[ActiveDir] Unresolved SIDs in ACL

2006-01-18 Thread neil.ruston

joe,

The script owner realised just after I posted that the 
domain name was constructed wrongly in the script :(

Sorry to waste your time.

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 17 January 2006 23:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unresolved SIDs in ACL

Do the SIDs at least have the Domain portion of the SID 
correct? How far off are they from the real SID of the 
groups?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, January 17, 2006 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unresolved SIDs in ACL

I have a script which creates a pre-defined OU structure, creates groups and sets permissions on the OUs using these groups. The script performs these steps in the order given.

I have 2 test environments and have executed the script in each.

In one environment (all w2k3 sp1 DCs, dfl and ffl=2), the script works fine and all OUs and ACEs/ACLs are correct.

In the other environment (also w2k3 sp1 DCs and dfl/ffl=2) the script works fine but all new ACEs are shown as SIDs when viewed through the ACL editor. Eventually, these unresolved SIDs are shown as 'account unknown'. I have used sidtoname (thanks joe!) and that shows that the SID cannot be resolved to a name (as expected, I guess).

I'm sure someone must have seen this strange behaviour before and has some suggestions. I would suspect the latter environment to be at blame, but it was only built very recently and is still pristine.

All suggestions very welcome.

Thanks, neil

___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.





RE: [ActiveDir] Migrate domain to separate forest

2006-01-18 Thread Larry Wahlers
Thanks for your reply, Gil.

You wrote:
 Just out of curiosity, why do they think they want their own forest?

Because they want to have their out-of-office replies go to the
internet, and our security policy won't let 'em do it because it affects
everybody else, too!

 In any case, there's no way that I'm aware of to carve off a 
 domain and
 make it a new forest root... I think you'll have to create the forest
 and migrate the users and resources.

That's what I thought.

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Multiple Password Policies

2006-01-18 Thread Carerros, Charles
I was just asked to look at this application that was recently released:
http://www.specopssoft.com/products/specopspasswordpolicy/Default.asp

It seems like someone did some good programming around the password filter dll concept and then tied it into security groups and GPOs.

Has anyone seen this application and what do you guys think about it?

Thanks,

Charlie




RE: [ActiveDir] Manage Your Server - Removing from Default User

2006-01-18 Thread Justin_Leney

Everyone, thanks for the replies. Appreciate
the help. 

Yes, we deploy new servers almost daily,
and we have developers and application administrators who log in to the
systems. 

That being said, I did not want them
to be able to configure server roles (among many other things...) Also
locked them out of C:\Windows\System32\mshta.exe


Thanks, 

Jbl

From: [EMAIL PROTECTED] (sent by [EMAIL PROTECTED])
Sent: 01/17/2006 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Manage Your Server - Removing from Default User

The padawan teaches the teacher :)

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren
Mar-Elia
Sent: 17 January 2006 17:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Manage Your Server - Removing from Default
User

Ha. Thanks Neil. And I wasted
a perfectly good 5 minutes creating a custom ADM because I didn't bother
to look under Computer Config


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, January 17, 2006 8:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Manage Your Server - Removing from Default
User

Imagine an environment where servers
are built on a daily basis - there is a need to stop the 'manage your server'
page from appearing on all servers.

It can be done as follows:
Computer config / admin templates
/ system / do not display manage your server at logon

neil 
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kelli Driesenga
Sent: 17 January 2006 16:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Manage Your Server - Removing from Default
User

why are you having multiple people
log into your server? We only allow Admin access and there are only
two people with that kind of access. 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, January 17, 2006 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Manage Your Server - Removing from Default
User


Kelli, thanks for the feedback.

Clicking the checkbox will only affect the currently logged in user.

Basically, I am looking around for something system-wide, so that everyone who logs in does not receive the Manage Your Server applet.

From: Kelli Driesenga [EMAIL PROTECTED] (sent by [EMAIL PROTECTED])
Sent: 01/17/2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Manage Your Server - Removing from Default User

there should be a checkbox in the lower left hand corner that will allow you to turn it off at startup


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, January 17, 2006 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Manage Your Server - Removing from Default User


Does anyone know how to stop the Manage Your Server applet
from popping up for new users who login to a Windows Server 2003 system?


I am digging thru the registry and not having much luck identifying which
key may control that setting. 

Thanks!

JBL 






This e-mail, and any attachment, is intended only for the person or entity
to which it is addressed and may contain confidential and/or privileged
material. Any review, re-transmission, copying, dissemination or other
use of this information by persons or entities other than the intended
recipient is prohibited. If you received this in error, please contact
the sender and delete the material from any computer. The contents of this
message may contain personal views which are not the views of Discovery
Communications, Inc. (DCI). 



RE: [ActiveDir] Multiple Password Policies

2006-01-18 Thread neil.ruston

I have not used or assessed a product like this, but I 
would guess that a client side GPO extension is required. This may not be 
feasible in certain environments.

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: 18 January 2006 13:58
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Multiple Password Policies

I was 
just asked to look at this application that was recently 
released:
 http://www.specopssoft.com/products/specopspasswordpolicy/Default.asp

It 
seems like someone did some good programming around the password filter dll 
concept and then tied it into security groups and GPOs. 


Has 
anyone seen this application and what do you guys think about 
it?

Thanks,

Charlie






RE: [ActiveDir] Manage Your Server - Removing from Default User

2006-01-18 Thread Rich Milburn

Ah Darren, you need the Make-or-Buy talk :) Funny that you could write one quicker than you could find it. I hope Longhorn Server includes the ability to search for a group policy setting the way Vista lets you search the Start menu; that would be nice.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, January 17, 2006 11:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Manage Your Server - Removing from Default User

Ha. Thanks Neil. And I wasted a perfectly good 5 minutes creating a custom ADM because I didn't bother to look under Computer Config










RE: [ActiveDir] Congrat Jorge !!!!!

2006-01-18 Thread Rich Milburn
Brian, when I need your help I'll ask :oP

Who would've thought there were TWO people from here on this list?? (I'll bet there are THREE hehe)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, January 16, 2006 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !

You guys go all the way to HR to fix this sort of issue? Investigate QOS and the rate-limit commands on your routers and switches. Really, just rate-limit his port to 128000 exceed-action drop. Will save the paperwork with HR. ;)

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenden Bryan
Sent: Monday, January 16, 2006 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !

Yeah, you'll be getting a call from HR to fix this issue.

_
Brenden C. Bryan
Sr. Network Analyst
ITG / Networks and Operations
Applebee's International Inc.
913.967.4194 / 816.309.2888
[EMAIL PROTECTED]
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, January 16, 2006 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !

Yes I had you confused with someone but I figured it out now. Hope you can make it to Redmond this year :)

Mostly it's the MSDN or TN+ subs that come through, though there can be a fair bit there. I think my network guys wish my MSDN shipment was bigger though, because I always top the list on bandwidth usage from downloading from MSDN :)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, January 13, 2006 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !

Thanks Rich

Are you talking about the summit? Nope... I have never been to Redmond.

For me this is the first MVP nomination and award! ;-)

I also heard from a Dutch friend of mine who is also MVP, to saw a bigger hole (letterbox) in the door so that the postman can shove all the stuff through it ;-)

jorge
From: [EMAIL PROTECTED] on behalf of Rich Milburn
Sent: Fri 2006-01-13 23:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !

Yes congrats Jorge - and all the others who made it for the first time or were renewed. Although I think I'm confused, Friday and all that, and too lazy to log in and check, but Jorge weren't you in Redmond last fall??

Yes you get a little card, and a pin (has anyone actually ever worn those pins in public?), and some other stuff. There is a lot of info at http://mvp.support.microsoft.com There is also a lot of content on http://mvps.org as well as other sites.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, January 13, 2006 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Congrat Jorge !

Just read jorge's blog @ http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx

Congrat jorge for your nomination as a MVP. :o)
Will u have a microsoft professional card as the MCP/MCSE one ?

Yann

---APPLEBEE'S
INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- 
PRIVILEGED /
CONFIDENTIAL INFORMATION may be contained in this message or any attachments.
This information is strictly confidential and may be subject to attorney-client
privilege. This message is intended only for the use of the named addressee. If
you are not the intended recipient of this message, unauthorized forwarding,
printing, copying, distribution, or using such information is strictly
prohibited and 

RE: [ActiveDir] Manage Your Server - Removing from Default User

2006-01-18 Thread joe

If you can write one faster than finding it, I say write away!


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Wednesday, January 18, 2006 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Manage Your Server - Removing from Default User

Ah Darren, you need the Make-or-Buy talk :) Funny that you could write one quicker than you could find it. I hope Longhorn Server includes the ability to search for a group policy setting the way Vista lets you search the Start menu; that would be nice.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous





RE: [ActiveDir] Multiple Password Policies

2006-01-18 Thread joe
Ditto what Neil said.

These are things you need to test very very very very very much. They are hooked into a very core part of your DCs. You want to really load a DC up and stress test the crap out of the tool to see how it handles things, and try to get as much technical detail as possible. Since it is sending rule info back to the clients, something will have to be on the clients, which bothers some people; this will be added software to clients as well as possibly servers. Also, how does it handle it if someone scripts a password change or uses something other than the standard Windows GUI to change a password? Do you care?



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple Password Policies

I have not used or assessed a product like this, but I 
would guess that a client side GPO extension is required. This may not be 
feasible in certain environments.

neil


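An added example for the point joe raises above; it is not from the thread and not Specops' code. Whatever a product does on the client to show users the rules, the enforcement half of anything built on the password filter DLL concept is a DLL listed under the LSA "Notification Packages" registry value on each DC. LSASS loads it at boot and hands it the cleartext of every password change the DC accepts, whether the change came from the Windows GUI, net user, or a script, which is why joe's scripted-change question answers itself: the client only decides what it sends, the DC-side filter decides whether it is taken. The PowerShell below (ActiveDirectory module and PowerShell remoting to the DCs assumed; the allowlist holds placeholder names for your own vetted packages) inventories those DLLs on every DC, records hash and Authenticode status, and flags anything not explicitly approved:

```powershell
# Added example: inventory LSA password filter / notification DLLs on all DCs.
# Assumes the ActiveDirectory module and PowerShell remoting to each DC.
Import-Module ActiveDirectory

# Windows registers scecli (and rassfm on DCs) itself; every other name is a
# third-party or custom filter and belongs on this list only after review.
# Placeholder values, adjust for your environment.
$AllowedPackages = @('scecli', 'rassfm')

function Get-DcPasswordFilters {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName,
        [string[]]$Allowed = $AllowedPackages
    )

    Invoke-Command -ComputerName $DomainController -ArgumentList (,$Allowed) -ScriptBlock {
        param([string[]]$Allowed)

        # REG_MULTI_SZ of DLL base names; LSASS loads %SystemRoot%\System32\<name>.dll at boot.
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        foreach ($name in @($lsa.'Notification Packages')) {
            if ([string]::IsNullOrWhiteSpace($name)) { continue }
            $dll    = Join-Path $env:SystemRoot ('System32\{0}.dll' -f $name)
            $exists = Test-Path -LiteralPath $dll
            $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $dll } else { $null }

            [pscustomobject]@{
                DC          = $env:COMPUTERNAME
                Package     = $name
                Path        = $dll
                Exists      = $exists
                SigStatus   = if ($sig) { $sig.Status.ToString() } else { 'missing' }
                Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Sha256      = if ($exists) { (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash } else { $null }
                Allowlisted = ($Allowed -contains $name)
            }
        }
    } | Select-Object DC, Package, Path, Exists, SigStatus, Signer, Sha256, Allowlisted
}

# Usage: anything unsigned, missing on disk, or not on the allowlist needs an
# explanation before the next password change hits that DC.
# Get-DcPasswordFilters |
#     Where-Object { -not $_.Allowlisted -or $_.SigStatus -ne 'Valid' -or -not $_.Exists } |
#     Format-Table -AutoSize
```

Two things worth doing with the output beyond the filter shown: compare the Sha256 column across DCs, since a vendor DLL that differs on one DC is either an unpatched box or a replaced binary, and keep the baseline from a known-good build so a later run can diff against it. Windows' own packages are catalog-signed rather than carrying an embedded signature, so expect Get-AuthenticodeSignature to report them as Valid only on releases that validate catalog signatures (Windows Server 2012 and later); treat a NotSigned result on an older DC as "check by hand", not as a finding.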


RE: [ActiveDir] Unresolved SIDs in ACL

2006-01-18 Thread joe
Ah. Kind of scary that the script created the ACEs at all, 
should have errored every time that you tried to apply a bad ACE. 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 7:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unresolved SIDs in ACL

joe,

The script owner realised just after I posted that the 
domain name was constructed wrongly in the script :(

Sorry to waste your time.

neil


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
joeSent: 17 January 2006 23:50To: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Unresolved SIDs 
in ACL

Do the SIDs at least have the Domain portion of the SID 
correct? How far off are they from the real SID of the 
groups?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
[EMAIL PROTECTED]Sent: Tuesday, January 17, 2006 10:55 
AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] 
Unresolved SIDs in ACL

I have a script, which creates a pre-defined OU 
structure, creates groups and permissions the OUs with these groups. The script 
performs these steps in the order given.
I have 2 test environments and have executed the 
script in each. 
In one environment (all w2k3 sp1 DCs, dfl and ffl=2), 
the script works fine and all OUs and ACEs/ACLs are correct. 
In the other environment (also w2k3 sp1 DCs and 
dfl/ffl=2) the script works fine but all new ACEs are shown as SIDs when viewed 
thru the ACL editor. Eventually, these unresolved SIDs are shown as 'account 
unknown'. I have used sidtoname (thanks joe!) and that shows that the SID cannot 
be resolved to a name (as expected, I guess).
I'm sure someone must have seen this strange 
behaviour before and has some suggestions. I would suspect the latter 
environment to be at blame, but it was only built very recently and is still 
pristine.
All suggestions very welcome. 
Thanks, neil 
___Neil RustonGlobal Technology 
InfrastructureNomura 
International plc


RE: [ActiveDir] ADPrep Version Questions

2006-01-18 Thread joe



Ah don't worry about it, I figured you were just 
disconnected there when I saw the first question at all. That is why I counted 
it out. :)




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Noah 
EigerSent: Tuesday, January 17, 2006 8:38 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] ADPrep Version 
Questions


Oh (blush)

Don't mind me. I'm just over here re-learning that whole tens, hundreds, thousands, etc thing. 

Ugh! (eyes roll skyward, head shakes)

;-)

Sorry for the wasted bandwidth.


From: joe [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 17, 
2006 5:27 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] ADPrep Version 
Questions

one thousand eight hundred and thirty is 
greater than one hundred ninety six. The SP1 version is the most recent and 
highest version of adprep. 

0
1
2
3
4
5
6
...
194
195
196
197
198
199
200
...
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
...

 joe




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Noah 
EigerSent: Tuesday, January 
17, 2006 7:12 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] ADPrep Version 
Questions
yes






From: joe [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 17, 
2006 3:48 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] ADPrep Version 
Questions

Are you asking if 1830 > 196 ?





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Noah 
EigerSent: Tuesday, January 
17, 2006 6:44 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] ADPrep Version 
Questions
Hi-

I am 
preparing to upgrade a W2k domain to W2k3. I want to use the latest version of 
ADPrep. I have found the following info and am 
confused:

For 
ADPrep on the following -
From 
Windows Server 2003 CD: 
 
5.2.3790.0 
July 22, 2004, 9:07:08 AM
from 
WindowsServer2003-KB889101-SP1-x86-ENU.exe: 
5.2.3790.1830 
November 07, 2005, 5:48:59 PM
listed 
in MSKB / Hotfix 324392  
 
 
5.2.3790.196 
July 23, 2004, 9:04

Am I 
reading that correctly: the one from SP1 is a lower version and later date than 
the one in the hotfix? Which one is the latest?

Thanks.

-- 
nme

--No 
virus found in this outgoing message.Checked by AVG Free 
Edition.Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 
1/16/2006



RE: [ActiveDir] Congrat Jorge !!!!!

2006-01-18 Thread Brian Desmond
Title: Congrat Jorge !

I'm here when you need me. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Wednesday, January 18, 2006 9:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !

Brian when I need your help I'll ask :op

Who would've thought there were TWO people from here on this list?? (I'll bet there are THREE hehe)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, January 16, 2006 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !

You guys go all the way to HR to fix this sort of issue? Investigate QOS and the rate-limit commands on your routers and switches. Really, just rate-limit his port to 128000 exceed-action drop. Will save the paperwork with HR. ;)

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenden Bryan
Sent: Monday, January 16, 2006 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !

Yeah, you'll be getting a call from HR to fix this issue.

_
Brenden C. Bryan
Sr. Network Analyst
ITG / Networks and Operations
Applebee's International Inc.
913.967.4194 / 816.309.2888
[EMAIL PROTECTED]


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, January 16, 2006 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !

Yes I had you confused with someone but I figured it out now. Hope you can make it to Redmond this year :) 

Mostly it's the MSDN or TN+ subs that come through, though there can be a fair bit there. I think my network guys wish my MSDN shipment was bigger though, because I always top the list on bandwidth usage from downloading from MSDN :)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, January 13, 2006 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !

Thanks Rich

Are you talking about the summit? Nope... I have never been to Redmond.

For me this is the first MVP nomination and award! ;-)

I also heard from a dutch friend of mine who is also MVP, to saw a bigger hole (letterbox) in the door so that the postman can shove all the stuff through it ;-)

jorge


From: [EMAIL PROTECTED] on behalf of Rich Milburn
Sent: Fri 2006-01-13 23:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !

Yes congrats Jorge - and all the others who made it for the first time or were renewed. Although I think I'm confused, Friday and all that, and too lazy to log in and check, but Jorge weren't you in Redmond last fall??

Yes you get a little card, and a pin (has anyone actually ever worn those pins in public?), and some other stuff. There is a lot of info at http://mvp.support.microsoft.com There is also a lot of content on http://mvps.org as well as other sites.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, January 13, 2006 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Congrat Jorge !

Just read jorge's blog @ http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx

Congrat jorge for your nomination as a MVP. :o)
Will u have a microsoft professional card as the MCP/MCSE one ?

Yann


---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- 
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This 

RE: [ActiveDir] Multiple Password Policies

2006-01-18 Thread Darren Mar-Elia
Title: Unresolved SIDs in ACL



I know these guys at Specopssoft and they have done some 
cool stuff with GP, but its not clear to me how this could be accomplished with 
just some CSEs. This seems like it would require some fiddling at the DCs as 
well. Maybe one of them is on this list and can elucidate us? 



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
[EMAIL PROTECTED]Sent: Wednesday, January 18, 2006 6:11 
AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] 
Multiple Password Policies

I have not used or assessed a product like this, but I 
would guess that a client side GPO extension is required. This may not be 
feasible in certain environments.

neil


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, 
CharlesSent: 18 January 2006 13:58To: 
'ActiveDir@mail.activedir.org'Subject: [ActiveDir] Multiple Password 
Policies

I was 
just asked to look at this application that was recently 
released:
 http://www.specopssoft.com/products/specopspasswordpolicy/Default.asp

It 
seems like someone did some good programming around the password filter dll 
concept and then tied it into security groups and GPOs. 


Has 
anyone seen this application and what do you guys think about 
it?

Thanks,

Charlie




RE: [ActiveDir] Multiple Password Policies

2006-01-18 Thread Carerros, Charles
Title: Unresolved SIDs in ACL



This company doesn't provide a large amount of 
documentation on how they are doing this password change but it seems like they 
are using the MS supported method. 

As for scripting password resets, I'm very concerned 
especially if this gets implemented I will need to see how it will function with 
test domains. 

I'm also not a big fan of putting an extra component on 
everyone's desktop (which you only have to do if you want the end-users to see 
an accurate password change error if one occurs).

I guess the first question I should have asked 
is:

 Has anyone used a password filter dll to create 
a custom password rule? And if so, have you seen any issues with 
it?

One thing that is interesting with this application, and 
something that I'm wary of, is that their GPO adm becomes a component of the 
Default Domain Policy (due to the domain password policy). I'm not a real big 
fan of modifying that policy.

Thanks for the input though, I would have overlooked the 
scripting testing component.

Charlie


From: joe [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 18, 2006 9:11 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Multiple 
Password Policies

Ditto what Neil said.

These are things you need to test very very very very very 
much. They are hooked into a very core part of your DCs. You want to really load 
a DC up and stress test the crap out of the tool to see how it handles things 
and try to get as much technical detail as possible. Since it is sending rule 
info back to the clients something will have to be on the clients, which bothers 
some people; this will be added software to clients as well as possibly servers. 
Also how does it handle it if someone scripts a password change or uses something 
other than the standard Windows GUI to change a password? Do you 
care?



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
[EMAIL PROTECTED]Sent: Wednesday, January 18, 2006 9:11 
AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] 
Multiple Password Policies

I have not used or assessed a product like this, but I 
would guess that a client side GPO extension is required. This may not be 
feasible in certain environments.

neil


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, 
CharlesSent: 18 January 2006 13:58To: 
'ActiveDir@mail.activedir.org'Subject: [ActiveDir] Multiple Password 
Policies

I was 
just asked to look at this application that was recently 
released:
 http://www.specopssoft.com/products/specopspasswordpolicy/Default.asp

It 
seems like someone did some good programming around the password filter dll 
concept and then tied it into security groups and GPOs. 


Has 
anyone seen this application and what do you guys think about 
it?

Thanks,

Charlie


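Charlie's question (has anyone written a custom rule on the password filter DLL model?) and joe's caveat about scripted password changes, worked through as an added example. This is not the Specops product's code and not a real filter DLL (a real one is a native DLL exporting PasswordFilter and must be registered on every DC); it is a Python model of the decision such a filter makes when several group-based policies can apply to one user. The group names, policies and precedence numbers are constructed for the demo.

```python
"""Per-group password rules of the kind a password filter DLL enforces on a
DC, with precedence when a user is in more than one group.

Added example, not code from the list or from the product discussed above.
Group names, policies and precedence numbers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    precedence: int            # lowest number wins for users in several groups
    min_length: int
    min_classes: int           # of lower / upper / digit / symbol
    banned_substrings: Sequence[str] = ()


# Domain-wide rules (what the Default Domain Policy would carry) and the
# constructed per-group overrides layered on top of them.
DEFAULT_POLICY = PasswordPolicy("Default Domain Policy", 1000, 8, 3)
GROUP_POLICIES: Dict[str, PasswordPolicy] = {
    "Domain Admins": PasswordPolicy("Privileged", 10, 15, 4),
    "Service Accounts": PasswordPolicy("Service", 20, 25, 3),
    "Contractors": PasswordPolicy("Contractor", 30, 12, 3,
                                  banned_substrings=("password", "welcome")),
}


def effective_policy(groups: Sequence[str]) -> PasswordPolicy:
    """Most specific (lowest precedence number) policy among the user's groups."""
    matches = [GROUP_POLICIES[g] for g in groups if g in GROUP_POLICIES]
    return min(matches, key=lambda p: p.precedence) if matches else DEFAULT_POLICY


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit, symbol appear in the password."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def password_filter(account: str, groups: Sequence[str],
                    new_password: str) -> Optional[str]:
    """Decision a PasswordFilter() export would return for one change:
    None to accept, otherwise the reason for rejection.  Because the check
    runs on the DC it also applies to scripted, LDAP and 'net user' changes,
    not only the Windows GUI, as long as the filter is on every DC."""
    policy = effective_policy(groups)
    lowered = new_password.lower()
    if len(new_password) < policy.min_length:
        return f"{policy.name}: at least {policy.min_length} characters required"
    if character_classes(new_password) < policy.min_classes:
        return f"{policy.name}: at least {policy.min_classes} character classes required"
    if account.lower() in lowered:
        return f"{policy.name}: password must not contain the account name"
    for banned in policy.banned_substrings:
        if banned in lowered:
            return f"{policy.name}: contains banned word {banned!r}"
    return None


if __name__ == "__main__":
    for who, groups, pw in [("jsmith", ["Domain Users"], "Tr0ub4dor&3"),
                            ("jsmith", ["Domain Admins"], "Tr0ub4dor&3"),
                            ("ctr01", ["Contractors"], "Welcome2006!!xx")]:
        print(who, groups, "->", password_filter(who, groups, pw) or "accepted")
```

The one design point worth carrying over to a real filter is the precedence number: a user in both Contractors and Domain Admins must get the stricter rule, and that ordering has to be explicit rather than "whichever group was listed first".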


RE: [ActiveDir] Manage Your Server - Removing from Default User

2006-01-18 Thread Darren Mar-Elia



That would be nice, but...no, I don't think search will be 
any better. I suppose you could consider it a step up that the "new" ADM file 
format will be XML. However I think in that case, the equation below would have 
been reversed. I don't know about you, but I'm much slower creating well-formed 
XML than I am hacking away in notepad...



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Rich 
MilburnSent: Wednesday, January 18, 2006 6:53 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Manage Your 
Server - Removing from Default User


Ah Darren, you need the Make-or-Buy talk :) Funny that you 
could write one quicker than you could find it. I hope Longhorn server 
includes the ability to search for a group policy setting the way Vista lets you 
search the start menu; that would be nice.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Darren 
Mar-EliaSent: Tuesday, January 
17, 2006 11:01 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Manage Your Server 
- Removing from Default User

Ha. Thanks Neil. And I 
wasted a perfectly good 5 minutes creating a custom ADM because I didn't bother 
to look under Computer Config




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of 
[EMAIL PROTECTED]Sent: Tuesday, January 17, 2006 8:45 
AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Manage Your Server 
- Removing from Default User
Imagine an environment 
where servers are built on a daily basis - there is a need to stop the 'manage 
your server' page from appearing on all servers.

It can be done as 
follows:
Computer config / admin 
templates / system / "do not display manage your server at 
logon"

neil 




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Kelli 
DriesengaSent: 17 January 2006 
16:19To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Manage Your Server 
- Removing from Default User
why are you having 
multiple people log into your server? We only allow Admin access and there 
are only two people with that kind of access. 





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of 
[EMAIL PROTECTED]Sent: Tuesday, January 17, 2006 11:06 
AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Manage Your Server 
- Removing from Default User
Kelli, thanks for the feedback. Clicking the checkbox will only 
affect the currently logged in user. Basically, I am 
looking around for something system-wide, so that everyone who logs in does not 
receive the "Manage Your Server" applet. 


  
  

"Kelli Driesenga" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/17/2006 10:50 AM
Please respond to ActiveDir@mail.activedir.org

To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Manage Your Server - Removing from Default User

there should be a 
checkbox in the lower left hand corner that will allow you to turn it off at 
startup 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, January 17, 2006 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Manage Your Server - Removing from Default User

Does anyone know how to stop the "Manage Your Server" applet from popping up for new users 
who login to a Windows Server 2003 system? I am digging thru the 
registry and not having much luck identifying which key may control that 
setting. Thanks!

JBL 

This e-mail, and any attachment, is intended only 
for the person or entity to which it is addressed and may contain confidential 
and/or privileged material. Any review, re-transmission, copying, dissemination 
or other use of this information by persons or entities other than the intended 
recipient is prohibited. If you received this in error, please contact the 
sender and delete the material from any computer. The contents of this message 
may contain personal views which are not the views of Discovery Communications, 
Inc. (DCI). 

RE: [ActiveDir] Unresolved SIDs in ACL

2006-01-18 Thread Rich Milburn
Title: Unresolved SIDs in ACL

Amazing what On Error Resume Next will do for you eh? 

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 9:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unresolved SIDs in ACL

Ah. Kind of scary that the script created the ACEs at all, should have errored every time that you tried to apply a bad ACE. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 7:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unresolved SIDs in ACL

joe,

The script owner realised just after I posted that the domain name was constructed wrongly in the script :(

Sorry to waste your time.

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 17 January 2006 23:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unresolved SIDs in ACL

Do the SIDs at least have the Domain portion of the SID correct? How far off are they from the real SID of the groups?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, January 17, 2006 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unresolved SIDs in ACL

I have a script, which creates a pre-defined OU structure, creates groups and permissions the OUs with these groups. The script performs these steps in the order given.

I have 2 test environments and have executed the script in each. 

In one environment (all w2k3 sp1 DCs, dfl and ffl=2), the script works fine and all OUs and ACEs/ACLs are correct. 

In the other environment (also w2k3 sp1 DCs and dfl/ffl=2) the script works fine but all new ACEs are shown as SIDs when viewed thru the ACL editor. Eventually, these unresolved SIDs are shown as 'account unknown'. I have used sidtoname (thanks joe!) and that shows that the SID cannot be resolved to a name (as expected, I guess).

I'm sure someone must have seen this strange behaviour before and has some suggestions. I would suspect the latter environment to be at blame, but it was only built very recently and is still pristine.

All suggestions very welcome. 

Thanks,

neil

___
Neil Ruston
Global Technology Infrastructure
Nomura International plc

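joe's diagnostic question (is at least the domain portion of the SID right?) and Rich's point about On Error Resume Next, worked through as an added example. This is not Neil's script or anything posted to the list. The domain SID, the ACE list and the SID-to-name table are constructed stand-ins for what LookupAccountSid, sidtoname or an AD query would return; the apply function shows the fail-fast behaviour joe expected, resolving every trustee before anything is written.

```python
"""Audit the trustee SIDs in an ACL against the expected domain SID and
refuse to write ACEs whose trustee does not resolve.

Added example, not code from the list.  DOMAIN_SID, KNOWN_ACCOUNTS and
SAMPLE_ACES are constructed; a real script would resolve through
LookupAccountSid or an AD lookup instead of a dictionary.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid: str) -> Tuple[int, List[int]]:
    """Split 'S-1-<authority>-<sub>-...' into (authority, [sub-authorities])."""
    if not _SID_RE.match(sid):
        raise ValueError(f"not a SID string: {sid!r}")
    parts = sid.split("-")
    return int(parts[2]), [int(p) for p in parts[3:]]


def domain_part(sid: str) -> Optional[str]:
    """Domain SID (everything except the RID) for an account SID of the form
    S-1-5-21-A-B-C-RID; None for BUILTIN and other well-known SIDs."""
    authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
    return None


def classify(sid: str, expected_domain: str) -> str:
    """joe's question: does the domain portion of the SID match the domain?"""
    dom = domain_part(sid)
    if dom is None:
        return "builtin-or-wellknown"
    return "same-domain" if dom == expected_domain else "foreign-domain"


@dataclass(frozen=True)
class Ace:
    trustee_sid: str
    rights: str  # kept symbolic; the trustee is the point here, not the mask


class UnresolvedTrustee(Exception):
    """Raised instead of writing an ACE for a SID that no account owns."""


Resolver = Callable[[str], Optional[str]]

# --- constructed test data ------------------------------------------------
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
KNOWN_ACCOUNTS: Dict[str, str] = {  # stand-in for LookupAccountSid / sidtoname
    "S-1-5-21-1111-2222-3333-1105": "CORP\\OU-Admins",
    "S-1-5-21-1111-2222-3333-1106": "CORP\\OU-Helpdesk",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}
SAMPLE_ACES = [
    Ace("S-1-5-21-1111-2222-3333-1105", "GenericAll"),
    Ace("S-1-5-32-544", "GenericAll"),
    # the shape of a group SID, but under a domain that does not exist here
    Ace("S-1-5-21-9999-8888-7777-1105", "GenericRead"),
]


def resolve(sid: str) -> Optional[str]:
    return KNOWN_ACCOUNTS.get(sid)


def audit_acl(aces: Sequence[Ace], expected_domain: str,
              resolver: Resolver = resolve) -> Dict[str, Tuple[str, Optional[str]]]:
    """For each trustee: (domain classification, resolved name or None).
    Run this over an ACL that already shows 'account unknown' entries."""
    return {a.trustee_sid: (classify(a.trustee_sid, expected_domain),
                            resolver(a.trustee_sid)) for a in aces}


def apply_aces(ou_dn: str, aces: Sequence[Ace], resolver: Resolver = resolve,
               expected_domain: str = DOMAIN_SID) -> List[Tuple[str, str]]:
    """Resolve every trustee before touching the ACL and stop on the first
    failure, rather than letting an On Error Resume Next style script write
    a half-bad ACL.  Returns the (account, rights) pairs that would be set."""
    planned: List[Tuple[str, str]] = []
    for ace in aces:
        name = resolver(ace.trustee_sid)
        if name is None:
            kind = classify(ace.trustee_sid, expected_domain)
            raise UnresolvedTrustee(
                f"{ou_dn}: {ace.trustee_sid} ({kind}) does not resolve; nothing written")
        planned.append((name, ace.rights))
    return planned  # a real script writes the ACL only after this loop succeeds


if __name__ == "__main__":
    for sid, (kind, name) in audit_acl(SAMPLE_ACES, DOMAIN_SID).items():
        print(f"{sid:40} {kind:22} {name or 'account unknown'}")
```

On the sample data the third ACE comes back as foreign-domain with no name, which is the pattern a wrongly built domain name in the script would produce: a well-formed SID whose domain portion is simply not this domain's.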

RE: [ActiveDir] ADPrep Version Questions

2006-01-18 Thread neil.ruston



It's a common source of confusion.

Ask a user if version 1.4.4 is newer or older than 1.4.3.4 :)

Some say "34>4 therefore the latter is newer", some say "4>3 therefore the former is newer".

neil

PS The purist in me would say that without a leading 0, the 196 below looks like 1 thousand 9 hundred and 60, and 1960>1830. It's all about justification, when dealing with the decimal notation :)


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
joeSent: 18 January 2006 15:13To: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] ADPrep Version 
Questions

Ah don't worry about it, I figured you were just 
disconnected there when I saw the first question at all. That is why I counted 
it out. :)




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Noah 
EigerSent: Tuesday, January 17, 2006 8:38 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] ADPrep Version 
Questions


Oh (blush)

Don't mind me. I'm just over here re-learning that whole tens, hundreds, thousands, etc thing. 

Ugh! (eyes roll skyward, head shakes)

;-)

Sorry for the wasted bandwidth.






From: joe [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 17, 
2006 5:27 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] ADPrep Version 
Questions

one thousand eight hundred and thirty is 
greater than one hundred ninety six. The SP1 version is the most recent and 
highest version of adprep. 

0
1
2
3
4
5
6
...
194
195
196
197
198
199
200
...
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
...

 joe




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Noah 
EigerSent: Tuesday, January 
17, 2006 7:12 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] ADPrep Version 
Questions
yes






From: joe [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 17, 
2006 3:48 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] ADPrep Version 
Questions

Are you asking if 1830 > 196 ?





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Noah 
EigerSent: Tuesday, January 
17, 2006 6:44 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] ADPrep Version 
Questions
Hi-

I am 
preparing to upgrade a W2k domain to W2k3. I want to use the latest version of 
ADPrep. I have found the following info and am 
confused:

For 
ADPrep on the following -
From 
Windows Server 2003 CD: 
 
5.2.3790.0 
July 22, 2004, 9:07:08 AM
from 
WindowsServer2003-KB889101-SP1-x86-ENU.exe: 
5.2.3790.1830 
November 07, 2005, 5:48:59 PM
listed 
in MSKB / Hotfix 324392  
 
 
5.2.3790.196 
July 23, 2004, 9:04

Am I 
reading that correctly: the one from SP1 is a lower version and later date than 
the one in the hotfix? Which one is the latest?

Thanks.

-- 
nme



Re: [ActiveDir] ADPrep Version Questions

2006-01-18 Thread Jeremy Olson
The version of adprep.exe that is included with R2 is 5.2.3790.2075

Jeremy

On 1/17/06, Noah Eiger [EMAIL PROTECTED] wrote:

Hi-

I am preparing to upgrade a W2k domain to W2k3. I want to use the latest version of ADPrep. I have found the following info and am confused:

For ADPrep on the following -

From Windows Server 2003 CD: 5.2.3790.0, July 22, 2004, 9:07:08 AM

from WindowsServer2003-KB889101-SP1-x86-ENU.exe: 5.2.3790.1830, November 07, 2005, 5:48:59 PM

listed in MSKB / Hotfix 324392: 5.2.3790.196, July 23, 2004, 9:04

Am I reading that correctly: the one from SP1 is a lower version and later date than the one in the hotfix? Which one is the "latest"?

Thanks.

--
nme

[ActiveDir] OT: Gauging AD experience

2006-01-18 Thread Douglas M. Long








I am trying to figure out how one gauges their AD experience. For example, I have designed, implemented and maintained an AD/Exchange environment of 5000 users with 1000 workstations from the ground up, alone. The environment is only 3 sites, with little complexity. I now work for a company maintaining a directory of about 150 users and 150 workstations. And the more local AD people I talk to, the more confident I am that I know quite a bit about AD compared to them (only talking about the people I have met, not generalizing the entire industry).

Although I am not a guru like some on this list, I would like to get myself to the place where I can say "yeah, I can design your 50,000 user / 15 site infrastructure." Or is that even possible? Is a project of that size several directory experts working together?

I honestly believe that I could perform such a task, but knowing that I would make some mistakes that a VERY experienced person would not.

So, I guess my question is:

How do I get to where I want to be? Consult? Try to get a job with the biggest company I can?

There may be no real answer, but I thought it was worth asking because I have been thinking about it for a couple of months and don't know where to start to move forward, and this is the only place I know that has people that I consider AD gurus (or gods even).


RE: [ActiveDir] ADPrep Version Questions

2006-01-18 Thread Noah Eiger








Oh just what I need: more of those number-things to confuse me ;-)

But seriously folks, would you recommend using this R2 version for the migration from W2k to W2k3? Yes, we plan to implement R2 on some machines in the domain.

-- nme

From: Jeremy Olson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADPrep Version Questions


RE: [ActiveDir] OT: Gauging AD experience

2006-01-18 Thread Brian Desmond








Consulting is the way to see the world (sometimes quite literally) and figure out what in particular you like most and are best at IMHO.

My biggest project, AD and Exchange for half million users, 80K devices, 650 sites, 70 DCs is really two people running it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, January 18, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Gauging AD experience






[ActiveDir] Move AD from one SBS Server to another?

2006-01-18 Thread Dan Tesch

I have a friend that has an SBS 2003 Server running in his business.
The server was installed from an eval. disk and then someone used some kind
of hack on it to get it to not expire. The server now cannot be updated to
the latest service packs, etc. and has other problems.

I was asked to help out with the situation and there is now a legit.
SBS Server running but all of the AD info is on the old machine and all of
the users log into the old domain - I need to come up with a solution if one
exists to transfer the domain to the new server so that all of the users
don't lose their desktop settings, etc.

I am familiar with using DCPROMO and my thought is to DCPROMO the new server
- join it to the existing domain and then DCPROMO it back to a domain
controller - problem is, I have seen problems with SBS Servers before and
the failing that can occur with the SBCORE service
- looking for possible solutions?


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Multiple Password Policies

2006-01-18 Thread Thorbjörn Sjövold

Darren, you are correct, as usual when it is anything related to GP :)

No, this is not possible to perform using only CSEs. Specops Password Policy uses a Password Filter, as Joe implicitly stated in another post regarding this. I'll keep this post as short as possible and keep sales stuff out, and also try to give some behind-the-scenes info on how password policies are evaluated in AD. If anyone wants more info, just contact me, but I am normally trying to not post product info in new letters, since I know how annoyed I become when I see that myself...

What happens when a user changes his/her password is that the Domain Controller that the user has a session with (actually this is not always true, it can be another DC sometimes, but it does not really matter) evaluates the password by passing it through one or more so-called Password Filters, to ensure that it meets the requirements of the Security Policy set by the organization. This is actually what happens when using the out-of-the-box domain password policy for AD: you configure it using GP and then it is evaluated using the Password Filter supplied by Microsoft. So what Specops Password Policy adds is a new Password Filter that is evaluated when a user changes the password, in conjunction with the built-in filter, but with, for example, the possibility to have more than one rule.

The way password filters work, it does not matter whether the change is made interactively, using a script, OWA, etc.; all changes have to go through the DC, and all installed Password Filters. So this means that there are no ways around the filters.

For anyone of you that wants to really dig into password filters, here is all the info you'll ever need about them:
http://msdn.microsoft.com/library/default.asp?url=""

Best,
Thorbjörn Sjövold
Special Operation Software


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, January 18, 2006 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple Password Policies

I know these guys at Specopssoft and they have done some cool stuff with GP, but it's not clear to me how this could be accomplished with just some CSEs. This seems like it would require some fiddling at the DCs as well. Maybe one of them is on this list and can elucidate us?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 6:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple Password Policies

I have not used or assessed a product like this, but I would guess that a client side GPO extension is required. This may not be feasible in certain environments.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: 18 January 2006 13:58
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Multiple Password Policies

I was just asked to look at this application that was recently released:
http://www.specopssoft.com/products/specopspasswordpolicy/Default.asp

It seems like someone did some good programming around the password filter dll concept and then tied it into security groups and GPOs.

Has anyone seen this application and what do you guys think about it?

Thanks,

Charlie
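
Thorbjörn's description above, of the DC handing every new password to each registered Password Filter and letting the filter's verdict gate the change, is what a filter DLL looks like in code. The block below is an added example, not Specops or Microsoft code: the three exported entry points are the LSA's documented interface, while the rule thresholds (`MIN_LENGTH`, three character classes, no embedded account name) and the `filter_check_ascii` test helper are assumptions of this example.

```c
/* Added example (not Specops or Microsoft code): a minimal LSA password filter DLL.
 * On Windows it is built as a DLL and its name is added to the LSA "Notification
 * Packages" value; the DC then calls PasswordFilter() on every password set or
 * change and rejects the change when it returns FALSE. Elsewhere the Windows
 * types are stubbed so the rule logic compiles and can be unit-tested as plain C. */
#include <stdio.h>
#ifdef _WIN32
#  include <windows.h>
#  include <ntsecapi.h>
#  define EXPORT __declspec(dllexport)
#else
#  include <stdint.h>
typedef uint16_t WCHAR;                       /* UTF-16 code unit, as on Windows */
typedef unsigned char BOOLEAN; typedef unsigned long ULONG; typedef long NTSTATUS;
typedef struct { unsigned short Length, MaximumLength; WCHAR *Buffer; }
        UNICODE_STRING, *PUNICODE_STRING;     /* Length is in BYTES; not NUL-terminated */
#  define NTAPI
#  define EXPORT
#  define TRUE  1
#  define FALSE 0
#endif
#define MIN_LENGTH 12                         /* assumed policy value */

static WCHAR to_lower(WCHAR c) { return (c >= 'A' && c <= 'Z') ? (WCHAR)(c + 32) : c; }

/* 1 if needle occurs in hay ignoring ASCII case; an empty needle never matches. */
static int contains_nocase(const WCHAR *hay, size_t hlen, const WCHAR *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++) {
        size_t j = 0;
        while (j < nlen && to_lower(hay[i + j]) == to_lower(needle[j])) j++;
        if (j == nlen) return 1;
    }
    return 0;
}

/* The rule: minimum length, three of four character classes, and an account
 * name of 3+ characters must not appear inside the password. */
static int password_meets_policy(const WCHAR *pw, size_t pwlen, const WCHAR *acct, size_t alen)
{
    int upper = 0, lower = 0, digit = 0, other = 0;
    if (pwlen < MIN_LENGTH) return 0;
    for (size_t i = 0; i < pwlen; i++) {
        WCHAR c = pw[i];
        if (c >= 'A' && c <= 'Z')      upper = 1;
        else if (c >= 'a' && c <= 'z') lower = 1;
        else if (c >= '0' && c <= '9') digit = 1;
        else                           other = 1;
    }
    if (upper + lower + digit + other < 3) return 0;
    if (alen >= 3 && contains_nocase(pw, pwlen, acct, alen)) return 0;
    return 1;
}

/* The three entry points the LSA resolves by name. */
EXPORT BOOLEAN NTAPI InitializeChangeNotify(void) { return TRUE; }   /* DLL loaded OK */

/* Runs before the change is committed; FALSE rejects it. SetOperation is TRUE
 * for an administrative reset and FALSE for a user-initiated change. */
EXPORT BOOLEAN NTAPI PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                                    PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    (void)FullName; (void)SetOperation;
    if (Password == NULL || Password->Buffer == NULL) return FALSE;
    size_t alen = AccountName ? AccountName->Length / sizeof(WCHAR) : 0;
    const WCHAR *acct = AccountName ? AccountName->Buffer : NULL;
    return password_meets_policy(Password->Buffer, Password->Length / sizeof(WCHAR),
                                 acct, alen) ? TRUE : FALSE;
}

/* Runs after the change is committed. NewPassword arrives in cleartext: a filter
 * must never log, store or forward it, only acknowledge with STATUS_SUCCESS (0). */
EXPORT NTSTATUS NTAPI PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId,
                                           PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return (NTSTATUS)0;
}

/* Assumed test helpers (not part of the LSA interface): widen ASCII strings into
 * UNICODE_STRINGs and call PasswordFilter as the LSA would for a user-initiated
 * change. filter_check_ascii returns 1 = accepted, 0 = rejected. */
static size_t widen(const char *s, WCHAR *out, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n]) { out[n] = (WCHAR)(unsigned char)s[n]; n++; }
    return n;
}
int filter_check_ascii(const char *account, const char *password)
{
    WCHAR abuf[256], pbuf[256];
    UNICODE_STRING acct = {0, 0, abuf}, pw = {0, 0, pbuf};
    acct.Length = acct.MaximumLength = (unsigned short)(widen(account, abuf, 256) * sizeof(WCHAR));
    pw.Length = pw.MaximumLength = (unsigned short)(widen(password, pbuf, 256) * sizeof(WCHAR));
    return PasswordFilter(&acct, NULL, &pw, FALSE) == TRUE;
}
```

Only the three exported functions are reached in a real deployment; `filter_check_ascii` exists so the rule can be exercised without a domain controller.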



[ActiveDir] AD computer accounts being removed

2006-01-18 Thread Brenda Casey



Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do.

Has anyone else had this experience and how have you fixed it?

Thanks, 
Brenda


[ActiveDir] AD DNS in Windows delegation to Novell DNS

2006-01-18 Thread Chandra Burra
Hi Team,

Wanted to know what are the pros and cons of delegating the DNS zone created in Windows DNS for 2003 AD to Novell DNS, as the client wants to use Novell as the primary.

Regards,
Chandra Burra


RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Brian Desmond








Brenda-

I see the k12 email address (I run AD for Chicago Public Schools), first question I have to ask is do you have any lockdown software on these computers? DeepFreeze, Fortress, or similar? This will screw with and hose up computer password sync.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD computer accounts being removed






RE: [ActiveDir] Site link connection not created

2006-01-18 Thread Harding, Devon










Joe, you're exactly right, only I DO have the site link defined. Any other reason why it may not get created automatically?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 11, 2006 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site link connection not created

I think you mean connection objects aren't being created? If so, it is probably due to not having an enabled site link defined for the site tying it to some other site(s). At least that is the only time I have seen that happen.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, January 10, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site link connection not created

What would cause a site link connection from two sites not to automatically create? If I manually create the connection, the KCC updates with the correct info about other sites, but for some reason it's not automatically creating the connection. What ports are required for automatic creation?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

__
This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.


RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Gil Kirkpatrick



When you say "lose their account", do you mean the computer object in AD disappears? Or something else?

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD computer accounts being removed



RE: [ActiveDir] OT: Gauging AD experience

2006-01-18 Thread Robinson, Chuck








Internosis is now EMC Microsoft Practice.

Doug, contact me offline if you are considering this option.

[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

Hiring on with an IT services company that does large Windows projects would probably be the best way to develop the experience you're looking for. That way you get exposure to many different environments, requirements, people, and projects.

HP, Internosis, LogicaCMG, and Microsoft Consulting Services are some examples, and there are tens or hundreds of others.

Some smaller consulting companies like Oxford Computer Group focus on IdM projects and will sometimes get pulled into AD projects in an advisory capacity.

From a career standpoint, I would look more to the broader IdM technologies. AD expertise is rapidly becoming commoditized, and in larger enterprise environments, AD is but one component of the IdM and security infrastructure. Moving forward, MIIS and ADFS are going to take center stage in the Windows environment, and AD is going to be pushed more into the background. AD will still be a critical component, and there will always be a need for architects who can design large AD infrastructures. But AD won't be where the action is.

-gil


RE: [ActiveDir] AD DNS in Windows delegation to Novell DNS

2006-01-18 Thread Gil Kirkpatrick



I'm not familiar with Novell's DNS implementation... I assume it is based on BIND?

See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/73c0ae36-8058-43d1-8809-046eb03b73fb.mspx and http://www.microsoft.com/technet/archive/interopmigration/linux/mvc/cfgbind.mspx.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: Wednesday, January 18, 2006 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DNS in Windows delegation to Novell DNS



RE: [ActiveDir] OT: Gauging AD experience

2006-01-18 Thread Bernard, Aric








Gil's thoughts match with mine as well. AD is a critical infrastructure component and designing it properly is important. However, the real complexities of AD come into play as the ancillary systems leveraging the directory increase and as multiple directories need to be integrated in some fashion to support a great IdM need.

One of the things that I would encourage you to do is determine what your goals are. As Gil alluded to, if your goals are to be able to design large AD deployments, you may be locking yourself into an undesirable path. On the other hand, if you want to become an expert at managing, operating and diagnosing AD you will have a longer career life, but even that will become less important as the various tools improve; that said, working in this role will likely give you greater exposure to those ancillary systems.

In general I would encourage you to have a look at and understand Microsoft DSI and determine where in that mix your interest lies. Conceptually DSI is the way forward regardless of what you call it (Adaptive Enterprise, On Demand, etc.) or what technologies are supporting it (MS or non-MS). Finding a sweet spot in that mix will certainly prove to be valuable over the next 7-10 years. Also, you might look at the Microsoft Certified Architect program and understand its competencies and direction; I believe that this role in an organization is becoming more valuable and will continue to increase over the next couple of years.

Regards,

Aric Bernard

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 9:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience


RE: [ActiveDir] OT: Gauging AD experience

2006-01-18 Thread Gil Kirkpatrick



Yikes, I missed that one! When did that happen?

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robinson, Chuck
Sent: Wednesday, January 18, 2006 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience


RE: [ActiveDir] OT: Gauging AD experience

2006-01-18 Thread al_maurer








Avanade is another one, a joint venture between Microsoft and Accenture. Looking at the same question myself in the last couple of months, I've come to the same conclusion as Gil.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 11:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

Yikes, I missed that one! When did that
happen?



-g









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robinson, Chuck
Sent: Wednesday, January 18, 2006
11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:
Gauging AD experience

Internosis is now EMC Microsoft Practice.



Doug, contact me offline if you are
considering this option.



[EMAIL PROTECTED]











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006
12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:
Gauging AD experience





Hiring on with an IT services company that does large Windows projects would probably be the best way to develop the experience you're looking for. That way you get exposure to many different environments, requirements, people, and projects.

HP, Internosis, LogicaCMG, and Microsoft Consulting Services are some examples, and there are tens or hundreds of others.

Some smaller consulting companies like Oxford Computer Group focus on IdM projects and will sometimes get pulled into AD projects in an advisory capacity.

From a career standpoint, I would look more to the broader IdM technologies. AD expertise is rapidly becoming commoditized, and in larger enterprise environments, AD is but one component of the IdM and security infrastructure. Moving forward, MIIS and ADFS are going to take center stage in the Windows environment, and AD is going to be pushed more into the background. AD will still be a critical component, and there will always be a need for architects who can design large AD infrastructures. But AD won't be where the action is.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, January 18, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Gauging AD experience

I am trying to figure out how one gauges their AD experience. For example, I have designed, implemented and maintained an AD/Exchange environment of 5000 users with 1000 workstations from the ground up, alone. The environment is only 3 sites, with little complexity. I now work for a company maintaining a directory of about 150 users and 150 workstations. And the more local AD people I talk to, the more confident I am that I know quite a bit about AD compared to them (only talking about the people I have met, not generalizing the entire industry).

Although I am not a guru like some on this list, I would like to get myself to the place where I can say "yeah, I can design your 50,000 user / 15 site infrastructure." Or is that even possible? Is a project of that size several directory experts working together?

I honestly believe that I could perform such a task, but knowing that I would make some mistakes that a VERY experienced person would not.

So, I guess my question is:

How do I get to where I want to be? Consult? Try to get a job with the biggest company I can?

There may be no real answer, but I thought it was worth asking because I have been thinking about it for a couple of months and don't know where to start to move forward, and this is the only place I know that has people that I consider AD gurus (or gods even).

RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Brenda Casey

No, there is not any lockdown type of software on these machines.

Thanks,
Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda-

I see the k12 email address (I run AD for Chicago Public Schools), first question I have to ask is do you have any lockdown software on these computers? DeepFreeze, Fortress, or similar? This will screw with and hose up computer password sync.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD computer accounts being removed

Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do.

Has anyone else had this experience and how have you fixed it?

Thanks,
Brenda

RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Brenda Casey

Yes, their computer account in AD is actually gone.

Thanks,
Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

When you say "lose their account", do you mean the computer object in AD disappears? Or something else?

-g


RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Garyphold

Brenda,

FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some.

Gary

Gary Polvinale
Denton ATD



RE: [ActiveDir] OT: Gauging AD experience

2006-01-18 Thread Robinson, Chuck

Last week, http://www.emc.com/news/emc_releases/showRelease.jsp?id=3796











RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Crawford, Scott

I don't have any suggestions for why it's happening or how to prevent it, but I do have a tip for speeding up the rejoin process. I've never had a problem ignoring the reboot prompt after you remove it from the domain. So basically, I just add it to a workgroup, ignore the reboot prompt, add to the domain, then reboot. This saves you a reboot which is really what makes this so time consuming. Also, Dan Holme suggested just changing the name of the domain from its DNS name to its NetBIOS name. For example, if the domain box shows MICROSOFT, change it to Microsoft.com or vice-versa. This seems to trigger a domain rejoin without having to join the workgroup.









RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Navroz Shariff

Hi Gary,

Try looking at this article from MS regarding 'Resetting computer accounts in Windows 2000 and Windows XP'.
http://support.microsoft.com/kb/216393/EN-US/

Also, you join the computer to the domain and then change its name?
Do you reset the SIDs of the cloned workstation using GhostWalker or Sysprep?

-Nav





RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Brian Desmond

Gary-

Are you implying you don't sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132











RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Gil Kirkpatrick

You might enable auditing on the appropriate OU to find out who is doing the deleting. You need to enable AD auditing in the Domain Controllers group policy, and then add auditing entries on the security descriptor of the appropriate OU, e.g. CN=Computers, to track creation and deletion of Computer objects.


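An added example, not part of the thread: once the audit settings Gil describes are in place, the Security log carries the events that say who deleted which computer object. The Python below works over constructed sample records (not real log data) and uses the Windows Server 2008+ event IDs 4741, 4743 and 5141 rather than the 2003-era numbers; it summarises deletions per account, flags accounts outside an allowed list, and spots the delete-then-recreate pattern that Gary's cloned-machine scenario produces.

```python
"""Triage exported Security-log events for computer object deletions.

Assumptions (not from the thread): 2008+ event IDs; 4741 = computer account
created, 4743 = computer account deleted, 5141 = directory service object
deleted (5141 only appears once a SACL exists on the OU). SAMPLE_EVENTS is a
constructed export, not real data.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

COMPUTER_CREATED = 4741
COMPUTER_DELETED = 4743
DS_OBJECT_DELETED = 5141

# Constructed sample export: one dict per event, the fields a CSV export of
# the Security log would carry (time, event id, subject account, target).
SAMPLE_EVENTS = [
    {"time": "2006-01-18T09:02:11", "id": 4741, "subject": "SCHOOL\\imaging-tech", "target": "LAB-PC-07$"},
    {"time": "2006-01-18T09:05:40", "id": 4743, "subject": "SCHOOL\\imaging-tech", "target": "LAB-PC-07$"},
    {"time": "2006-01-18T09:05:41", "id": 4741, "subject": "SCHOOL\\imaging-tech", "target": "LAB-PC-07$"},
    {"time": "2006-01-18T13:22:05", "id": 4743, "subject": "SCHOOL\\jdoe", "target": "LIB-PC-02$"},
    {"time": "2006-01-18T13:22:05", "id": 5141, "subject": "SCHOOL\\jdoe",
     "target": "CN=LIB-PC-02,CN=Computers,DC=school,DC=local"},
    {"time": "2006-01-18T14:00:00", "id": 4742, "subject": "SCHOOL\\jdoe", "target": "FRONT-01$"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def computer_deletions(events):
    """(time, subject, target) for every computer-account deletion, oldest first."""
    hits = [e for e in events if e["id"] == COMPUTER_DELETED]
    return [(e["time"], e["subject"], e["target"]) for e in sorted(hits, key=_ts)]


def deletions_by_subject(events):
    """Who is doing the deleting: number of 4743 events per subject account."""
    return Counter(e["subject"] for e in events if e["id"] == COMPUTER_DELETED)


def unexpected_deleters(events, allowed):
    """Subjects that deleted computer accounts but are not in the allowed set
    (for example the imaging or provisioning account)."""
    return set(deletions_by_subject(events)) - set(allowed)


def recreated_after_delete(events, window=timedelta(minutes=10)):
    """Computer names deleted and created again within `window`: the pattern a
    cloned machine joined under an existing name leaves behind."""
    by_name = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["id"] in (COMPUTER_CREATED, COMPUTER_DELETED):
            by_name[e["target"]].append(e)
    flagged = []
    for name, seq in by_name.items():
        for prev, nxt in zip(seq, seq[1:]):
            if (prev["id"] == COMPUTER_DELETED and nxt["id"] == COMPUTER_CREATED
                    and _ts(nxt) - _ts(prev) <= window):
                flagged.append(name)
                break
    return sorted(flagged)


def deleted_object_dns(events):
    """Distinguished names from 5141 events; these show which OU the object lived in."""
    return [e["target"] for e in events if e["id"] == DS_OBJECT_DELETED]


if __name__ == "__main__":
    for line in computer_deletions(SAMPLE_EVENTS):
        print("deleted:", *line)
    print("by subject:", dict(deletions_by_subject(SAMPLE_EVENTS)))
    print("unexpected:", unexpected_deleters(SAMPLE_EVENTS, {"SCHOOL\\imaging-tech"}))
    print("delete+recreate:", recreated_after_delete(SAMPLE_EVENTS))
    print("DNs:", deleted_object_dns(SAMPLE_EVENTS))
```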


RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Doug Ferguson

We have seen the same thing in our organization, and I am investigating whether our technician that does the images for our desktop deployments has been using the wrong version of Sysprep. I read on the MS site that there are versions of Sysprep for different OS levels (or service packs). Just a thought.

-;)

Doug Ferguson
Windows Systems Administrator
Hynix Semiconductor Manufacturing America, Inc.









RE: [ActiveDir] Migrate domain to separate forest

2006-01-18 Thread Grillenmeier, Guido
> Because they want to have their out-of-office replies go to the
> internet

hmm - that puts a whole new meaning to the requirements of a different forest. So just to get OOO replies configured the way they want, they're giving up being managed in the same forest and being in the same Exchange Org, having the same GAL as the rest of the company (or requiring extra mechanism to sync the users/contacts), or being able to easily share calendar data, simplifying resource sharing between any part of the company or allowing easy transition of users between other parts of the organization.

way to go.  I certainly know of other reasons to create a separate forest, but I hadn't considered OOO configurations to be one of them :-)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Wednesday, 18 January 2006 14:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrate domain to separate forest

Thanks for your reply, Gil.

You wrote:
> Just out of curiosity, why do they think they want their own forest?

Because they want to have their out-of-office replies go to the internet, and our security policy won't let 'em do it because it affects everybody else, too!

> In any case, there's no way that I'm aware of to carve off a domain and
> make it a new forest root... I think you'll have to create the forest
> and migrate the users and resources.

That's what I thought.

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread AdamT
On 1/18/06, Crawford, Scott [EMAIL PROTECTED] wrote:

> For example, if the
> domain box shows MICROSOFT, change it to Microsoft.com or vice-versa.  This
> seems to trigger a domain rejoin without having to join the workgroup.

<snip>

On a side-note - is there a command line utility which will allow a workstation to be renamed/joined to a domain?

I'm aware of a way of creating a computer account using the NET command, but this has to be done from the server, and ideally, I'm hoping there's a way of joining from the NT4/2kpro/XP workstations.

--
AdamT
Maidenhead is *not* in Kent


RE: [ActiveDir] OU Delegation

2006-01-18 Thread al_maurer

Boy, I just had a consultant recommend an empty root as best practice for a divestiture we're doing. Like Gil and Joe, I really don't see the benefit (nor could the consultant name anything specifically).

We have a single domain and delegate OU rights based basically on an administrative team's need to manage a group of resources, typically computers. Users, groups and Exchange are managed centrally. Moving things around within one domain is a whole lot easier than among domains.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, January 12, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

As joe says, it depends. AD architecture is always a cost/benefit discussion, and most people don't really understand 1) the real benefits of multiple domains, and 2) the additional costs of running multiple domains.

For instance, additional security is often cited as a benefit of an empty root. An empty root maybe provides a little additional security, but not much. The benefit depends on your own risk evaluation.

On the other hand, the ongoing operational cost of a two domain forest is considerably higher than a single domain forest. Additional hardware costs, additional diagnostic complexity, and a more complicated DR situation all add to the costs of running multiple domains.

My general recommendation is to stick with a single domain if you can, and add additional domains if you need to for password policy or controlling replication traffic. And if you find you have to have multiple domains anyway, use an empty root, because the incremental cost of an additional domain if you already have more than one is pretty small.

But, it depends.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Ah good ol' best practices. :)

What is recommended? Whatever is best for the customer of course.

I guess my question is why one domain and one root versus just one domain? What is the purpose of the root? I am not saying this is bad by any stretch, there are good valid reasons for a root with other domains hanging off of it. Just curious what the decision flow was like to do it. Hopefully it wasn't something along the lines of reading "an empty root is good" somewhere and going for it as it is totally context sensitive.

I would say the overall design goal, especially when Exchange is involved is to use a single domain forest. However, if there is a good reason to add more domains, do it. Usually when someone says they have a domain and a root they mean they have a domain and an EMPTY root and I wonder about how the decision was arrived at.

We have had this discussion previously on the list where some people are gung ho empty root and some people are gung ho no-empty root and both pointing at best practices. I am more of the does it make sense in this specific situation kind of person.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, January 12, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Well, I just thought it would be best practice to consolidate multiple domains to one. What's recommended?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 11, 2006 7:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

You want to look at a couple of main points

1. How do you plan to delegate the permissions, i.e. the groupings of machines, users, etc.

2. How do you plan to do GPOs if at all.

3. How is the administration really going to work. For instance, if you use a provisioning system for managing users (highly recommended) you don't generally want to delegate those to local OU admins but instead keep them in a main OU that the provisioning system only has control to.

Why one domain and one root domain? I am not arguing one way or the other, just curious for the reasoning.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, January 11, 2006 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OU Delegation

We're in the process of consolidating 21 child domains into just one and one root. We want to separate the divisions (domains) into different OUs. Is there a guide or best practice out there on delegating admin permissions on OUs? Also, we've got Exchange permissions to deal with too.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469


RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Coleman, Hunter
Look at netdom.exe 



RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Doug Ferguson
I would use NETDOM JOIN.  Type NETDOM JOIN /? to see the syntax.

-;)

Doug Ferguson
Windows Systems Administrator
Hynix Semiconductor Manufacturing America, Inc.



[ActiveDir] adfind question

2006-01-18 Thread Noah Eiger

Hi

I am trying to write a little batch file that will report various version numbers to me on each DC to help monitor the W2k3 upgrade process. I am having trouble getting adfind to report the objectVersion of the Schema. When I run:

adfind DC1 -b CN=Schema,CN=Configuration,DC=myco,DC=private

I get a torrent of stuff including the attribute that I want. (That is an attribute right?) When I try to filter or limit the output, I don't get what I want. For example,

adfind DC1 -b CN=Schema,CN=Configuration,DC=myco,DC=private objectVersion

Gives me a list of all of the objects under Schema.

How can I limit this? (Or, does anyone have a script that already checks all this stuff?)

Thanks.

--
nme
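An added example, not from the poster or the list: a Python check that parses adfind output captured from each DC and reports which DCs are still behind on the schema objectVersion, which is the per-DC upgrade monitoring the post is after. It assumes the query is run with base scope (adfind's -h and -s base options, which the post does not show) so only the Schema container itself is returned, and the captured text is constructed to mimic adfind's dn: / >attribute: output rather than taken from real DCs.

```python
"""Compare the schema objectVersion reported by each DC from captured adfind output."""
import re

SCHEMA_DN = "CN=Schema,CN=Configuration,DC=myco,DC=private"

# Assumed command run against each DC (-h and -s base are adfind options the
# post does not show):
#   adfind -h DC1 -b CN=Schema,CN=Configuration,DC=myco,DC=private -s base objectVersion
# Constructed sample captures, not real output: DC3 still reports the Windows
# 2000 schema version (13) and DC4 returned nothing for the container.
CAPTURES = {
    "DC1": (
        "AdFind (constructed header line)\n\n"
        "dn:CN=Schema,CN=Configuration,DC=myco,DC=private\n"
        ">objectVersion: 30\n\n"
        "1 Objects returned\n"
    ),
    "DC2": (
        "dn:CN=Schema,CN=Configuration,DC=myco,DC=private\n"
        ">objectVersion: 30\n\n"
        "1 Objects returned\n"
    ),
    "DC3": (
        "dn:CN=Schema,CN=Configuration,DC=myco,DC=private\n"
        ">objectVersion: 13\n\n"
        "1 Objects returned\n"
    ),
    "DC4": "0 Objects returned\n",
}

# adfind prints each attribute as ">name: value" beneath a "dn:" line.
ATTR_LINE = re.compile(r"^>(?P<attr>[A-Za-z][\w-]*):\s*(?P<value>.*)$")


def parse_adfind(text):
    """Return {dn: {attribute: value}} from adfind's default text output."""
    objects, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("dn:"):
            current = line[3:].strip()
            objects[current] = {}
            continue
        m = ATTR_LINE.match(line)
        if m and current is not None:
            objects[current][m.group("attr")] = m.group("value")
    return objects


def schema_versions(captures, schema_dn=SCHEMA_DN):
    """DC name -> objectVersion as int, or None when the DC did not return it."""
    versions = {}
    for dc, text in captures.items():
        value = parse_adfind(text).get(schema_dn, {}).get("objectVersion")
        versions[dc] = int(value) if value is not None and value.isdigit() else None
    return versions


def lagging_dcs(captures):
    """DCs whose schema version is missing or below the newest version any DC reports."""
    versions = schema_versions(captures)
    known = [v for v in versions.values() if v is not None]
    newest = max(known) if known else None
    return sorted(dc for dc, v in versions.items() if v is None or v < newest)


if __name__ == "__main__":
    print("schema versions:", schema_versions(CAPTURES))
    print("lagging DCs:", lagging_dcs(CAPTURES))
```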










RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Aaron Visser

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep?

And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don't sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda,

FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some.

Gary

Gary Polvinale
Denton ATD

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone.

Thanks,
Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

When you say lose their account, do you mean the computer object in AD disappears? Or something else?

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD computer accounts being removed

Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do.

Has anyone else had this experience and how have you fixed it?

Thanks,
Brenda



RE: [ActiveDir] OU Delegation

2006-01-18 Thread Gil Kirkpatrick

Tell him he needs to go to DEC. It's where all the cool AD people go :)

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Boy, I just had a consultant recommend an empty root as best practice for a divestiture we're doing. Like Gil and Joe, I really don't see the benefit (nor could the consultant name anything specifically).

We have a single domain and delegate OU rights based basically on an administrative team's need to manage a group of resources, typically computers. Users, groups and Exchange are managed centrally. Moving things around within one domain is a whole lot easier than among domains.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies (719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, January 12, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

As joe says, "it depends". AD architecture is always a cost/benefit discussion, and most people don't really understand 1) the real benefits of multiple domains, and 2) the additional costs of running multiple domains.

For instance, "additional security" is often cited as a benefit of an empty root. An empty root maybe provides a little additional security, but not much. The benefit depends on your own risk evaluation.

On the other hand, the ongoing operational cost of a two domain forest is considerably higher than a single domain forest. Additional hardware costs, additional diagnostic complexity, and a more complicated DR situation all add to the costs of running multiple domains.

My general recommendation is to stick with a single domain if you can, and add additional domains if you need to for password policy or controlling replication traffic. And if you find you have to have multiple domains anyway, use an empty root, because the incremental cost of an additional domain if you already have more than one is pretty small.

But, "it depends".

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Ah good ol' best practices. :)

What is recommended? Whatever is best for the customer of course.

I guess my question is why one domain and one root versus just one domain? What is the purpose of the root? I am not saying this is bad by any stretch, there are good valid reasons for a root with other domains hanging off of it. Just curious what the decision flow was like to do it. Hopefully it wasn't something along the lines of reading "an empty root" is good somewhere and going for it as it is totally context sensitive.

I would say the overall design goal, especially when Exchange is involved is to use a single domain forest. However, if there is a good reason to add more domains, do it. Usually when someone says they have a domain and a root they mean they have a domain and an EMPTY root and I wonder about how the decision was arrived at.

We have had this discussion previously on the list where some people are gung ho empty root and some people are gung ho no-empty root and both pointing at best practices. I am more of the does it make sense in this specific situation kind of person.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, January 12, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Well, I just thought it would be best practice to consolidate multiple domains to one. What's recommended?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 11, 2006 7:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

You want to look at a couple of main points

1. How do you plan to delegate the permissions, i.e. the groupings of machines, users, etc.
2. How do you plan to do GPOs if at all.
3. How is the administration really going to work. For instance, if you use a provisioning system for managing users (highly recommended) you don't generally want to delegate those to local OU admins but instead keep them in a main OU that the provisioning system only has control to.

Why one domain and one root domain? I am not arguing one way or the other, just curious for the reasoning.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, January 11, 2006 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OU Delegation

We're in the process of consolidating 21 child domains into just one and one root. We want to separate the divisions (domains) into different OUs. Is there a guide

RE: [ActiveDir] adfind question

2006-01-18 Thread David Cliffe

Maybe you want "-h DC1"? Otherwise I'm not sure of the arg you're passing there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, January 18, 2006 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] adfind question

Hi -

I am trying to write a little batch file that will report various version numbers to me on each DC to help monitor the W2k3 upgrade process. I am having trouble getting adfind to report the objectVersion of the Schema. When I run:

adfind -DC1 -b CN=Schema,CN=Configuration,DC=myco,DC=private

I get a torrent of stuff including the attribute that I want. (That is an attribute right?) When I try to filter or limit the output, I don't get what I want. For example,

adfind -DC1 -b CN=Schema,CN=Configuration,DC=myco,DC=private objectVersion

Gives me a list of all of the objects under Schema.

How can I limit this? (Or, does anyone have a script that already checks all this stuff?)

Thanks.

--
nme

To find out more about Reuters visit www.about.reuters.com

Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.




RE: [ActiveDir] Migrate domain to separate forest

2006-01-18 Thread Gil Kirkpatrick
Someone needs to do a cost-benefit analysis. I would guess that 2
forests = 1.6x the operations costs more or less.

I don't know Exchange at all... isn't there some way to constrain the
policy to a subset of mailboxes?

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Wednesday, January 18, 2006 2:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrate domain to separate forest

 Because they want to have their out-of-office replies go to the internet

hmm - that puts a whole new meaning to the requirements of a different
forest. So just to get OOO replies configured the way they want, they're
giving up being managed in the same forest and being in the same
Exchange Org, having the same GAL as the rest as the company (or
requiring extra mechanism to sync the users/contacts), or being able to
easily share calendar data, simplifying resource sharing between any
part of the company or allowing easy transition of users between other
parts of the organization.

way to go.  I certainly know of other reasons to create a separate
forest, but I hadn't considered OOO configurations to be one of them :-)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Mittwoch, 18. Januar 2006 14:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrate domain to separate forest

Thanks for your reply, Gil.

You wrote:
 Just out of curiosity, why do they think they want their own forest?

Because they want to have their out-of-office replies go to the
internet, and our security policy won't let 'em do it because it affects
everybody else, too!

 In any case, there's no way that I'm aware of to carve off a domain and
 make it a new forest root... I think you'll have to create the forest
 and migrate the users and resources.

That's what I thought.

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876


Re: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread AdamT
On 1/18/06, Aaron Visser [EMAIL PROTECTED] wrote:
snip
  I have had to actually ghost computers in order to rejoin the
 domain because I do not have any local accounts active on my computers in
 the school, makes it a little safer :) but with that comes more work :(

Surely it's not possible to delete the administrator account?

You might be able to disable it, but IIRC, you can reset the password
and unlock/re-enable the account using the infamous bootdisk at:
http://home.eunet.no/~pnordahl/ntpasswd/

Shouldn't need to re-image.

--
AdamT
Maidenhead is *not* in Kent


Re: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread AdamT
On 1/18/06, Doug Ferguson [EMAIL PROTECTED] wrote:
 I would use NETDOM JOIN.  Type NETDOM JOIN /? To see the syntax.

Thanks, I'll look in to that.  Would save me lots of time talking
engineers through the process of joining a domain when they turn up to
install new PCs.
I'm also somewhat unhappy with reading out account passwords over the
phone to engineers I've never met.  Netdom and psexec ought to take
care of this for me ;-)

--
AdamT
Maidenhead is *not* in Kent


RE: [ActiveDir] adfind question

2006-01-18 Thread Coleman, Hunter

Try it as

adfind -h DC1 -b "cn=schema,cn=configuration,dc=myco,dc=private" -s base objectVersion

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, January 18, 2006 3:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] adfind question

Hi -

I am trying to write a little batch file that will report various version numbers to me on each DC to help monitor the W2k3 upgrade process. I am having trouble getting adfind to report the objectVersion of the Schema. When I run:

adfind -DC1 -b CN=Schema,CN=Configuration,DC=myco,DC=private

I get a torrent of stuff including the attribute that I want. (That is an attribute right?) When I try to filter or limit the output, I don't get what I want. For example,

adfind -DC1 -b CN=Schema,CN=Configuration,DC=myco,DC=private objectVersion

Gives me a list of all of the objects under Schema.

How can I limit this? (Or, does anyone have a script that already checks all this stuff?)

Thanks.

--
nme


RE: [ActiveDir] adfind question

2006-01-18 Thread Almeida Pinto, Jorge de
Try:
 
adfind -schema -s base objectVersion
 
AdFind V01.27.00cpp Joe Richards ([EMAIL PROTECTED]) November 2005
Using server: DC:389
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=domain,DC=local
dn:CN=Schema,CN=Configuration,DC=domain,DC=local
objectVersion: 30

1 Objects returned

Cheers,
jorge


From: [EMAIL PROTECTED] on behalf of Noah Eiger
Sent: Wed 2006-01-18 23:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] adfind question



Hi -

 

I am trying to write a little batch file that will report various version 
numbers to me on each DC to help monitor the W2k3 upgrade process. I am having 
trouble getting adfind to report the objectVersion of the Schema. When I run:

adfind -DC1 -b CN=Schema,CN=Configuration,DC=myco,DC=private 

I get a torrent of stuff including the attribute that I want. (That is an 
attribute right?) When I try to filter or limit the output, I don't get what I 
want. For example,

adfind -DC1 -b CN=Schema,CN=Configuration,DC=myco,DC=private  objectVersion

Gives me a list of all of the objects under Schema.

 

How can I limit this? (Or, does anyone have a script that already checks all 
this stuff?)

 

Thanks.

 

-- nme






This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
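Noah also asked whether anyone has a script that already checks this, and the thread settled on `adfind -h <dc> -schema -s base objectVersion` (Hunter's and Jorge's replies). As an added example, not code from the thread or from AdFind's author, the Python below builds that command for each DC in a list, parses AdFind's text output in the format shown in Jorge's sample, and flags DCs whose replica of the schema container has not reached the objectVersion expected after the schema upgrade. The DC names, the two sample outputs and the expected version are constructed for the demonstration; the version table lists well-known values, of which 30 (Windows Server 2003) is the one in Jorge's output. Only `query_dc()` needs adfind.exe and a reachable DC; everything else runs offline.

```python
"""Check the schema objectVersion reported by every DC during a W2k3 upgrade.

Added example; not code from the thread or from AdFind's author. It wraps
the command the thread arrived at (adfind -h <dc> -schema -s base
objectVersion), parses AdFind's text output and flags DCs whose schema
replica is behind the expected version. The sample outputs are constructed.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Well-known schema objectVersion values for some Windows Server releases
# (30 is the value shown in the thread's sample output).
KNOWN_SCHEMA_VERSIONS = {
    13: "Windows 2000 Server",
    30: "Windows Server 2003",
    31: "Windows Server 2003 R2",
    44: "Windows Server 2008",
    47: "Windows Server 2008 R2",
}

SCHEMA_RDN = "cn=schema,cn=configuration,"

# Attribute lines look like "objectVersion: 30"; newer AdFind builds prefix
# returned attributes with ">", so the regex accepts both forms.
_ATTR_RE = re.compile(r"^>?objectVersion:\s*(\d+)\s*$", re.IGNORECASE)


def adfind_command(dc: str) -> List[str]:
    """Command line for one DC: a base-scope read of the schema container."""
    return ["adfind", "-h", dc, "-schema", "-s", "base", "objectVersion"]


def parse_output(text: str) -> Optional[int]:
    """Extract objectVersion of the schema container from AdFind output.

    Returns None when the container is not in the output. A subtree search
    (the thread's first attempt, without -s base) lists every schema object;
    only the container carries objectVersion, so the parser keys on its DN.
    """
    current_dn = None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("dn:"):
            current_dn = line[3:].strip().lower()
            continue
        m = _ATTR_RE.match(line)
        if m and current_dn and current_dn.startswith(SCHEMA_RDN):
            return int(m.group(1))
    return None


def describe(version: Optional[int]) -> str:
    """Human-readable version label, e.g. '30 (Windows Server 2003)'."""
    if version is None:
        return "objectVersion not returned"
    return "%d (%s)" % (version, KNOWN_SCHEMA_VERSIONS.get(version, "unrecognised"))


def classify(versions: Dict[str, Optional[int]], expected: int) -> Dict[str, str]:
    """Map each DC to 'ok', 'behind', 'ahead' or 'missing' relative to expected."""
    status = {}
    for dc, version in versions.items():
        if version is None:
            status[dc] = "missing"
        elif version == expected:
            status[dc] = "ok"
        elif version < expected:
            status[dc] = "behind"
        else:
            status[dc] = "ahead"
    return status


def query_dc(dc: str) -> Optional[int]:
    """Run AdFind against one DC (requires adfind.exe on the PATH)."""
    proc = subprocess.run(adfind_command(dc), capture_output=True, text=True, check=False)
    return parse_output(proc.stdout)


# Constructed sample in the format shown in the thread, as a DC1 response.
SAMPLE_OUTPUT = """\
AdFind V01.27.00cpp Joe Richards ([EMAIL PROTECTED]) November 2005
Using server: DC1:389
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=myco,DC=private

dn:CN=Schema,CN=Configuration,DC=myco,DC=private
objectVersion: 30

1 Objects returned
"""

# Constructed output of a subtree query (the thread's failing form): schema
# attribute objects are listed but carry no objectVersion, only the container.
SAMPLE_SUBTREE_OUTPUT = """\
dn:CN=Schema,CN=Configuration,DC=myco,DC=private
objectVersion: 13

dn:CN=account,CN=Schema,CN=Configuration,DC=myco,DC=private

dn:CN=Account-Expires,CN=Schema,CN=Configuration,DC=myco,DC=private

3 Objects returned
"""

if __name__ == "__main__":
    # Offline demonstration with constructed results for three DCs.
    observed = {
        "DC1": parse_output(SAMPLE_OUTPUT),            # 30, upgraded
        "DC2": parse_output(SAMPLE_SUBTREE_OUTPUT),    # 13, upgrade not replicated yet
        "DC3": parse_output("0 Objects returned\n"),   # nothing came back
    }
    for dc, state in classify(observed, expected=30).items():
        print("%s: %s, %s" % (dc, state, describe(observed[dc])))
```

With real DC names, replace the constructed `observed` dictionary with `{dc: query_dc(dc) for dc in dcs}`; a DC reported as "behind" is one whose schema replica has not yet received the upgraded version, and "missing" means the query returned no schema container at all, which is worth checking before trusting the other numbers.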

RE: [ActiveDir] OU Delegation

2006-01-18 Thread al_maurer

Well, if I were going this time, I'd tell you in person which consulting firm he worked for. HINT: it's none of the ones we've mentioned in this thread as being AD experts. :)

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Tell him he needs to go to DEC. It's where all the cool AD people go :)

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Boy, I just had a consultant recommend an empty root as best practice for a divestiture we're doing. Like Gil and Joe, I really don't see the benefit (nor could the consultant name anything specifically).

We have a single domain and delegate OU rights based basically on an administrative team's need to manage a group of resources, typically computers. Users, groups and Exchange are managed centrally. Moving things around within one domain is a whole lot easier than among domains.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, January 12, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

As joe says, "it depends". AD architecture is always a cost/benefit discussion, and most people don't really understand 1) the real benefits of multiple domains, and 2) the additional costs of running multiple domains.

For instance, "additional security" is often cited as a benefit of an empty root. An empty root maybe provides a little additional security, but not much. The benefit depends on your own risk evaluation.

On the other hand, the ongoing operational cost of a two domain forest is considerably higher than a single domain forest. Additional hardware costs, additional diagnostic complexity, and a more complicated DR situation all add to the costs of running multiple domains.

My general recommendation is to stick with a single domain if you can, and add additional domains if you need to for password policy or controlling replication traffic. And if you find you have to have multiple domains anyway, use an empty root, because the incremental cost of an additional domain if you already have more than one is pretty small.

But, "it depends".

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Ah good ol' best practices. :)

What is recommended? Whatever is best for the customer of course.

I guess my question is why one domain and one root versus just one domain? What is the purpose of the root? I am not saying this is bad by any stretch, there are good valid reasons for a root with other domains hanging off of it. Just curious what the decision flow was like to do it. Hopefully it wasn't something along the lines of reading "an empty root" is good somewhere and going for it as it is totally context sensitive.

I would say the overall design goal, especially when Exchange is involved is to use a single domain forest. However, if there is a good reason to add more domains, do it. Usually when someone says they have a domain and a root they mean they have a domain and an EMPTY root and I wonder about how the decision was arrived at.

We have had this discussion previously on the list where some people are gung ho empty root and some people are gung ho no-empty root and both pointing at best practices. I am more of the does it make sense in this specific situation kind of person.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, January 12, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Well, I just thought it would be best practice to consolidate multiple domains to one. What's recommended?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 11, 2006 7:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

You want to look at a couple of main points

1. How do you plan to delegate the permissions, i.e. the groupings of machines, users, etc.

2. How do you plan to do GPOs if at all.

3. How is the administration really going to work. For instance, if you use a provisioning system for managing users (highly recommended) you don't generally want to delegate

FW: [ActiveDir] adfind question

2006-01-18 Thread David Cliffe

Whoops...sorry...and also "-s base"

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, January 18, 2006 6:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adfind question

Maybe you want "-h DC1"? Otherwise I'm not sure of the arg you're passing there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, January 18, 2006 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] adfind question

Hi -

I am trying to write a little batch file that will report various version numbers to me on each DC to help monitor the W2k3 upgrade process. I am having trouble getting adfind to report the objectVersion of the Schema. When I run:

adfind -DC1 -b CN=Schema,CN=Configuration,DC=myco,DC=private

I get a torrent of stuff including the attribute that I want. (That is an attribute right?) When I try to filter or limit the output, I don't get what I want. For example,

adfind -DC1 -b CN=Schema,CN=Configuration,DC=myco,DC=private objectVersion

Gives me a list of all of the objects under Schema.

How can I limit this? (Or, does anyone have a script that already checks all this stuff?)

Thanks.

--
nme




[ActiveDir] LDAP and Global Catalog

2006-01-18 Thread Ravi Dogra
Hi all,

Please update me that on which port communication between LDAP and
Global Catalog takes place.

--
RD


RE: [ActiveDir] OU Delegation

2006-01-18 Thread Gil Kirkpatrick

I heard you weren't going to make it this year. High suckage factor.

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Well, if I were going this time, I'd tell you in person which consulting firm he worked for. HINT: it's none of the ones we've mentioned in this thread as being AD experts. :)

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies (719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Tell him he needs to go to DEC. It's where all the cool AD people go :)

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Boy, I just had a consultant recommend an empty root as best practice for a divestiture we're doing. Like Gil and Joe, I really don't see the benefit (nor could the consultant name anything specifically).

We have a single domain and delegate OU rights based basically on an administrative team's need to manage a group of resources, typically computers. Users, groups and Exchange are managed centrally. Moving things around within one domain is a whole lot easier than among domains.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies (719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, January 12, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

As joe says, "it depends". AD architecture is always a cost/benefit discussion, and most people don't really understand 1) the real benefits of multiple domains, and 2) the additional costs of running multiple domains.

For instance, "additional security" is often cited as a benefit of an empty root. An empty root maybe provides a little additional security, but not much. The benefit depends on your own risk evaluation.

On the other hand, the ongoing operational cost of a two domain forest is considerably higher than a single domain forest. Additional hardware costs, additional diagnostic complexity, and a more complicated DR situation all add to the costs of running multiple domains.

My general recommendation is to stick with a single domain if you can, and add additional domains if you need to for password policy or controlling replication traffic. And if you find you have to have multiple domains anyway, use an empty root, because the incremental cost of an additional domain if you already have more than one is pretty small.

But, "it depends".

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Ah good ol' best practices. :)

What is recommended? Whatever is best for the customer of course.

I guess my question is why one domain and one root versus just one domain? What is the purpose of the root? I am not saying this is bad by any stretch, there are good valid reasons for a root with other domains hanging off of it. Just curious what the decision flow was like to do it. Hopefully it wasn't something along the lines of reading "an empty root" is good somewhere and going for it as it is totally context sensitive.

I would say the overall design goal, especially when Exchange is involved is to use a single domain forest. However, if there is a good reason to add more domains, do it. Usually when someone says they have a domain and a root they mean they have a domain and an EMPTY root and I wonder about how the decision was arrived at.

We have had this discussion previously on the list where some people are gung ho empty root and some people are gung ho no-empty root and both pointing at best practices. I am more of the does it make sense in this specific situation kind of person.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, January 12, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Well, I just thought it would be best practice to consolidate multiple domains to one. What's recommended?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 11, 2006 7:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

You want to look at a couple of main points

1. How do you plan to delegate the permissions, i.e. the

RE: [ActiveDir] adfind question

2006-01-18 Thread Noah Eiger
Thanks all. I guess I needed the –s base. And yes, David, I omitted the –h.
I checked and that omission was only in my post, not in the actual script.

 

Thanks again.

 

-- nme

 

   _  

From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 18, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adfind question

 

Try:

 

adfind -schema -s base objectVersion

 

AdFind V01.27.00cpp Joe Richards (HYPERLINK
mailto:[EMAIL PROTECTED][EMAIL PROTECTED]) November 2005

Using server: DC:389
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=domain,DC=local

dn:CN=Schema,CN=Configuration,DC=domain,DC=local
objectVersion: 30


1 Objects returned

Cheers,

jorge

   _  

From: [EMAIL PROTECTED] on behalf of Noah Eiger
Sent: Wed 2006-01-18 23:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] adfind question

Hi –

 

I am trying to write a little batch file that will report various version
numbers to me on each DC to help monitor the W2k3 upgrade process. I am
having trouble getting adfind to report the objectVersion of the Schema.
When I run:

adfind –DC1 –b “CN=Schema,CN=Configuration,DC=myco,DC=private” 

I get a torrent of stuff including the attribute that I want. (That is an
attribute right?) When I try to filter or limit the output, I don’t get what
I want. For example,

adfind –DC1 –b “CN=Schema,CN=Configuration,DC=myco,DC=private”
objectVersion

Gives me a list of all of the objects under Schema.

 

How can I limit this? (Or, does anyone have a script that already checks all
this stuff?)

 

Thanks.

 

-- nme


--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.14.20/233 - Release Date: 1/18/2006


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.

RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Brian Desmond
NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You're getting duplicate SIDs here, bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images: before I ghost them or create the image I put the said machine into a workgroup and then create the image. After I have imaged a computer I log on and change the Computer Name, reboot and then join the domain with the new computer name. Should I be using Sysprep?

And Brenda, I have experienced your problem but I have never noticed the accounts actually being out of AD. Anyways, most times for me a simple reboot works, although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school. Makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don't sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda,

FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some.

Gary

Gary Polvinale
Denton ATD

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone.

Thanks,
Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

When you say "lose their account", do you mean the computer object in AD disappears? Or something else?

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD computer accounts being removed

Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do.

Has anyone else had this experience and how have you fixed it?

Thanks,
Brenda

RE: [ActiveDir] LDAP and Global Catalog

2006-01-18 Thread Jerry Welch
Defaults:
LDAP 3268
LDAP/S 3269 


Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Wednesday, January 18, 2006 6:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP and Global Catalog

Hi all,

Please update me that on which port communication between LDAP and Global
Catalog takes place.

--
RD
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Gil Kirkpatrick
Let me find my rolled up newspaper... :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 4:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You're getting duplicate SIDs here, bad.



Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Aaron Visser
No, it is not possible to delete that account (as far as I know), but there
are times when the account has been disabled through a policy (that is how I
disable it) and that program has not worked. I know it doesn't make a lot of
sense, because why is the policy being enforced if it will not connect to the
domain? But guess what, sometimes it is like that, and if everything always
worked the way it was supposed to, well then we wouldn't be needed now, would
we?

Aaron Visser


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, January 18, 2006 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD computer accounts being removed

On 1/18/06, Aaron Visser <[EMAIL PROTECTED]> wrote:
<snip>
> I have had to actually ghost computers in order to rejoin the
> domain because I do not have any local accounts active on my computers in
> the school, makes it a little safer :) but with that comes more work :(

Surely it's not possible to delete the administrator account?

You might be able to disable it, but IIRC, you can reset the password
and unlock/re-enable to account using the infamous bootdisk at:
http://home.eunet.no/~pnordahl/ntpasswd/

Shouldn't need to re-image.

--
AdamT
Maidenhead is *not* in Kent


RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Aaron Visser
Well, I would agree that is not a safe practice for most, but for my application, where all local accounts are disabled, I do not see a problem.

Taken from http://www.sysinternals.com/Utilities/NewSid.html under "The SID Duplication Problem":

"Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts have SID's based on the Domain SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of Windows NT", in a Workgroup environment security is based on local account SIDs. Thus, if two computers have users with the same SID, the Workgroup will not be able to distinguish between the users. All resources, including files and Registry keys, that one user has access to, the other will as well."

Aaron

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You're getting duplicate SIDs here, bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

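The SID layout that the NewSID passage quoted above turns on (an issuer identifier S-1-5-21-x-y-z, which is the domain SID for domain accounts and the machine SID for local SAM accounts, followed by a RID), worked through as an added example. This is not code from the list, from Sysinternals or from Microsoft. It encodes and decodes the binary form AD stores in objectSid and in security descriptors, splits an account SID into issuer and RID, answers the "does the domain portion even match" question from the unresolved-SIDs thread, and flags cloned workstations that share one machine SID. The domain SID, hostnames and inventory are constructed sample data; Python is used only so the example runs anywhere offline.

```python
"""Windows SID structure: binary <-> string, issuer/RID split, duplicate
machine-SID check.  Added example, not code from the list, Sysinternals or
Microsoft.  All SIDs and hostnames below are constructed sample data."""
import struct
from collections import defaultdict

# Identifier authority for NT accounts (the "5" in S-1-5-...)
SECURITY_NT_AUTHORITY = 5
# First sub-authority of every domain or machine account SID (S-1-5-21-...)
SECURITY_NT_NON_UNIQUE = 21


def parse_sid(text):
    """'S-1-5-21-a-b-c-rid' -> (revision, authority, [sub-authorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Revision is always 1; authority is 48 bits; at most 15 sub-authorities.
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError("malformed SID: %r" % text)
    return revision, authority, subs


def sid_to_bytes(text):
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    authority (6 bytes, big-endian), then each sub-authority as a 32-bit
    little-endian integer.  This is the objectSid / ACE SID wire format."""
    revision, authority, subs = parse_sid(text)
    head = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(raw):
    """Inverse of sid_to_bytes; a truncated value raises instead of silently
    producing a wrong (and therefore unresolvable) SID."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = struct.unpack("<BB", raw[:2])
    authority = int.from_bytes(raw[2:8], "big")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    subs = [struct.unpack("<I", raw[8 + 4 * i:12 + 4 * i])[0] for i in range(count)]
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_sid(text):
    """(issuer_sid, rid) for an account SID.  Issuer is the domain SID for
    domain accounts or the machine SID for local accounts; both have the
    S-1-5-21-x-y-z shape, so only the issuer value tells them apart."""
    revision, authority, subs = parse_sid(text)
    if authority != SECURITY_NT_AUTHORITY or len(subs) < 2 or subs[0] != SECURITY_NT_NON_UNIQUE:
        raise ValueError("not a domain or machine account SID: %r" % text)
    issuer = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs[:-1])
    return issuer, subs[-1]


def belongs_to_domain(account_sid, domain_sid):
    """True when account_sid was issued by domain_sid.  Well-known SIDs such
    as S-1-5-32-544 (BUILTIN\\Administrators) are not domain-issued."""
    try:
        issuer, _rid = split_sid(account_sid)
    except ValueError:
        return False
    return issuer == domain_sid


def duplicate_machine_sids(inventory):
    """inventory: {hostname: machine_sid}.  Returns {machine_sid: [hosts]}
    for every SID shared by two or more hosts, i.e. images cloned without
    sysprep or NewSID."""
    by_sid = defaultdict(list)
    for host, sid in inventory.items():
        by_sid[sid].append(host)
    return {sid: sorted(hosts) for sid, hosts in by_sid.items() if len(hosts) > 1}


# Constructed sample data: one domain and four workstations, three of them
# sharing a machine SID because they were cloned from one image.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_INVENTORY = {
    "ws01": "S-1-5-21-2000000001-2000000002-2000000003",
    "ws02": "S-1-5-21-2000000001-2000000002-2000000003",  # clone of ws01
    "ws03": "S-1-5-21-3000000001-3000000002-3000000003",
    "ws04": "S-1-5-21-2000000001-2000000002-2000000003",  # another clone
}

if __name__ == "__main__":
    acct = DOMAIN_SID + "-1106"
    print(split_sid(acct), belongs_to_domain(acct, DOMAIN_SID))
    print(bytes_to_sid(sid_to_bytes(acct)) == acct)
    print(duplicate_machine_sids(SAMPLE_INVENTORY))
```

The split is what makes both sides of the argument above precise: a domain account's SID is DOMAIN_SID plus a RID and never contains the workstation's machine SID, so cloned machine SIDs are invisible to the domain, while two clones' local accounts (machine SID plus the same RID) are indistinguishable to each other.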
RE: [ActiveDir] Site link connection not created

2006-01-18 Thread Lee, Wook

Just because there is a link defined doesn't mean that a connection object will necessarily be generated. For example, if there are three sites SiteA, SiteB and SiteC all with links to each other and all at the same cost, the ISTG may only create connection objects linking SiteA to SiteB and SiteA to SiteC and not SiteB to SiteC. If this is the only link that references a particular site, then that's an entirely different matter. If there is only one site link, then there has to be something else going on that's preventing the object from being generated. We'd need additional information about your site and domain topology in order to diagnose it further.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, January 18, 2006 10:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site link connection not created

Joe, you're exactly right, only I DO have the site link defined. Any other reason why it may not get created automatically?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 11, 2006 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site link connection not created

I think you mean connection objects aren't being created? If so, it is probably due to not having an enabled site link defined for the site tying it to some other site(s). At least that is the only time I have seen that happen.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, January 10, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site link connection not created

What would cause a site link connection from two sites not to automatically create? If I manually create the connection, the KCC updates with the correct info about other sites, but for some reason it's not automatically creating the connection. What ports are required for automatic creation?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

__
This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.

[ActiveDir] Account policy

2006-01-18 Thread Mike Hogenauer

Sorry for the newbie question.

So is it true you can only apply an account policy, for example a password policy to change passwords every 90 days, to the default domain policy?

I need to change my policy setting per group for password expiration, e.g. finance, HR, etc., for compliance.

I thought I could apply a password policy per OU for each group.

Am I wrong?

Thanks
Mike


RE: [ActiveDir] Account policy

2006-01-18 Thread Darren Mar-Elia

Mike-
It's a common question. There is currently only one *domain* password policy supported per AD domain. It does not have to be set in the DDP but it does have to be set on a GPO that is linked to the domain (if you have more than one, then the highest in the list wins). So you can't create separate policies for different user groups if those users are domain accounts. What you can do is have separate account policies for local member server or workstation SAM-based accounts, but that isn't what you're asking, is it?

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, January 18, 2006 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account policy

Sorry for the newbie question.

So is it true you can only apply an account policy, for example a password policy to change passwords every 90 days, to the default domain policy?

I need to change my policy setting per group for password expiration, e.g. finance, HR, etc., for compliance.

I thought I could apply a password policy per OU for each group.

Am I wrong?

Thanks
Mike

RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Brian Desmond
Sysprep also removes other information which identifies the computer. For
example, I once had the pleasure of repairing a network where they had used
NewSID to do this and also had bound NetBEUI to every NIC in the LAN. I had 500
computers all claiming the same NetBEUI name. Sysprep takes care of things like
this. Highly recommended over any other tool.





Thanks,
Brian Desmond

[EMAIL PROTECTED]



c -
312.731.3132

















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006
7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD
computer accounts being removed





Well I would agree that is not a safe
practice for most but for my application where all Local accounts are disabled
I do not see a problem.



Taken
from http://www.sysinternals.com/Utilities/NewSid.html
under the SID Duplication Problem

Duplicate SIDs aren't an issue in a
Domain-based environment since domain accounts have SID's based on the Domain
SID. But, according to Microsoft Knowledge Base article Q162001, Do Not
Disk Duplicate Installed Versions of Windows NT, in a Workgroup
environment security is based on local account SIDs. Thus, if two computers
have users with the same SID, the Workgroup will not be able to distinguish
between the users. All resources, including files and Registry keys, that one
user has access to, the other will as well.



Aaron















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian
 Desmond
Sent: Wednesday, January 18, 2006
3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD
computer accounts being removed





NO NO NO NO NO BAD BAD BAD



You have to use sysprep. Youre getting duplicate SIDs here 
bad. 





Thanks,
Brian Desmond

[EMAIL PROTECTED]



c -
312.731.3132

















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006
5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD
computer accounts being removed





Gary, Brian,



I do not use Sysprep on my images and have
yet to come across any problems, but there may be one big difference with my
images, before I ghost them or create the image I put the said machine into a
workgroup and then create image. After I have imaged a computer I log on
and change the Computer Name reboot and then join the domain with the new
computer name, should I be using Sysprep? 



And Brenda I have experienced your problem
but I have never noticed the accounts actually being out of AD, anyways most
times for me a simple reboot works although I have had to actually ghost
computers in order to rejoin the domain because I do not have any local
accounts active on my computers in the school, makes it a little safer J but with that comes more
work L

















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian
 Desmond
Sent: Wednesday, January 18, 2006
12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD
computer accounts being removed





Gary-



Are you implying you dont sysprep your images?





Thanks,
Brian Desmond

[EMAIL PROTECTED]



c -
312.731.3132

















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006
3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD
computer accounts being removed







Brenda,











FWIW: It happens to me when I clone
a workstation then try to join that workstation to the domain in order to
change the computer name. AD sees 2 machines with the same name, gives me
a notification and lets the 2nd one in. Then when the original machine
with that name logs in next time, it isn't seen on the network. Then I
have to do the same thing you did - with the original machine.
Thenall is wellagain. Don't know if that will help, but it
might narrow down the problem some.











Gary











Gary Polvinale





Denton ATD















-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006
2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer
accounts being removed

Yes,
their computer account in AD is actually gone.







Thanks, 

Brenda



Brenda
Casey
Network Manager

Billings
Public Schools

[EMAIL PROTECTED]

406-247-3792















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006
11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer
accounts being removed

When you say lose their
account, do you mean the computer object in AD disappears? Or something
else?



-g









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006
10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD computer
accounts being removed

Occasionally

RE: [ActiveDir] adfind question

2006-01-18 Thread joe
Yep, by default I assume you want a subtree search so you get everything; if
you want a base level search (i.e. only the object that is the base of the
query) you use -s base. If you want just the children (not the object, not
the grandchildren) you want -s one.

Another assumption - if no filter is specified it assumes objectclass=*

If no base is specified, I assume you meant to provide one but forgot, so I throw an
error.

If no attributes are specified, I assume you want * (star set - all default
attribs AD returns).

If you don't specify an attribute but also specify -sddc (or -sddl for Dean)
I assume you want the attributes *, nTSecurityDescriptor

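The scope and attribute defaults joe lists above, carried through as an added example that is not AdFind's own code (AdFind is Joe Richards' tool; nothing here is taken from it). The in-memory directory is a constructed stand-in for a schema naming context so the code runs offline; its entries are made up apart from the shape of the Schema container DN. search() applies the three LDAP scopes, the default (objectClass=*) filter, and "*" versus named-attribute selection, and schema_version() is the base-scope objectVersion query the thread settles on. Python is used only so the example runs anywhere.

```python
"""LDAP search scope, default filter and attribute selection, as adfind applies
them.  Added example, not AdFind's code.  DIRECTORY below is a constructed
in-memory stand-in for CN=Schema so this runs with no domain controller."""

BASE, ONE, SUBTREE = "base", "one", "subtree"


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas, lower-cased for comparison.
    A backslash-escaped comma (cn=a\\,b) stays inside its RDN."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return rdns


def is_in_scope(entry_dn, base_dn, scope):
    """LDAP scope rules: base = only the base object; one = its immediate
    children (not the base, not grandchildren); subtree = base and everything
    below it."""
    e, b = split_dn(entry_dn), split_dn(base_dn)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False            # not under the base at all
    depth = len(e) - len(b)     # 0 = the base object itself
    if scope == BASE:
        return depth == 0
    if scope == ONE:
        return depth == 1
    if scope == SUBTREE:
        return True
    raise ValueError("unknown scope %r" % scope)


def matches(entry, flt):
    """Minimal filter: '(attr=*)' presence or '(attr=value)' equality,
    case-insensitive.  None means the default (objectClass=*), which every
    entry satisfies."""
    if flt is None:
        return True
    attr, value = flt.strip("()").split("=", 1)
    vals = entry.get(attr.lower())
    if vals is None:
        return False
    return value == "*" or value.lower() in [str(v).lower() for v in vals]


def search(directory, base_dn, scope=SUBTREE, flt=None, attrs=None):
    """Return [(dn, {attr: values})].  attrs=None or ['*'] returns every
    attribute the entry has; otherwise only the named ones.  An in-scope entry
    that lacks all requested attributes is still returned as a bare DN, which
    is the 'torrent' of schema objects seen when the scope is left at subtree."""
    want = None if not attrs or "*" in attrs else {a.lower() for a in attrs}
    out = []
    for dn, entry in directory.items():
        if not is_in_scope(dn, base_dn, scope) or not matches(entry, flt):
            continue
        if want is None:
            out.append((dn, dict(entry)))
        else:
            out.append((dn, {a: v for a, v in entry.items() if a in want}))
    return out


# Constructed sample naming context: the Schema container plus a few children.
SCHEMA_DN = "CN=Schema,CN=Configuration,DC=domain,DC=local"
DIRECTORY = {
    SCHEMA_DN: {"objectclass": ["top", "dMD"], "objectversion": [30]},
    "CN=User," + SCHEMA_DN: {"objectclass": ["top", "classSchema"]},
    "CN=Computer," + SCHEMA_DN: {"objectclass": ["top", "classSchema"]},
    "CN=Common-Name," + SCHEMA_DN: {"objectclass": ["top", "attributeSchema"]},
    "CN=Aggregate," + SCHEMA_DN: {"objectclass": ["top", "subSchema"]},
    "CN=Configuration,DC=domain,DC=local": {"objectclass": ["top", "configuration"]},
}


def schema_version(directory):
    """The query the thread settles on: base-scope search for objectVersion."""
    rows = search(directory, SCHEMA_DN, BASE, attrs=["objectVersion"])
    return rows[0][1]["objectversion"][0] if rows else None


if __name__ == "__main__":
    for scope in (SUBTREE, ONE, BASE):
        rows = search(DIRECTORY, SCHEMA_DN, scope, attrs=["objectVersion"])
        print(scope, len(rows), "objects returned")
    print("schema objectVersion:", schema_version(DIRECTORY))
```

Against the sample tree the three scopes return 5, 4 and 1 objects, which is the effect Noah saw: with the default subtree scope every object under CN=Schema comes back (each as a DN carrying no objectVersion), while -s base returns only the container that holds the attribute.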

RE: [ActiveDir] Site link connection not created

2006-01-18 Thread joe

Do both the DC in the site and the DCs outside of the site see that site link object and that it is connected? Are there connection objects under other DCs that point at the DC that is by itself?





From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, 
DevonSent: Wednesday, January 18, 2006 1:08 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Site link 
connection not created





Joe, youre exactly 
right, only I DO have the site link defined. Any other reason why it may 
not get created automatically?





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of joeSent: Wednesday, January 11, 2006 8:55 
PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Site link 
connection not created

I think 
you mean connection objects aren't being created? If so, it is probably due to 
not having an enabledsite link defined for the site tying it to some other 
site(s). At least that is the only time I have seen that 
happen.





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Harding, DevonSent: Tuesday, January 10, 2006 3:50 
PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Site link connection 
not created
What would cause a site link 
connection from two sites not to automatically create? If I manually 
create the connection, the KCC updates with the correct info about other sites, 
but for some reason its not automatically creating the connection. What 
ports are required for automatic creation?

Devon 
Harding
Windows 
Systems Engineer
Southern Wine 
 Spirits - BSG
954-602-2469




This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
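Added example, not from the thread or from any poster: a PowerShell check for the two conditions raised above. It lists sites that belong to no site link (the KCC builds inter-site connection objects only between sites that share one), summarises each DC's connection objects by whether the KCC generated them or someone created them by hand, and probes the ports a DC has to reach on its replication partner. It assumes the RSAT ActiveDirectory module and read access to the forest's Configuration partition; the partner name in the port probe is a placeholder.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and read access to the forest's Configuration partition. Site and server
# names come from the forest; only the partner in Test-ReplicationPorts is a
# placeholder.
Import-Module ActiveDirectory

function Get-SitesWithoutSiteLink {
    # A site that appears in no site link's SitesIncluded gets no inter-site
    # connection objects from the KCC, whatever the network looks like.
    $linked = @{}
    foreach ($link in Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded) {
        foreach ($siteDn in $link.SitesIncluded) { $linked[$siteDn] = $link.Name }
    }
    Get-ADReplicationSite -Filter * |
        Where-Object { -not $linked.ContainsKey($_.DistinguishedName) } |
        Select-Object Name, DistinguishedName
}

function Get-ConnectionSummary {
    # One row per DC: total connection objects, how many the KCC generated
    # (AutoGenerated) and how many were created manually. A DC with only
    # manual connections is the symptom described in the thread.
    Get-ADReplicationConnection -Filter * |
        Group-Object ReplicateToDirectoryServer |
        ForEach-Object {
            [pscustomobject]@{
                Server        = $_.Name
                Connections   = $_.Count
                AutoGenerated = @($_.Group | Where-Object { $_.AutoGenerated }).Count
                Manual        = @($_.Group | Where-Object { -not $_.AutoGenerated }).Count
            }
        }
}

function Test-ReplicationPorts {
    # Ports a DC must reach on its partner for AD replication: RPC endpoint
    # mapper (135, followed by a dynamic RPC port not probed here), LDAP (389),
    # Kerberos (88), DNS (53) and SMB for SYSVOL (445).
    param([Parameter(Mandatory)][string]$Partner)
    foreach ($port in 135, 389, 88, 53, 445) {
        $open = Test-NetConnection -ComputerName $Partner -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Partner = $Partner; Port = $port; Open = $open }
    }
}

Get-SitesWithoutSiteLink | Format-Table -AutoSize
Get-ConnectionSummary    | Format-Table -AutoSize
Test-ReplicationPorts -Partner 'dc02.corp.example' | Format-Table -AutoSize   # placeholder
```

Run it on a DC in the site that is missing connections: an empty first table plus a second table showing AutoGenerated = 0 for that DC points at the KCC not running, or at the site link's schedule, rather than at the link's existence.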


RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread joe



Well not really. The important SID in question is the Domain SID and that isn't duped. The domain doesn't care about the machine SID. It is still good practice to newsid the machines though.

If the accounts are disappearing it is one of two things

1. Someone is deleting it.

2. During the join process something fails and the computer deletes the object out. I don't recall the details of this but I do recall hearing it happen. It happens right after the failed join though, you don't have to wait for it. I have also heard other people who don't have enough rights report the account being disabled instead of deleted. I never verified personally either.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed


NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You're getting duplicate SIDs here - bad.



Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images: before I ghost them or create the image I put the said machine into a workgroup and then create the image. After I have imaged a computer I log on and change the Computer Name, reboot and then join the domain with the new computer name. Should I be using Sysprep?

And Brenda, I have experienced your problem but I have never noticed the accounts actually being out of AD. Anyways, most times for me a simple reboot works, although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school. Makes it a little safer :) but with that comes more work :(








From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don't sysprep your images?


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed


Brenda,

FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some.



Gary

Gary Polvinale
Denton ATD




-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed
Yes, their computer account in AD is actually gone.


Thanks,

Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed
When you say "lose their account", do you mean the computer object in AD disappears? Or something else?

-g




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD computer accounts being removed
Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do.

Has anyone else had this experience and how have you fixed it?


Thanks, 

Brenda
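Added example, not part of the thread: PowerShell that makes the machine-SID versus domain-SID distinction discussed above concrete. The machine SID is read off the RID-500 local account on each host and compared across hosts to find clones that share one; the computer object's objectSid is then shown to carry the domain SID, which is the SID the domain keys the account on. It assumes the RSAT ActiveDirectory module and CIM/WinRM access to the hosts; the host names are placeholders.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module,
# CIM (WinRM) access to the listed hosts, and an account that can read local
# accounts on them. 'WS01' and 'WS02' are placeholders.
Import-Module ActiveDirectory

function Get-MachineSid {
    # The machine SID is the domain part (S-1-5-21-x-y-z) of every local
    # account SID. The built-in Administrator (RID 500) always exists, even
    # when disabled, so read it from that account.
    param([Parameter(Mandatory)][string]$ComputerName)
    $admin = Get-CimInstance -ClassName Win32_UserAccount -ComputerName $ComputerName `
                 -Filter "LocalAccount = TRUE AND SID LIKE 'S-1-5-21-%-500'"
    if (-not $admin) { throw "No RID-500 local account found on $ComputerName" }
    ([System.Security.Principal.SecurityIdentifier]$admin.SID).AccountDomainSid.Value
}

function Find-DuplicateMachineSids {
    # Clones that were never sysprepped (or newsid'ed) show up as one machine
    # SID shared by several hosts.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $rows = foreach ($c in $ComputerName) {
        try   { [pscustomobject]@{ Computer = $c; MachineSid = Get-MachineSid -ComputerName $c } }
        catch { Write-Warning "$c : $_" }
    }
    $rows | Group-Object MachineSid | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ MachineSid = $_.Name; Computers = ($_.Group.Computer -join ', ') }
        }
}

function Compare-ComputerAccountSid {
    # What the domain actually uses: the objectSid of the computer object. Its
    # domain part is the domain SID, and has nothing to do with the machine SID.
    param([Parameter(Mandatory)][string]$ComputerName)
    $domainSid = (Get-ADDomain).DomainSID.Value
    $obj       = Get-ADComputer -Identity $ComputerName
    [pscustomobject]@{
        Computer    = $ComputerName
        MachineSid  = Get-MachineSid -ComputerName $ComputerName
        ObjectSid   = $obj.SID.Value
        DomainSid   = $domainSid
        DomainKeyed = ($obj.SID.AccountDomainSid.Value -eq $domainSid)
    }
}

Find-DuplicateMachineSids -ComputerName 'WS01', 'WS02' | Format-Table -AutoSize
Compare-ComputerAccountSid -ComputerName 'WS01'        | Format-List
```

For two un-sysprepped clones the first table lists both hosts under one MachineSid, while Compare-ComputerAccountSid shows distinct ObjectSid values with DomainKeyed = True for each: the domain told them apart, the local SAMs did not.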


RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread joe



NetBEUI? Ouch.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 7:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed


Sysprep also removes other information which identifies the computer. For example, I once had the pleasure of repairing a network where they had used NewSID to do this and also had bound NetBEUI to every NIC in the LAN. I had 500 computers all claiming the same NetBEUI name. Sysprep takes care of things like this. Highly recommended over any other tool.


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well I would agree that is not a safe practice for most but for my application where all Local accounts are disabled I do not see a problem.

Taken from http://www.sysinternals.com/Utilities/NewSid.html under the SID Duplication Problem:

Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts have SID's based on the Domain SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of Windows NT", in a Workgroup environment security is based on local account SIDs. Thus, if two computers have users with the same SID, the Workgroup will not be able to distinguish between the users. All resources, including files and Registry keys, that one user has access to, the other will as well.

Aaron








RE: [ActiveDir] OU Delegation

2006-01-18 Thread joe



Well I didn't say I don't see the benefit of an empty root. 
I just don't see it as a generic best practice. Sometimes it makes a ton of 
sense, sometimes someone needs to be slapped for bringing it up. 
;o)
 
 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation


Boy, I just had a consultant recommend an empty root as best practice for a divestiture we're doing. Like Gil and Joe, I really don't see the benefit (nor could the consultant name anything specifically).

We have a single domain and delegate OU rights based basically on an administrative team's need to manage a group of resources, typically computers. Users, groups and Exchange are managed centrally. Moving things around within one domain is a whole lot easier than among domains.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, January 12, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

As joe says, "it 
depends". AD architecture is always a cost/benefit discussion, and most people 
don't really understand 1) the real benefits of multiple domains, and 2) the 
additional costs of running multiple domains.

For instance, 
"additional security" is often cited as a benefit of an empty root. An empty 
root maybe provides a little additional security, but not much. The benefit 
depends on your own risk evaluation.

On the other hand, the ongoing operational cost of a two domain forest is considerably higher than a single domain forest. Additional hardware costs, additional diagnostic complexity, and a more complicated DR situation all add to the costs of running multiple domains.

My general recommendation is to stick with a single domain if you can, and add additional domains if you need to for password policy or controlling replication traffic. And if you find you have to have multiple domains anyway, use an empty root, because the incremental cost of an additional domain if you already have more than one is pretty small.

But, "it 
depends".

-gil




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation
Ah good ol best 
practices. :)

What is recommended? 
Whatever is best for the customer of course.

I guess my question is 
why one domain and one root versus just one domain? What is the purpose of the 
root? I am not saying this is bad by any stretch, there are good valid reasons 
for a root with other domains hanging off of it. Just curious what the decision 
flow was like to do it. Hopefully it wasn't something along the lines of reading 
"an empty root" is good somewhere and going for it as it is totally context 
sensitive. 

I would say the overall 
design goal, especially when Exchange is involved is to use a single domain 
forest. However, if there is a good reason to add more domains, do it. Usually 
when someone says they have a domain and a root they mean they have a domain and 
an EMPTY root and I wonder about how the decision was arrived at. 


We have had this 
discussion previously on the list where some people are gung ho empty root and 
some people are gung ho no-empty root and both pointing at best practices. I am 
more of the does it make sense in this specific situation kind of person. 






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, January 12, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation
Well, I just thought it would be best practice to consolidate multiple domains to one. What's recommended?






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 11, 2006 7:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

You want to look at a couple of main points

1. How do you plan to delegate the permissions, I.E. the groupings of machines, users, etc.
2. How do you plan to do GPOs if at all.
3. How is the administration really going to work. For instance, if you use a provisioning system for managing users (highly recommended) you don't generally want to delegate those to local OU admins but instead keep them in a main OU that the provisioning system only has control to.

Why one domain and one root domain? I am not arguing one way or the other, just curious for the reasoning.








From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, January 11, 2006 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OU Delegation

We're in the process of 
RE: [ActiveDir] Migrate domain to separate forest

2006-01-18 Thread joe
Yeah if that is true that sounds like a great DCR or maybe something besides
Exchange handling the EDGE...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, January 18, 2006 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrate domain to separate forest

> Because they want to have their out-of-office replies go to the
> internet

hmm - that puts a whole new meaning to the requirements of a different forest. So just to get OOO replies configured the way they want, they're giving up being managed in the same forest and being in the same Exchange Org, having the same GAL as the rest of the company (or requiring extra mechanism to sync the users/contacts), or being able to easily share calendar data, simplifying resource sharing between any part of the company or allowing easy transition of users between other parts of the organization.

way to go.  I certainly know of other reasons to create a separate forest, but I hadn't considered OOO configurations to be one of them :-)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Mittwoch, 18. Januar 2006 14:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrate domain to separate forest

Thanks for your reply, Gil.

You wrote:
> Just out of curiosity, why do they think they want their own forest?

Because they want to have their out-of-office replies go to the internet,
and our security policy won't let 'em do it because it affects everybody
else, too!

> In any case, there's no way that I'm aware of to carve off a domain
> and make it a new forest root... I think you'll have to create the
> forest and migrate the users and resources.

That's what I thought.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread AdamT
On 1/19/06, Aaron Visser <[EMAIL PROTECTED]> wrote:
>
> Taken from
> http://www.sysinternals.com/Utilities/NewSid.html under the
> SID Duplication Problem

<snip>

Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html

At the start of the GUI phase of installation each NT/2000
installation generates a unique Security IDentifier (SID). If you then
clone a workstation each installation would have the same machine SID.
This is not a problem in a Windows NT 4.0 domain as users have a SID
generated by the domain controller and do not use the local
workstation SID for security. It IS a problem in a Windows 2000 domain
as the local machine SID is used in nearly all aspects of security and
before migrating to 2000 you should resolve any duplicate SID issues
which may have been caused by cloning installations.

--
AdamT
Maidenhead is *not* in Kent


RE: [ActiveDir] OT: Gauging AD experience

2006-01-18 Thread joe



I would say focusing on the design of big directories is 
pigeon-holing a little too much. There are only so many big directories that 
need to be designed. I personally find much more fun in diagnosing good 
directories that have gone bad than trying to design them. I design if I have to 
but it isn't what I like. Plus often with the design, it is rarely the case 
where you actually have all of the info though someone will tell you you do. You 
find out you don't later on when someone starts complaining or something starts 
breaking. 

I am not sure I would go so far to say it is something you 
let the tools handle though. A lot of the tools out there still aren't doing the 
greatest job and there are many companies that don't want to spend the millions 
on those tools that they would be charged for them instead having a few really 
good people handling it. A tool doesn't see bad things coming when someone is 
coming at you with the next great thing they want to plug into the AD. If the 
tool does catch it, it is way too late in the integration cycle. Plus, what if 
the tool isn't catching the problem? Someone has to be knowledgeable enough too. 
If you depend solely on your tools to keep your AD running well it is possible 
you are going to get cut pretty good. When I did Ops, I had several tools that 
watched what had been determined needed to be watched and then I would just go 
off and sample things to decide if there was something that maybe could be 
watched that we weren't watching. That could take the form of just watching a 
network packets on a DC or a client subnet for an hour or so or just walking the 
event logs event by event or walking through looking at objects in the 
directory. Whatever.

To get into those positions you want to get in with the 
companies already mentioned and jump about (and try not to hurt the customer too 
much with your learning) or find a big company and take whatever entry position 
you can get and prove yourself and grow into bigger/better positions. Don't 
expect to, for instance, walk into Walmart and become their AD guy. Maybe you 
get in as desktop support and get to know the right people and make suggestions 
on how things can be better and work your way up. You could possibly walk into a 
company and be their expert right off if your experience is greater than what 
they currently have or your resume indicates it or they are desperate. But it 
could end up biting you in the end if you don't turn out to be what they 
expected. Companies can get mighty pissy if they find out down the road that 
they are paying 100k+ to someone who would normally be lucky making $45k. 


 joe





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, January 18, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Gauging AD experience


I am trying to figure out how one gauges their AD experience. For example, I have designed, implemented and maintained an AD/Exchange environment of 5000 users with 1000 workstations from the ground up, alone. The environment is only 3 sites, with little complexity. I now work for a company maintaining a directory of about 150 users and 150 workstations. And the more local AD people I talk to, the more confident I am that I know quite a bit about AD compared to them (only talking about the people I have met, not generalizing the entire industry).

Although I am not a guru like some 
on this list, I would like to get myself to the place where I can say yeah, I 
can design your 50,000 user / 15 site infrastructure. Or is that even possible? 
Is a project of that size several directory experts working together? 


I honestly believe that I could 
perform such a task, but knowing that I would make some mistakes that a VERY 
experienced person would not. 

So, I guess my question 
is:

How do I get to where I want to be? 
Consult? Try to get a job with the biggest company I can? 


There may be no real answer, but I thought it was worth asking because I have been thinking about it for a couple of months and don't know where to start to move forward, and this is the only place I know that has people that I consider AD gurus (or gods even)



RE: [ActiveDir] Multiple Password Policies

2006-01-18 Thread joe



Custom password filters can be extremely troublesome. I 
know ~Eric has mentioned having to deal with several issues that came down to 
custom filters after digging through debug dumps. They are tied in at a very 
tender spot of the DCs and the slightest problems in the code can result in 
instability and reduced security or outright security holes. 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, January 18, 2006 10:29 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Multiple Password Policies

This company doesn't provide a large amount of 
documentation on how they are doing this password change but it seems like they 
are using the MS supported method. 

As for scripting password resets, I'm very concerned 
especially if this gets implemented I will need to see how it will function with 
test domains. 

I'm also not a big fan of putting an extra component on 
everyone's desktop (which you only have to do if you want the end-users to see 
an accurate password change error if one occurs).

I guess the first question I should have asked 
is:

 Has anyone used a password filter dll to create 
a custom password rule? And if so, have you seen any issues with 
it?

One thing that is interesting with this application, and something that I'm wary of, is that their GPO adm becomes a component of the Default Domain Policy (due to the domain password policy). I'm not a real big fan of modifying that policy.

Thanks for the input though, I would have overlooked the 
scripting testing component.

Charlie


From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple Password Policies

Ditto what Neil said.

These are things you need to test very very very very very much. They are hooked into a very core part of your DCs. You want to really load a DC up and stress test the crap out of the tool to see how it handles things and try to get as much technical detail as possible. Since it is sending rule info back to the clients something will have to be on the clients which bothers some people, this will be added software to clients as well as possibly servers. Also how does it handle if someone scripts a password change or uses something other than the standard Windows GUI to change a password? Do you care?



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple Password Policies

I have not used or assessed a product like this, but I 
would guess that a client side GPO extension is required. This may not be 
feasible in certain environments.

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: 18 January 2006 13:58
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Multiple Password Policies

I was just asked to look at this application that was recently released:
http://www.specopssoft.com/products/specopspasswordpolicy/Default.asp

It seems like someone did some good programming around the password filter dll concept and then tied it into security groups and GPOs.

Has anyone seen this application and what do you guys think about it?

Thanks,

Charlie


PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
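Added example, not part of the thread: PowerShell for the two tests the replies above ask for. The first inventories what LSA actually loads on each DC (the Notification Packages value, and for each entry whether the DLL is present in System32 and how it is signed), which is where a third-party password filter shows up. The second drives a password reset through the directory API rather than the Windows GUI and reports whether the DC's filter rejected the candidate, run against every DC so a filter missing from one of them stands out. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the DCs, and a disposable test account; the test user and the candidate passwords are placeholders.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module,
# PowerShell remoting to the domain controllers, and a throw-away test user
# that the caller may reset. 'pwtest01' and the candidate passwords below are
# placeholders.
Import-Module ActiveDirectory

function Get-PasswordFilterInventory {
    # Every name in LSA's 'Notification Packages' value is loaded into
    # lsass.exe on that DC as System32\<name>.dll at boot. scecli is the
    # Windows default (rassfm appears where RRAS is installed); anything else
    # is a third-party filter and deserves the scrutiny discussed above.
    param([string[]]$DomainController = (Get-ADDomainController -Filter *).HostName)
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $pkgs = (Get-ItemProperty -Path $key -Name 'Notification Packages').'Notification Packages'
        foreach ($p in $pkgs) {
            $path = Join-Path $env:SystemRoot "System32\$p.dll"
            $sig  = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            [pscustomobject]@{
                DC        = $env:COMPUTERNAME
                Package   = $p
                Present   = [bool]$sig
                Builtin   = ($p -in @('scecli', 'rassfm'))
                SigStatus = if ($sig) { $sig.Status } else { 'missing' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    } | Select-Object DC, Package, Present, Builtin, SigStatus, Signer
}

function Test-PasswordRule {
    # A scripted reset goes through the same LSA path as the GUI, so the DC's
    # filter is still consulted; a product that only checks in a client-side
    # dialog will accept the weak candidate here.
    param(
        [Parameter(Mandatory)][string]$TestUser,
        [Parameter(Mandatory)][string]$Candidate,
        [Parameter(Mandatory)][string]$Server
    )
    $secure = ConvertTo-SecureString -String $Candidate -AsPlainText -Force
    try {
        Set-ADAccountPassword -Identity $TestUser -Reset -NewPassword $secure -Server $Server -ErrorAction Stop
        [pscustomobject]@{ Server = $Server; Candidate = $Candidate; Accepted = $true;  Reason = '' }
    } catch {
        [pscustomobject]@{ Server = $Server; Candidate = $Candidate; Accepted = $false; Reason = $_.Exception.Message }
    }
}

Get-PasswordFilterInventory | Format-Table -AutoSize

# Same candidates against every DC: a rule that holds on one DC and not on
# another depends on which DC happens to answer the reset.
$results = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Test-PasswordRule -TestUser 'pwtest01' -Candidate 'Winter2006'       -Server $dc   # should be rejected
    Test-PasswordRule -TestUser 'pwtest01' -Candidate 'kX7!wq#pL9@mzR2v' -Server $dc   # should be accepted
}
$results | Format-Table -AutoSize
```

Use a dedicated test account: every accepted candidate actually becomes that account's password, and the rejected ones still count toward its bad-password history on some filters.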


Re: [ActiveDir] LDAP and Global Catalog

2006-01-18 Thread Ravi Dogra
Please explain...

What about port 389 and 636, and GC at 3268?

I'm a bit confused here


--
RD


RE: [ActiveDir] ADPrep Version Questions

2006-01-18 Thread joe



Yes.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, January 18, 2006 11:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions


Oh just what I need: more of those number-things to confuse me ;-)

But seriously folks, would you recommend using this R2 version for the migration from W2k to W2k3? Yes, we plan to implement R2 on some machines in the domain.

-- 
nme






From: Jeremy Olson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADPrep Version Questions

The version of adprep.exe that is included with R2 is 5.2.3790.2075

Jeremy

On 1/17/06, Noah Eiger [EMAIL PROTECTED]  
wrote:

Hi-

I am preparing to upgrade a W2k domain to W2k3. I want to use the latest version of ADPrep. I have found the following info and am confused:

For ADPrep on the following -
From Windows Server 2003 CD: 5.2.3790.0, July 22, 2004, 9:07:08 AM
From WindowsServer2003-KB889101-SP1-x86-ENU.exe: 5.2.3790.1830, November 07, 2005, 5:48:59 PM
Listed in MSKB / Hotfix 324392: 5.2.3790.196, July 23, 2004, 9:04

Am I reading that correctly: the one from SP1 is a lower version and later date than the one in the hotfix? Which one is the "latest"?

Thanks.

-- 
nme



RE: [ActiveDir] Unresolved SIDs in ACL

2006-01-18 Thread joe



It sure as heck shouldn't allow you to write an invalid SID 
to the ACL though... The interface should kick back an error of that name can't 
be resolved and not set anything. The last time I looked the stuff you could use 
from _vbscript_ didn't let you see SIDS, it was all name based. If it is SID 
based, sure let it write whatever SID you want like you can with the low level 
API calls. But script API access through ADSI/COM should have bumpers on 
it.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Wednesday, January 18, 2006 10:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unresolved SIDs in ACL


Amazing what On Error 
Resume Next will do for you eh? 


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 9:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unresolved SIDs in ACL

Ah. Kind of scary that 
the script created the ACEs at all, should have errored every time that you 
tried to apply a bad ACE. 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 7:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unresolved SIDs in ACL
joe,

The script owner 
realised just after I posted that the domain name was constructed wrongly in the 
script :(

Sorry to waste your 
time.

neil



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 17 January 2006 23:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unresolved SIDs in ACL
Do the SIDs at least 
have the Domain portion of the SID correct? How far off are they from the real 
SID of the groups?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, January 17, 2006 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unresolved SIDs in ACL

I have a script which creates a pre-defined OU structure, creates groups and permissions the OUs with these groups. The script performs these steps in the order given.

I have 2 test environments and have executed the script in each.

In one environment (all w2k3 sp1 DCs, dfl and ffl=2), the script works fine and all OUs and ACEs/ACLs are correct.

In the other environment (also w2k3 sp1 DCs and dfl/ffl=2) the script works fine but all new ACEs are shown as SIDs when viewed thru the ACL editor. Eventually, these unresolved SIDs are shown as 'account unknown'. I have used sidtoname (thanks joe!) and that shows that the SID cannot be resolved to a name (as expected, I guess).

I'm sure someone must have seen this strange behaviour before and has some suggestions. I would suspect the latter environment to be at blame, but it was only built very recently and is still pristine.

All suggestions very welcome.

Thanks, neil

___
Neil Ruston
Global Technology Infrastructure
Nomura International plc

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.

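The check joe asks for above (do the unresolved SIDs at least carry the right domain portion, and how far off are they) is something an administrator can run over an exported ACL rather than eyeball in the ACL editor. The script below is an added example, not code from this thread or from sidtoname/adfind; the domain SID, the ACE list and the small well-known-SID table are constructed sample values, and the classification labels ("foreign", "other") are this example's own naming. An ACE whose trustee is not a well-known SID and whose S-1-5-21 domain part is not this domain's SID will never resolve here, which is exactly what a script that built the domain name wrongly would leave behind.

```python
"""Audit ACE trustee SIDs against the domain they are supposed to come from.

Added example, not code from the ActiveDir thread. The domain SID and the
ACL entries below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A few well-known SIDs that legitimately sit in AD ACLs without a domain prefix
# (constructed subset for the example, not a complete table).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-10": "Self",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "SYSTEM",
}

# Constructed sample data: the domain's own SID and a few ACEs found on an OU.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ACL: List[Tuple[str, str]] = [
    ("S-1-5-21-1111111111-2222222222-3333333333-512", "GenericAll"),    # Domain Admins (RID 512)
    ("S-1-5-21-1111111111-2222222222-3333333333-1105", "CreateChild"),  # a delegated group
    ("S-1-5-21-2000000004-2000000005-2000000006-1105", "CreateChild"),  # right RID, wrong domain part
    ("S-1-5-11", "GenericRead"),                                        # Authenticated Users
    ("S-1-5-21-1111111111-2222222222-1105", "WriteProperty"),           # too few sub-authorities
]


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "Sid":
        """Parse 'S-R-A-s1-s2-...' into numeric components; reject anything else."""
        parts = text.strip().upper().split("-")
        if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
            raise ValueError(f"not a SID string: {text!r}")
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        # Revision is always 1, at most 15 sub-authorities, each a 32-bit value.
        if revision != 1 or len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
            raise ValueError(f"malformed SID: {text!r}")
        return cls(revision, authority, subs)

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority), *map(str, self.sub_authorities)])

    def domain_part(self) -> Optional["Sid"]:
        """For S-1-5-21-x-y-z-RID, everything before the RID: the SID of the issuing
        domain (or, for local accounts, of the machine). None for any other shape."""
        if self.authority == 5 and len(self.sub_authorities) == 5 and self.sub_authorities[0] == 21:
            return Sid(self.revision, self.authority, self.sub_authorities[:-1])
        return None


def classify_trustee(sid_text: str, domain_sid: str) -> str:
    """'well-known', 'local-domain', 'foreign' (valid shape, other domain part),
    'other' (valid SID but not a domain-style one) or 'malformed'."""
    try:
        sid = Sid.parse(sid_text)
    except ValueError:
        return "malformed"
    if str(sid) in WELL_KNOWN or (sid.authority == 5 and sid.sub_authorities[:1] == (32,)):
        return "well-known"  # listed above, or a BUILTIN\* principal (S-1-5-32-...)
    domain = sid.domain_part()
    if domain is None:
        return "other"
    return "local-domain" if str(domain) == str(Sid.parse(domain_sid)) else "foreign"


def domain_part_diff(sid_text: str, domain_sid: str) -> List[int]:
    """0-based indices of the domain sub-authorities that differ from domain_sid:
    'how far off' a trustee SID is from the real domain SID."""
    expected = Sid.parse(domain_sid).sub_authorities
    actual = Sid.parse(sid_text).domain_part()
    if actual is None:
        return list(range(len(expected)))
    return [i for i, (a, e) in enumerate(zip(actual.sub_authorities, expected)) if a != e]


def find_suspect_aces(acl: List[Tuple[str, str]], domain_sid: str) -> List[Dict[str, object]]:
    """ACEs whose trustee can be neither a principal of this domain nor a well-known SID."""
    report: List[Dict[str, object]] = []
    for trustee, right in acl:
        kind = classify_trustee(trustee, domain_sid)
        if kind in ("well-known", "local-domain"):
            continue
        entry: Dict[str, object] = {"trustee": trustee, "right": right, "kind": kind}
        if kind == "foreign":
            entry["differs_at"] = domain_part_diff(trustee, domain_sid)
        report.append(entry)
    return report


if __name__ == "__main__":
    for ace in find_suspect_aces(SAMPLE_ACL, DOMAIN_SID):
        print(ace)
```

Feeding a real export in means replacing SAMPLE_ACL with the trustee SIDs read from the OU's security descriptor and DOMAIN_SID with the domain's objectSid; principals from trusted domains will also show up as "foreign", so the report is a list to resolve, not a list to delete.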

RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Brian Desmond

Dozen other reasons to run it. Not running sysprep is just a bad idea.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 8:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well not really. The important SID in question is the Domain SID and that isn't duped. The domain doesn't care about the machine SID. It is still good practice to newsid the machines though.

If the accounts are disappearing it is one of two things:

1. Someone is deleting it.

2. During the join process something fails and the computer deletes the object out. I don't recall the details of this but I do recall hearing it happen. It happens right after the failed join though, you don't have to wait for it. I have also heard other people who don't have enough rights report the account being disabled instead of deleted. I never verified personally either.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You're getting duplicate SIDs here - bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images: before I ghost them or create the image I put the said machine into a workgroup and then create the image. After I have imaged a computer I log on and change the Computer Name, reboot and then join the domain with the new computer name. Should I be using Sysprep?

And Brenda, I have experienced your problem but I have never noticed the accounts actually being out of AD. Anyways, most times for me a simple reboot works, although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school. Makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don't sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda,

FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some.

Gary

Gary Polvinale
Denton ATD

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone.

Thanks,
Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

When you say lose their account, do you mean the computer object in AD disappears? Or something else?

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD computer accounts being removed

Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am

Re: [ActiveDir] Migrate domain to separate forest

2006-01-18 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
As a newsgrouper/listserver person who gets massive amounts of OOO...can 
I respectfully say that has to be the stupidest reason for network 
design in my personal opinion.


The amount of social engineering data I can get from OOO's that I on the 
Internet have no business having at least set up that Exchange 
setting that OOO won't go to folks where the to is not in the address 
please?


joe wrote:

Yeah if that is true that sounds like a great DCR or maybe something besides Exchange handling the EDGE...


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, January 18, 2006 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrate domain to separate forest

 


> Because they want to have their out-of-office replies go to the internet

hmm - that puts a whole new meaning to the requirements of a different forest. So just to get OOO replies configured the way they want, they're giving up being managed in the same forest and being in the same Exchange Org, having the same GAL as the rest of the company (or requiring an extra mechanism to sync the users/contacts), being able to easily share calendar data, simplifying resource sharing between any part of the company, or allowing easy transition of users between other parts of the organization.

way to go. I certainly know of other reasons to create a separate forest, but I hadn't considered OOO configurations to be one of them :-)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Mittwoch, 18. Januar 2006 14:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrate domain to separate forest

Thanks for your reply, Gil.

You wrote:

> Just out of curiosity, why do they think they want their own forest?

Because they want to have their out-of-office replies go to the internet, and our security policy won't let 'em do it because it affects everybody else, too!

> In any case, there's no way that I'm aware of to carve off a domain
> and make it a new forest root... I think you'll have to create the
> forest and migrate the users and resources.

That's what I thought.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

 



--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com


RE: [ActiveDir] ADPrep Version Questions

2006-01-18 Thread joe



LOL. It isn't a decimal number though... It is a series of variable length decimal numbers separated by the period character... Sort of like an OID

1.2.840.113556.1.4.7000.102.7038

Versioning is a lost art I think though. I am big on xx.yy.zz. xx.=major, yy=minor, zz=really minor, =build.


To me... major rev changes for big changes, massive updates or rewrites or dramatic functional changes. Minor is added features, bug fixes. Really minor is output string changes or remarks in the code being changed, things that don't change the code flow and don't require any serious testing (I rarely update this one). And build of course is how many times the bin has been compiled.


G:\>filever f:\dev\cpp\adfind\adfind.exe
--a-- W32i APP ENU 1.29.0.785 shp 950,784 12-22-2005 adfind.exe

The current release version of adfind for instance has been compiled 785 times. Well actually that is incorrect, it has compiled 785 times since V01.08.00. There was a little bug in the routine I had been using to increment the counter and it was resetting on every new minor version rev. If I follow the average I am probably off by 250-300 compile build numbers but I expect it is less than that because as the complexity grew in versions 15 the number of compiles between releases went up due to testing and bug hunting.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

It's a common source of confusion.

Ask a user if version 1.4.4 is newer or older than 1.4.3.4 :)

Some say "34 > 4 therefore the latter is newer", some say "4 > 3 therefore the former is newer".

neil

PS The purist in me would say that without a leading 0, the 196 below looks like 1 thousand 9 hundred and 60, and 1960 > 1830. It's all about justification when dealing with the decimal notation :)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 January 2006 15:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

Ah don't worry about it, I figured you were just disconnected there when I saw the first question at all. That is why I counted it out. :)




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, January 17, 2006 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions


Oh (blush)

Don't mind me. I'm just over here re-learning that whole tens, hundreds, thousands, etc thing.

Ugh! (eyes roll skyward, head shakes)

;-)

Sorry for the wasted bandwidth.






From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 17, 2006 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

one thousand eight hundred and thirty is greater than one hundred ninety six. The SP1 version is the most recent and highest version of adprep.

0
1
2
3
4
5
6
...
194
195
196
197
198
199
200
...
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
...

 joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, January 17, 2006 7:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

yes






From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 17, 2006 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

Are you asking if 1830 > 196?





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, January 17, 2006 6:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADPrep Version Questions

Hi-

I am preparing to upgrade a W2k domain to W2k3. I want to use the latest version of ADPrep. I have found the following info and am confused:

For ADPrep on the following -

From Windows Server 2003 CD: 5.2.3790.0, July 22, 2004, 9:07:08 AM
From WindowsServer2003-KB889101-SP1-x86-ENU.exe: 5.2.3790.1830, November 07, 2005, 5:48:59 PM
Listed in MSKB / Hotfix 324392: 5.2.3790.196, July 23, 2004, 9:04

Am I reading that correctly: the one from SP1 is a lower version and later date than the one in the hotfix? Which one is the latest?

Thanks.

--
nme

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006

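joe's point above, that a version is a series of independent decimal integers separated by periods rather than one decimal number, is what makes 5.2.3790.1830 newer than 5.2.3790.196, and 1.4.4 newer than 1.4.3.4 in neil's example. The comparison below is an added example, not code from the thread or from adprep/filever; the version strings are the ones quoted in the thread, and padding shorter versions with zeros (so 1.4.4 equals 1.4.4.0) is a convention assumed by this example, not something the thread states. The two "naive" functions reproduce the readings the thread warns against, so the difference is visible side by side.

```python
"""Compare dotted version strings such as adprep's 5.2.3790.196 and 5.2.3790.1830.

Added example for the ADPrep version question; not code from the thread.
A version is treated as a sequence of independent decimal integers, like the
arcs of an OID, so 1830 is compared with 196 as whole numbers, not as the text
"1830" vs "196" or as the fractions .1830 vs .196.
"""
import re
from functools import cmp_to_key
from typing import List, Tuple

# adprep.exe versions quoted in the thread (the three Noah listed).
ADPREP_VERSIONS = ["5.2.3790.0", "5.2.3790.1830", "5.2.3790.196"]

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.2.3790.196' -> (5, 2, 3790, 196); rejects empty components and non-digits."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b.
    Shorter versions are right-padded with zeros (1.4.4 == 1.4.4.0); that is an
    assumption of this example, not something the thread states."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)   # tuple comparison is component-wise, left to right


def newest(versions: List[str]) -> str:
    """The highest version in the list under compare_versions."""
    return max(versions, key=cmp_to_key(compare_versions))


def naive_string_compare(a: str, b: str) -> int:
    """The first mistake: comparing the text character by character, which ranks
    5.2.3790.1830 below 5.2.3790.196 because '8' sorts before '9'."""
    return (a > b) - (a < b)


def decimal_fraction_compare(a: str, b: str) -> int:
    """The second mistake: reading the last component as a decimal fraction, so
    .1830 and .196 are compared as 0.1830 < 0.196. Only meaningful when the
    leading components are equal, as they are for the adprep builds here."""
    fa = float("0." + a.rsplit(".", 1)[-1])
    fb = float("0." + b.rsplit(".", 1)[-1])
    return (fa > fb) - (fa < fb)


if __name__ == "__main__":
    print("newest adprep:", newest(ADPREP_VERSIONS))
    for name, fn in [("component-wise", compare_versions),
                     ("string", naive_string_compare),
                     ("decimal fraction", decimal_fraction_compare)]:
        print(f"{name:17s} 5.2.3790.1830 vs 5.2.3790.196 ->", fn("5.2.3790.1830", "5.2.3790.196"))
```

Only the component-wise comparison agrees with joe's answer; both naive readings rank the SP1 build (1830) below the hotfix build (196), which is the confusion the thread started from.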

RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread joe
I would like to see the details of what the issues are. Windows IT Pro mag
is a nice mag and all, but there is no real technical review of the
articles, you can say about anything you want to and I have seen several
examples. Ditto for Redmond Mag and SearchWindows*, etc.  

I don't think the people actually test the stuff they say in a lot of those
articles though they try to state it authoritatively.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, January 18, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD computer accounts being removed

On 1/19/06, Aaron Visser [EMAIL PROTECTED] wrote:

> Taken from
> http://www.sysinternals.com/Utilities/NewSid.html under the SID
> Duplication Problem

> <snip>

Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html

At the start of the GUI phase of installation each NT/2000 installation
generates a unique Security IDentifier (SID). If you then clone a
workstation each installation would have the same machine SID.
This is not a problem in a Windows NT 4.0 domain as users have a SID
generated by the domain controller and do not use the local workstation SID
for security. It IS a problem in a Windows 2000 domain as the local machine
SID is used in nearly all aspects of security and before migrating to 2000
you should resolve any duplicate SID issues which may have been caused by
cloning installations.

--
AdamT
Maidenhead is *not* in Kent


RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread joe
Don't get me wrong though... Sysprep/newsid, follow the process. I am
absolutely not telling people to image machines and deploy them without
cleaning them up. If you have odd things happening and are not following the
recommended processes, it is all on you and you get to take responsibility
for what you do. :)

 

-Original Message-
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 18, 2006 9:01 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD computer accounts being removed

I would like to see the details of what the issues are. Windows IT Pro mag
is a nice mag and all, but there is no real technical review of the
articles, you can say about anything you want to and I have seen several
examples. Ditto for Redmond Mag and SearchWindows*, etc.  

I don't think the people actually test the stuff they say in a lot of those
articles though they try to state it authoritatively.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, January 18, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD computer accounts being removed

On 1/19/06, Aaron Visser [EMAIL PROTECTED] wrote:

> Taken from
> http://www.sysinternals.com/Utilities/NewSid.html under the SID
> Duplication Problem

> <snip>

Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html

At the start of the GUI phase of installation each NT/2000 installation
generates a unique Security IDentifier (SID). If you then clone a
workstation each installation would have the same machine SID.
This is not a problem in a Windows NT 4.0 domain as users have a SID
generated by the domain controller and do not use the local workstation SID
for security. It IS a problem in a Windows 2000 domain as the local machine
SID is used in nearly all aspects of security and before migrating to 2000
you should resolve any duplicate SID issues which may have been caused by
cloning installations.

--
AdamT
Maidenhead is *not* in Kent


RE: [ActiveDir] AD DNS in Windows delegation to Novell DNS

2006-01-18 Thread David Adner



Unless Novell's changed what flavor of DNS/feature set they 
have since NetWare 5.1 (last time I ever saw Novell) it did not support dynamic 
updates. More specifically, it supported "dynamic updates" but only via a 
NetWare DHCP server. Also, at the time, the GUI for managing records 
didn't support the creation of SRV records in the way AD requires. The 
dialog box's fields were weird.

  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: Wednesday, January 18, 2006 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DNS in Windows delegation to Novell DNS

Hi Team,

Wanted to know what are the pros and cons of delegating the DNS zone created in Windows DNS for 2003 AD to Novell DNS, as the client wants to use Novell as the primary.

Regards,
Chandra Burra


RE: [ActiveDir] LDAP and Global Catalog

2006-01-18 Thread joe
It looked like you asked for the GC ports, those are 3268 and 3269. If you
want the LDAP ports, those are 398 and 636. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Wednesday, January 18, 2006 8:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP and Global Catalog

Please explain...

What about port 389 and 636, and GC at 3268.

I'm a bit confused here


--
RD


[ActiveDir] Possibly useful mod

2006-01-18 Thread joe



For those using character set 409, a possibly useful addition to ADUC. Adds "Operating System Service Pack" to the searchable fields for computers in ADUC, and also allows you to select the column to display.

adfind -config -f "attributedisplaynames=operatingSystemVersion,Operating System Version" -incldn 409 | admod "attributeDisplayNames:+:operatingSystemServicePack,Operating System Service Pack"




RE: [ActiveDir] LDAP and Global Catalog

2006-01-18 Thread Brian Desmond
389 is the standard LDAP port. 636 is LDAPS - LDAP over SSL; it's
comparable to 80 and 443 ... one is unencrypted and one isn't.

As far as the GC port, this is LDAP too, but, it's only listening on
domain controllers which are global catalogs in your forest. The global
catalog holds a partial replica of every object in your forest. The
attributes it holds are often known as the partialAttributeSet. Not sure
what specifically to tell you here, I think I covered the port. GCs are
required for logon, certain apps like Exchange, etc. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
> Sent: Wednesday, January 18, 2006 8:36 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] LDAP and Global Catalog
>
> Please explain...
>
> What about port 389 and 636, and GC at 3268.
>
> I'm a bit confused here
>
>
> --
> RD


RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread joe
And further, I am not trying to say I am always right. Quite the contrary,
fully 50% of what I say is flat out incorrect, made up, or complete opinion.
Your job is to try to figure out what is and isn't in that 50%. Preferably
prior to changing your environment based on something I said. :o)

Or to put it another simpler way, mileage varies. What works very well for
me may not be in your best interest. 

I would like to hear the technical details behind the SID issues from that
article though. Maybe I will follow the link. Though I doubt what I want is
there. Very little serious deep tech in that mag anymore. The tech stuff I
previously wrote for them they stopped putting in the mag and started
putting in their over the top highly overpriced professional newsletters
that were $100+ for 12 tiny little issues that looked like a small school
newspaper.


  joe

 

-Original Message-
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 18, 2006 9:14 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD computer accounts being removed

Don't get me wrong though... Sysprep/newsid, follow the process. I am
absolutely not telling people to image machines and deploy them without
cleaning them up. If you have odd things happening and are not following the
recommended processes, it is all on you and you get to take responsibility
for what you do. :)

 

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 9:01 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD computer accounts being removed

I would like to see the details of what the issues are. Windows IT Pro mag
is a nice mag and all, but there is no real technical review of the
articles, you can say about anything you want to and I have seen several
examples. Ditto for Redmond Mag and SearchWindows*, etc.  

I don't think the people actually test the stuff they say in a lot of those
articles though they try to state it authoritatively.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, January 18, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD computer accounts being removed

On 1/19/06, Aaron Visser [EMAIL PROTECTED] wrote:

> Taken from
> http://www.sysinternals.com/Utilities/NewSid.html under the SID
> Duplication Problem

> <snip>

Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html

At the start of the GUI phase of installation each NT/2000 installation
generates a unique Security IDentifier (SID). If you then clone a
workstation each installation would have the same machine SID.
This is not a problem in a Windows NT 4.0 domain as users have a SID
generated by the domain controller and do not use the local workstation SID
for security. It IS a problem in a Windows 2000 domain as the local machine
SID is used in nearly all aspects of security and before migrating to 2000
you should resolve any duplicate SID issues which may have been caused by
cloning installations.

--
AdamT
Maidenhead is *not* in Kent


RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread joe

Yep sorry, didn't intend to say it wasn't a good idea. At some point the list will catch up and my post that says that will show up. :)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Dozen other reasons to run it. Not running sysprep is just a bad idea.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 8:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well not really. The important SID in question is the Domain SID and that isn't duped. The domain doesn't care about the machine SID. It is still good practice to newsid the machines though.

If the accounts are disappearing it is one of two things:

1. Someone is deleting it.

2. During the join process something fails and the computer deletes the object out. I don't recall the details of this but I do recall hearing it happen. It happens right after the failed join though, you don't have to wait for it. I have also heard other people who don't have enough rights report the account being disabled instead of deleted. I never verified personally either.






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You're getting duplicate SIDs here - bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images: before I ghost them or create the image I put the said machine into a workgroup and then create the image. After I have imaged a computer I log on and change the Computer Name, reboot and then join the domain with the new computer name. Should I be using Sysprep?

And Brenda, I have experienced your problem but I have never noticed the accounts actually being out of AD. Anyways, most times for me a simple reboot works, although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school. Makes it a little safer :) but with that comes more work :(








From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don't sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda,

FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some.

Gary

Gary Polvinale
Denton ATD




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone.

Thanks,
Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792






From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Gil 
KirkpatrickSent: Wednesday, 
January 18, 2006 11:14 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer 
accounts being removed
When you say "lose 
their account", do you mean the computer object in AD disappears? Or something 
else?

-g




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Brenda 
CaseySent: Wednesday, January 
18, 2006 10:42 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] AD computer accounts 
being removed
Occasionally 
computers will lose their account in Active Directory for no apparent 
reason.Sometimes it is a computer that has just joined the domain, while 
other times 
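
For the symptom Brenda describes in the quoted message above (a computer account that is simply gone), the first thing to establish is whether the object really was deleted, when, and from which OU. The script below is an added example, not code from the thread: it searches the domain's tombstones with the .NET DirectorySearcher class that ships with Windows, and the DaysBack value is a constructed default.

```powershell
# Added example, not code from the thread: find computer objects that were
# deleted from AD recently, so a "missing" account can be shown to have been
# deleted (and when, and from which OU) rather than never created.
# Uses only System.DirectoryServices, so it runs on any domain-joined box;
# reading Deleted Objects needs Domain Admin rights by default.
function Get-DeletedComputerObject {
    param(
        [int]$DaysBack = 7,        # constructed default: look one week back
        [string]$SearchRoot = ""   # empty = default naming context of this domain
    )
    if (-not $SearchRoot) {
        $rootDse    = [ADSI]"LDAP://RootDSE"
        $SearchRoot = "LDAP://" + $rootDse.defaultNamingContext
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$SearchRoot
    $searcher.Tombstone  = $true        # return deleted (tombstoned) objects too
    $searcher.PageSize   = 500
    # Tombstones keep objectClass, so the computer class can still be matched.
    $searcher.Filter = "(&(isDeleted=TRUE)(objectClass=computer))"
    foreach ($attr in "name", "whenChanged", "lastKnownParent") {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $cutoff = (Get-Date).AddDays(-$DaysBack)
    foreach ($r in $searcher.FindAll()) {
        # whenChanged is bumped when the object is deleted; use it as the delete time.
        $deleted = [datetime]$r.Properties["whenchanged"][0]
        if ($deleted -lt $cutoff) { continue }
        # A tombstone is renamed to "<oldname>\nDEL:<guid>"; keep the original name.
        $name = (([string]$r.Properties["name"][0]) -split "`n")[0]
        [pscustomobject]@{
            Name            = $name
            DeletedAround   = $deleted
            LastKnownParent = [string]$r.Properties["lastknownparent"][0]
        }
    }
}

# Example call: Get-DeletedComputerObject -DaysBack 14 | Sort-Object DeletedAround
```

Who performed the deletion is not stored on the tombstone; that comes from the DC Security log (event 647 on Windows 2003 DCs, 4743 on later versions), provided account-management auditing is on.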

RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Brian Desmond

We have roughly 650 unique nightmare LANs here. I've seen some interesting
things. Have a folder full of screenshots and JPEGs from site visits to prove
it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 8:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NetBEUI? Ouch.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 7:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Sysprep also removes other information which identifies the computer. For
example, I once had the pleasure of repairing a network where they had used
NewSID to do this and also had bound NetBEUI to every NIC in the LAN. I had 500
computers all claiming the same NetBEUI name. Sysprep takes care of things like
this. Highly recommended over any other tool.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well I would agree that is not a safe practice for most but for my application
where all Local accounts are disabled I do not see a problem.

Taken from http://www.sysinternals.com/Utilities/NewSid.html under the SID
Duplication Problem:

Duplicate SIDs aren't an issue in a Domain-based environment since domain
accounts have SIDs based on the Domain SID. But, according to Microsoft
Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of
Windows NT", in a Workgroup environment security is based on local account SIDs.
Thus, if two computers have users with the same SID, the Workgroup will not be
able to distinguish between the users. All resources, including files and
Registry keys, that one user has access to, the other will as well.

Aaron

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You're getting duplicate SIDs here bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but
there may be one big difference with my images, before I ghost them or create
the image I put the said machine into a workgroup and then create the image.
After I have imaged a computer I log on and change the Computer Name, reboot and
then join the domain with the new computer name, should I be using Sysprep?

And Brenda I have experienced your problem but I have never noticed the accounts
actually being out of AD, anyways most times for me a simple reboot works
although I have had to actually ghost computers in order to rejoin the domain
because I do not have any local accounts active on my computers in the school,
makes it a little safer :) but with that comes more work :(


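
Brian's "you're getting duplicate SIDs" above is something a lab can verify rather than argue about. The script below is an added example, not code from the thread or from Sysinternals: it reads each machine's SID over WMI/CIM and groups the computers that share one; the computer names in the example call are constructed.

```powershell
# Added example, not code from the thread or from Sysinternals: inventory the
# machine SID of a set of computers and report any SID shared by more than one,
# which is what an image deployed without Sysprep (or NewSID) leaves behind.
# The machine SID is the domain part of the built-in Administrator SID (RID 500,
# stable even if that account is renamed or disabled). Needs WMI/CIM access to
# each box; on hosts without WinRM, Get-WmiObject takes the same parameters.
function Get-MachineSid {
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        $acct = Get-CimInstance -ClassName Win32_UserAccount -ComputerName $ComputerName `
                    -Filter "LocalAccount = TRUE AND SID LIKE '%-500'" -ErrorAction Stop
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($acct.SID)
        [pscustomobject]@{
            ComputerName = $ComputerName
            MachineSid   = $sid.AccountDomainSid.Value   # the SID with the RID stripped
        }
    } catch {
        Write-Warning "$ComputerName : $($_.Exception.Message)"
    }
}

function Find-DuplicateMachineSid {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $ComputerName | ForEach-Object { Get-MachineSid -ComputerName $_ } |
        Group-Object -Property MachineSid |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                MachineSid = $_.Name
                Count      = $_.Count
                Computers  = ($_.Group.ComputerName -join ", ")
            }
        }
}

# Example call (constructed names): each row returned is a set of clones that
# still share one machine SID; no rows means every SID in the list is unique.
# Find-DuplicateMachineSid -ComputerName LAB-PC01, LAB-PC02, LAB-PC03
```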

Re: [ActiveDir] Move AD from one SBS Server to another?

2006-01-18 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Where did I miss this one?

To make an eval of SBS into a real box you put SBS retail over the top 
let it run and voila [and hit that person for hacking up a box]


www.sbsmigration.com is a package of information/how to/scripts but 
mostly support.  If you've never done this AD glue suck out and 
migration before, it's worth every penny IMHO.


In reality.. we may be the toy server ...the cut down box the all 
on one box but when it comes to AD...we're AD.
But because of sbscore [which you cannot turn off] you have about 7 days 
for two SBS servers to coexist side by side for a supported ADMT 
migration before one of them freaks and shuts down.



Because of the no trust stuff you have three choices:

1.  Preserve the domain/computer name method

AKA the  ... Joe would have been proud of me as I was using black 
commands the other day to seize roles


Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller:
http://support.microsoft.com/kb/255504

The process is basically seizing the roles.

Okay here's basically what you do.

Old box.  Build new box that is a member server.  Join it as an 
additional DC.

Make it a global catalog.
Replicate [if Win2k3 sp1 ensure firewall is off otherwise that 
replication may take a lnnng time]

Cut the cord on the old server.
Force the temp DC to become the PDC/5 roles and all that
Go into the AD metadata [Joe would have been so proud...no GUI] and 
clean up the old box.

Clean out Exchange info.
[I'm sure I'm missing steps which is why in SBSland we recommend Jeff's kit]
Okay now.. build a second box.  This time it's your real honest to 
goodness box.  Name it the same name and everything.

Make it an additional DC.
Again replicate the AD gunk.
Cut the cord between the two boxes.
Seize the roles.
Stick the SBS 2003 disk one back in and finish the integrated install 
[since you hacked up the eval.. let's not assume that you set this 
little guy up with wizards].


Restore data.
Stick Exchange in there and remount/attach mailboxes.

Basically done.

Desktop icons do not BUDGE a single IOTA from their locations on the 
desktops.


2.  Option two.
Microsoft's ADMT method where we change the domain name and the computer 
name and screw up the desktops.

Yes it's the supported MS way but  we really don't like it

Google on migration SBS and you'll see the docs.
Use XP's file and transf wiz to help you put the desktop icons EXACTLY 
BACK as the person had them to minimize user freakout.



3. Option three.
Clean, pst park, sneaker net.

Build new server,
Sneakernet to each workstation, park out mailboxes into pst files,
if XP use file and transfer wiz to park desktop profile so 
boss/employees won't freak when workstation changes on Monday

Connect to new server domain
Import mail into new Exchange breaking single instance storage
Do file and transf wiz to put icons EXACTLY back so that boss doesn't freak

kinda see which one we prefer these days?

You don't have to buy the kit... but if you've never done an AD seize 
role thingy. Jeff is there as your safety net.  What you are in 
reality paying for is him being there to guide you.


Yes, it's worth it IMHO if you are a newbie to AD glue suck out and 
transfer.





joe wrote:


We need the SBS mom for this one... I am sure she knows someone who can help
with this. 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Tesch
Sent: Wednesday, January 18, 2006 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Move AD from one SBS Server to another?


I have a friend that has an SBS 2003 Server running in his business.
The server was installed from an eval. disk and then someone used some kind
of hack on it to get it to not expire. The server now cannot be updated to
the latest service packs, etc. and has other problems.

I was asked to help out with the situation and there is now a legit.
SBS Server running but all of the AD info is on the old machine and all of
the users log into the old domain - I need to come up with a solution if one
exists to transfer the domain to the new server so that all of the users
don't lose their desktop settings, etc.

I am familiar with using DCPROMO and my thought is to DCPROMO the new server
- join it to the existing domain and then DCPROMO it back to a domain
controller - problem is, I have seen problems with SBS Servers before and
the failing that can occur with the SBCORE service
- looking for possible solutions?


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



Re: [ActiveDir] Move AD from one SBS Server to another?

2006-01-18 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
I don't know if I made it clear enough but in version one ...the domain 
name is the same as the original box, the computer name, etc.  The 
workstations won't freak.



Re: [ActiveDir] Move AD from one SBS Server to another?

2006-01-18 Thread Matt Johnson
One way to do this is use Jeff Middleton's Swing Migration to
accomplish this. I have done this many times with great success.

http://www.sbsmigration.com/

The essentials are below. There is more to this process but it is only
an overview. Plan on about 8 hours or more the first time you do it as
there are a lot of steps to follow to ensure this is a smooth move. In
my opinion, it is worth paying for the toolkit if you are serious
about saving the AD information.

1. Build new SBS box to the point just before the SBS parts (Exchange,
Sharepoint, AD, Etc) are installed
2. DC Promo SBS box into old domain
3. Transfer AD, DNS, and WINS info
4. Remove new server from Domain
5. Cleanup AD
6. Put new server back in

One nice thing is the fact that the new machine retains same server
name as before so mapped drives and such are retained.





--
Matt Johnson, MCSE, MCSA, Network+, A+
MWJ Computing
[EMAIL PROTECTED]

Subtle and insubstantial, the expert leaves no trace; divinely
mysterious, he is inaudible. Thus he is the master of his enemy's
fate. —Sun Tzu
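
Both Susan's write-up and Matt's six-step outline end in the same state: all five FSMO roles seized onto the new box and the old DC cleaned out of the metadata. The check below confirms that state before users are let back on. It is an added example, not part of the thread or of the Swing Migration kit; it uses only the .NET System.DirectoryServices.ActiveDirectory classes (so no RSAT module is needed), and the server names are placeholders.

```powershell
# Added example, not from the thread: verify the end state of a swing migration.
# All five FSMO roles must be on the new DC, the new DC must be a global
# catalog, and the retired box must no longer be listed as a DC. Server names
# passed in are placeholders. KB 255504 caveat: after a seizure the old role
# holder must never be put back on the network.
function Test-SwingMigrationState {
    param(
        [Parameter(Mandatory)][string]$ExpectedDc,   # e.g. "SBS01" (placeholder)
        [string[]]$RetiredDc = @()                    # names that must be gone
    )
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = $domain.Forest
    # Role owners come back as DomainController objects whose Name is an FQDN.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaRoleOwner.Name
        DomainNamingMaster   = $forest.NamingRoleOwner.Name
        PdcEmulator          = $domain.PdcRoleOwner.Name
        RidMaster            = $domain.RidRoleOwner.Name
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
    }
    $problems = @()
    foreach ($role in $roles.Keys) {
        $holder = ($roles[$role] -split '\.')[0]     # compare on the host label only
        if ($holder -ne $ExpectedDc) {
            $problems += "$role is on $holder, expected $ExpectedDc"
        }
    }
    $dcs = @($domain.DomainControllers | ForEach-Object { ($_.Name -split '\.')[0] })
    foreach ($old in $RetiredDc) {
        if ($dcs -contains $old) {
            $problems += "$old is still listed as a DC (metadata cleanup incomplete)"
        }
    }
    if ($dcs -notcontains $ExpectedDc) {
        $problems += "$ExpectedDc is not a DC of $($domain.Name)"
    }
    $gcs = @($forest.GlobalCatalogs | ForEach-Object { ($_.Name -split '\.')[0] })
    if ($gcs -notcontains $ExpectedDc) {
        $problems += "$ExpectedDc is not a global catalog"
    }
    [pscustomobject]@{
        Domain   = $domain.Name
        Roles    = $roles
        Dcs      = $dcs
        Problems = $problems
        Healthy  = ($problems.Count -eq 0)
    }
}

# Example call (placeholder names):
# Test-SwingMigrationState -ExpectedDc SBS01 -RetiredDc OLDSBS
# Healthy = False with a non-empty Problems list means the seizure or the
# metadata cleanup is not finished yet.
```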


[ActiveDir] Changing Employee ID from workstation

2006-01-18 Thread Marko Inkinen
My e-mail address changes on 31.12.2005; the username part stays the same, the
new domain part is PKSSK.FI. ([EMAIL PROTECTED]).

Hello list,

I've been using a vbs-script for some time already to add an Employee ID
manually through ADUC, but the problem is that I always have to make a remote
desktop connection to the ADUC of the DC to do that. Isn't it possible to do it
from the console at my workstation? Even if I add the script to my computer (I
don't know if that is even necessary) I still can't see "Employee ID" in the
context menu, when I right click the user..

Thanx,
marko
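
One way to do what Marko asks, setting employeeID from a workstation instead of through ADUC on the DC, is a plain LDAP write. The script below is an added example, not from the thread: it uses the .NET DirectorySearcher and DirectoryEntry classes that ship with every domain-joined Windows box, and the sAMAccountName and ID in the example call are constructed values.

```powershell
# Added example, not from the thread: write the employeeID attribute of a user
# over LDAP from an ordinary domain-joined workstation. No RDP to a DC and no
# ADUC context-menu script needed; the caller's account must have write access
# to employeeID on the target user. Sample values are constructed.
function Set-EmployeeId {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$EmployeeId
    )
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    # Escape the characters that carry meaning in an LDAP filter (RFC 4515),
    # so an odd account name cannot change the shape of the query.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                               -replace '\(', '\28' -replace '\)', '\29'
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found" }
    $user = $result.GetDirectoryEntry()
    $user.Put("employeeID", $EmployeeId)     # single-valued string attribute
    $user.SetInfo()                          # commit the change to the DC
    $user.RefreshCache(@("employeeID"))      # re-read so the return value is what AD stored
    [string]$user.Properties["employeeID"].Value
}

# Example call (constructed values): Set-EmployeeId -SamAccountName jdoe -EmployeeId 10432
# returns the value read back from AD after the write.
```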