://blogs.technet.com/steriley/archive/2005/11/08/414002.aspx

I know that Joe and Exchange still don't see eye to eye...but on your 
DCs are you doing much tweaking these days?


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Automating NoMas

2005-11-09 Thread Harding, Devon
This script may be the answer... if it fixes accounts across the whole forest, 
I can set an At job to run once a week.  I do get this error on some accounts 
though:


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 09, 2005 1:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Something like this might be of interest.  
http://www.microsoft.com/technet/prodtechnol/exchange/guides/DROpsGuide/a209faf9-91a1-46d7-8a6d-538ce3fba85d.mspx


The best way would be to disassociate the mailbox from the account and 
maintain the mailbox for as long as the account retention requires (keep 
them matched).  That would require you to keep track of where a user's 
mailstore is located of course.

Note, this approach doesn't scale well.  At all.  That's why the above 
mentioned script exists in the first place.  Most people want to keep the 
user and the mailbox objects tied together until both are removed (if 
removed at all).  Or, they tend to have a separate group that does AD 
administration but has nothing to do with the mailbox provisioning which 
also easily results in this type of situation.

I agree with Joe that the ADUC with Exchange integrated tools should handle 
this more gracefully, but it's never that simple. ;-)

-ajm




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, November 09, 2005 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automating NoMas

How can I prevent the Event ID error 9548(MSExchangeIS) from happening?  I
normally use NoMas to fix em, but I want to prevent them from happening.

Would it be possible to create a script that runs like every morning and
perform exactly what NoMas does for every child domain I have?


Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469


-
__
This message and any attachments are solely for the intended recipient and
may contain confidential or privileged information.  If you are not the
intended recipient, any disclosure, copying, use or distribution of the
information included in the message and any attachments is prohibited.  If
you have received this communication in error, please notify us by reply
e-mail and immediately and permanently delete this message and any
attachments.  Thank You.


RE: [ActiveDir] Automating NoMas

2005-11-09 Thread Harding, Devon
Failed to get MailboxRights, error 0x8007203A : The server is not operational.


RE: [ActiveDir] Directory Experts Conference 2006 call for presentations

2005-11-09 Thread Hutchins, Mike



lmao


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, November 08, 2005 5:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Directory Experts Conference 2006 call for presentations

The first two times, I read 
"DEC 2006 is coming up in March..." and I'm thinking WTF is this dude telling me 
December 2006 is coming up in March?? 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Tuesday, November 08, 2005 7:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Directory Experts Conference 2006 call for presentations

Greetings list-members

DEC 2006 is coming up in March, and I'd like to extend this invitation to you to submit a proposal for a presentation.

For those who have not attended DEC before, it is a technology conference focused on MSFT Identity and Access technologies, including AD, ADFS, MIIS, InfoCard, and AZMAN. The typical attendee is an AD or MIIS architect or engineer, usually from a large enterprise deployment, with at least a couple of years of AD experience under their belt.

We will also be hosting a "Masters Track" for AD, targeting the true AD gear-heads (think joe, Dean, and Guido, and you get the idea).

The conference is in Vegas March 26-29, and promises to be a lot of fun, with great sessions and speakers, and loads of networking opportunities.

Feel free to send your proposals to me, or submit them through the DEC web site, www.dec2006.com/callforpapers.cfm.

And remember, be excellent to each other, and party on, dudes.

-gil

Gil Kirkpatrick
CTO, NetPro

Don't miss the Directory Experts Conference 2006. More information at www.dec2006.com.


RE: [ActiveDir] OT: In Servers how much tweaking are you doing?

2005-11-09 Thread Brian Desmond
I have about half a page worth of special steps that the out of the box
config doesn't do for DCs...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, November 09, 2005 4:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: In Servers how much tweaking are you doing?

Steve Riley's WebLog : When security breaks things:
http://blogs.technet.com/steriley/archive/2005/11/08/414002.aspx

I know that Joe and Exchange still don't see eye to eye...but on your 
DCs are you doing much tweaking these days?

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



[ActiveDir] some users do not have allow inheritable permissions set

2005-11-09 Thread Ben D. Kusa








some users do not have allow inheritable permissions set. The only way I have found to reset that setting is to open each user and check that option off.

I have tried running dsacls OU=ou,DC=dc,DC=dc /I:T and it seems to go through ok but does not reset that option. Should that work? Or does anyone know any other way to set that option on multiple users?



Thanks

Ben 
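
The checkbox Ben describes reflects the SE_DACL_PROTECTED bit in each object's security descriptor control field, whereas the /I switch of dsacls sets how an ACE being granted propagates. The script below is an added example, not from the thread: it lists the users under an OU that have the bit set and clears it only when blnFix is True. The OU path is the placeholder from Ben's post and blnFix is a name introduced here.

```vbscript
' Added example, not from the thread. strOU is the placeholder DN from the post;
' blnFix is a hypothetical switch introduced for this example.
Option Explicit

Const SE_DACL_PROTECTED = &H1000    ' control bit: object does not accept inherited ACEs
Const ADS_SCOPE_SUBTREE = 2
Const strOU  = "OU=ou,DC=dc,DC=dc"  ' placeholder, replace with the real OU
Const blnFix = False                ' False = report only, True = re-enable inheritance

Dim objConn, objCmd, objRS, objUser, objSD, intControl, intFound, intFixed

Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

Set objCmd = CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.Properties("Page Size") = 1000               ' page results so large OUs are not truncated
objCmd.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCmd.CommandText = "SELECT ADsPath FROM 'LDAP://" & strOU & _
    "' WHERE objectCategory='person' AND objectClass='user'"

intFound = 0 : intFixed = 0
Set objRS = objCmd.Execute
Do Until objRS.EOF
    Set objUser = GetObject(objRS.Fields("ADsPath").Value)
    Set objSD = objUser.Get("ntSecurityDescriptor")
    intControl = objSD.Control
    If (intControl And SE_DACL_PROTECTED) <> 0 Then
        intFound = intFound + 1
        WScript.Echo "Inheritance blocked: " & objUser.Get("distinguishedName")
        If blnFix Then
            ' Clear only the protected bit and write the descriptor back.
            objSD.Control = intControl And (Not SE_DACL_PROTECTED)
            objUser.Put "ntSecurityDescriptor", objSD
            objUser.SetInfo
            intFixed = intFixed + 1
        End If
    End If
    objRS.MoveNext
Loop

WScript.Echo intFound & " user(s) with inheritance blocked, " & intFixed & " changed."
```

Accounts that are or were members of protected groups such as Domain Admins carry adminCount=1 and have inheritance switched off again by the AdminSDHolder process, so expect those to reappear in the report after a fix.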












Re: [ActiveDir] OT: In Servers how much tweaking are you doing?

2005-11-09 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Given that his annual cleaning includes bit bucket cleaning. [that 
nearly had me going for a split second] . does the Master care to 
share to the Padawan and anyone else that is reading this?


Brian Desmond wrote:

I have about half a page worth of special steps that the out of the box
config doesn't do for DCs...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




RE: [ActiveDir] OT: In Servers how much tweaking are you doing?

2005-11-09 Thread Brian Desmond
We polish the platters and relamp the scsi trays too. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, November 09, 2005 8:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: In Servers how much tweaking are you doing?

Given that his annual cleaning includes bit bucket cleaning. [that 
nearly had me going for a split second] . does the Master care to 
share to the Padawan and anyone else that is reading this?


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



RE: [ActiveDir] Automating NoMas

2005-11-09 Thread deji
Me? I don't. I just change the password to a randomly-generated complex one,
make domain users its primary group, remove it from all groups except domain
users, hide it from GAL and move it to a Terminated OU.
 
That's where it stays until my monthly cleanup script runs, detects its
modified date, sees if it's longer than x number of days (depending on
corporate retention policy), exmerges the mailbox and DELETEs the account.
 
I still have most of the scripts that do all that handy if you are
interested.
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Wed 11/9/2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas



Ok with that said, what would be the correct way or tools to disable a mail
enabled account in Active Directory?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Let me restate this just a little.

The issue are due to Exchange Dev having an incomplete understanding of how
people do things in the enterprise and assuming that the only time a
disabled account could have a mailbox is because it is a resource mailbox so
instead of having an attribute for it they assume and then after assuming
run into all sorts of issues with their assumption.

From our side, it means that we have to adjust how we deprovision accounts
to properly populate the directory so Exchange doesn't get its panties in a
bunch. And yes, enough of these will get your Exchange server's panties in a
bunch. Lots of folks (primarily from MS) like to say these are meaningless
and can't hurt anything but I have seen multiple cases where they caused
store hangs and queues. I actually got an MS person to admin they were a
huge issue about 2-3 years ago but couldn't get the person to give me an
email stating that. I understood completely.

The interesting thing is that you would at least expect ADUC with the
Exchange extensions to properly disable these accounts but nope, we have to
handle it manually. But that is ok, we really shouldn't be using ADUC to
manage users in larger orgs anyway. No business rules, no decent logging,
too many people with too many permissions: you want to use provisioning
tools, either self written or purchased.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Correct your deprovisioning process. Those issues are due to incorrectly
setting values on mailbox enabled users. Basically bad data is going in the
directory and then you are manually swinging back and correcting it.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, November 09, 2005 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automating NoMas

How can I prevent the Event ID error 9548(MSExchangeIS) from happening?  I
normally use NoMas to fix em, but I want to prevent them from happening.

Would it be possible to create a script that runs like every morning and
perform exactly what NoMas does for every child domain I have?


Devon Harding
Windows Systems Engineer
Southern Wine  Spirits - BSG
954-602-2469


-
__
This message and any attachments are solely for the intended recipient and
may contain confidential or privileged information.  If you are not the
intended recipient, any disclosure, copying, use or distribution of the
information included in the message and any attachments is prohibited.  If
you have received this communication in error, please notify us by reply
e-mail and immediately and permanently delete this message and any
attachments.  Thank You.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Distribute file to all desktop

2005-11-09 Thread Tashildar, Dinesh \(Cognizant\)

Hi,

Our company is company with one survey which is in the exe format. We wanted to push this exe to desktops which are connected to our corporate network. Anyone aware of a way to do this in a Windows environment? Any freeware tools?

Regards,
Dinesh Tashildar
Cognizant Technology Solutions India Pvt. Ltd.
Tel : 91-20-56062600 Extn : 182  Change in number
Vnet : 21182  Change in number





This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information.
If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. 
Any unauthorised review, use, disclosure, dissemination, forwarding, printing or copying of this email or any action taken in reliance on this e-mail is strictly 
prohibited and may be unlawful.

  Visit us at http://www.cognizant.com


RE: [ActiveDir] Distribute file to all desktop

2005-11-09 Thread Blair, James

Dinesh,

You could do it through AD and roll out a login script. If it were me I
would rather get the *.exe put on a network share, have it initialise and
advise when the user "took" the survey... Batch file could look something
like this:

CLS
@echo off
TITLE Company Survey
REM Local folder where the per-user flag file is staged
if not exist c:\ScriptFlag md c:\ScriptFlag
REM Skip users whose flag file is already on the share
if exist \\%Server%\%Share%\%UserName%.flag goto :eof
REM Run the survey from the share (replace *.exe with the survey's file name)
\\%Server%\%Share%\*.exe
REM Record who ran it and when, then copy the flag to the share
echo %date% %time% %UserName% > c:\ScriptFlag\%UserName%.flag
Copy c:\ScriptFlag\%UserName%.flag \\%Server%\%Share%\
EXIT

You would of course replace %Server% and %Share% to suit.



James



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tashildar, Dinesh (Cognizant)
Sent: Thursday, November 10, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Distribute file to all desktop

Hi,

Our company is company with one survey which in the exe format. We wanted
to push this exe to desktops which are connected to our corporate network.
Anyone aware of way to do this in Windows environment? Any freeware tools?

Regards,
Dinesh Tashildar
Cognizant Technology Solutions India Pvt. Ltd.
Tel : 91-20-56062600 Extn : 182  Change in number
Vnet : 21182  Change in number


  
  


RE: [ActiveDir] some users do not have allow inheritable permissions set

2005-11-09 Thread Steve Linehan



Just out of curiosity when you go back an hour later is the box unchecked?
This really sounds like the work of AdminSDHolder and the users in question
are likely members of protected groups. If you have not looked at the
following Knowledge Base article you may want to see if this is what you are
running into: http://support.microsoft.com/default.aspx?scid=kb;en-us;817433.

Thanks,

-Steve


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben D. Kusa
Sent: Wednesday, November 09, 2005 7:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] some users do not have allow "inheritable permissions" set

Some users do not have allow "inheritable permissions" set. The only way I
have found to reset that setting is to open each user and check that option
off.

I have tried running dsacls OU=ou,DC=dc,DC=dc /I:T and it seems to go through
ok but does not reset that option. Should that work? Or does anyone know any
other way to set that option on multiple users

Thanks
Ben 





RE: [ActiveDir] Distribute file to all desktop

2005-11-09 Thread Tashildar, Dinesh \(Cognizant\)

James,

Thanks for inputs... I didn't get you, what do you mean by "have it
initialize and advise when the user "took" the survey"?

I am thinking to push this survey in two ways

1. Push it through SMS - Only problem I can think, if sms client is not
installed on client desktop then he/she will get survey. I don't want to
add SMS client dependency on it.

2. Login script would be a good option but survey will run only in case of
user log in to desktop.

I am looking for similar way (tool or script) like SMS but it does not have
client dependency.

We wanted to make this survey mandatory to all users, if we send mail and
ask users to go and run it from specified location then few users might not
open survey as well.

Regards,
Dinesh Tashildar
Ext:182 | Vnet 21182  Change in number

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James
Sent: Thursday, November 10, 2005 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Distribute file to all desktop

Dinesh,

You could do it through AD and roll out a login script. If it were me I
would rather get the *.exe put on a network share, have it initialise and
advise when the user "took" the survey... Batch file could look something
like this:

CLS
@echo off
TITLE Company Survey
if not exist c:\ScriptFlag md c:\ScriptFlag
if exist \\%Server%\%Share%\%UserName%.flag goto :eof
\\%Server%\%Share%\*.exe
echo %date% %time% %UserName% > c:\ScriptFlag\%UserName%.flag
Copy c:\ScriptFlag\%UserName%.flag \\%Server%\%Share%\
EXIT

You would of course replace %Server% and %Share% to suit.

James



RE: [ActiveDir] Distribute file to all desktop

2005-11-09 Thread Alain Lissoir

Is this a large app or a simple .exe? Pushing via GPO?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tashildar, Dinesh (Cognizant)
Sent: Wednesday, November 09, 2005 10:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Distribute file to all desktop

James,

Thanks for inputs... I didn't get you, what do you mean by "have it
initialize and advise when the user "took" the survey"?

I am thinking to push this survey in two ways

1. Push it through SMS - Only problem I can think, if sms client is not
installed on client desktop then he/she will get survey. I don't want to
add SMS client dependency on it.

2. Login script would be a good option but survey will run only in case of
user log in to desktop.

I am looking for similar way (tool or script) like SMS but it does not have
client dependency.

We wanted to make this survey mandatory to all users, if we send mail and
ask users to go and run it from specified location then few users might not
open survey as well.

Regards,
Dinesh Tashildar
Ext:182 | Vnet 21182  Change in number



RE: [ActiveDir] Distribute file to all desktop

2005-11-09 Thread Tashildar, Dinesh \(Cognizant\)

It's a simple exe.

Regards,
Dinesh Tashildar
Ext:182 | Vnet 21182  Change in number

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Thursday, November 10, 2005 12:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Distribute file to all desktop

Is this a large app or a simple .exe? Pushing via GPO?



RE: [ActiveDir] some users do not have allow inheritable permissions set

2005-11-09 Thread Almeida Pinto, Jorge de
Every hour, the domain controller that has the primary domain controller (PDC) 
emulator operations master role verifies the ACLs on members of the protected 
groups and compares them to the ACL on the AdminSDHolder object. If the ACL 
that is on the AdminSDHolder object is different, the ACLs on the members of 
the administrative group are reset to match the ACL on the AdminSDHolder object.
For more info on the ADMINSDHOLDER object see the following related KB articles
Description and Update of the Active Directory AdminSDHolder Object
-- MS-KBQ232199 (http://support.microsoft.com/?id=232199)
AdminSDHolder Thread Affects Transitive Members of Distribution Groups
-- MS-KBQ318180 (http://support.microsoft.com/?id=318180)
Delegated permissions are not available and inheritance is automatically 
disabled
-- MS-KBQ817433 (http://support.microsoft.com/?id=817433)

Cheers,
jorge



From: [EMAIL PROTECTED] on behalf of Ben D. Kusa
Sent: Thu 11/10/2005 2:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] some users do not have allow inheritable permissions set



some users do not have allow inheritable permissions set. The only way I have 
found to reset that setting is to open each user and check that option off.

 

I have tried running dsacls OU=ou,DC=dc,DC=dc /I:T and it seems to go through 
ok but does not reset that option. Should that work? Or does anyone know any 
other way to set that option on multiple users

 

Thanks

Ben 

 

 



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
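
The hourly reset described in the two replies above (Steve Linehan's and this one), as an added Python example that is not part of the thread: it models one AdminSDHolder pass over constructed accounts to show why re-ticking the inheritance box sticks for some users and is undone for others. The account names, SDDL strings and the triage labels built on the `adminCount` attribute are assumptions made for the example.

```python
import copy
import re

# Subset of the default protected groups; the KB articles give the full list.
PROTECTED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed SDDL strings. In the DACL flags "P" means inheritance is blocked,
# "AI" means ACEs were auto-inherited from the parent container.
ADMINSDHOLDER_SDDL = "O:DAG:DAD:PAI(A;;GA;;;DA)(A;;GA;;;SY)"
INHERITING_SDDL = "O:DAG:DAD:AI(A;ID;GA;;;DA)(A;ID;RPWP;;;AO)"

# Constructed accounts. "groups" is assumed to be already expanded transitively
# (nested and distribution-group membership counts, per KB 318180).
USERS = [
    {"sam": "da-anna", "groups": {"Domain Admins", "Domain Users"},
     "adminCount": 1, "sddl": ADMINSDHOLDER_SDDL},
    {"sam": "ex-admin-raj", "groups": {"Domain Users"},
     "adminCount": 1, "sddl": ADMINSDHOLDER_SDDL},
    {"sam": "kiosk01", "groups": {"Domain Users"},
     "adminCount": None, "sddl": "O:DAG:DAD:P(A;;GA;;;DA)"},
    {"sam": "lee", "groups": {"Domain Users"},
     "adminCount": None, "sddl": INHERITING_SDDL},
]


def dacl_flags(sddl):
    """Return the flag letters that follow 'D:' and precede the first ACE."""
    m = re.search(r"D:([A-Z_]*)(?=\(|S:|$)", sddl)
    return m.group(1) if m else ""


def inheritance_blocked(sddl):
    """True when the DACL carries the P (protected) flag."""
    flags = dacl_flags(sddl)
    for token in ("NO_ACCESS_CONTROL", "AR", "AI"):
        flags = flags.replace(token, "")
    return "P" in flags


def classify(user):
    """Triage label that tells an operator where the fix belongs."""
    if PROTECTED_GROUPS & set(user["groups"]):
        return "sdprop-managed"      # per-user edits are undone within the hour
    if inheritance_blocked(user["sddl"]) and user.get("adminCount") == 1:
        return "orphaned"            # former member: safe to fix once by hand
    if inheritance_blocked(user["sddl"]):
        return "manually-blocked"    # someone unticked the box deliberately
    return "inherits"


def tick_inherit_checkbox(user):
    """Simplified model of re-enabling inheritance: the P flag is dropped.
    Assumes P is the first DACL flag, as in the constructed strings above."""
    user["sddl"] = re.sub(r"D:P", "D:", user["sddl"], count=1)


def sdprop_pass(users):
    """One hourly run on the PDC emulator: members of protected groups get the
    AdminSDHolder ACL back. Returns the accounts that were reset."""
    reset = []
    for u in users:
        if PROTECTED_GROUPS & set(u["groups"]) and u["sddl"] != ADMINSDHOLDER_SDDL:
            u["sddl"] = ADMINSDHOLDER_SDDL
            u["adminCount"] = 1
            reset.append(u["sam"])
    return reset


def demo():
    users = copy.deepcopy(USERS)
    before = {u["sam"]: classify(u) for u in users}
    for u in users:
        tick_inherit_checkbox(u)      # operator ticks the box on every account
    reverted = sdprop_pass(users)     # the next hourly comparison runs
    after = {u["sam"]: inheritance_blocked(u["sddl"]) for u in users}
    return before, reverted, after


if __name__ == "__main__":
    before, reverted, after = demo()
    for sam, label in before.items():
        print(f"{sam:14} {label:17} blocked again after SDProp: {after[sam]}")
    print("reset by SDProp:", reverted)
```

Only the current protected-group member is reverted; the former admin and the manually blocked account keep the inheritance setting once it is re-enabled.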

RE: [ActiveDir] Automating NoMas

2005-11-09 Thread Almeida Pinto, Jorge de
With ADMODCMD you can query AD, disable users and add SELF to the ACL.
 
This is something I posted a while ago...
 
What to do with user accounts that are or not mailbox enabled when the 
corresponding user(s) leave(s) the company. For that and without buying a full 
blown solution you can create tooling in a simple way if the following process 
is sufficient for you.
IT IS A 5 STEP PROCESS:
(1) Be sure to receive some notification a user has left the company
(2) Move its user account to a special de-provisioning OU (manually)
(3) Schedule a script to run regularly (daily or weekly or whatever is good for 
you) to disable AD enabled user accounts in the de-provisioning OU and if the 
account is mailbox enabled to add the Associated External Account permission 
to SELF. Also generate and set a difficult password (be careful with 
certificates if you use them for encryption!)
(4) Schedule a script to run regularly (daily or weekly or whatever is good for 
you) to check the de-provisioning OU for disabled user accounts that have been 
unused for a certain (inactive) period (e.g. 90 days). In a W2K3 domain with 
Domain Functional Level 'Windows Server 2003' you can use the 
'lastLogonTimestamp' attribute that determines the last time a user logged on. 
In a W2K domain or W2K3 domain with Domain Functional Level 'Windows Server 
2000 native' or lower you can use the 'lastLogon' attribute which is less 
accurate, but that will do.
If user accounts are found that meet the prerequisites (disabled and exceed a 
certain inactive period):
* Create a directory for the user in some Archive Location (the archive 
location is a location where the user's stuff will be copied to, backup for a 
certain time and after some other period the user's stuff is removed)
* Extract all populated attributes of the user account to the user's archive 
location (using LDIFDE)
* Check if a home directory exists (read attribute and check location) and MOVE 
it to the user's archive location
* Check if a profile directory exists (read attribute and check location) and 
MOVE it to the user's archive location
* Check if a TS home directory exists (read attribute and check location) and 
MOVE it to the user's archive location
* Check if a TS profile directory exists (read attribute and check location) 
and MOVE it to the user's archive location
* Exmerge the mailbox into a PST in the user's archive location (be careful 
with large PST sizes!!! e.g.  2GB)
(http://support.microsoft.com/default.aspx?scid=kb;en-us;830336)
(http://support.microsoft.com/default.aspx?scid=kb;en-us;823176)
(5) Schedule a script to run regularly (daily or weekly or whatever is good for 
you) to check all users' archive locations to see which exceed the 
archiving period for backup (e.g. 60 days). For this compare the folder 
creation date with the current date. If a user archive location is found and it 
is older than the current date minus the minimum required archiving period for 
backup, delete the folder
TOOLS USED:
* ADModcmd.exe and others from (ADModify.NET) 
(http://www.gotdotnet.com/workspaces/workspace.aspx?id=f5cbbfa9-e46b-4a7a-8ed8-3e44523f32e2)
* Robocopy.exe (W2K3 Resource Kit) 
(http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffddisplaylang=en)
* ExMerge.exe 
(http://www.microsoft.com/downloads/details.aspx?FamilyID=429163EC-DCDF-47DC-96DA-1C12D67327D5displaylang=en)
 
I have built the above for a customer of mine and it works great
 
Cheers,
Jorge



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 11/10/2005 3:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas



Me? I don't. I just change the password to a randomly-generated complex one,
make domain users its primary group, remove it from all groups except domain
users, hide it from GAL and move it to a Terminated OU.

That's where it stays until my monthly cleanup script runs, detects its
modified date, see if it's longer than x number of days (depending on
corporate retention policy), exmerges the mailbox and DELETEs the account.

I still have most of the scripts that do all that handy if you are
interested.

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Wed 11/9/2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas



Ok with that said, what would be the correct way or tools to disable a mail
enabled account in Active Directory?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Let me restate this just a little.

The 
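
Steps (3) to (5) of the process posted above, as an added Python example (it is not Jorge's tooling, which used ADModify, Robocopy and ExMerge): it picks the accounts to disable, the accounts to archive and the archive folders to delete from constructed records. The OU name, the record layout and the `whenChanged` fallback for accounts that never logged on are assumptions.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002   # userAccountControl bit set on a disabled account
DEPROV_OU = "OU=Deprovisioning,DC=example,DC=com"   # hypothetical OU name
NOW = datetime(2005, 11, 10, tzinfo=timezone.utc)   # fixed "today" for the sample


def to_filetime(dt):
    """datetime -> 100 ns ticks since 1601-01-01 UTC, as AD stores logon times."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def from_filetime(ticks):
    """Ticks -> datetime; AD holds 0 (or no value) for an account never used."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks else None


def days_ago(n):
    return NOW - timedelta(days=n)


def in_deprov_ou(user):
    return user["dn"].lower().endswith("," + DEPROV_OU.lower())


def is_disabled(user):
    return bool(user["userAccountControl"] & UF_ACCOUNTDISABLE)


def last_activity(user):
    """Newest logon evidence. lastLogon is kept per DC and is not replicated,
    so every DC's value is considered next to the replicated
    lastLogonTimestamp; whenChanged is the fallback when neither is set."""
    stamps = [user.get("lastLogonTimestamp", 0)]
    stamps += list(user.get("lastLogon", {}).values())
    return from_filetime(max(stamps)) or user["whenChanged"]


def step3_to_disable(users):
    """Step (3): accounts moved to the OU that are still enabled."""
    return [u["sam"] for u in users if in_deprov_ou(u) and not is_disabled(u)]


def step4_to_archive(users, now, inactive_days=90):
    """Step (4): disabled accounts in the OU, unused for the inactive period."""
    cutoff = now - timedelta(days=inactive_days)
    return [u["sam"] for u in users
            if in_deprov_ou(u) and is_disabled(u) and last_activity(u) <= cutoff]


def step5_to_delete(archives, now, retention_days=60):
    """Step (5): archive folders created before now minus the retention period."""
    cutoff = now - timedelta(days=retention_days)
    return [name for name, created in archives.items() if created < cutoff]


# Constructed sample records (not taken from any real directory).
USERS = [
    {"sam": "alice", "dn": "CN=Alice," + DEPROV_OU, "userAccountControl": 0x0200,
     "lastLogonTimestamp": to_filetime(days_ago(3)), "whenChanged": days_ago(1)},
    {"sam": "bob", "dn": "CN=Bob," + DEPROV_OU, "userAccountControl": 0x0202,
     "lastLogonTimestamp": to_filetime(days_ago(120)),
     "lastLogon": {"DC1": to_filetime(days_ago(125))}, "whenChanged": days_ago(100)},
    # W2K-style record: no lastLogonTimestamp, and only DC2 saw the recent logon
    {"sam": "carol", "dn": "CN=Carol," + DEPROV_OU, "userAccountControl": 0x0202,
     "lastLogon": {"DC1": to_filetime(days_ago(130)),
                   "DC2": to_filetime(days_ago(20))},
     "whenChanged": days_ago(15)},
    {"sam": "dave", "dn": "CN=Dave," + DEPROV_OU, "userAccountControl": 0x0202,
     "whenChanged": days_ago(95)},
    {"sam": "erin", "dn": "CN=Erin,OU=Staff,DC=example,DC=com",
     "userAccountControl": 0x0202,
     "lastLogonTimestamp": to_filetime(days_ago(400)), "whenChanged": days_ago(300)},
]
ARCHIVES = {"bob": days_ago(61), "frank": days_ago(60), "gina": days_ago(5)}

if __name__ == "__main__":
    print("disable:", step3_to_disable(USERS))
    print("archive:", step4_to_archive(USERS, NOW))
    print("delete archive folders:", step5_to_delete(ARCHIVES, NOW))
```

Reading `lastLogon` from DC1 alone would have archived carol, who logged on against DC2 twenty days earlier.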

Re: [ActiveDir] Distribute file to all desktop

2005-11-09 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Forgive me if I'm reading this wrong? Are you asking to deploy an 
executable file to all so that they can run the file? Do they then need 
local admin rights and have to trust the source of this survey?


Isn't that a bit contrary to teaching anti-social engineering practices?

In my office all .exe, .zips etc. type of files are blocked being sent 
via email and our acceptable use policy states that only certain people 
can install software or executables even on desktops.


Does this violate your security policy?

Sorry for the kinda dumb question.


Tashildar, Dinesh (Cognizant) wrote:


It’s a simple exe.

Regards,
Dinesh Tashildar
Ext:182 | Vnet 21182  Change in number




RE: [ActiveDir] Distribute file to all desktop

2005-11-09 Thread Alain Lissoir

Have a look at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/58846816-8fda-4083-9345-922c362b6ba6.mspx

However, I don't remember for sure if it is possible to start the app once it
is installed. One here will certainly confirm this or not.

/Alain


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tashildar, Dinesh (Cognizant)
Sent: Wednesday, November 09, 2005 10:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Distribute file to all desktop

It's a simple exe.

Regards,
Dinesh Tashildar
Ext:182 | Vnet 21182  Change in number

From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Alain 
LissoirSent: Thursday, 
November 10, 2005 12:23 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Distribute file to 
all desktop


Is this a large app or 
a simple .exe? Pushing via GPO?




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Tashildar, Dinesh (Cognizant)Sent: Wednesday, November 09, 2005 10:46 
PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Distribute file to 
all desktop
James,
Thanks for 
inputs I didnt get you, what do you mean by have it initialize and advise 
when the user took the survey ? 
I am thinking 
to push this survey in two ways
1. Push it 
through SMS  Only problem I can think, if sms client is not installed on client 
desktop then he/she will get survey. I dont want to add SMS client dependency 
on it.
2. Login 
script would be a good option but survey will run only in case of user log in to 
desktop.

I am looking 
for similar way (tool or script) like SMS but it does not have client 
dependency.

We wanted to 
make this survey mandatory to all users, if we send mail and ask users to go and 
run it from specified location then few users might not open survey as 
well.

Regards,Dinesh 
TashildarExt:182 | Vnet 
21182 
 Change 
in number 





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Blair, 
JamesSent: Thursday, November 
10, 2005 11:06 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Distribute file to 
all desktop

Dinesh,



You could do it through 
AD and roll out a login script.If it were me I wouldrather get the 
*.exe put on a network share, have it initialise and advise when the user "took" 
the survey...Batch file could look somethinglike 
this:



CLS@echo 
offTITLE Company Surveyif not exist c:\ScriptFlag md c:\ScriptFlagif 
exist \\%Server%\%Share%\%UserName%.flag 
goto :eof\\%Server%\%Share%\*.exeecho 
%date% %time% %UserName%  c:\ScriptFlag\%UserName%.flagCopy 
c:\ScriptFlag\%UserName%.flag \\%Server%\%Share%\EXIT

You would of course 
replace %Sever% and %Share% to suit.





James






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tashildar, Dinesh (Cognizant)
Sent: Thursday, November 10, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Distribute file to all desktop

Hi,

Our company is company with one survey which in the exe format. We
wanted to push this exe to desktops which are connected to our
corporate network. Anyone aware of way to do this in Windows
environment? Any freeware tools?

Regards,
Dinesh Tashildar
Cognizant Technology Solutions India Pvt. Ltd.
Tel : 91-20-56062600 Extn : 182   Change in number
Vnet : 21182   Change in number

  
  

This e-mail and any files transmitted with it are for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy all copies of the original message.
Any unauthorised review, use, disclosure, dissemination, forwarding,
printing or copying of this email or any action taken in reliance on
this e-mail is strictly prohibited and may be unlawful.

Visit us at http://www.cognizant.com


  
  


RE: [ActiveDir] Distribute file to all desktop

2005-11-09 Thread Tashildar, Dinesh (Cognizant)

Susan,
This survey is written in VB and converted into exe format. Once I push
this exe on all desktop it will display few questions which objective
answers.

Regards,
Dinesh Tashildar
Ext:182 | Vnet 21182   Change in number
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, November 10, 2005 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Distribute file to all desktop

Forgive me if I'm reading this wrong? Are you asking to deploy an
executable file to all so that they can run the file? Do they then need
local admin rights and have to trust the source of this survey?

Isn't that a bit contrary to teaching anti-social engineering practices?

In my office all .exe, .zips etc. type of files are blocked being sent
via email and our acceptable use policy states that only certain people
can install software or executables even on desktops.

Does this violate your security policy?

Sorry for the kinda dumb question.


Tashildar, Dinesh (Cognizant) wrote:

 It's a simple exe.

 Regards,
 Dinesh Tashildar
 Ext:182 | Vnet 21182   Change in number

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Alain Lissoir
 *Sent:* Thursday, November 10, 2005 12:23 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Distribute file to all desktop

 Is this a large app or a simple .exe? Pushing via GPO?




 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Tashildar,
 Dinesh (Cognizant)
 *Sent:* Wednesday, November 09, 2005 10:46 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Distribute file to all desktop

 James,

 Thanks for inputs... I didn't get you, what do you mean by have it
 initialize and advise when the user took the survey ?

 I am thinking to push this survey in two ways

 1. Push it through SMS - Only problem I can think, if sms client is
 not installed on client desktop then he/she will get survey. I don't
 want to add SMS client dependency on it.

 2. Login script would be a good option but survey will run only in
 case of user log in to desktop.

 I am looking for similar way (tool or script) like SMS but it does not
 have client dependency.

 We wanted to make this survey mandatory to all users, if we send mail
 and ask users to go and run it from specified location then few users
 might not open survey as well.

 Regards,
 Dinesh Tashildar
 Ext:182 | Vnet 21182   Change in number




 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Blair, James
 *Sent:* Thursday, November 10, 2005 11:06 AM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Distribute file to all desktop

 Dinesh,

 You could do it through AD and roll out a login script. If it were me
 I would rather get the *.exe put on a network share, have it
 initialise and advise when the user took the survey... Batch file
 could look something like this:

 CLS
 @echo off
 TITLE Company Survey
 if not exist c:\ScriptFlag md c:\ScriptFlag
 if exist \\%Server%\%Share%\%UserName%.flag goto :eof
 \\%Server%\%Share%\*.exe
 echo %date% %time% %UserName% > c:\ScriptFlag\%UserName%.flag
 Copy c:\ScriptFlag\%UserName%.flag \\%Server%\%Share%\
 EXIT

 You would of course replace %Server% and %Share% to suit.

 James




 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Tashildar,
 Dinesh (Cognizant)
 *Sent:* Thursday, November 10, 2005 3:08 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* [ActiveDir] Distribute file to all desktop

 Hi,

 Our company is company with one survey which in the exe format. We
 wanted to push this exe to desktops which are connected to our
 corporate network. Anyone aware of way to do this in Windows
 environment? Any freeware tools?

 Regards,
 Dinesh Tashildar
 Cognizant Technology Solutions India Pvt. Ltd.
 Tel : 91-20-56062600 Extn : 182   Change in number
 Vnet : 21182   Change in number


 

RE: [ActiveDir] Distribute file to all desktop

2005-11-09 Thread Blair, James




Dinesh,

Dinesh: Thanks for inputs... I didn't get you, what do you mean by have
it initialize and advise when the user took the survey ?
James: If you take a look at the batch file once the *.exe is initiated
it puts the date, time and username to a file and transfers that info
to a server.

Dinesh: 2. Login script would be a good option but survey will run only
in case of user log in to desktop.
James: Not sure on your workstation setup here do your users not have
to log in? The way the batch file is set up if a user has initiated the
*.exe then he/she will not receive it again.

James


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tashildar, Dinesh (Cognizant)
Sent: Thursday, November 10, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Distribute file to all desktop

James,

Thanks for inputs... I didn't get you, what do you mean by have it
initialize and advise when the user took the survey ?

I am thinking to push this survey in two ways

1. Push it through SMS - Only problem I can think, if sms client is
not installed on client desktop then he/she will get survey. I don't
want to add SMS client dependency on it.

2. Login script would be a good option but survey will run only in
case of user log in to desktop.

I am looking for similar way (tool or script) like SMS but it does not
have client dependency.

We wanted to make this survey mandatory to all users, if we send mail
and ask users to go and run it from specified location then few users
might not open survey as well.

Regards,
Dinesh Tashildar
Ext:182 | Vnet 21182   Change in number





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James
Sent: Thursday, November 10, 2005 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Distribute file to all desktop

Dinesh,

You could do it through AD and roll out a login script. If it were me
I would rather get the *.exe put on a network share, have it
initialise and advise when the user "took" the survey... Batch file
could look something like this:

CLS
@echo off
TITLE Company Survey
if not exist c:\ScriptFlag md c:\ScriptFlag
if exist \\%Server%\%Share%\%UserName%.flag goto :eof
\\%Server%\%Share%\*.exe
echo %date% %time% %UserName% > c:\ScriptFlag\%UserName%.flag
Copy c:\ScriptFlag\%UserName%.flag \\%Server%\%Share%\
EXIT

You would of course replace %Server% and %Share% to suit.

James






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tashildar, Dinesh (Cognizant)
Sent: Thursday, November 10, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Distribute file to all desktop

Hi,

Our company is company with one survey which in the exe format. We
wanted to push this exe to desktops which are connected to our
corporate network. Anyone aware of way to do this in Windows
environment? Any freeware tools?

Regards,
Dinesh Tashildar
Cognizant Technology Solutions India Pvt. Ltd.
Tel : 91-20-56062600 Extn : 182   Change in number
Vnet : 21182   Change in number

  
  



Re: [ActiveDir] Distribute file to all desktop

2005-11-09 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

...yeah...but... that's how viruses deploy too right?

Put yourself in the role of the stupid end user.  How does this look and 
act to an end user?  How easily can it be duplicated and used for social 
engineering purposes?


A recent FBI bulletin indicated that there are two increases of database 
theft... one based on database hacking...one on social engineering.


What procedures are you putting in place for this survey to ensure that 
your employees can trust the source of this file, know that it came from 
you, and is doing only what it's supposed to do?


My goal in my office is to train paranoid end users.  They are my best 
security device I've got.





Tashildar, Dinesh (Cognizant) wrote:


Susan,
This survey is written in VB and converted into exe format. Once I push
this exe on all desktop it will display few questions which objective
answers.

Regards,
Dinesh Tashildar
Ext:182 | Vnet 21182   Change in number
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, November 10, 2005 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Distribute file to all desktop

Forgive me if I'm reading this wrong? Are you asking to deploy an
executable file to all so that they can run the file? Do they then need
local admin rights and have to trust the source of this survey?

Isn't that a bit contrary to teaching anti-social engineering practices?

In my office all .exe, .zips etc. type of files are blocked being sent
via email and our acceptable use policy states that only certain people
can install software or executables even on desktops.

Does this violate your security policy?

Sorry for the kinda dumb question.


Tashildar, Dinesh (Cognizant) wrote:

It's a simple exe.

Regards,
Dinesh Tashildar
Ext:182 | Vnet 21182   Change in number

*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Alain Lissoir
*Sent:* Thursday, November 10, 2005 12:23 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Distribute file to all desktop

Is this a large app or a simple .exe? Pushing via GPO?

*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Tashildar, Dinesh (Cognizant)
*Sent:* Wednesday, November 09, 2005 10:46 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Distribute file to all desktop

James,

Thanks for inputs... I didn't get you, what do you mean by have it
initialize and advise when the user took the survey ?

I am thinking to push this survey in two ways

1. Push it through SMS - Only problem I can think, if sms client is
not installed on client desktop then he/she will get survey. I don't
want to add SMS client dependency on it.

2. Login script would be a good option but survey will run only in
case of user log in to desktop.

I am looking for similar way (tool or script) like SMS but it does not
have client dependency.

We wanted to make this survey mandatory to all users, if we send mail
and ask users to go and run it from specified location then few users
might not open survey as well.

Regards,
Dinesh Tashildar
Ext:182 | Vnet 21182   Change in number

*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Blair, James
*Sent:* Thursday, November 10, 2005 11:06 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Distribute file to all desktop

Dinesh,

You could do it through AD and roll out a login script. If it were me
I would rather get the *.exe put on a network share, have it
initialise and advise when the user took the survey... Batch file
could look something like this:

CLS
@echo off
TITLE Company Survey
if not exist c:\ScriptFlag md c:\ScriptFlag
if exist \\%Server%\%Share%\%UserName%.flag goto :eof
\\%Server%\%Share%\*.exe
echo %date% %time% %UserName% > c:\ScriptFlag\%UserName%.flag
Copy c:\ScriptFlag\%UserName%.flag \\%Server%\%Share%\
EXIT

You would of course replace %Server% and %Share% to suit.

James

*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Tashildar, Dinesh (Cognizant)
*Sent:* Thursday, November 10, 2005 3:08 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Distribute file to all desktop

Hi,

Our
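
[Added example, not part of any message in this thread.] One way to answer the question raised above (how employees can trust that the file came from the company and is the approved build) while keeping the logon-script and per-user flag idea from the batch file. The share paths, the certificate thumbprint and the hash are placeholders assumed for illustration, and the script assumes the survey executable has been Authenticode-signed with a company code-signing certificate.

```powershell
# Added example: logon script that runs the survey only after verifying it.
# Every path and value below is a constructed placeholder, not from the thread.
$Source       = '\\SERVER\SHARE\Survey.exe'     # hypothetical read-only share
$FlagShare    = '\\SERVER\FLAGS'                # hypothetical share for completion flags
$SignerThumb  = '<SIGNING-CERT-THUMBPRINT>'     # placeholder: company code-signing cert
$ApprovedHash = '<SHA256-OF-APPROVED-BUILD>'    # placeholder: hash of the reviewed build

function Test-ApprovedBinary {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Sha256
    )
    # 1. The Authenticode signature must be intact and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return $false }
    # 2. It must be signed by our certificate, not merely by some trusted publisher.
    if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) { return $false }
    # 3. It must be the exact build that was reviewed and approved.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return ($hash -eq $Sha256)
}

function Invoke-Survey {
    $flag = Join-Path $FlagShare "$env:USERNAME.flag"
    if (Test-Path -LiteralPath $flag) { return 'already-taken' }

    # Copy first, then verify and run the local copy, so the file that was
    # checked is the file that executes even if the share changes meanwhile.
    $work  = Join-Path $env:TEMP ('survey-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $work | Out-Null
    $local = Join-Path $work 'Survey.exe'
    try {
        Copy-Item -LiteralPath $Source -Destination $local -ErrorAction Stop
        $ok = Test-ApprovedBinary -Path $local -Thumbprint $SignerThumb -Sha256 $ApprovedHash
        if (-not $ok) {
            return 'rejected'   # unsigned, wrong signer, or modified: do not run
        }
        Start-Process -FilePath $local -Wait
        # Same record as the batch file's flag: date, time and user name.
        "$(Get-Date -Format s) $env:USERNAME" | Set-Content -LiteralPath $flag
        return 'completed'
    }
    finally {
        Remove-Item -LiteralPath $work -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Invoke-Survey
```

Because the flag name is derived from the user name, the flag share should let users create files but not overwrite or delete existing ones.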

RE: [ActiveDir] Distribute file to all desktop

2005-11-09 Thread Blair, James

Dinesh,

Sheepishly I have to agree with Susan here, I only used the login script
for new users in a PowerPoint presentation. To get to middle ground what
about making it a web survey and rolling out the URL through group
policy as a favourite or default home page. At the end of the survey get
them to put in their name and transfer the details to a database or have
them print out the last page, sign it and forward to their
supervisor... On a personal note the word mandatory in a survey irks
me...
 
James 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, November 10, 2005 5:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Distribute file to all desktop

...yeah...but... that's how viruses deploy too right?

Put yourself in the role of the stupid end user.  How does this look and
act to an end user?  How easily can it be duplicated and used for social
engineering purposes?

A recent FBI bulletin indicated that there are two increases of database
theft... one based on database hacking...one on social engineering.

What procedures are you putting in place for this survey to ensure that
your employees can trust the source of this file, know that it came from
you, and is doing only what it's supposed to do?

My goal in my office is to train paranoid end users.  They are my best
security device I've got.




Tashildar, Dinesh (Cognizant) wrote:

Susan,
This survey is written in VB and converted into exe format. Once I push
this exe on all desktop it will display few questions which objective
answers.

Regards,
Dinesh Tashildar
Ext:182 | Vnet 21182   Change in number
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, November 10, 2005 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Distribute file to all desktop

Forgive me if I'm reading this wrong? Are you asking to deploy an
executable file to all so that they can run the file? Do they then need
local admin rights and have to trust the source of this survey?

Isn't that a bit contrary to teaching anti-social engineering
practices?

In my office all .exe, .zips etc. type of files are blocked being sent
via email and our acceptable use policy states that only certain people
can install software or executables even on desktops.

Does this violate your security policy?

Sorry for the kinda dumb question.


Tashildar, Dinesh (Cognizant) wrote:

It's a simple exe.

Regards,
Dinesh Tashildar
Ext:182 | Vnet 21182   Change in number

*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Alain Lissoir
*Sent:* Thursday, November 10, 2005 12:23 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Distribute file to all desktop

Is this a large app or a simple .exe? Pushing via GPO?

*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Tashildar, Dinesh (Cognizant)
*Sent:* Wednesday, November 09, 2005 10:46 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Distribute file to all desktop

James,

Thanks for inputs... I didn't get you, what do you mean by have it
initialize and advise when the user took the survey ?

I am thinking to push this survey in two ways

1. Push it through SMS - Only problem I can think, if sms client is
not installed on client desktop then he/she will get survey. I don't
want to add SMS client dependency on it.

2. Login script would be a good option but survey will run only in
case of user log in to desktop.

I am looking for similar way (tool or script) like SMS but it does not
have client dependency.

We wanted to make this survey mandatory to all users, if we send mail
and ask users to go and run it from specified location then few users
might not open survey as well.

Regards,
Dinesh Tashildar
Ext:182 | Vnet 21182   Change in number

*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Blair, James
*Sent:* Thursday, November 10, 2005 11:06 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Distribute file to all desktop

Dinesh,

You could do it through AD and roll out a login script. If it were me
I would rather get the *.exe put on a network share, have it
initialise and advise when the user took the survey... Batch file
could look something like this:

CLS
@echo off
TITLE Company Survey
if not exist c:\ScriptFlag md c:\ScriptFlag
if exist