RE: [ActiveDir] Changing Employee ID from workstation

2006-01-19 Thread neil.ruston
Is it just me, or are all posts from Marko unreadable / stripped of content? 

neil


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marko Inkinen
Sent: 19 January 2006 07:59
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing Employee ID from workstation

My e-mail address changes on 31.12.2005; the user-name part stays the same, the new
domain part is PKSSK.FI. ([EMAIL PROTECTED]).



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Accout policy

2006-01-19 Thread Jonathan Watts

I *believe* that setting different password policies on different OUs may be a
feature in Longhorn. Can't remember where I heard this, I could of course be
completely wrong.

Jon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: 19 January 2006 01:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Accout policy

Thanks,

Yeah, I'm trying to set different password policies per domain groups.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, January 18, 2006 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Accout policy

Mike-

It's a common question. There is currently only one *domain* password policy
supported per AD domain. It does not have to be set in the DDP but it does have
to be set on a GPO that is linked to the domain (if you have more than one, then
the highest in the list wins). So you can't create separate policies for
different user groups if those users are domain accounts. What you can do is
have separate account policies for local member server or workstation SAM-based
accounts, but that isn't what you're asking, is it?

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, January 18, 2006 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Accout policy

Sorry for the newbie question.

So is it true you can only apply an account policy, for example a password
policy to change passwords every 90 days, only to the default domain policy?

I need to change my policy setting per groups for password expiration, ex
finance, HR, etc, for compliance.

I thought I could apply a password policy per OU for each group.

Am I wrong?

Thanks

Mike
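Darren's point (only GPOs linked at the domain count, and the highest link wins) can be checked from a management workstation. The script below is an added example and not code from the thread or any poster; it assumes the RSAT GroupPolicy and ActiveDirectory modules (Server 2008 R2 era and later, not the 2003 tooling discussed here) and that Get-GPOReport's XML carries account-policy settings as Account/Name/SettingNumber elements.

```powershell
# Added example (not from the thread): list the GPOs linked at the domain root
# in link order, show which of them define password-policy settings, and
# compare with the policy the DCs actually apply.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Setting names as they appear in a GPO XML report (same names as the
# [System Access] section of a secedit INF). Assumed from the report schema.
$passwordSettings = @(
    'MaximumPasswordAge', 'MinimumPasswordAge', 'MinimumPasswordLength',
    'PasswordComplexity', 'PasswordHistorySize', 'ClearTextPassword'
)

function Get-DomainPasswordPolicyGpos {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    # GpoLinks come back with their link order: Order 1 is the highest entry in
    # the list and wins when several domain-linked GPOs set the same value.
    $links = (Get-GPInheritance -Target $domainDn -Domain $Domain).GpoLinks

    foreach ($link in $links) {
        [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml -Domain $Domain
        # Namespace-agnostic lookup: account-policy entries are <Account> nodes
        # under the Computer configuration's SecuritySettings extension.
        $found = @()
        foreach ($node in $report.SelectNodes("//*[local-name()='Account']")) {
            $name = $node.SelectSingleNode("*[local-name()='Name']").InnerText
            if ($passwordSettings -contains $name) {
                $val = $node.SelectSingleNode("*[local-name()='SettingNumber' or local-name()='SettingBoolean']").InnerText
                $found += "$name=$val"
            }
        }
        [pscustomobject]@{
            LinkOrder        = $link.Order
            GpoName          = $link.DisplayName
            LinkEnabled      = $link.Enabled
            Enforced         = $link.Enforced
            PasswordSettings = ($found -join '; ')
        }
    }
}

Get-DomainPasswordPolicyGpos | Sort-Object LinkOrder | Format-Table -AutoSize

# What the domain head actually carries, for comparison with the winning GPO
# above; a password policy linked to an OU never shows up here.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordAge, MinPasswordLength,
                  ComplexityEnabled, PasswordHistoryCount
```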




RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread Garyphold

Thanks for the link Nav.

I use Symantec (PowerQuest) V2i Desktop (DriveImage). Haven't used Ghost
(Ghostwalker) or Sysprep. Been wanting to experiment with Sysprep but haven't
had the time. I was thinking about that this morning though. Is there a big
learning curve with Sysprep?

I use V2i for cloning, because I'm already using that for backups of all the
workstations and all the servers. Hard drive backups instead of tape. Without
sysprep, I'm stuck being able to only clone like machines.

I really need to learn to use Sysprep. Too many fires burning right now.

Gary

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Navroz Shariff
Sent: Wednesday, January 18, 2006 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Hi Gary,

Try looking at this article from MS regarding 'Resetting computer accounts in
Windows 2000 and Windows XP'.
http://support.microsoft.com/kb/216393/EN-US/

Also, you join the computer to the domain and then change its name?
Do you reset the SIDs of the cloned workstation using GhostWalker or Sysprep?

-Nav

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda,

FWIW: It happens to me when I clone a workstation then try to join that
workstation to the domain in order to change the computer name. AD sees 2
machines with the same name, gives me a notification and lets the 2nd one in.
Then when the original machine with that name logs in next time, it isn't seen
on the network. Then I have to do the same thing you did - with the original
machine. Then all is well again. Don't know if that will help, but it might
narrow down the problem some.

Gary

Gary Polvinale
Denton ATD

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone.

Thanks,
Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

When you say "lose their account", do you mean the computer object in AD
disappears? Or something else?

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD computer accounts being removed

Occasionally computers will lose their account in Active Directory for no
apparent reason. Sometimes it is a computer that has just joined the domain,
while other times the machine has been a member of the domain for 2 years. The
computer can only be logged on by a local account (not a domain account). To
remedy this, the computer has to be disjoined from the domain, join a workgroup,
then join the domain again. As I am sure you all are aware, this is not only
time consuming, but very inappropriate to have to do.

Has anyone else had this experience and how have you fixed it?

Thanks,
Brenda
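Before disjoining and rejoining as Brenda describes, a practitioner would want to tell apart the two failure modes in this thread: the computer object really is gone, or the object exists but the machine's secure channel is broken (the duplicate-name join Gary describes). The script below is an added example, not from the thread; it assumes the RSAT ActiveDirectory module on the affected workstation, an elevated session and a reachable DC, and the repair credential is a placeholder.

```powershell
# Added example (not from the thread): triage a workstation that has "lost"
# its domain account before resorting to disjoin/rejoin. Run elevated on the
# affected machine; assumes the RSAT ActiveDirectory module and a reachable DC.
Import-Module ActiveDirectory

function Test-DomainComputerAccount {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [pscredential]$RepairCredential    # placeholder: an account allowed to reset the machine password
    )

    # 1. Does the computer object still exist? (Brenda's case: it is gone.)
    #    The sAMAccountName of a computer is its name plus a trailing "$".
    $obj = Get-ADComputer -LDAPFilter "(sAMAccountName=$ComputerName`$)" -Properties pwdLastSet
    if (-not $obj) {
        return [pscustomobject]@{
            Computer = $ComputerName; ObjectExists = $false; SecureChannel = $false
            Action   = 'Object missing: rejoin the domain (and check what deleted it)'
        }
    }

    # 2. Object exists: is the secure channel (machine password) still valid?
    #    Gary's case fits here: a clone joined under the same name resets the
    #    account password, so the original machine's channel breaks although
    #    the object is still present.
    $ok = Test-ComputerSecureChannel
    if ($ok) {
        $action = 'None: account and secure channel healthy'
    } elseif ($RepairCredential) {
        # In-place reset of the machine password against the DC, the kind of
        # reset the KB article Nav links describes, instead of disjoin/rejoin.
        $ok = Test-ComputerSecureChannel -Repair -Credential $RepairCredential
        $action = if ($ok) { 'Secure channel repaired in place' } else { 'Repair failed: rejoin required' }
    } else {
        $action = 'Secure channel broken: run again with -RepairCredential to repair'
    }

    [pscustomobject]@{
        Computer      = $ComputerName
        ObjectExists  = $true
        ObjectSid     = $obj.SID.Value
        PwdLastSet    = [datetime]::FromFileTime($obj.pwdLastSet)   # last machine-password change
        SecureChannel = $ok
        Action        = $action
    }
}

# Read-only run first; add -RepairCredential (Get-Credential) to repair.
Test-DomainComputerAccount | Format-List
```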


RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread Garyphold

Not implying - I don't. I've been unable to find time to experiment. Yeah, I
know - if I used that, I'd have much more time. Can Sysprep be much trouble to
learn to use? I guess I have writer's block when it comes to that. Irrational
fear of Sysprep.

Gary

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 3:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don't sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda,

FWIW: It happens to me when I clone a workstation then try to join that
workstation to the domain in order to change the computer name. AD sees 2
machines with the same name, gives me a notification and lets the 2nd one in.
Then when the original machine with that name logs in next time, it isn't seen
on the network. Then I have to do the same thing you did - with the original
machine. Then all is well again. Don't know if that will help, but it might
narrow down the problem some.

Gary

Gary Polvinale
Denton ATD

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone.

Thanks,
Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

When you say "lose their account", do you mean the computer object in AD
disappears? Or something else?

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD computer accounts being removed

Occasionally computers will lose their account in Active Directory for no
apparent reason. Sometimes it is a computer that has just joined the domain,
while other times the machine has been a member of the domain for 2 years. The
computer can only be logged on by a local account (not a domain account). To
remedy this, the computer has to be disjoined from the domain, join a workgroup,
then join the domain again. As I am sure you all are aware, this is not only
time consuming, but very inappropriate to have to do.

Has anyone else had this experience and how have you fixed it?

Thanks,
Brenda


RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread Almeida Pinto, Jorge de
It IS a problem in a Windows 2000 domain as the local machine SID is used in
nearly all aspects of security and before migrating to 2000 you should
resolve any duplicate SID issues which may have been caused by cloning
installations.

Huh.. I'm having a small headache and I'm not smoking anything weird here,
but... what is this?

Shouldn't this be:
Duplicate SIDs for objects in the domain are bad and a problem in NT4 and AD.
It is not possible to copy an object and dupe the SID. Screwing around with the
RID FSMO (AD) could result in dupped SIDs. If dupped SIDs are detected the
detecting DC has a mechanism to clean those.
Although a bad practice, cloned machines which have the same local SID can be
in an NT4 domain and AD. The local computer SID will only be used if a user
(domain based or not) is a member of a local group on that computer as the group
SID on that computer consists of the computer SID and a RID.

IMHO the writer is mixing the object SID in the domain with the local
computer SID...

Jorge

From: [EMAIL PROTECTED] on behalf of AdamT
Sent: Thu 2006-01-19 02:22
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD computer accounts being removed

On 1/19/06, Aaron Visser [EMAIL PROTECTED] wrote:

 Taken from
 http://www.sysinternals.com/Utilities/NewSid.html under the
 SID Duplication Problem

   snip

Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html

At the start of the GUI phase of installation each NT/2000 installation
generates a unique Security IDentifier (SID). If you then clone a workstation
each installation would have the same machine SID. This is not a problem in a
Windows NT 4.0 domain as users have a SID generated by the domain controller and
do not use the local workstation SID for security. It IS a problem in a Windows
2000 domain as the local machine SID is used in nearly all aspects of security
and before migrating to 2000 you should resolve any duplicate SID issues which
may have been caused by cloning installations.

--
AdamT
Maidenhead is *not* in Kent


Re: [ActiveDir] [List Owner] IE7 and ActiveDir

2006-01-19 Thread AdamT
On 1/16/06, Rich Milburn [EMAIL PROTECTED] wrote:

 Server Error in '/' Application.
Might be totally unrelated, but there was something similar mentioned
recently at:

http://discuss.jarretthousenorth.com/newsItems/departments/Microsoft


--
AdamT
Maidenhead is *not* in Kent


RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread Rich Milburn

Any idea why XP is omitted in this article, but 2k and 2k3 are included?

http://support.microsoft.com/?id=162001

Do Not Disk Duplicate Installed Versions of Windows NT

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 6:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well I would agree that is not a safe practice for most but for my application
where all Local accounts are disabled I do not see a problem.

Taken from http://www.sysinternals.com/Utilities/NewSid.html under the SID
Duplication Problem

Duplicate SIDs aren't an issue in a Domain-based environment since domain
accounts have SID's based on the Domain SID. But, according to Microsoft
Knowledge Base article Q162001, Do Not Disk Duplicate Installed Versions of
Windows NT, in a Workgroup environment security is based on local account SIDs.
Thus, if two computers have users with the same SID, the Workgroup will not be
able to distinguish between the users. All resources, including files and
Registry keys, that one user has access to, the other will as well.

Aaron

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You're getting duplicate SIDs here - bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but
there may be one big difference with my images, before I ghost them or create
the image I put the said machine into a workgroup and then create image. After I
have imaged a computer I log on and change the Computer Name reboot and then
join the domain with the new computer name, should I be using Sysprep?

And Brenda I have experienced your problem but I have never noticed the accounts
actually being out of AD, anyways most times for me a simple reboot works
although I have had to actually ghost computers in order to rejoin the domain
because I do not have any local accounts active on my computers in the school,
makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don't sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda,

FWIW: It happens to me when I clone a workstation then try to join that
workstation to the domain in order to change the computer name. AD sees 2
machines with the same name, gives me a notification and lets the 2nd one in.
Then when the original machine with that name logs in next time, it isn't seen
on the network. Then I have to do the same thing you did - with the original
machine. Then all is well again. Don't know if that will help, but it might
narrow down the problem some.

Gary

Gary Polvinale
Denton ATD

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone.

Thanks,
Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

When you say "lose their account", do you mean the computer object in AD
disappears? Or something else?

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent:
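Jorge's distinction above between the SID of an object in the domain and the local computer SID, and the NewSID excerpt Aaron quotes about local account SIDs, can be made concrete by decomposing SIDs into issuer and RID. The script below is an added example, not code from the thread or any poster; every SID value in it is constructed for illustration.

```powershell
# Added example (not from the thread): decompose SIDs into issuing authority
# and RID. All SID values below are constructed for illustration.
# A domain account SID = domain SID + RID. A local user or custom local group
# SID = computer SID + RID. Cloned machines that share a computer SID therefore
# share every local user/group SID; their domain accounts are unaffected.

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    # AccountDomainSid is the S-1-5-21-x-y-z prefix (a domain or a machine SID);
    # it is $null for well-known SIDs such as BUILTIN (S-1-5-32-*) or S-1-5-18.
    $issuer = $s.AccountDomainSid
    $issuerText = '(well-known)'
    $rid = $null
    if ($issuer) {
        $issuerText = $issuer.Value
        $rid = [int]($s.Value -replace '^.*-', '')   # last sub-authority
    }
    [pscustomobject]@{ Sid = $s.Value; Issuer = $issuerText; Rid = $rid }
}

function Test-SameIssuer {
    param([Parameter(Mandatory)][string]$SidA, [Parameter(Mandatory)][string]$SidB)
    $a = Split-Sid $SidA
    $b = Split-Sid $SidB
    return ($a.Issuer -ne '(well-known)') -and ($a.Issuer -eq $b.Issuer)
}

# Constructed values: one domain SID, and one machine SID that two cloned
# workstations (WS-A and WS-B) ended up sharing because neither was sysprepped.
$domainSid  = 'S-1-5-21-1111111111-2222222222-3333333333'
$machineSid = 'S-1-5-21-4444444444-5555555555-6666666666'

$examples = [ordered]@{
    'Domain user alice'          = "$domainSid-1105"
    'Domain group Finance'       = "$domainSid-1201"
    'WS-A local group LabAdmins' = "$machineSid-1001"
    'WS-B local group LabAdmins' = "$machineSid-1001"   # identical on the clone
    'WS-A local user helpdesk'   = "$machineSid-1002"
    'BUILTIN\Administrators'     = 'S-1-5-32-544'        # same on every machine by design
    'LocalSystem'                = 'S-1-5-18'
}

foreach ($name in $examples.Keys) {
    $p = Split-Sid $examples[$name]
    '{0,-28} issuer={1,-44} rid={2}' -f $name, $p.Issuer, $p.Rid
}

# A DACL granting WS-A's LabAdmins also matches WS-B's LabAdmins: that is the
# exposure Jorge limits to local groups and the NewSID text limits to
# workgroups. A domain user's SID is issued by the domain, so cloning a
# workstation cannot make it collide with anything local.
Test-SameIssuer $examples['WS-A local group LabAdmins'] $examples['WS-B local group LabAdmins']
Test-SameIssuer $examples['Domain user alice'] $examples['WS-A local group LabAdmins']

# On a real machine the issuer of any local account is the machine SID:
# (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid
```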

RE: [ActiveDir] OT: Folder password protection

2006-01-19 Thread Mike Williams

Thanks,
Turned on auditing and did a little management education. That seemed to do the
trick..

Thanks

Mike

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Tuesday, January 17, 2006 12:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Folder password protection

This might be the problem that people can see a folder exists and don't
understand that the permissions will stop "bad guys" getting into it.

With 2003 you can set things so that if they don't have rights to read the
folder then they don't see the folder - this list has discussed "access based
enumeration" before and there's lots to be googled!

Another way might be some obfuscation - if you don't use folders called things
like "finance director - top secret" but just stuff like "folder 1", "folder 2"
then it's less obvious what's going on. Normal users will see "folder 1" but if
they try to look in then they won't find anything there (assuming permissions
are correct!) The FD will look in "folder 1" and find "top secret" etc as a
folder in there.

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: 17 January 2006 15:40
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Folder password protection

Well one way to do it is set up secondary accounts, put them in a group, give
that group (and that group only) access to the folders, and assign the secondary
accounts to the people who need the access.

OR

Try to ascertain what the manager is trying to accomplish, and see if there is
another way to set his/her mind at rest. Such as, auditing access on the
folders, proving only the accounts specified cannot access the folders, etc.
Personally I'd try to avoid secondary accounts for that purpose, or 3rd party
solutions, as they just add more complexity. But that's just my opinion.

Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Williams
Sent: Tuesday, January 17, 2006 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Folder password protection

Management wants to have certain folders on the server password protected. I
have access limited to the folders already, but they want an extra level of
comfort. Does anyone do this in their system already, and if so what are
suggested solutions.

Windows 2003 server SP2 in a Win2000 AD environment.

Thanks

Mike (Almost full time lurker)

Michael P. Williams
Information Technology
Carlyle Van Lines
(660) 747-8128 X 3816
[EMAIL PROTECTED]
www.carlylevanlines.com
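Steve's access-based enumeration and Rich's auditing suggestion (which is what Mike ended up doing) applied to one folder, as an added example that is not code from the thread. It assumes Windows Server 2012 or later (Set-SmbShare; on 2003 ABE needed the separate abecmd.exe tool), an elevated session, and placeholder path, share and group names.

```powershell
# Added example (not from the thread): the two controls the thread lands on,
# applied to one folder - an audit SACL so access attempts are logged, and
# access-based enumeration so users without rights never see the folder.
# Placeholders: path, share name and the group that should have access.
$Folder = 'D:\Shares\Management'          # placeholder
$Share  = 'Management'                    # placeholder share name
$Group  = 'DOMAIN\Finance-Director'       # placeholder group expected in the DACL

# 1. Object-access auditing must be enabled, or SACL entries produce no events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. SACL: log successful and failed attempts by anyone to read, modify,
#    delete or re-permission anything under the folder.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Access-based enumeration on the share: the folder is listed only to
#    principals whose DACL entry grants at least read access.
Set-SmbShare -Name $Share -FolderEnumerationMode AccessBased -Force

# 4. Proof for management (Rich's suggestion): who is actually granted access,
#    flagging anything beyond the expected group, then the audit trail
#    (event 4663 = an object was accessed).
(Get-Acl -Path $Folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited,
                  @{ n = 'Expected'; e = { $_.IdentityReference.Value -eq $Group } } |
    Format-Table -AutoSize

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Folder*" } |
    Select-Object TimeCreated, Id, @{ n = 'Who'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
```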
  
  
  
  
  
  
  

RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread Rocky Habeeb
And further, I am not trying to say I am always right. Quite the contrary,
fully 50% of what I say is flat out incorrect, made up, or complete opinion.
Your job is to try to figure out what is and isn't in that 50%.

joe, I will not be signing my emails to you anymore with YMYMYM

Unless of course, you recant.

RH
___


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Wednesday, January 18, 2006 9:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed


And further, I am not trying to say I am always right. Quite the contrary,
fully 50% of what I say is flat out incorrect, made up, or complete opinion.
Your job is to try to figure out what is and isn't in that 50%. Preferably
prior to changing your environment based on something I said. :o)

Or to put it another simpler way, mileage varies. What works very well for
me may not be in your best interest.

I would like to hear the technical details behind the SID issues from that
article though. Maybe I will follow the link. Though I doubt what I want is
there. Very little serious deep tech in that mag anymore. The tech stuff I
previously wrote for them they stopped putting in the mag and started
putting in their over the top highly overpriced professional newsletters
that were $100+ for 12 tiny little issues that looked like a small school
newspaper.


  joe



-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 9:14 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD computer accounts being removed

Don't get me wrong though... Sysprep/newsid, follow the process. I am
absolutely not telling people to image machines and deploy them without
cleaning them up. If you have odd things happening and are not following the
recommended processes, it is all on you and you get to take responsibility
for what you do. :)



-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 9:01 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD computer accounts being removed

I would like to see the details of what the issues are. Windows IT Pro mag
is a nice mag and all, but there is no real technical review of the
articles, you can say about anything you want to and I have seen several
examples. Ditto for Redmond Mag and SearchWindows*, etc.

I don't think the people actually test the stuff they say in a lot of those
articles though they try to state it authoritatively.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, January 18, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD computer accounts being removed

On 1/19/06, Aaron Visser [EMAIL PROTECTED] wrote:

 Taken from
 http://www.sysinternals.com/Utilities/NewSid.html under the SID
 Duplication Problem


   snip

Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html

At the start of the GUI phase of installation each NT/2000 installation
generates a unique Security IDentifier (SID). If you then clone a
workstation each installation would have the same machine SID.
This is not a problem in a Windows NT 4.0 domain as users have a SID
generated by the domain controller and do not user the local workstation SID
for security. It IS a problem in a Windows 2000 domain as the local machine
SID is used in nearly all aspects of security and before migrating to 2000
you should resolve any duplicate SID issues which may have been caused by
cloning installations.

--
AdamT
Maidenhead is *not* in Kent


RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread Rich Milburn

 Is there a big learning curve with Sysprep?

Well, there can be. It depends on what you do to your master before you image
it. If you do a lot of profile customization, then yes, because sysprep cleans
out the profiles, and you'll need to figure out how to apply settings to the
default profile, or figure out how to script them. Since you are using AD you
don't have the lack of GPO issue I did. For example, on our workgroup systems,
we create a certain account and set up that profile, lock it down etc. If I
sysprep it, that profile gets removed and a new one is created when that user
logs into the sysprepped computer - without any of the customizations. There
are ways around this, but I couldn't solve all of them so for now on our newer
XP systems we use a silent install with scripted profile configuration and
lockdowns. It takes 38 minutes from DVD incl. Office 2003 install, so it's not
too bad - sysprep using an ximage image took 25 minutes on the same box, most
of that was DVD to HDD copy time though.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Thursday, January 19, 2006 7:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Thanks for the link Nav.

I use Symantec (PowerQuest) V2i Desktop (DriveImage). Haven't used Ghost
(Ghostwalker) or Sysprep. Been wanting to experiment with Sysprep but haven't
had the time. I was thinking about that this morning though. Is there a big
learning curve with Sysprep?

I use V2i for cloning, because I'm already using that for backups of all the
workstations and all the servers. Hard drive backups instead of tape. Without
sysprep, I'm stuck being able to only clone like machines.

I really need to learn to use Sysprep. Too many fires burning right now.

Gary

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Navroz Shariff
Sent: Wednesday, January 18, 2006 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Hi Gary,

Try looking at this article from MS regarding 'Resetting computer accounts in
Windows 2000 and Windows XP'.

http://support.microsoft.com/kb/216393/EN-US/

Also, you join the computer to the domain and then change its name?

Do you reset the SIDs of the cloned workstation using GhostWalker or Sysprep?

-Nav

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda,

FWIW: It happens to me when I clone a workstation then try to join that
workstation to the domain in order to change the computer name. AD sees 2
machines with the same name, gives me a notification and lets the 2nd one in.
Then when the original machine with that name logs in next time, it isn't seen
on the network. Then I have to do the same thing you did - with the original
machine. Then all is well again. Don't know if that will help, but it might
narrow down the problem some.

Gary

Gary Polvinale
Denton ATD

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone.

Thanks,
Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

When you say "lose their account", do you mean the computer object in AD
disappears? Or something else?

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD computer accounts being removed

Occasionally computers will lose their account in Active Directory for no
apparent reason. Sometimes it is a computer that has just joined the domain,
while other times the machine has been a member of the domain for 2 years. The
computer can only be logged on by a local account (not a domain account). To
remedy this, the computer has to be disjoined from the domain, join a

RE: [ActiveDir] Changing Employee ID from workstation

2006-01-19 Thread Rich Milburn

I got it as an attached message to that one in Finnish?? I'm sure I saw the word reindeer in there somewhere :)

Marko - I need coffee, so maybe that's why, but I think you're saying you have a vbscript that is launched from a modification of the user context menu you made to ADUC on your DC, and the vbscript works fine, but what is not happening is that using ADUC on your computer, you do not have that modification? Or is the script modifying the context menu on ADUC?

Rich

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 2:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Employee ID from workstation

Is it just me, or are all posts from Marko unreadable / stripped of content?

neil

From: Marko Inkinen [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 1:59 AM
To: ActiveDir@mail.activedir.org
Subject: Changing Employee ID from workstation

Hello list,

I've been using a vbs-script for some time already to add an Employee ID manually through ADUC, but the problem is that I always have to make a remote desktop connection to the ADUC of the DC to do that. Isn't it possible to do it from the console at my workstation? Even if I add the script to my computer (I don't know if that is even necessary) I still can't see Employee ID in the context menu when I right click the user.

Thanx,

Marko



RE: [ActiveDir] Migrate domain to separate forest

2006-01-19 Thread Larry Wahlers
Susan Bradley wrote:
 As a newsgrouper/listserver person who gets massive amounts of OOO...can 
 I respectfully say that has to be the stupidest reason for network 
 design in my personal opinion.

And Gil Kirkpatrick wrote:
 Someone needs to do a cost-benefit analysis. I would guess that 2
 forests = 1.6x the operations costs more or less.

I agree with both of you. You're preaching to the choir here! And, since
I'm in the Church biz, I've heard that homily many times, too.

I'm a tech, so even though my opinion is respected in our IT department,
and my bosses agree wholeheartedly with me, over the years we have had
to become almost entirely customer-driven or have all our services
outsourced elsewhere. It has already happened with two of our six
organizations, and it's about to happen with a third one. This
particular org is one of the three that remain. So, I do what I'm told
so tomorrow won't see me being walked out the door like so many of my
colleagues in the past few years.

Our goal here is obviously to show this particular organization how
incredibly expensive it will be for them to be in their own forest just
so they can have their OoO going to the internet. But, with all the
other autonomy they want, it may happen, anyway.

Now, to complicate matters, many years ago when I first installed
Exchange 5.5 for 5 of our organizations (one had left by then), this
organization got their very own Exchange 5.5 server, too. And, I enabled
OoO to the internet, mostly because back then, 95% of email was good and
only 5% was bad. But, this particular org had only climbed on board with
their Exchange server because it was the end of the fiscal year, they
had a few grand to spend or lose it, so they got Exchange. Except, they
didn't have enough money or microcomputer resources to switch to
Exchange, so that server gathered dust for years. Just last June they
decided they wanted Exchange, so I convinced them to just format the
Exchange 5.5 server and go directly to Exchange 2003. Out of Office was
not going to the Internet, because when I upgraded everybody to Exchange
2003, I decided in this day and age of spam and viruses that it was a
very bad idea. Management agreed with me.

Now, we have two remaining Exchange 5.5 servers, for two of the other
orgs. These folks will lose their OoO to the internet, and some of them
will raise such a stink that we'll be forced to turn it back on, anyway,
thus negating all the work of taking this other org to their own forest.

Whew. This is way too long, so everybody have a nice cup of coffee on me
- I'll ftp 'em to you!

(At least I'll have job security for a really long time, with all this
thrashing about.)

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OU Delegation

2006-01-19 Thread neil.ruston

candid=on
As we've heard before today - do a cost/benefit study.

Is it really prudent to build an extra domain with the incurred overheads just in case someone makes a mistake? There are doubtless other mistakes which can only be mitigated by building a separate forest.

There may be good reasons (and bad ones too) for building a placeholder domain - these reasons need to be weighed against the incurred costs (over at least a 3 year period).
candid=off

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: 19 January 2006 14:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

"The biggest thing about an empty forest root is it is a safe haven. Safe haven: A domain where the god rights live and you don't apply any gpo's or other things that can get out of hand and hurt you. This actually saved my a__ once at [deleted] when the GPO guys screwed up on the main account domains. They locked down EVERY single userid to kiosk mode. Fortunately they have no rights in the root domain so couldn't do anything to my IDs so I could log onto my PC with the forest root ID and undo what they did."

Verbatim quote from one of the top [I mean "REALLY TOP"] AD guys on this list to me in an offline when I asked him about whether or not I should do an empty root. I did it.

RH
_


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Wednesday, January 18, 2006 8:13 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OU Delegation
  Well I didn't say I don't see the benefit of an empty 
  root. I just don't see it as a generic best practice. Sometimes it makes a ton 
  of sense, sometimes someone needs to be slapped for bringing it up. 
  ;o)
   
   joe
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Wednesday, January 18, 2006 5:11 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OU Delegation


  Boy, I just had a consultant recommend an empty root as best practice for a divestiture we're doing. Like Gil and Joe, I really don't see the benefit (nor could the consultant name anything specifically).
  
  We have a single 
  domain and delegate OU rights based basically on an administrative teams need 
  to manage a group of resources, typically computers. Users, groups and 
  Exchange are managed centrally. Moving things around within one domain 
  is a whole lot easier than among domains.
  
  AL
  
  Al Maurer Service Manager, Naming and 
  Authentication Services IT | Information 
  Technology 
  Agilent Technologies (719) 590-2639; Telnet 
  590-2639 
  http://activedirectory.it.agilent.com 
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
  Sent: Thursday, January 12, 2006 10:50 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OU Delegation

  As joe says, "it depends". AD architecture is always a cost/benefit discussion, and most people don't really understand 1) the real benefits of multiple domains, and 2) the additional costs of running multiple domains.

  For instance, "additional security" is often cited as a benefit of an empty root. An empty root maybe provides a little additional security, but not much. The benefit depends on your own risk evaluation.

  On the other hand, the ongoing operational cost of a two domain forest is considerably higher than a single domain forest. Additional hardware costs, additional diagnostic complexity, and a more complicated DR situation all add to the costs of running multiple domains.

  My general recommendation is to stick with a single domain if you can, and add additional domains if you need to for password policy or controlling replication traffic. And if you find you have to have multiple domains anyway, use an empty root, because the incremental cost of an additional domain if you already have more than one is pretty small.
  
  But, "it 
  depends".
  
  -gil
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Thursday, January 12, 2006 9:32 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OU Delegation
  Ah good ol best practices. :)
  
  What is recommended? 
  Whatever is best for the customer of course.
  
  I guess my question 
  is why one domain and one root versus just one domain? What is the purpose of 
  the root? I am not saying this is bad by any stretch, there are good valid 
  reasons for a root with other domains hanging off of it. Just curious what the 
  decision flow was like to do it. Hopefully it wasn't something along the lines 
  of reading "an empty root" is good somewhere and going for it as it is totally 
  context sensitive. 
  
  I would say the 
  overall design goal, especially when Exchange 

RE: [ActiveDir] OU Delegation

2006-01-19 Thread Rocky Habeeb

"The biggest thing about an empty forest root is it is a safe haven. Safe haven: A domain where the god rights live and you don't apply any gpo's or other things that can get out of hand and hurt you. This actually saved my a__ once at [deleted] when the GPO guys screwed up on the main account domains. They locked down EVERY single userid to kiosk mode. Fortunately they have no rights in the root domain so couldn't do anything to my IDs so I could log onto my PC with the forest root ID and undo what they did."

Verbatim quote from one of the top [I mean "REALLY TOP"] AD guys on this list to me in an offline when I asked him about whether or not I should do an empty root. I did it.

RH
_


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Wednesday, January 18, 2006 8:13 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OU Delegation
  Well I didn't say I don't see the benefit of an empty 
  root. I just don't see it as a generic best practice. Sometimes it makes a ton 
  of sense, sometimes someone needs to be slapped for bringing it up. 
  ;o)
   
   joe
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Wednesday, January 18, 2006 5:11 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OU Delegation


  Boy, I just had a consultant recommend an empty root as best practice for a divestiture we're doing. Like Gil and Joe, I really don't see the benefit (nor could the consultant name anything specifically).
  
  We have a single 
  domain and delegate OU rights based basically on an administrative teams need 
  to manage a group of resources, typically computers. Users, groups and 
  Exchange are managed centrally. Moving things around within one domain 
  is a whole lot easier than among domains.
  
  AL
  
  Al Maurer Service Manager, Naming and 
  Authentication Services IT | Information 
  Technology 
  Agilent Technologies (719) 590-2639; Telnet 
  590-2639 
  http://activedirectory.it.agilent.com 
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
  Sent: Thursday, January 12, 2006 10:50 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OU Delegation

  As joe says, "it depends". AD architecture is always a cost/benefit discussion, and most people don't really understand 1) the real benefits of multiple domains, and 2) the additional costs of running multiple domains.

  For instance, "additional security" is often cited as a benefit of an empty root. An empty root maybe provides a little additional security, but not much. The benefit depends on your own risk evaluation.

  On the other hand, the ongoing operational cost of a two domain forest is considerably higher than a single domain forest. Additional hardware costs, additional diagnostic complexity, and a more complicated DR situation all add to the costs of running multiple domains.

  My general recommendation is to stick with a single domain if you can, and add additional domains if you need to for password policy or controlling replication traffic. And if you find you have to have multiple domains anyway, use an empty root, because the incremental cost of an additional domain if you already have more than one is pretty small.
  
  But, "it 
  depends".
  
  -gil
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Thursday, January 12, 2006 9:32 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OU Delegation
  Ah good ol best practices. :)
  
  What is recommended? 
  Whatever is best for the customer of course.
  
  I guess my question 
  is why one domain and one root versus just one domain? What is the purpose of 
  the root? I am not saying this is bad by any stretch, there are good valid 
  reasons for a root with other domains hanging off of it. Just curious what the 
  decision flow was like to do it. Hopefully it wasn't something along the lines 
  of reading "an empty root" is good somewhere and going for it as it is totally 
  context sensitive. 
  
  I would say the 
  overall design goal, especially when Exchange is involved is to use a single 
  domain forest. However, if there is a good reason to add more domains, do it. 
  Usually when someone says they have a domain and a root they mean they have a 
  domain and an EMPTY root and I wonder about how the decision was arrived at. 
  
  
  We have had this 
  discussion previously on the list where some people are gung ho empty root and 
  some people are gung ho no-empty root and both pointing at best practices. I 
  am more of the does it make sense in this specific situation kind of person. 
  
  
  
  
  
  
  From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Harding, 
  

RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread Charlie Kaiser
Sysprep is pretty simple; there's a lot of documentation available on
it. As Rich mentioned, you need to set up your customizations under one
profile and copy that to the default user profile. Some irksome things
change, however. One of my pet peeves is that when you sysprep a PC, the
next time it boots, the select OS timeout goes from whatever you have
set it to (5 sec in our case) back to the default of 30 sec. 

I have found that using group policy to make most of the settings
changes is better than doing it on the workstation. We start with a
sysprepped image that runs the mini-setup when first booted. We then the
workstation and place it in the domain, where the GPOs apply to make all
the required settings.

I was able to go from a boot floppy, ghost, and ghostwalker to a boot
CD, sysprep, and ghost (our new laptops don't have floppy drives) in
about 4 days of testing and fine-tuning. I took a couple of laptops and
a BartPE CD (with ghost added to it) into a spare conference room,
didn't answer my phone, and worked it all out. A few days of work and
the result is significantly simpler deployment of new images.

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
 Sent: Thursday, January 19, 2006 5:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD computer accounts being removed
 
 Thanks for the link Nav.
  
 I use Symantec (PowerQuest) V2i Desktop (DriveImage).  
 Haven't used Ghost (Ghostwalker) or Sysprep.  Been wanting to 
 experiment with Sysprep but haven't had the time.  I was 
 thinking about that this morning though.  Is there a big 
 learning curve with Sysprep?  
  
 I use V2i for cloning, because I'm already using that for 
 backups of all the workstations and all the servers.  Hard 
 drive backups instead of tape.  Without sysprep, I'm stuck 
 being able to only clone like machines.  
  
 I really need to learn to use Sysprep.  Too many fires 
 burning right now.
  
 Gary
  
  
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Navroz Shariff
 Sent: Wednesday, January 18, 2006 3:29 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD computer accounts being removed
 
 
 Hi Gary,
  
 Try looking at this article from MS regarding 'Resetting 
 computer accounts in Windows 2000 and Windows XP'.
 http://support.microsoft.com/kb/216393/EN-US/
  
 Also, you join the computer to the domain and then change its name? 
 Do you reset the SIDs of the cloned workstation using 
 GhostWalker or Sysprep?
  
 -Nav
  
 
 
 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
 Sent: Wednesday, January 18, 2006 3:04 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD computer accounts being removed
 
 
 Brenda,
  
 FWIW:  It happens to me when I clone a workstation then try 
 to join that workstation to the domain in order to change the 
 computer name.  AD sees 2 machines with the same name, gives 
 me a notification and lets the 2nd one in.  Then when the 
 original machine with that name logs in next time, it isn't 
 seen on the network.  Then I have to do the same thing you 
 did - with the original machine.  Then all is well again.  
 Don't know if that will help, but it might narrow down the 
 problem some.
  
 Gary
  
 Gary Polvinale
 Denton ATD
  
  
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
 Sent: Wednesday, January 18, 2006 2:24 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD computer accounts being removed
 
 
 Yes, their computer account in AD is actually gone.
  
 Thanks, 
 Brenda
  
 Brenda Casey
 Network Manager
 Billings Public Schools
 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
 406-247-3792
  
 
 
 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Gil 
 Kirkpatrick
 Sent: Wednesday, January 18, 2006 11:14 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD computer accounts being removed
 
 
 When you say lose their account, do you mean the computer 
 object in AD disappears? Or something else?
  
 -g
 
 
 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
 Sent: Wednesday, January 18, 2006 10:42 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] AD computer accounts being removed
 
 
 Occasionally computers will lose their account in Active 
 Directory for no apparent reason. Sometimes it is a computer 
 that has just joined the domain, while other times the 
 machine has been a member of the domain for 2 years.  The 
 computer can only be logged on by a local account (not a 
 domain account).  To remedy this, the computer has to be 
 

RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread Garyphold
Charlie,

Thanks for taking the time to explain.  I'm in a position where I'm making
the big decisions, doing the big work and also doing all the little details
(I'm it) including daily problems.  Zero training/learning time, zero
anything except get to the next fire.  I need to spend some time learning and
using tools like sysprep and GP to get back some of that time.

Gary

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Thursday, January 19, 2006 10:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed


Sysprep is pretty simple; there's a lot of documentation available on it. As
Rich mentioned, you need to set up your customizations under one profile and
copy that to the default user profile. Some irksome things change, however.
One of my pet peeves is that when you sysprep a PC, the next time it boots,
the select OS timeout goes from whatever you have set it to (5 sec in our
case) back to the default of 30 sec. 

I have found that using group policy to make most of the settings changes is
better than doing it on the workstation. We start with a sysprepped image
that runs the mini-setup when first booted. We then the workstation and
place it in the domain, where the GPOs apply to make all the required
settings.

I was able to go from a boot floppy, ghost, and ghostwalker to a boot CD,
sysprep, and ghost (our new laptops don't have floppy drives) in about 4
days of testing and fine-tuning. I took a couple of laptops and a BartPE CD
(with ghost added to it) into a spare conference room, didn't answer my
phone, and worked it all out. A few days of work and the result is
significantly simpler deployment of new images.

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
 Sent: Thursday, January 19, 2006 5:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD computer accounts being removed
 
 Thanks for the link Nav.
  
 I use Symantec (PowerQuest) V2i Desktop (DriveImage).
 Haven't used Ghost (Ghostwalker) or Sysprep.  Been wanting to 
 experiment with Sysprep but haven't had the time.  I was 
 thinking about that this morning though.  Is there a big 
 learning curve with Sysprep?  
  
 I use V2i for cloning, because I'm already using that for
 backups of all the workstations and all the servers.  Hard 
 drive backups instead of tape.  Without sysprep, I'm stuck 
 being able to only clone like machines.  
  
 I really need to learn to use Sysprep.  Too many fires
 burning right now.
  
 Gary
  
  
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Navroz Shariff
 Sent: Wednesday, January 18, 2006 3:29 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD computer accounts being removed
 
 
 Hi Gary,
  
 Try looking at this article from MS regarding 'Resetting
 computer accounts in Windows 2000 and Windows XP'.
 http://support.microsoft.com/kb/216393/EN-US/
  
 Also, you join the computer to the domain and then change its name?
 Do you reset the SIDs of the cloned workstation using 
 GhostWalker or Sysprep?
  
 -Nav
  
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
 Sent: Wednesday, January 18, 2006 3:04 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD computer accounts being removed
 
 
 Brenda,
  
 FWIW:  It happens to me when I clone a workstation then try
 to join that workstation to the domain in order to change the 
 computer name.  AD sees 2 machines with the same name, gives 
 me a notification and lets the 2nd one in.  Then when the 
 original machine with that name logs in next time, it isn't 
 seen on the network.  Then I have to do the same thing you 
 did - with the original machine.  Then all is well again.  
 Don't know if that will help, but it might narrow down the 
 problem some.
  
 Gary
  
 Gary Polvinale
 Denton ATD
  
  
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
 Sent: Wednesday, January 18, 2006 2:24 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD computer accounts being removed
 
 
 Yes, their computer account in AD is actually gone.
  
 Thanks,
 Brenda
  
 Brenda Casey
 Network Manager
 Billings Public Schools
 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
 406-247-3792
  
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Gil 
 Kirkpatrick
 Sent: Wednesday, January 18, 2006 11:14 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD computer accounts being removed
 
 
 When you say lose their account, do you mean the computer
 object in AD disappears? Or something else?
  
 -g
 
 

RE: [ActiveDir] OT: Gauging AD experience

2006-01-19 Thread al_maurer

"When good directories go bad" sounds like a catchy title for a presentation, Joe. I think of directories and identity management infrastructures a little like networks: you rarely do get to design one from scratch, you're always tweaking an existing one. And I agree that tweaking the existing ones is a lot more interesting than designing from a blank slate. The analogy could be taken too far, but like networks, directories and authentication systems are always morphing due to new technologies, new tools, adding or removing applications. Lots of fun.





Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience





I would say focusing on the design of big
directories is pigeon-holing a little too much. There are only so many big
directories that need to be designed. I personally find much more fun in
diagnosing good directories that have gone bad than trying to design them. I
design if I have to but it isn't what I like. Plus often with the design, it is
rarely the case where you actually have all of the info though someone will
tell you you do. You find out you don't later on when someone starts
complaining or something starts breaking. 



I am not sure I would go so far to say it
is something you let the tools handle though. A lot of the tools out there
still aren't doing the greatest job and there are many companies that don't
want to spend the millions on those tools that they would be charged for them
instead having a few really good people handling it. A tool doesn't see bad
things coming when someone is coming at you with the next great thing they want
to plug into the AD. If the tool does catch it, it is way too late in the
integration cycle. Plus, what if the tool isn't catching the problem? Someone
has to be knowledgeable enough too. If you depend solely on your tools to keep
your AD running well it is possible you are going to get cut pretty good. When
I did Ops, I had several tools that watched what had been determined needed to
be watched and then I would just go off and sample things to decide if there
was something that maybe could be watched that we weren't watching. That could
take the form of just watching a network packets on a DC or a client subnet for
an hour or so or just walking the event logs event by event or walking through
looking at objects in the directory. Whatever.



To get into those positions you want to
get in with the companies already mentioned and jump about (and try not to hurt
the customer too much with your learning) or find a big company and take
whatever entry position you can get and prove yourself and grow into
bigger/better positions. Don't expect to, for instance, walk into Walmart and
become their AD guy. Maybe you get in as desktop support and get to know the
right people and make suggestions on how things can be better and work your way
up. You could possibly walk into a company and be their expert right off if
your experience is greater than what they currently have or your resume
indicates it or they are desperate. But it could end up biting you in the end
if you don't turn out to be what they expected. Companies can get mighty pissy
if they find out down the road that they are paying 100k+ to someone who would
normally be lucky making $45k. 



 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, January 18, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Gauging AD experience

I am trying to figure out how one gauges their AD
experience. For example, I have designed, implemented and maintained an
AD/Exchange environment of 5000 users with 1000 workstations from the ground
up, alone. The environment is only 3 sites, with little complexity. I now work
for a company maintaining a directory of about 150 users and 150 workstations.
And the more local AD people I talk to, the more confident I am that I know
quite a bit about AD compared to them (only talking about the people I have
met, not generalizing the entire industry).

Although I am not a guru like some on this list, I would like to get myself to the place where I can say "yeah, I can design your 50,000 user / 15 site infrastructure". Or is that even possible? Is a project of that size several directory experts working together?

I honestly believe that I could perform such a task, but knowing that I would make some mistakes that a VERY experienced person would not.

So, I guess my question is:

How do I get to where I want to be? Consult? Try to get a job with the biggest company I can?

There may be no real answer, but I thought it was worth asking because I have been

RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread Larry Wahlers
Gary wrote:
 I'm in a position where I'm making the big decisions, doing the big work
 and also doing all the little details (I'm it) including daily problems.
 Zero training/learning time, zero anything except get to the next fire.

Boy, does that sound familiar...

-- 
Larry
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Changing Employee ID from workstation

2006-01-19 Thread Doug Ferguson
I have done this in our environment and I use it to alter employee id's and employee numbers from whatever workstation I want (through the ADUC). I used ADSI edit and made changes to the containers throughout the forest so that any admin could get the right click context and make changes (if allowed to do so). I am off work today, but tomorrow I will post the details of how I did it.

Doug Ferguson
Windows Systems Administrator
Hynix Semiconductor Manufacturing America, Inc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marko Inkinen
Sent: Wednesday, January 18, 2006 11:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing Employee ID from workstation

My e-mail address changes on 31.12.2005; the user-name part stays the same, the
new domain part is PKSSK.FI. ([EMAIL PROTECTED]).


RE: [ActiveDir] Changing Employee ID from workstation

2006-01-19 Thread neil.ruston
I have scripts and procedures to do this as well. I also (in my current role) 
synched additional attributes from an external LDAP repository such as cost 
code and desk location and exposed them via ADUC too.

It's well liked by the support guys :)

The script on petri's web site which exposes logon date/time; password last 
changed date etc is also useful and can be executed as per the above.

neil


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Ferguson
Sent: 19 January 2006 16:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Employee ID from workstation

I have done this in our environment and I use it to alter employee id's and 
employee numbers from whatever workstation I want (through the ADUC).  I used 
ADSI edit and made changes to the containers throughout the forest so that any 
admin could get the right click context and make changes (if allowed to do so). 
 I am off work today, but tomorrow I will post the details of how I did it.

Doug Ferguson
Windows Systems Administrator
Hynix Semiconductor Manufacturing America, Inc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marko Inkinen
Sent: Wednesday, January 18, 2006 11:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing Employee ID from workstation

My e-mail address changes on 31.12.2005; the user-name part stays the same, the
new domain part is PKSSK.FI. ([EMAIL PROTECTED]).


RE: [ActiveDir] Changing Employee ID from workstation

2006-01-19 Thread Hutchins, Mike
Can you send me some information on doing this. We just got tasked with doing 
this yesterday and this would be a great shortcut. Thanks! 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Employee ID from workstation

I have scripts and procedures to do this as well. I also (in my current role) 
synched additional attributes from an external LDAP repository such as cost 
code and desk location and exposed them via ADUC too.

It's well liked by the support guys :)

The script on petri's web site which exposes logon date/time; password last 
changed date etc is also useful and can be executed as per the above.

neil


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Ferguson
Sent: 19 January 2006 16:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Employee ID from workstation

I have done this in our environment and I use it to alter employee id's and 
employee numbers from whatever workstation I want (through the ADUC).  I used 
ADSI edit and made changes to the containers throughout the forest so that any 
admin could get the right click context and make changes (if allowed to do so). 
 I am off work today, but tomorrow I will post the details of how I did it.

Doug Ferguson
Windows Systems Administrator
Hynix Semiconductor Manufacturing America, Inc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marko Inkinen
Sent: Wednesday, January 18, 2006 11:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing Employee ID from workstation

My e-mail address changes on 31.12.2005; the user-name part stays the same, the
new domain part is PKSSK.FI. ([EMAIL PROTECTED]).


RE: [ActiveDir] Changing Employee ID from workstation

2006-01-19 Thread Jerry Welch
You may want to take a look at Namescape  www.namescape.com .  Provides
White Pages as well as AD editing, with Group Policies for control of who is
doing who :)  An additional module supports password management, again with
group policies or User reset.
Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Employee ID from workstation

I have scripts and procedures to do this as well. I also (in my current
role) synched additional attributes from an external LDAP repository such as
cost code and desk location and exposed them via ADUC too.

It's well liked by the support guys :)

The script on petri's web site which exposes logon date/time; password last
changed date etc is also useful and can be executed as per the above.

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Doug Ferguson
Sent: 19 January 2006 16:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Employee ID from workstation

I have done this in our environment and I use it to alter employee id's and
employee numbers from whatever workstation I want (through the ADUC).  I
used ADSI edit and made changes to the containers throughout the forest so
that any admin could get the right click context and make changes (if
allowed to do so).  I am off work today, but tomorrow I will post the
details of how I did it.

Doug Ferguson
Windows Systems Administrator
Hynix Semiconductor Manufacturing America, Inc.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marko Inkinen
Sent: Wednesday, January 18, 2006 11:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing Employee ID from workstation

My e-mail address changes on 31.12.2005; the user-name part stays the same, the
new domain part is PKSSK.FI. ([EMAIL PROTECTED]).


RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread Brian Desmond
There's really nothing to learn. You extract deploy.cab to a folder, run setupmgr
to create the sysprep.inf, then you open it up and change ComputerName to = * and
copy it all to a folder called c:\sysprep. Run sysprep.exe. It will shutdown your
PC, boot it back up with the ghost disk in and dump your image.

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Thursday, January 19, 2006 8:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Not implying - I don't. I've been unable to find time to experiment. Yeah, I know
- if I used that, I'd have much more time. Can Sysprep be much trouble to learn
to use? I guess I have writer's block when it comes to that. Irrational fear of
Sysprep.

Gary


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 3:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don't sysprep your images?

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda,

FWIW: It happens to me when I clone a workstation then try to join that
workstation to the domain in order to change the computer name. AD sees 2
machines with the same name, gives me a notification and lets the 2nd one in.
Then when the original machine with that name logs in next time, it isn't seen
on the network. Then I have to do the same thing you did - with the original
machine. Then all is well again. Don't know if that will help, but it might
narrow down the problem some.

Gary

Gary Polvinale
Denton ATD


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone.

Thanks,
Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

When you say lose their account, do you mean the computer object in AD
disappears? Or something else?

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD computer accounts being removed

Occasionally computers will lose their account in Active Directory for no
apparent reason. Sometimes it is a computer that has just joined the domain,
while other times the machine has been a member of the domain for 2 years. The
computer can only be logged on by a local account (not a domain account). To
remedy this, the computer has to be disjoined from the domain, join a workgroup,
then join the domain again. As I am sure you all are aware, this is not only
time consuming, but very inappropriate to have to do.

Has anyone else had this experience and how have you fixed it?

Thanks,
Brenda
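Gil's question, whether the computer object actually disappears, can be answered from the directory itself rather than from the symptom. The PowerShell below is an added example, not code from anyone in this thread: it looks for a live object first and then for a tombstone in the Deleted Objects container, which AD keeps for the tombstone lifetime after a deletion and whose whenChanged is the deletion time. It assumes the RSAT ActiveDirectory module and rights to read deleted objects; the computer name WS01 is a placeholder.

```powershell
# Added example, not code from this thread. For one computer name, reports
# whether the AD object still exists, was deleted (a tombstone remains in the
# Deleted Objects container for the tombstone lifetime, with the deletion time
# in whenChanged), or was never there. Needs the RSAT ActiveDirectory module and
# permission to read deleted objects. The name WS01 is a placeholder.
Import-Module ActiveDirectory

function Get-ComputerAccountState {
    param([Parameter(Mandatory)][string]$Name)

    # Live object first: if it is there, the account was not removed and the
    # symptom is a broken secure channel, not a missing account.
    $live = Get-ADComputer -Filter "Name -eq '$Name'" -Properties whenChanged, pwdLastSet
    if ($live) {
        return [pscustomobject]@{
            Name       = $Name
            State      = 'Exists'
            DN         = $live.DistinguishedName
            Changed    = $live.whenChanged
            PwdLastSet = [DateTime]::FromFileTime($live.pwdLastSet)  # last machine password reset
        }
    }

    # A deleted object keeps its RDN with a newline and "DEL:<guid>" appended;
    # \0A is the LDAP filter escape for that newline.
    $gone = Get-ADObject -IncludeDeletedObjects -Properties whenChanged, lastKnownParent `
        -LDAPFilter "(&(objectClass=computer)(isDeleted=TRUE)(name=$Name\0ADEL:*))"
    if ($gone) {
        return [pscustomobject]@{
            Name            = $Name
            State           = 'Deleted'
            DN              = $gone.DistinguishedName
            DeletedAt       = $gone.whenChanged
            LastKnownParent = $gone.lastKnownParent   # OU it was deleted from
        }
    }

    [pscustomobject]@{ Name = $Name; State = 'NotFound' }
}

Get-ComputerAccountState -Name 'WS01'
```

If it reports Deleted, the DC's security log says who did it (event ID 4743 on Windows Server 2008 and later, 647 on Windows Server 2003) provided account management auditing is enabled. If it reports Exists, the account was not removed and the machine's secure channel is what broke, which is what Gary's duplicate-name clone does to the original machine: running Test-ComputerSecureChannel -Repair -Credential (Get-Credential) on the affected computer resets the machine password without the disjoin/rejoin.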

RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread Garyphold
Larry,

I know I'm not the only one in this position.  But membership in that club
doesn't dissolve any of the stress.  Are there other online forums that deal
with the people who have to do it all in the smaller operations?
Time-saving tips, direct answers and help on specific issues?  Etc?
Frankly, I'm lost on a lot of the stuff discussed in this forum - haven't
been able to reach that level of knowledge yet.  But it's still an
invaluable source.  

Are there any more out there like it, at a lower tier of knowledge with
slightly different focus, for the tied-to-the-whipping-post average
network-admin/PC-schlepp/IT-Systems-Mgr/purchasing-guy/telephone-system-guy
/database-admin/software-specialist/new-technology-wizard/programmer-analyst
/security-specialist/software-upgrade-maintainer/forget-about-cleaning-up-th
at-messy-office/no-raises-this-year multifaceted IT meatball surgeon?

I'm getting further behind every day.  It would be great to see how others
are handling it.

Gary



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Thursday, January 19, 2006 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed


Gary wrote:
 I'm in a position
 where I'm making
 the big decisions, doing the big work and also doing all the 
 little details
 (I'm it) including daily problems.  Zero training/learning time, zero
 anything except get to the next fire. 

Boy, does that sound familiar...

-- 
Larry


Re: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

You forgot emptying the trash.

I can tell you where the SMB outside consultants hang out... but I'll 
agree with you... the SMB or just M admin crowd, not sure if I've 
found a venue spot on yet.

hmmm... ActiveDir GUI division?   :-)

I know that Microsoft is gathering resources for this 'medium' business 
space as well.  I'll ask around.



Garyphold wrote:


Larry,

I know I'm not the only one in this position.  But membership in that club
doesn't dissolve any of the stress.  Are there other online forums that deal
with the people who have to do it all in the smaller operations?
Time-saving tips, direct answers and help on specific issues?  Etc?
Frankly, I'm lost on a lot of the stuff discussed in this forum - haven't
been able to reach that level of knowledge yet.  But it's still an
invaluable source.  


Are there any more out there like it, at a lower tier of knowledge with
slightly different focus, for the tied-to-the-whipping-post average
network-admin/PC-schlepp/IT-Systems-Mgr/purchasing-guy/telephone-system-guy
/database-admin/software-specialist/new-technology-wizard/programmer-analyst
/security-specialist/software-upgrade-maintainer/forget-about-cleaning-up-th
at-messy-office/no-raises-this-year multifaceted IT meatball surgeon?

I'm getting further behind every day.  It would be great to see how others
are handling it.

Gary



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Thursday, January 19, 2006 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed


Gary wrote:

 I'm in a position
 where I'm making
 the big decisions, doing the big work and also doing all the 
 little details
 (I'm it) including daily problems.  Zero training/learning time, zero
 anything except get to the next fire. 

Boy, does that sound familiar...



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




RE: [ActiveDir] OU Delegation

2006-01-19 Thread joe
Exactly. There are good reasons for and against both multiple domains (including
empty) and multiple forests. As a safe haven from domain level GPOs or final QA
point for domain level modifications are things I wouldn't push against. Does it
make sense for everyone? Depends on your management structure and concerns - some
will see that as an issue that could impact them, others could see it as nothing.
As a security barrier to protect hacking of the enterprise/schema admin is one I
would push against because it doesn't actually do anything to help that.
Organization of the forest is one that could easily go either way, tough to argue
it as it really isn't technically based. In larger multidomain environments, I
tend to like empty roots because the overhead is usually quite minimal in relation
to everything else and it is a great place to deploy new patches, etc.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

candid=on
As we've heard before today - do a cost/benefit study.

Is it really prudent to build an extra domain with the incurred overheads just in
case someone makes a mistake? There are doubtless other mistakes which can only be
mitigated by building a separate forest.

There may be good reasons (and bad ones too) for building a placeholder domain -
these reasons need to be weighed against the incurred costs (over at least a 3
year period).
candid=off

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: 19 January 2006 14:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

"The biggest thing about an empty forest root is it is a safe haven. Safe haven: A
domain where the god rights live and you don't apply any gpo's or other things
that can get out of hand and hurt you. This actually saved my a__ once at
[deleted] when the GPO guys screwed up on the main account domains. They locked
down EVERY single userid to kiosk mode. Fortunately they have no rights in the
root domain so couldn't do anything to my IDs so I could log onto my PC with the
forest root ID and undo what they did."

Verbatim quote from one of the top [I mean "REALLY TOP"] AD guys on this list to
me in an offline when I asked him about whether or not I should do an empty root.
I did it.

RH
_

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Wednesday, January 18, 2006 8:13 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OU Delegation

  Well I didn't say I don't see the benefit of an empty root. I just don't see it
  as a generic best practice. Sometimes it makes a ton of sense, sometimes someone
  needs to be slapped for bringing it up. ;o)

   joe


  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Wednesday, January 18, 2006 5:11 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OU Delegation

  Boy, I just had a consultant recommend an empty root as best practice for a
  divestiture we're doing. Like Gil and Joe, I really don't see the benefit (nor
  could the consultant name anything specifically).

  We have a single domain and delegate OU rights based basically on an
  administrative team's need to manage a group of resources, typically computers.
  Users, groups and Exchange are managed centrally. Moving things around within
  one domain is a whole lot easier than among domains.

  AL

  Al Maurer
  Service Manager, Naming and Authentication Services
  IT | Information Technology
  Agilent Technologies
  (719) 590-2639; Telnet 590-2639
  http://activedirectory.it.agilent.com


  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
  Sent: Thursday, January 12, 2006 10:50 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OU Delegation

  As joe says, "it depends". AD architecture is always a cost/benefit discussion,
  and most people don't really understand 1) the real benefits of multiple
  domains, and 2) the additional costs of running multiple domains.

  For instance, "additional security" is often cited as a benefit of an empty
  root. An empty root maybe provides a little additional security, but not much.
  The benefit depends on your own risk evaluation.

  On the other hand, the ongoing operational cost of a two domain forest is
  considerably higher than a single domain forest. Additional hardware costs,
  additional diagnostic complexity, and a more complicated DR situation all add to
  the costs of running multiple domains.

  My general recommendation is to stick with a single domain if you can, and add
  additional domains if you need to for password policy or controlling 
  

RE: [ActiveDir] Changing Employee ID from workstation

2006-01-19 Thread joe
I got a message with the funky characters below (I am going to guess a
signature or more likely a disclaimer) and then a separate eml attachment
with


Hello list,
 
I've been using a VBScript for some time already to add an Employee ID
manually through ADUC, but the problem is that I always have to make a
remote desktop connection to the ADUC of DC to do that. Isn't it possible to
do it from the console at my workstation? Even if I add script to my
computer (I don't know if that is even necessary) I still can't see
Employee ID in the context menu, when I right click the user..
 
Thanx,
Marko



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 3:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Employee ID from workstation

Is it just me, or are all posts from Marko unreadable / stripped of content?


neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marko Inkinen
Sent: 19 January 2006 07:59
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing Employee ID from workstation

My e-mail address changes on 31.12.2005; the user-name part stays the same, the
new domain part is PKSSK.FI. ([EMAIL PROTECTED]).


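The right-click entry Doug and Neil describe, and that Marko's VBScript hangs off, is a value in the adminContextMenu attribute of the user display specifier in the Configuration partition (CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,...). That is why one ADSI Edit change appears on every admin's ADUC in the forest, and why the script runs on the admin's own workstation rather than on the DC. The PowerShell below is an added example, not code from anyone in this thread or from petri's site: it registers such an entry and installs the handler it launches. The domain contoso.com, the NETLOGON share as the script location, menu index 3 and the 1-10 digit employeeID format are placeholders, and it assumes the handler is Authenticode-signed because the wrapper starts PowerShell with -ExecutionPolicy AllSigned (drop that switch if you do not sign scripts, at the cost of the tamper check).

```powershell
<#
Added example, not code from this thread. Registers a "Set Employee ID..."
right-click entry for user objects in ADUC and installs the handler it runs.
Assumptions (placeholders): domain contoso.com, the NETLOGON share as the
script location, menu index 3, a 1-10 digit employeeID format, and an
Authenticode-signed handler (the wrapper runs PowerShell with AllSigned).
Run once, as an account that can write the Configuration partition.
#>
$share   = '\\contoso.com\NETLOGON'
$wrapper = Join-Path $share 'Set-EmployeeID.cmd'
$handler = Join-Path $share 'Set-EmployeeID.ps1'

# ADUC runs the menu entry's command through ShellExecute and appends two quoted
# arguments: the object's ADsPath and its class. A .cmd wrapper turns that into
# a PowerShell call, because a .ps1 is not directly executable that way.
@"
@echo off
powershell.exe -NoProfile -ExecutionPolicy AllSigned -File "$handler" %1 %2
"@ | Set-Content -Path $wrapper -Encoding Ascii

# The handler. It runs on the admin's workstation with the admin's own token,
# so SetInfo() succeeds only if that admin has write permission to employeeID.
@'
param([string]$ADsPath, [string]$Class)
if ($Class -ne 'user') { exit 1 }
$user    = [ADSI]$ADsPath
$current = [string]$user.employeeID
$new = Read-Host "Employee ID for $($user.sAMAccountName) (current '$current', blank to cancel)"
if ([string]::IsNullOrWhiteSpace($new)) { exit 0 }
# Validate against the HR format before writing (assumed: 1-10 digits).
if ($new -notmatch '^\d{1,10}$') { Write-Error "Rejected: '$new' is not a valid employee ID"; exit 1 }
$user.Put('employeeID', $new)
$user.SetInfo()
'@ | Set-Content -Path $handler -Encoding UTF8

# Display specifiers live in the Configuration NC and replicate forest-wide, so
# this one write puts the entry on every admin's console (after replication and
# a restart of the ADUC snap-in). CN=409 is the English locale; repeat for
# other locales you use.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$spec     = [ADSI]"LDAP://CN=user-Display,CN=409,CN=DisplaySpecifiers,$configNc"
$entry    = "3,Set Employee &ID...,$wrapper"      # "index,menu text,command"

if (@($spec.adminContextMenu) -notcontains $entry) {
    $spec.PutEx(3, 'adminContextMenu', @($entry))  # 3 = ADS_PROPERTY_APPEND
    $spec.SetInfo()
}
```

Run it once as an account allowed to write the Configuration naming context (Enterprise Admins by default, the same forest-wide rights Doug needed for ADSI Edit), then restart the ADUC snap-in after replication. Two things to check before rolling it out. The command path is executed with the token of every admin who clicks the entry, so the share must be writable only by the people who can edit the Configuration partition; a handler on a share that helpdesk staff can write is a privilege-escalation path into every account that uses the menu. And the menu entry grants no rights of its own: SetInfo() fails with access denied unless the caller already has write permission on employeeID for that user, so delegate that single property to the support team rather than Full Control. Surfacing read-only data the same way, as Neil's petri script does for last logon and password-last-set, is the same display-specifier edit with a handler that only reads.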


RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-19 Thread joe
LOL.

Ok, so has this thread finished up? If so, I will try to go through them and
summarize and then send off to the appropriate folks at MS.

Bueller...
Bueller..
Bueller.



BTW, I just received a hard copy version of Active Directory Third Edition
from FedEx so it looks like the book is now being printed. Doesn't appear to
be on Amazon yet though it is on the O'Reilly site (and has been for a bit
actually). 



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, January 16, 2006 9:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

 Note that the ones you don't submit will most likely not be
implemented... 

Ah but that's not necessarily true -  there are about 10 ideas I remembered
about right after they were posted, so I didn't have to post them myself :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 14, 2006 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

 I have hundreds of more ideas, but not enough time to put them all
down.

Thanks for what you did submit. Note that the ones you don't submit will
most likely not be implemented. ;o)

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marc A.
Mapplebeck
Sent: Saturday, January 14, 2006 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

OK, Here goes:

1. Ability to bulk set passwords, I have 6 generic limited access accounts
for users that forget their smartcards, but the passwords are generated on a
daily basis, and I just hate setting it on all 6, I suppose a simple script
would do this, but I would love to see integrated so that I do not have to
modify the schema display specifiers. 

2. Easily add fields to the ADUC property pages, I believe this was
mentioned in being MMC2.

3. Easily add items to the context menu without having to manually edit the
display specifier of the schema.

I have hundreds of more ideas, but not enough time to put them all down.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: January 12, 2006 11:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post to the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts? Would
this be better to add maybe as additional columns that you could tell the
GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this conversation at BB.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for disabled
accounts, expired account, expired password, etc.  

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want the GUI to present things to
you. The developers or whomever wrote the spec for the developers didn't
feel it should. You also have to ask if accounts with locked passwords
should show up that way and define if you mean expired accounts or expired
passwords on accounts and whether or not you would differentiate them in
that marking. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, January 12, 2006 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Expired Accounts

Shouldn't expired accounts show up with a red X just like a disabled
account?


RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread Scott Klassen
I'm in the position of jack-of-all-trades as well.  I barely get a chance to
visit the restroom on some days, never mind breaks or lunch. Here's some
advice I can impart:

1)  Learn to say no and/or wait to the powers that be at your company.  You
can't do everything at once.  Make certain that this is a realization which
upper management has.  Going hand in hand with this, be certain that you
take some time for proactive monitoring during the week.  Check logs for
your devices and servers.  Don't wait for a system to go down before you
realize the logs had been throwing errors for days beforehand.

2)  Train the employees to take off some of the burden.  I taught all of my
users about the mysterious help file.  :)  I also created walkthroughs of
recurring chores that a standard user could perform themselves and put them
into a FAQ on our intranet site.

3)  Google is your biggest friend.  You will have a very hard time finding a
professionals' forum where you will get an exact answer to a specific
question every time, first try.  The expectation is that you do some research
on an issue before even asking in a forum.  On a simple problem somebody
asks, the most frequent reply is a Google search link.

4)  Some good resources are experts-exchange and myitforum.  I would also
highly recommend the NTSysAdmin group hosted by Sunbelt-Software.  It
definitely doesn't hurt to pick up a book or two on various subjects which
may apply.

5)  The biggest and best time saver I can think of is to learn scripting.
This is one where it's do as I say not as I do.  I really want to learn and
have made some inroads, but there is never enough time.  My ability now is
at the level of taking scripts others have generously posted and modifying
them to my purposes.  Tons of great sites for scripts including the Technet
scripting center, scriptinganswers.com, and http://cwashington.netreach.net.

6)  Stick with it here as well, if only as a lurker.  Learn and absorb as
much as you can.  It will make you a better admin in the long run.

7)  In doing all of these things, I pared down my workweek here from 80+
hours when I began 1.5 years ago to a normal 40 hour work week.  I've even
gotten back to doing external consulting work on the weekends again.

Hope some of this helps.

Scott Klassen

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Thursday, January 19, 2006 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Larry,

I know I'm not the only one in this position.  But membership in that club
doesn't dissolve any of the stress.  Are there other online forums that deal
with the people who have to do it all in the smaller operations?
Time-saving tips, direct answers and help on specific issues?  Etc?
Frankly, I'm lost on a lot of the stuff discussed in this forum - haven't
been able to reach that level of knowledge yet.  But it's still an
invaluable source.  

Are there any more out there like it, at a lower tier of knowledge with
slightly different focus, for the tied-to-the-whipping-post average
network-admin/PC-schlepp/IT-Systems-Mgr/purchasing-guy/telephone-system-guy
/database-admin/software-specialist/new-technology-wizard/programmer-analyst
/security-specialist/software-upgrade-maintainer/forget-about-cleaning-up-th
at-messy-office/no-raises-this-year multifaceted IT meatball surgeon?

I'm getting further behind every day.  It would be great to see how others
are handling it.

Gary



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Thursday, January 19, 2006 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed


Gary wrote:
 I'm in a position
 where I'm making
 the big decisions, doing the big work and also doing all the 
 little details
 (I'm it) including daily problems.  Zero training/learning time, zero
 anything except get to the next fire. 

Boy, does that sound familiar...

-- 
Larry
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread joe
LOL. I talk to myself (a lot) and write a lot of stuff that I later erase
prior to sending. Through that mechanism, mostly anyone outside of me will
see the good 50% but some of the bad can slip through. :o) I have a strong
desire to not look like a complete dunderhead in public. I have been known
to say some stunningly stupid things though.  

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, January 19, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

And further, I am not trying to say I am always right. Quite the contrary,
fully 50% of what I say is flat out incorrect, made up, or complete opinion.
Your job is to try to figure out what is and isn't in that 50%.

joe, I will not be signing my emails to you anymore with YMYMYM

Unless, of course, you recant.

RH
___


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Wednesday, January 18, 2006 9:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed


And further, I am not trying to say I am always right. Quite the contrary,
fully 50% of what I say is flat out incorrect, made up, or complete opinion.
Your job is to try to figure out what is and isn't in that 50%. Preferably
prior to changing your environment based on something I said. :o)

Or to put it another simpler way, mileage varies. What works very well for
me may not be in your best interest.

I would like to hear the technical details behind the SID issues from that
article though. Maybe I will follow the link. Though I doubt what I want is
there. Very little serious deep tech in that mag anymore. The tech stuff I
previously wrote for them they stopped putting in the mag and started
putting in their over the top highly overpriced professional newsletters
that were $100+ for 12 tiny little issues that looked like a small school
newspaper.


  joe



-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 9:14 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD computer accounts being removed

Don't get me wrong though... Sysprep/newsid, follow the process. I am
absolutely not telling people to image machines and deploy them without
cleaning them up. If you have odd things happening and are not following the
recommended processes, it is all on you and you get to take responsibility
for what you do. :)



-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 9:01 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD computer accounts being removed

I would like to see the details of what the issues are. Windows IT Pro mag
is a nice mag and all, but there is no real technical review of the
articles, you can say about anything you want to and I have seen several
examples. Ditto for Redmond Mag and SearchWindows*, etc.

I don't think the people actually test the stuff they say in a lot of those
articles though they try to state it authoritatively.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, January 18, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD computer accounts being removed

On 1/19/06, Aaron Visser [EMAIL PROTECTED] wrote:

 Taken from
 http://www.sysinternals.com/Utilities/NewSid.html under the SID 
 Duplication Problem


   snip

Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html

At the start of the GUI phase of installation each NT/2000 installation
generates a unique Security IDentifier (SID). If you then clone a
workstation each installation would have the same machine SID.
This is not a problem in a Windows NT 4.0 domain as users have a SID
generated by the domain controller and do not use the local workstation SID
for security. It IS a problem in a Windows 2000 domain as the local machine
SID is used in nearly all aspects of security and before migrating to 2000
you should resolve any duplicate SID issues which may have been caused by
cloning installations.

--
AdamT
Maidenhead is *not* in Kent
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
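As an added illustration (not code from the thread, Sysinternals or the quoted KB article): the SID structure the article describes, used to flag cloned machines from account SIDs collected off a fleet. The host names, domain SID and account SIDs below are constructed; local accounts are those whose issuer prefix is not the domain SID, which is exactly why domain accounts are unaffected by cloning.

```python
"""Constructed example: detect duplicate machine SIDs from collected account SIDs.

A Windows account SID looks like S-1-5-21-A-B-C-RID.  The S-1-5-21-A-B-C
prefix is the issuing authority (the machine SID for local accounts, the
domain SID for domain accounts); the trailing RID names the account within
it.  A clone that skipped Sysprep/NewSID keeps the source machine SID, so its
local accounts carry the same SIDs as the source.  Domain accounts hang off
the domain SID instead, so they stay distinct, as the thread says.
"""
from collections import defaultdict


def split_sid(sid):
    """Split 'S-1-5-21-A-B-C-RID' into (issuer_sid, rid).

    Anything that is not an NT-authority (5), sub-authority 21 account SID
    with a trailing RID (eg. a BUILTIN SID such as S-1-5-32-544) is rejected.
    """
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"] \
            or not all(p.isdigit() for p in parts[4:]):
        raise ValueError(f"not an S-1-5-21 account SID: {sid!r}")
    return "-".join(parts[:7]), int(parts[7])


def machine_sid(account_sids, domain_sid):
    """Derive a host's machine SID from the account SIDs seen on it.

    Domain accounts (issued under domain_sid) are ignored; the remaining
    accounts must all share one issuer, which is the machine SID.
    """
    issuers = {split_sid(s)[0] for s in account_sids} - {domain_sid}
    if len(issuers) != 1:
        raise ValueError(f"expected exactly one machine SID, got {sorted(issuers)}")
    return issuers.pop()


def duplicate_machine_sids(inventory, domain_sid):
    """Return {machine_sid: [hosts]} for machine SIDs shared by >1 host.

    inventory maps hostname -> list of account SIDs collected from that host.
    """
    hosts_by_sid = defaultdict(list)
    for host, sids in inventory.items():
        hosts_by_sid[machine_sid(sids, domain_sid)].append(host)
    return {sid: sorted(h) for sid, h in hosts_by_sid.items() if len(h) > 1}


def colliding_local_accounts(inventory, domain_sid):
    """Return {account_sid: [hosts]} for local account SIDs present on >1 host.

    These are the SIDs a workgroup cannot tell apart: an ACL entry for the
    user on one clone also matches the same-SID user on the other.  Domain
    account SIDs legitimately appear on many hosts and are excluded.
    """
    hosts_by_sid = defaultdict(set)
    for host, sids in inventory.items():
        for sid in sids:
            if split_sid(sid)[0] != domain_sid:
                hosts_by_sid[sid].add(host)
    return {sid: sorted(h) for sid, h in hosts_by_sid.items() if len(h) > 1}


# Constructed sample data (hypothetical hosts and SIDs, not from the thread).
DOMAIN_SID = "S-1-5-21-1000-2000-3000"
INVENTORY = {
    # ws02 is a ghost image of ws01 taken without Sysprep: same machine SID.
    "ws01": ["S-1-5-21-111-222-333-500",      # local Administrator (RID 500)
             "S-1-5-21-111-222-333-1001",     # local user
             "S-1-5-21-1000-2000-3000-1105"], # domain user profile
    "ws02": ["S-1-5-21-111-222-333-500",
             "S-1-5-21-111-222-333-1001",
             "S-1-5-21-1000-2000-3000-1106"],
    # ws03 was sysprepped, so it got its own machine SID.
    "ws03": ["S-1-5-21-444-555-666-500",
             "S-1-5-21-444-555-666-1001",
             "S-1-5-21-1000-2000-3000-1105"], # same domain user as on ws01: fine
}

if __name__ == "__main__":
    for sid, hosts in duplicate_machine_sids(INVENTORY, DOMAIN_SID).items():
        print(f"machine SID {sid} shared by {', '.join(hosts)}")
    for sid, hosts in colliding_local_accounts(INVENTORY, DOMAIN_SID).items():
        print(f"local account {sid} exists on {', '.join(hosts)}")
```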


RE: [ActiveDir] Changing Employee ID from workstation

2006-01-19 Thread Marko Inkinen
My email address changes on 31.12.2005; the username part stays the same, the
new domain name is PKSSK.FI. ([EMAIL PROTECTED]).

I'm sure you did, Rich. And I apologize for the inconvenience with 
attachments.. But I guess it's like that here where the temperature is about 
minus 13 degrees Fahrenheit.. if someone knows what to do, please don't 
hesitate to tell me :)
 
I also got a message like this:
Symantec Mail Security detected prohibited content in a message sent from your 
address
Subject of the message: [ActiveDir] Changing Employee ID from workstation
Recipient of the message: ActiveDir@mail.activedir.org 
ActiveDir@mail.activedir.org
Does the list have a Symantec check, perhaps?
 
Well, back to the point. I have found two solutions (I found the other one 
today) that use a vbscript to add an entry to the user context menu in ADUC. The first 
one you'll find here: 
http://www.informit.com/articles/article.asp?p=169630seqNum=5rl=1. The other 
one I found in the list archive, from Kouti: http://www.kouti.com/scripts.htm 
(employeeid.vbs)
 
I'm actually pretty sure that it worked sometimes earlier also from my own 
computer but I haven't got it working anymore.
 
Best regards, Marko



From: [EMAIL PROTECTED] on behalf of Rich Milburn
Sent: Thu 19.1.2006 16:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Employee ID from workstation



I got it as an attached message to that one in... Finnish?? I'm sure I saw the 
word reindeer in there somewhere :-)

 

Marko - I need coffee, so maybe that's why, but I think you're saying you have 
a vbscript that is launched from a modification of the user context menu 
you made to ADUC on your DC, and the vbscript works fine, but what is not 
happening is that using ADUC on your computer, you do not have that 
modification?  Or is the script modifying the context menu on ADUC? 

 

Rich

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 2:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Employee ID from workstation

 

Is it just me, or are all posts from Marko unreadable / stripped of content? 

 

neil

 



From: Marko Inkinen [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 19, 2006 1:59 AM
To: ActiveDir@mail.activedir.org
Subject: Changing Employee ID from workstation

 

Hello list,

 

I've been using a vbs-script for some time already to add an Employee ID manually 
through ADUC, but the problem is that I always have to make a remote desktop 
connection to the ADUC on the DC to do that. Isn't it possible to do it from the 
console at my workstation? Even if I add the script to my computer (I don't know if 
that is even necessary) I still can't see Employee ID in the context menu 
when I right-click the user..

 

Thanx,

Marko

 

 






RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread joe



Most likely oversight. I submit quite a few requests to get 
articles like this updated that are missing specific OS versions or App 
versions. At one point I asked that they have an additional field of "doesn't 
apply to" for OSes so you at least knew they weren't forgetting it. I was told 
to piss off.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Thursday, January 19, 2006 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed


Any idea why XP is omitted in this article, but 2k and 2k3 are included?
http://support.microsoft.com/?id=162001
"Do Not Disk Duplicate Installed Versions of Windows NT"



---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 6:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well, I would agree that is not a safe practice for most, but for my application, where all local accounts 
are disabled, I do not see a problem.

Taken from http://www.sysinternals.com/Utilities/NewSid.html under "The SID Duplication Problem":
Duplicate SIDs aren't 
an issue in a Domain-based environment since domain accounts have SID's based on 
the Domain SID. But, according to Microsoft Knowledge Base article Q162001, "Do 
Not Disk Duplicate Installed Versions of Windows NT", in a Workgroup environment 
security is based on local account SIDs. Thus, if two computers have users with 
the same SID, the Workgroup will not be able to distinguish between the users. 
All resources, including files and Registry keys, that one user has access to, 
the other will as well.

Aaron







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You're getting duplicate SIDs here - bad. 



Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big 
difference with my images: before I ghost them or create the image, I put the 
said machine into a workgroup and then create the image. After I have imaged a 
computer I log on and change the computer name, reboot and then join the domain 
with the new computer name. Should I be using Sysprep? 


And Brenda, I have experienced your problem, but I have never noticed the accounts actually being 
out of AD. Anyway, most times for me a simple reboot works, although I have had 
to actually ghost computers in order to rejoin the domain because I do not have 
any local accounts active on my computers in the school. Makes it a little safer 
:) but with that comes more work :(








From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don't sysprep your images?


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed


Brenda,



FWIW: It happens to me when I clone a workstation and then try to join that workstation to the domain 
in order to change the computer name. AD sees 2 machines with the same 
name, gives me a notification and lets the 2nd one in. Then when the 
original machine with that name logs in next time, it isn't seen on the 
network. Then I have to do the same thing you did - with the original 
machine. Then all is well again. Don't know if that will 
help, but it might narrow down the problem some.



Gary

Gary Polvinale
Denton ATD




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone.


Thanks, 

Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]

[ActiveDir] Permissions vanishing

2006-01-19 Thread Bahta, Nathaniel V Contractor NASIC/SCNA




Hey everyone,

I am having an issue with a cluster server that shares our common access data
drive. Every other day, the NTFS permissions on the shared clustered drive will
revert to only Administrators and System having privileges. I have it set up as
follows:

X:\SharedData - Share permissions:
  Authenticated Users: RWX

X:\SharedData - Inherited NTFS permissions:
  Authenticated Users: RX, LIST FOLDER CONTENTS
  Administrators: F
  System: F

Every other day or so the Authenticated Users entry vanishes from the NTFS
permissions.

I enabled auditing on the folder for permission change, but nothing came up in
the security log that stated that the permissions had changed.

Any ideas?

I would appreciate anything anyone had to suggest.


Thanks,
Nate



[ActiveDir] OT: speaking of AD books...

2006-01-19 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Design and Deployment of Microsoft's Active Directory
O'Reilly Releases Active Directory, Third Edition

Sebastopol, CA--"Since its introduction in Windows 2000, Microsoft's Active
Directory has improved the way organizations share network resources such
as users, groups, computers, printers, applications, and files. Having a
single source for this information makes it more accessible and easier to
manage," notes Robbie Allen, co-author of the highly acclaimed Active
Directory, now available in its third edition (O'Reilly, US $49.99). "To
accomplish this, however, requires a significant amount of knowledge on
topics such as LDAP, Kerberos, DNS, multi-master replication, group
policies, and data partitioning, to name a few."

In other words, Active Directory is still a major headache for network and
system administrators who have to design, implement, and support it.
Allen's book, co-written with industry experts Joe Richards and Alistair
G. Lowe-Norris, offers a clear and detailed introduction that not only
guides administrators through the maze of technologies, but also helps
them understand the big picture.

"Our book describes Active Directory in depth, but not in the traditional
way of going through the graphical user interface screen by screen," Allen
explains. "Instead, the book sets out to tell administrators how to
design, manage, and maintain a small, medium, or enterprise Active
Directory infrastructure that's both scalable and reliable."

Many industry authorities consider this book to be the definitive resource
for implementing Active Directory. Allen, Richards, and Lowe-Norris have
revised the new edition of Active Directory significantly to describe
features that have been updated or added in Windows Server 2003 R2,
including coverage of programmatic interfaces available to manage them.
Three additional chapters explain new features and concepts such as Active
Directory Application Mode (ADAM), and scripting for common user and group
tasks for Microsoft Exchange 2000/2003.

"Once information has been added to Active Directory, it can be made
available for use throughout the entire network to as many or as few
people as an administrator likes," Allen points out. "The structure of the
information can match the structure of the organization, and users can
query Active Directory to find the location of a printer or the email
address of a colleague. Administrators can delegate control and management
of the data however they see fit."

While Microsoft's documentation serves as an important reference, any
administrator who deals with Active Directory will find this book to be a
valuable resource, whether he or she manages a single server or works for
a global multinational with thousands of servers. To that end, Active
Directory is divided into three sections:

-Part I introduces in general terms how Active Directory works, giving
readers a thorough grounding in its concepts, such as Active Directory
replication, the schema, application partitions, group policies, and
interaction with DNS.

-Part II covers the issues around properly designing the directory
infrastructure, including designing the namespace, creating a site
topology, designing group policies for locking down client settings,
auditing, permissions, backup and recovery, and a look at Microsoft's
future direction with Directory Services.

-Part III is all about managing Active Directory via automation with
Active Directory Service Interfaces (ADSI), ActiveX Data Objects (ADO),
and Windows Management Instrumentation (WMI). Readers learn how to create
and manipulate users, groups, printers, and other objects in their
everyday management of Active Directory.

"Administrators who want a book that lays bare the design and management
of an enterprise or departmental Active Directory need look no further,"
Allen says. "Even if they have a previous edition of the book, they'll
find this third edition to be full of updates and corrections and a worthy
addition to their 'good' bookshelf: the bookshelf next to their PC with
the books they really read that are all dog-eared with soda drink spills
and pizza grease on them."

Additional Resources:

Chapter 11, Active Directory Security: Permissions and Auditing, is
available online at:
http://www.oreilly.com/catalog/actdir3/chapter/index.html

For more information about the book, including table of contents, index,
author bios, and samples, see:
http://www.oreilly.com/catalog/actdir3/

For a cover graphic in JPEG format, go to:
ftp://ftp.ora.com/pub/graphics/book_covers/hi-res/0596101732.jpg

Active Directory, Third Edition
Joe Richards, Robbie Allen, and Alistair G. Lowe-Norris
ISBN: 0-596-10173-2, 800 pages, $49.99 US, $69.99 CA
[EMAIL PROTECTED]
1-800-998-9938
1-707-827-7000
http://www.oreilly.com
1005 Gravenstein Highway North
Sebastopol, CA 95472

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



RE: [ActiveDir] OU Delegation

2006-01-19 Thread Gil Kirkpatrick



"...when the GPO guys screwed up on the main account domains. They locked down
EVERY single userid to kiosk mode"

Most people mitigate this sort of risk by technical review, automating the
change application, and testing in a separate test forest. I can't see
creating a separate domain as a "safe haven" for screwups like that. And it
doesn't provide a safe haven from lots of other potential screwups like
replication topology changes or schema mods.

-gil




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 19, 2006 11:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Exactly. There are good reasons for and against both 
multiple domains (including empty) and multiple forests. As a safe haven from 
domain level GPOs or a final QA point for domain level modifications are 
things I wouldn't push against. Does it make sense for everyone? Depends on your 
management structure and concerns - some will see that as an issue that could 
impact them, others could see it as nothing. As a security barrier to protect 
against hacking of the enterprise/schema admin is one I would push against because 
it doesn't actually do anything to help that. Organization of the forest is one 
that could easily go either way, tough to argue it as it really isn't 
technically based. In larger multidomain environments, I tend to like empty 
roots because the overhead is usually quite minimal in relation to everything 
else and it is a great place to deploy new patches, etc.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

candid=on
As we've heard before today - do a cost/benefit study.

Is it really prudent to build an extra domain with the incurred overheads
just in case someone makes a mistake? There are doubtless other mistakes
which can only be mitigated by building a separate forest. 

There may be good reasons (and bad ones too) for building a placeholder
domain - these reasons need to be weighed against the incurred costs (over
at least a 3 year period).
candid=off

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: 19 January 2006 14:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

"The biggest thing about an empty forest root is it is a safe haven. Safe
haven: A domain where the god rights live and you don't apply any gpo's or
other things that can get out of hand and hurt you. This actually saved my
a__ once at [deleted] when the GPO guys screwed up on the main account
domains. They locked down EVERY single userid to kiosk mode. Fortunately
they have no rights in the root domain so couldn't do anything to my IDs so
I could log onto my PC with the forest root ID and undo what they did."

Verbatim quote from one of the top [I mean "REALLY TOP"] AD guys on this
list to me in an offline when I asked him about whether or not I should do
an empty root. I did it.

RH
_


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Wednesday, January 18, 2006 8:13 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OU Delegation
  Well I didn't say I don't see the benefit of an empty 
  root. I just don't see it as a generic best practice. Sometimes it makes a ton 
  of sense, sometimes someone needs to be slapped for bringing it up. 
  ;o)
   
   joe
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Wednesday, January 18, 2006 5:11 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OU Delegation
  
  
  Boy, I just had a consultant recommend an empty root as best practice for
  a divestiture we're doing. Like Gil and Joe, I really don't see the benefit
  (nor could the consultant name anything specifically).
  
  We have a single domain and delegate OU rights based basically on an
  administrative team's need to manage a group of resources, typically
  computers. Users, groups and Exchange are managed centrally. Moving things
  around within one domain is a whole lot easier than among domains.
  
  AL
  
  Al Maurer
  Service Manager, Naming and Authentication Services
  IT | Information Technology
  Agilent Technologies
  (719) 590-2639; Telnet 590-2639
  http://activedirectory.it.agilent.com 
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
  Sent: Thursday, January 12, 2006 10:50 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OU Delegation
  
  As joe says, "it 
  depends". AD architecture is always a cost/benefit discussion, and most people 
  don't really understand 1) the real benefits of multiple domains, and 2) the 
  additional costs of running multiple domains.
  
  For 

RE: [ActiveDir] OT: Gauging AD experience

2006-01-19 Thread Lee, Wook








Sorry, I already did that one. My first DEC presentation was entitled "When
Bad Things Happen To Good Directories." :)



Wook











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 19, 2006
8:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:
Gauging AD experience





"when good directories go bad"... sounds like a catchy title for a
presentation, Joe. I think of directories and identity management
infrastructures a little like networks: you rarely do get to design one from
scratch, you're always tweaking an existing one. And I agree that tweaking
the existing ones is a lot more interesting than designing from a blank
slate. The analogy could be taken too far, but like networks, directories
and authentication systems are always morphing due to new technologies, new
tools, adding or removing applications. Lots of fun.





Al Maurer 
Service Manager, Naming and Authentication Services 
IT | Information Technology
Agilent Technologies 
(719) 590-2639; Telnet 590-2639 
http://activedirectory.it.agilent.com 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006
6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:
Gauging AD experience





I would say focusing on the design of big
directories is pigeon-holing a little too much. There are only so many big
directories that need to be designed. I personally find much more fun in
diagnosing good directories that have gone bad than trying to design them. I
design if I have to but it isn't what I like. Plus often with the design, it is
rarely the case where you actually have all of the info though someone will
tell you you do. You find out you don't later on when someone starts
complaining or something starts breaking. 



I am not sure I would go so far as to say it is something you let the tools
handle though. A lot of the tools out there still aren't doing the greatest
job and there are many companies that don't want to spend the millions on
those tools that they would be charged for them, instead having a few really
good people handling it. A tool doesn't see bad things coming when someone is
coming at you with the next great thing they want to plug into the AD. If the
tool does catch it, it is way too late in the integration cycle. Plus, what
if the tool isn't catching the problem? Someone has to be knowledgeable
enough too. If you depend solely on your tools to keep your AD running well
it is possible you are going to get cut pretty good. When I did Ops, I had
several tools that watched what had been determined needed to be watched and
then I would just go off and sample things to decide if there was something
that maybe could be watched that we weren't watching. That could take the
form of just watching network packets on a DC or a client subnet for an hour
or so, or just walking the event logs event by event, or walking through
looking at objects in the directory. Whatever.



To get into those positions you want to get in with the companies already
mentioned and jump about (and try not to hurt the customer too much with
your learning) or find a big company and take whatever entry position you
can get and prove yourself and grow into bigger/better positions. Don't
expect to, for instance, walk into Walmart and become their AD guy. Maybe
you get in as desktop support and get to know the right people and make
suggestions on how things can be better and work your way up. You could
possibly walk into a company and be their expert right off if your
experience is greater than what they currently have or your resume indicates
it or they are desperate. But it could end up biting you in the end if you
don't turn out to be what they expected. Companies can get mighty pissy if
they find out down the road that they are paying 100k+ to someone who would
normally be lucky making $45k. 

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, January 18, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Gauging AD experience

I am trying to figure out how one gauges their AD experience. For example, I have designed, implemented and maintained an AD/Exchange environment of 5000 users with 1000 workstations from the ground up, alone. The environment is only 3 sites, with little complexity. I now work for a company maintaining a directory of about 150 users and 150 workstations. And the more local AD people I talk to, the more confident I am that I know quite a bit about AD compared to them (only talking about the people I have met, not generalizing the entire industry).

Although I am not a guru like some on this list, I would
like to get myself to the place where I can say yeah, I can design your
50,000 user / 15 site infrastructure. Or is that even possible? Is a
project of that size several directory experts working together? 

I 

[ActiveDir] 3rd party DNS and windows DDNS updates

2006-01-19 Thread Chandra Burra
Hi,

Wanted to know if any one has tried this or does this work. Having a 3rd party DNS with a sub-zone or child zone created for AD and delegated that zone to windows DDNS. Now if the clients are pointing to 3rd party DNS as primary DNS - will these clients be able to still register with the dynamic windows DNS??

Regards,
Chandra Burra


RE: [ActiveDir] Permissions vanishing

2006-01-19 Thread Gil Kirkpatrick

The fact that nothing showed up in the audit log is 
disturbing. Can you modify the ACL manually and see the audit entries that 
appear?

Is there possibly a group policy that is changing the 
ACLs?

-gil


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel 
V Contractor NASIC/SCNASent: Thursday, January 19, 2006 11:34 
AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] 
Permissions vanishing


Hey everyone,

I am having an issue with a cluster server that shares our common access data drive. Every other day, the NTFS permissions on the shared clustered drive will revert to only Administrators and System having privileges. I have it set up as follows:

X:\SharedData - Share permissions: Authenticated Users RWX

X:\SharedData - Inherited NTFS permissions: Authenticated Users RX, List Folder Contents; Administrators F; System F

Every other day or so the Authenticated Users vanish from the NTFS permissions.

I enabled auditing on the folder for permission change, but nothing came up in the security log that stated that the permissions had changed.

Any ideas?

I would appreciate anything anyone had to suggest.


Thanks,
Nate

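The two things Gil asks for, a way to see exactly which ACE went missing and a check that permission changes really produce audit records, as an added example in PowerShell. This is not code from the thread. It assumes the folder path from the post, X:\SharedData, and a hypothetical snapshot file location; run it on the cluster node that currently owns the disk, in an elevated session that holds SeSecurityPrivilege (needed to write the SACL).

```powershell
# Added example, not from the thread: snapshot the ACEs on a folder, report what
# changed since the snapshot, and add a SACL so later permission changes are audited.
# Assumptions: folder path from the post; snapshot file location is hypothetical.

$Folder   = 'X:\SharedData'
$Snapshot = 'C:\ProgramData\AclBaseline\SharedData.txt'   # hypothetical

function Get-AceList {
    param([Parameter(Mandatory)][string]$Path)
    # One line per ACE. IsInherited tells you whether a missing entry came from the
    # parent (the post says Authenticated Users was inherited), which points at where
    # the change was actually made.
    (Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        '{0}|{1}|{2}|{3}' -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType, $_.IsInherited
    } | Sort-Object
}

function Save-AceSnapshot {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$File)
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $File) | Out-Null
    Get-AceList -Path $Path | Set-Content -LiteralPath $File
}

function Test-AceDrift {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$File)
    $expected = @(Get-Content -LiteralPath $File)
    $current  = @(Get-AceList -Path $Path)
    $diff = Compare-Object -ReferenceObject $expected -DifferenceObject $current
    # '<=' means in the snapshot but gone now (e.g. the Authenticated Users entry);
    # '=>' means present now but not in the snapshot.
    [pscustomobject]@{
        Path    = $Path
        Drifted = [bool]$diff
        Removed = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
        Added   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
    }
}

function Enable-PermissionChangeAudit {
    param([Parameter(Mandatory)][string]$Path)
    # A SACL entry on its own is silent: the "Audit object access" policy (the
    # File System subcategory on Vista/2008 and later) must be enabled as well.
    $acl  = Get-Acl -LiteralPath $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'ChangePermissions, TakeOwnership',
        'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# First run: take the snapshot while the ACL is known good. Then run Test-AceDrift
# on a schedule and alert when Drifted is $true.
if (-not (Test-Path -LiteralPath $Snapshot)) { Save-AceSnapshot -Path $Folder -File $Snapshot }
Enable-PermissionChangeAudit -Path $Folder
Test-AceDrift -Path $Folder -File $Snapshot
```

After enabling the SACL, do the manual test Gil suggests: change one ACE by hand and look in the Security log for a permissions-changed event on that path (event ID 4670 on Vista/2008 and later; the 56x object-access events on Windows 2003). If even a manual change produces nothing, the audit policy is not on and the original "nothing in the log" result says nothing about how the ACEs are being removed.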

RE: [ActiveDir] ADPrep Version Questions

2006-01-19 Thread Noah Eiger

Ok. Promise. Last adprep question: Does adprep need to be run from an i386 directory or can it be run on its own? Does it have dependent files within i386 or is it self-contained?

Thanks.

From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 5:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

LOL. It isn't a decimal number though... It is a series of
variable length decimal numbers separated by the period character... Sort of
like an OID

1.2.840.113556.1.4.7000.102.7038

Versioning is a lost art I think though. I am big on xx.yy.zz.build: xx=major, yy=minor, zz=really minor, build=build number.

To me... major rev changes for big changes, massive updates or rewrites or dramatic functional changes. Minor is added features, bug fixes. Really minor is output string changes or remarks in the code being changed, things that don't change the code flow and don't require any serious testing (I rarely update this one). And build of course is how many times the bin has been compiled.

G:\>filever f:\dev\cpp\adfind\adfind.exe
--a-- W32i APP ENU 1.29.0.785 shp 950,784 12-22-2005 adfind.exe

The current release version of adfind for instance has been compiled 785 times. Well actually that is incorrect, it has compiled 785 times since V01.08.00. There was a little bug in the routine I had been using to increment the counter and it was resetting on every new minor version rev. If I follow the average I am probably off by 250-300 compile build numbers but I expect it is less than that because as the complexity grew in versions 15 the number of compiles between releases went up due to testing and bug hunting.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

It's a common source of confusion.

Ask a user if version 1.4.4 is newer or older than 1.4.3.4 :)

Some say 3.4 > 4 therefore the latter is newer
some say 4 > 3 therefore the former is newer

neil

PS The purist in me would say that without a leading 0, the 196 below looks like 1 thousand 9 hundred and 60, and 1960 > 1830. It's all about justification, when dealing with the decimal notation :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 January 2006 15:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

Ah don't worry about it, I figured you were just
disconnected there when I saw the first question at all. That is why I counted
it out. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, January 17, 2006 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

Oh (blush)

Don't mind me. I'm just over here re-learning that whole tens, hundreds, thousands, etc thing.

Ugh! (eyes roll skyward, head shakes)

;-)

Sorry for the wasted bandwidth.

From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 17, 2006 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

one thousand eight hundred and thirty is greater than one
hundred ninety six. The SP1 version is the most recent and highest version of
adprep. 

0
1
2
3
4
5
6
...
194
195
196
197
198
199
200
...
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
...

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, January 17, 2006 7:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

yes

From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 17, 2006 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

Are you asking if 1830 > 196 ?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, January 17, 2006 6:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADPrep Version Questions

Hi-

I am preparing to upgrade a W2k domain to W2k3. I want to use the latest version of ADPrep. I have found the following info and am confused:

For ADPrep on the following -

From Windows Server 2003 CD: 5.2.3790.0, July 22, 2004, 9:07:08 AM

From WindowsServer2003-KB889101-SP1-x86-ENU.exe: 5.2.3790.1830, November 07, 2005, 5:48:59 PM

Listed in MSKB / Hotfix 324392: 5.2.3790.196, July 23, 2004, 9:04

Am I reading that correctly: the one from SP1 is a lower version and later date than the one in the hotfix? Which one is the latest?

Thanks.

--
nme

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006

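The comparison the thread is circling around, done the way the loader does it, as an added PowerShell example (not code from the thread or from joe's tools). It compares dotted version strings field by field as integers instead of as text, so 5.2.3790.1830 sorts after 5.2.3790.196 and neil's 1.4.4 sorts after 1.4.3.4, and it reads the same four fields from a binary's version resource that filever prints. The only inputs are the version strings quoted in the thread; the file path at the end is a placeholder.

```powershell
# Added example, not from the thread: compare dotted version strings numerically,
# field by field, rather than as text. Sample versions are the ones quoted above.

function Compare-DottedVersion {
    # Returns -1, 0 or 1 for $A <, =, > $B. Fields are compared as integers, so
    # 1830 > 196 even though "1830" sorts before "196" as text. Missing trailing
    # fields count as 0, so 5.2.3790 = 5.2.3790.0 and 1.4.4 > 1.4.3.4.
    param([Parameter(Mandatory)][string]$A, [Parameter(Mandatory)][string]$B)
    $fa = @($A -split '\.' | ForEach-Object { [int]$_ })
    $fb = @($B -split '\.' | ForEach-Object { [int]$_ })
    $n  = [Math]::Max($fa.Count, $fb.Count)
    for ($i = 0; $i -lt $n; $i++) {
        $x = if ($i -lt $fa.Count) { $fa[$i] } else { 0 }
        $y = if ($i -lt $fb.Count) { $fb[$i] } else { 0 }
        if ($x -ne $y) { return [Math]::Sign($x - $y) }
    }
    return 0
}

function Get-NewestVersion {
    # Highest version in a list, using the comparer above.
    param([Parameter(Mandatory)][string[]]$Versions)
    $best = $Versions[0]
    foreach ($v in $Versions) {
        if ((Compare-DottedVersion -A $v -B $best) -gt 0) { $best = $v }
    }
    $best
}

function Get-FileVersionString {
    # The four fields of a Windows binary's version resource, each a 16-bit number;
    # this is what filever printed for adfind.exe above.
    param([Parameter(Mandatory)][string]$Path)
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

# The three adprep builds from the thread: a text sort puts the SP1 build (1830)
# before the hotfix build (196); the numeric comparison picks SP1 as newest.
$builds = '5.2.3790.0', '5.2.3790.1830', '5.2.3790.196'
'Text order   : ' + (($builds | Sort-Object) -join ' < ')
'Numeric pick : ' + (Get-NewestVersion -Versions $builds)                  # 5.2.3790.1830
'1.4.4 vs 1.4.3.4: ' + (Compare-DottedVersion -A '1.4.4' -B '1.4.3.4')     # 1, the former is newer

# Placeholder path; point it at the adprep.exe you are about to run.
# Get-FileVersionString -Path 'D:\i386\adprep.exe'
```

For two- to four-field strings the built-in [version] type does the same thing (`[version]'5.2.3790.196' -lt [version]'5.2.3790.1830'` is $true), but it rejects a single field and anything beyond four fields, which is why the comparer above handles variable length itself.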

RE: [ActiveDir] OU Delegation

2006-01-19 Thread Darren Mar-Elia

I agree wholeheartedly. GP has lots of potential for causing major headaches across thousands of machines at once, and yet I'm amazed at how few folks I come across practice good change management on them the way they would when rolling out any new application update or patch. In Win2K days it was a bit harder, but with GPMC, RSoP and the myriad of 3rd party tools on the market for change control, the implementation of "accidental" and disruptive GP changes should be a thing of the past. "Should be" being the operative phrase :).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, January 19, 2006 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

"when the GPO guys screwed up on the main account domains. They locked down EVERY single userid to kiosk mode"

Most people mitigate this sort of risk by technical review, automating the change application, and testing in a separate test forest. I can't see creating a separate domain as a "safe haven" for screwups like that. And it doesn't provide a safe haven from lots of other potential screwups like replication topology changes or schema mods.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 19, 2006 11:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Exactly. There are good reasons for and against both multiple domains (including empty) and multiple forests. As a safe haven from domain level GPOs or final QA point for domain level modifications are things I wouldn't push against. Does it make sense for everyone? Depends on your management structure and concerns - some will see that as an issue that could impact them, others could see it as nothing. As a security barrier to protect hacking of the enterprise/schema admin is one I would push against because it doesn't actually do anything to help that. Organization of the forest is one that could easily go either way, tough to argue it as it really isn't technically based. In larger multidomain environments, I tend to like empty roots because the overhead is usually quite minimal in relation to everything else and it is a great place to deploy new patches, etc.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

candid=on
As we've heard before today - do a cost/benefit study.

Is it really prudent to build an extra domain with the incurred overheads just in case someone makes a mistake? There are doubtless other mistakes which can only be mitigated by building a separate forest.

There may be good reasons (and bad ones too) for building a placeholder domain - these reasons need to be weighed against the incurred costs (over at least a 3 year period).
candid=off

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: 19 January 2006 14:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

"The biggest thing about an empty forest root is it is a safe haven. Safe haven: A domain where the god rights live and you don't apply any gpo's or other things that can get out of hand and hurt you. This actually saved my a__ once at [deleted] when the GPO guys screwed up on the main account domains. They locked down EVERY single userid to kiosk mode. Fortunately they have no rights in the root domain so couldn't do anything to my IDs so I could log onto my PC with the forest root ID and undo what they did."

Verbatim quote from one of the top [I mean "REALLY TOP"] AD guys on this list, to me in an offline when I asked him about whether or not I should do an empty root. I did it.

RH

  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Wednesday, January 18, 2006 8:13 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OU Delegation
  Well I didn't say I don't see the benefit of an empty 
  root. I just don't see it as a generic best practice. Sometimes it makes a ton 
  of sense, sometimes someone needs to be slapped for bringing it up. 
  ;o)
  joe
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Wednesday, January 18, 2006 5:11 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OU Delegation
  
  Boy, I just had a consultant recommend an empty root as best practice for a divestiture we're doing. Like Gil and Joe, I really don't see the benefit (nor could the consultant name anything specifically).
  
  We have a single domain and delegate OU rights based basically on an administrative team's need to manage a group of resources, typically computers. Users, groups and Exchange are managed centrally. Moving things around within

RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread Rich Milburn

Well, XP is kind of obscure, esp when you include Server 2003 SP1 in an imaging article (being very sarcastic, by the way, for those who have never been to England and do not catch such things :))

---
Rich Milburn
MCSE, Microsoft MVP -
Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell
of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 19, 2006 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Most likely oversight. I submit quite a few requests to get articles like this updated that are missing specific OS versions or App versions. At one point I asked that they have an additional field of "doesn't apply to" for OSes so you at least knew they weren't forgetting it. I was told to piss off.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Thursday, January 19, 2006 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Any idea why XP is omitted in this
article, but 2k and 2k3 are included?

http://support.microsoft.com/?id=162001

Do Not Disk Duplicate Installed Versions of Windows NT

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 6:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well I would agree that is not a safe
practice for most but for my application where all Local accounts are disabled
I do not see a problem.

Taken from http://www.sysinternals.com/Utilities/NewSid.html under the SID Duplication Problem

Duplicate SIDs aren't an issue in a
Domain-based environment since domain accounts have SID's based on the Domain
SID. But, according to Microsoft Knowledge Base article Q162001, Do Not
Disk Duplicate Installed Versions of Windows NT, in a Workgroup
environment security is based on local account SIDs. Thus, if two computers
have users with the same SID, the Workgroup will not be able to distinguish
between the users. All resources, including files and Registry keys, that one user
has access to, the other will as well.

Aaron

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You're getting duplicate SIDs here, bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have
yet to come across any problems, but there may be one big difference with my
images, before I ghost them or create the image I put the said machine into a
workgroup and then create image. After I have imaged a computer I log on
and change the Computer Name reboot and then join the domain with the new
computer name, should I be using Sysprep? 

And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don't sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda,

FWIW: It happens to me when I clone a workstation then try to join

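The duplicate-SID point argued above can be checked rather than guessed at. The following is an added PowerShell example, not code from the thread or from NewSID: it reads each machine's local SID (the prefix shared by all of its local accounts, which cloning without sysprep leaves identical on every copy) and groups hosts that share one. It assumes you can reach the hosts over WinRM/CIM with admin rights; the computer names are hypothetical.

```powershell
# Added example, not from the thread: find workstations that share a machine SID,
# i.e. were imaged from the same source without sysprep.
# Assumptions: CIM access to the hosts; the host names below are hypothetical.

function Get-MachineSid {
    # Local accounts have SIDs of the form <machine SID>-<RID>; drop the RID.
    # A disabled local account (as in Aaron's setup) still has its SID, so the
    # check works even when every local account is disabled.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $acct = Get-CimInstance -ClassName Win32_UserAccount -ComputerName $ComputerName `
                -Filter 'LocalAccount = TRUE' | Select-Object -First 1
    if (-not $acct) { throw "No local account found on $ComputerName" }
    $acct.SID -replace '-\d+$', ''
}

function Find-DuplicateMachineSid {
    # Returns one row per machine SID that more than one host reports.
    param([Parameter(Mandatory)][string[]]$Computers)
    $Computers | ForEach-Object {
        [pscustomobject]@{ Computer = $_; MachineSid = Get-MachineSid -ComputerName $_ }
    } | Group-Object -Property MachineSid | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ MachineSid = $_.Name; Computers = ($_.Group.Computer -join ', ') }
    }
}

Find-DuplicateMachineSid -Computers 'LAB-PC01', 'LAB-PC02', 'LAB-PC03'   # hypothetical names
```

An empty result means the machine SIDs differ; any row returned confirms the cloned-without-sysprep condition Brian describes. Note that this only tests the machine SID: sysprep resets other per-machine state as well, and it remains the only supported way to prepare an image regardless of what the SID check says.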
RE: [ActiveDir] OT: Gauging AD experience

2006-01-19 Thread joe

</gr_repl
<gr_replace lines="5727-5734" cat="clarify" orig="When I read">
When I read Al's post I thought of you Wook, I figured, hey Wook could use a creative presentation name... ;o)

I would say When Bad Things Happen To Good Directories is more on par with "When Bad Things Happen To Good People", say like when your nanny gets a flat tire. "When Good Directories Go Bad" is more like when your good little daughter hits her teen years and starts going out to parties in fish net stockings and Big Red gum. :o)
When I read Al's post I thought of you Wook, I figured, hey 
Wook could use a creative presentation name... ;o)

I would say When Bad Things Happen To Good Directories is 
more on par with "When Bad Things Happen To Good People", say like when your 
nanny gets a flat tire. "When Good Directories Go Bad" is more like when 
yourgood little daughter hits her teen years and starts going out to 
parties in fish net stockings and Big Red gum. :o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 19, 2006 2:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience
Importance: Low

Sorry, I already did that one. My first DEC presentation was entitled When Bad Things Happen To Good Directories. :)

Wook


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 8:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

When good directories go bad sounds like a catchy title for a presentation, Joe. I think of directories and identity management infrastructures a little like networks: you rarely do get to design one from scratch, you're always tweaking an existing one. And I agree that tweaking the existing ones are a lot more interesting than designing from a blank slate. The analogy could be taken too far, but like networks, directories and authentications systems are always morphing due to new technologies, new tools, adding or removing applications. Lots of fun.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

I would say focusing on 
the design of big directories is pigeon-holing a little too much. There are only 
so many big directories that need to be designed. I personally find much more 
fun in diagnosing good directories that have gone bad than trying to design 
them. I design if I have to but it isn't what I like. Plus often with the 
design, it is rarely the case where you actually have all of the info though 
someone will tell you you do. You find out you don't later on when someone 
starts complaining or something starts breaking. 

I am not sure I would 
go so far to say it is something you let the tools handle though. A lot of the 
tools out there still aren't doing the greatest job and there are many companies 
that don't want to spend the millions on those tools that they would be charged 
for them instead having a few really good people handling it. A tool doesn't see 
bad things coming when someone is coming at you with the next great thing they 
want to plug into the AD. If the tool does catch it, it is way too late in the 
integration cycle. Plus, what if the tool isn't catching the problem? Someone 
has to be knowledgeable enough too. If you depend solely on your tools to keep 
your AD running well it is possible you are going to get cut pretty good. When I 
did Ops, I had several tools that watched what had been determined needed to be 
watched and then I would just go off and sample things to decide if there was 
something that maybe could be watched that we weren't watching. That could take 
the form of just watching a network packets on a DC or a client subnet for an 
hour or so or just walking the event logs event by event or walking through 
looking at objects in the directory. Whatever.

To get into those 
positions you want to get in with the companies already mentioned and jump about 
(and try not to hurt the customer too much with your learning) or find a big 
company and take whatever entry position you can get and prove yourself and grow 
into bigger/better positions. Don't expect to, for instance, walk into Walmart 
and become their AD guy. Maybe you get in as desktop support and get to know the 
right people and make suggestions on how things can be better and work your way 
up. You could possibly walk into a company and be there expert right off if your 
experience is greater than what they currently have or your resume indicates it 
or they are desperate. But it could end up biting you in the end if you don't 
turn out to be what they expected. Companies can get mighty pissy if they find 
out down the road that they are paying 100k+ to someone who would normally be 
lucky making $45k. 

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, January 18, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Gauging AD experience
I am trying to figure out how one gauges their AD experience. For example, I have designed, implemented and maintained an AD/Exchange environment of 5000

FW: [ActiveDir] Changing Employee ID from workstation

2006-01-19 Thread Rich Milburn

Ok folks here was that message's contents (below) where everyone saw this:

My e-mail address changes on 31.12.2005; the user name part [möösefärm] stays as before, the new [frözenreindeerissniis] domain part [myfästsääb] is PKSSK.FI. ([EMAIL PROTECTED])

As for the content this sounds familiar but I can't put my finger on it. I've actually never modified the context menu in ADUC but it seems like there is something you have to do with the local console? Maybe I'm remembering wrong.


From: Marko Inkinen [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: VS: [ActiveDir] Changing Employee ID from workstation

I'm sure you did, Rich. And I apologize for the inconvenience with attachments.. But I guess it's like that here where the temperature is about minus 13 degrees fahrenheit.. if someone knows what to do, please don't hesitate to tell me :)

I also got a message like this:

Symantec Mail Security detected prohibited content in a message sent from your address

Subject of the message: [ActiveDir] Changing Employee ID from workstation
Recipient of the message: ActiveDir@mail.activedir.org

Does the list have a Symantec check perhaps?

Well, back to the point. I have found two solutions (I found the other one today) to use a VBScript so that it modifies a context menu on ADUC. The first one you'll find here: http://www.informit.com/articles/article.asp?p=169630&seqNum=5&rl=1. The other one I found from the list archive from Kouti: http://www.kouti.com/scripts.htm (employeeid.vbs)

I'm actually pretty sure that it worked sometimes earlier
also from my own computer but I haven't got it working anymore.

Best regards, Marko

From: [EMAIL PROTECTED] on behalf of Rich Milburn
Sent: Thu 19.1.2006 16:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Employee ID from workstation

I got it as an attached message to that one in Finnish?? I'm sure I saw the word reindeer in there somewhere :)

Marko, I need coffee, so maybe that's why, but I think you're saying you have a VBScript that is launched from a modification of the user context menu you made to ADUC on your DC, and the VBScript works fine, but what is not happening is that using ADUC on your computer, you do not have that modification? Or is the script modifying the context menu on ADUC?

Rich

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 2:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Employee ID from workstation

Is it just me, or are all posts from Marko unreadable
/ stripped of content? 

neil

From: Marko Inkinen [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 1:59 AM
To: ActiveDir@mail.activedir.org
Subject: Changing Employee ID from workstation

Hello list,

I've been using a VBScript for some time already to add an Employee ID manually through ADUC, but the problem is that I always have to make a remote desktop connection to the ADUC of the DC to do that. Isn't it possible to do it from the console at my workstation? Even if I add the script to my computer (I don't know if that is even necessary) I still can't see Employee ID in the context menu when I right click the user..

Thanx,

Marko

---APPLEBEE'S
INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- 
PRIVILEGED /
CONFIDENTIAL INFORMATION may be contained in this message or any attachments.
This information is strictly confidential and may be subject to attorney-client
privilege. This message is intended only for the use of the named addressee. If
you are not the intended recipient of this message, unauthorized forwarding,
printing, copying, distribution, or using such information is strictly
prohibited and may be unlawful. If you have received this in error, you should
kindly notify the sender by reply e-mail and immediately destroy this message.
Unauthorized interception of this e-mail is a violation of federal criminal
law. Applebee's International, Inc. reserves the right to monitor and review
the content of all messages sent to and from this e-mail address. Messages sent
to or from this e-mail address may be stored on the Applebee's International,
Inc. e-mail system. 

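What Marko is trying to do, registering a "Set Employee ID" item on the user context menu in ADUC, is done through the display specifiers in the forest's Configuration partition, not on any one machine. The following is an added PowerShell example, not the VBScript from the thread or from Kouti's site. It assumes a hypothetical script location on a share, \\files\adtools\employeeid.vbs, that every admin workstation can read, and that ADUC is run with the US-English UI (locale container CN=409; a Finnish-language ADUC reads CN=40B instead, so an entry under 409 does not show there). Because whatever is registered here runs on every administrator's workstation with that administrator's rights, only Enterprise Admins can write the specifier by default, and the script on the share must not be writable by anyone who is not already trusted at that level.

```powershell
# Added example, not from the thread: register an ADUC context-menu entry for
# user objects and show the write that the launched script performs.
# Assumptions (hypothetical): script on \\files\adtools\employeeid.vbs, US-English
# ADUC (display specifiers under CN=409).

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext
# Context menu entries live in the forest-wide Configuration partition, so an
# entry added here is seen by ADUC on any machine, not only the DC it was added from.
$userSpec = [ADSI]"LDAP://CN=user-Display,CN=409,CN=DisplaySpecifiers,$configNC"

# Each adminContextMenu value is "<position>,<menu text>,<command>". ADUC runs
# <command> with two arguments: the ADsPath of the selected object and its class.
Write-Host 'Current admin context menu entries:'
$userSpec.adminContextMenu | ForEach-Object { "  $_" }

$scriptPath = '\\files\adtools\employeeid.vbs'   # hypothetical UNC path
$entry      = "4,Set Employee ID,$scriptPath"

# A path that is local to the DC works only when ADUC runs on that DC; check it
# is reachable from the workstation you are registering it from.
if (-not (Test-Path -LiteralPath $scriptPath)) {
    throw "Script is not reachable from this workstation: $scriptPath"
}
if (@($userSpec.adminContextMenu) -notcontains $entry) {
    # ADS_PROPERTY_APPEND (3) adds one value without disturbing the existing entries.
    $userSpec.PutEx(3, 'adminContextMenu', @($entry))
    $userSpec.SetInfo()
}

# What the launched script does, written here as a function: take the ADsPath
# that ADUC passed as the first argument and write employeeID on that one user.
function Set-EmployeeId {
    param(
        [Parameter(Mandatory)][string]$ADsPath,     # e.g. LDAP://CN=Jane Doe,OU=Staff,DC=example,DC=com
        [Parameter(Mandatory)][string]$EmployeeId
    )
    if ($EmployeeId -notmatch '^[0-9]{4,10}$') {    # assumed format; adjust to local policy
        throw "Employee ID '$EmployeeId' does not match the expected format"
    }
    $user = [ADSI]$ADsPath
    if ($user.SchemaClassName -ne 'user') {
        throw "$ADsPath is a $($user.SchemaClassName), not a user"
    }
    $user.Put('employeeID', $EmployeeId)
    $user.SetInfo()
    $user.Get('employeeID')
}
```

Set-EmployeeId works from any workstation that can reach a DC over LDAP, which is the part Marko wants: the context menu entry is only a convenience for launching it. If the entry is registered but still missing on a workstation, the usual causes are the locale container (an ADUC running in another language reads a different CN=<LCID> container), Configuration partition replication not having reached the DC that workstation talks to, or the script path not being reachable.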

RE: [ActiveDir] OU Delegation

2006-01-19 Thread joe

Even with thorough review and testing things can still go wrong, say a script or tool that is supposed to lock down an ACL doesn't for some odd reason though it did in test every single time. I wouldn't say that safe haven in and of itself is a reason to have an empty root unless the parties involved felt strongly enough about that particular issue. But it is, IMO, good to add to the list of possible reasons. It is always a case of balancing the pros and cons and arriving at an answer that fits the specific case. I have been witness to several really evil or bad things or at least things generally considered to be so but acclimating myself to them when you hear all of the details and don't see any other solution. Often permissioning and delegation seems to be a pick the lesser of multiple evils situation, especially when doing things like trying to put in admin separation for separation of duties between things like Exchange and AD ops if the company or management isn't willing to invest in or support a complete provisioning solution.

Completely agree on replication topo changes and schema mods. I came from an environment where getting a schema mod through the system and accomplished in less than 6 months would have been a miracle, and yet, still, there is stuff in that schema that never should have made it in and was never used. Why? Because there are people in every company that have the weight to push things through that properly thinking people wouldn't allow.


I recall one cool issue where a new logon script was put into place on all users and the way it was written if there wasn't enough environment space the logon script would delete every file on the C: drive. Hundreds if not thousands of people all over the country were logging help desk tickets because their workstations crashed and burned and everyone thought there was a virus. This was a change that got pushed through even though myself and my manager fought it like they were trying to take away our magic 8-ball (which we made all serious decisions with). We didn't know that would happen but I had a strict rule of don't do complicated things with logon scripts because if it screws up, people will interpret that as a logon issue. In the end, the logon scripts were still used for this type of heavy duty stuff (software installs, etc) which I personally still to this day think is a bad idea. People aren't logging on for fun, they are logging on to get work done. If you don't let them do that, tough for them to get the work done.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, January 19, 2006 1:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

"when the GPO guys screwed up on the main account domains. They locked down EVERY single userid to kiosk mode"

Most people mitigate this sort of risk by technical review, automating the change application, and testing in a separate test forest. I can't see creating a separate domain as a "safe haven" for screwups like that. And it doesn't provide a safe haven from lots of other potential screwups like replication topology changes or schema mods.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 19, 2006 11:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Exactly. There are good reasons for and against both multiple domains (including empty) and multiple forests. As a safe haven from domain level GPOs or final QA point for domain level modifications are things I wouldn't push against. Does it make sense for everyone? Depends on your management structure and concerns - some will see that as an issue that could impact them, others could see it as nothing. As a security barrier to protect hacking of the enterprise/schema admin is one I would push against because it doesn't actually do anything to help that. Organization of the forest is one that could easily go either way, tough to argue it as it really isn't technically based. In larger multidomain environments, I tend to like empty roots because the overhead is usually quite minimal in relation to everything else and it is a great place to deploy new patches, etc.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

candid=on
As we've heard before today - do a cost/benefit 
study.

Is it really prudent to build an extra domain with the incurred overheads just
in case someone makes a mistake? There are doubtless other mistakes which can
only be mitigated by building a separate forest.


There may be good reasons (and bad ones too) for building a 
placeholder domain - these reasons need to be weighed against the incurred costs 
(over at least a 3 year period).
candid=off

neil


From: [EMAIL PROTECTED] 

RE: [ActiveDir] ADPrep Version Questions

2006-01-19 Thread joe



It needs specific files from the folder, but best to run it 
from the whole folder structure.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, January 19, 2006 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions


Ok. Promise. Last adprep question: Does 
adprep need to be run from an i386 directory or can it be run on its own? Does 
it have dependent files within i386 or is it 
self-contained?

Thanks.






From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 5:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

LOL. It isn't a decimal number though... It 
is a series of variable length decimal numbers separated by the period 
character... Sort of like an OID

1.2.840.113556.1.4.7000.102.7038

Versioning is a lost art I think though. I 
am big on xx.yy.zz. xx.=major, yy=minor, zz=really minor, =build. 


To me... major rev changes for big changes, massive updates or rewrites or
dramatic functional changes. minor is added features, bug fixes. really minor
is output string changes or remarks in the code being changed, things that
don't change the code flow and don't require any serious testing (I rarely
update this one). And build of course is how many times the bin has been
compiled.


G:\>filever f:\dev\cpp\adfind\adfind.exe
--a-- W32i APP ENU 1.29.0.785 shp 950,784 12-22-2005 adfind.exe

The current release version of adfind 
for instance has been compiled 785 times. Well actually that is incorrect, it 
has compiled 785 times since V01.08.00. There was a little bug in the routine I 
had been using to increment the counter and it was resetting on every new minor 
version rev. If I follow the average I am probably off by 250-300 compile build 
numbers but I expect it is less than that because as the complexity grew in 
versions 15 the number of compiles between releases went up due to testing 
and bug hunting. 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

It's a common source of 
confusion.

Ask a user if version 1.4.4 is newer or 
older than 1.4.3.4 :)

Some say "34>4 therefore the latter is newer", some say "4>3 therefore the
former is newer".

neil
PS The purist in me would say that without a leading 0, the 196 below looks
like 1 thousand 9 hundred and 60 and 1960 > 1830. it's all about justification,
when dealing with the decimal notation :)




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 January 2006 15:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions
Ah don't worry about it, I figured you were 
just disconnected there when I saw the first question at all. That is why I 
counted it out. :)






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, January 17, 2006 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions
Oh (blush)

Don't mind me. I'm just over here 
re-learning that whole tens, hundreds, thousands, etc thing. 


Ugh! (eyes roll skyward, head 
shakes)

;-)

Sorry for the wasted 
bandwidth.






From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 17, 2006 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

one thousand eight hundred and thirty is 
greater than one hundred ninety six. The SP1 version is the most recent and 
highest version of adprep. 

0
1
2
3
4
5
6
...
194
195
196
197
198
199
200
...
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
...

 joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, January 17, 2006 7:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions
yes






From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 17, 2006 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

Are you asking if 1830 > 196?





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, January 17, 2006 6:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADPrep Version Questions
Hi-

I am preparing to upgrade a W2k domain to W2k3. I want to use the latest
version of ADPrep. I have found the following info and am confused:

For ADPrep on the following -

From Windows Server 2003 CD:
5.2.3790.0        July 22, 2004, 9:07:08 AM

From WindowsServer2003-KB889101-SP1-x86-ENU.exe:
5.2.3790.1830     November 07, 2005, 5:48:59 PM

Listed in MSKB / Hotfix 324392:
5.2.3790.196      July 23, 2004, 9:04

Am I reading that correctly: the one from SP1 is a lower version and later
date than the one in the hotfix? Which one is the latest?

Thanks.

-- 
nme

--
No virus found in this outgoing message.
Checked by AVG Free
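The field-by-field comparison joe describes above, as an added example in Python that is not part of this thread: it takes the three adprep build numbers Noah listed and shows that 5.2.3790.1830 is the highest, that plain string sorting would put 5.2.3790.196 above it, and that neil's 1.4.4 vs 1.4.3.4 question has a definite answer once missing trailing fields count as zero. The labels for the three builds are constructed for this example.

```python
"""Compare dotted version strings field by field, as joe describes.

Added example, not code from the ActiveDir thread. The three adprep builds
are the ones quoted in the thread; the labels are constructed for this example.
"""
import re
from functools import cmp_to_key
from typing import Dict, List, Tuple

# Constructed sample input: the adprep.exe builds Noah listed.
ADPREP_BUILDS: Dict[str, str] = {
    "Windows Server 2003 CD": "5.2.3790.0",
    "MSKB / Hotfix 324392": "5.2.3790.196",
    "KB889101 (SP1)": "5.2.3790.1830",
}

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Split 'a.b.c.d' into a tuple of ints.

    Each field is its own decimal number (like an OID arc), so 1830 beats 196
    even though '1830' sorts before '196' as text.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(field) for field in text.split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    Missing trailing fields count as zero, so 1.4.4 == 1.4.4.0 and
    1.4.4 > 1.4.3.4 (the third field decides: 4 > 3).
    """
    fa, fb = parse_version(a), parse_version(b)
    width = max(len(fa), len(fb))
    fa += (0,) * (width - len(fa))
    fb += (0,) * (width - len(fb))
    return (fa > fb) - (fa < fb)


def text_order_is_wrong(a: str, b: str) -> bool:
    """True when plain string comparison would misorder the pair.

    This is the trap in the thread: as text, '5.2.3790.196' sorts after
    '5.2.3790.1830' because '9' > '8' at the first differing character.
    """
    numeric = compare_versions(a, b)
    textual = (a > b) - (a < b)
    return numeric != textual


def sort_builds(builds: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (label, version) pairs ordered from oldest to newest."""
    key = cmp_to_key(lambda x, y: compare_versions(x[1], y[1]))
    return sorted(builds.items(), key=key)


def newest_build(builds: Dict[str, str]) -> str:
    """Label of the highest version, i.e. the adprep you actually want to run."""
    return sort_builds(builds)[-1][0]


if __name__ == "__main__":
    for label, version in sort_builds(ADPREP_BUILDS):
        print(f"{version:>14}  {label}")
    print("newest:", newest_build(ADPREP_BUILDS))
    print("1.4.4 vs 1.4.3.4:", compare_versions("1.4.4", "1.4.3.4"))
```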

RE: [ActiveDir] OT: speaking of AD books...

2006-01-19 Thread Mark Parris
I just went to see the UK release date on amazon.co.uk for this book and
it's 28/02 or 02/28 depending on your flavour and I saw this - someone was
not happy.

+

Active Directory, 2nd Edition, August 14, 2003

Reviewer: A reader from Oxfordshire, United Kingdom  

I was recommended this book and can only guess at what the person who
recommended it was thinking. Make no mistake, this book is poor. Some parts
are misleading, there are a number of omissions (for example, there's a long
discussion of changing domain/forest modes, but no discussion of what the
modes are and what each provides) and some parts are just plain incorrect. 

Now, how do I get my money back?

+

Anyway it made me laugh.

Mark

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: 19 January 2006 18:57
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: speaking of AD books...

Design and Deployment of Microsoft's Active Directory
O'Reilly Releases Active Directory, Third Edition

Sebastopol, CA--Since its introduction in Windows 2000, Microsoft's Active
Directory has improved the way organizations share network resources such
as users, groups, computers, printers, applications, and files. Having a
single source for this information makes it more accessible and easier to
manage, notes Robbie Allen, co-author of the highly acclaimed Active
Directory, now available in its third edition (O'Reilly, US $49.99). To
accomplish this, however, requires a significant amount of knowledge on
topics such as LDAP, Kerberos, DNS, multi-master replication, group
policies, and data partitioning, to name a few.

In other words, Active Directory is still a major headache for network and
system administrators who have to design, implement, and support it.
Allen's book, co-written with industry experts Joe Richards and Alistair
G. Lowe-Norris, offers a clear and detailed introduction that not only
guides administrators through the maze of technologies, but also helps
them understand the big picture.

Our book describes Active Directory in depth, but not in the traditional
way of going through the graphical user interface screen by screen, Allen
explains. Instead, the book sets out to tell administrators how to
design, manage, and maintain a small, medium, or enterprise Active
Directory infrastructure that's both scalable and reliable.

Many industry authorities consider this book to be the definitive resource
for implementing Active Directory. Allen, Richards, and Lowe-Norris have
revised the new edition of Active Directory significantly to describe
features that have been updated or added in Windows Server 2003 R2,
including coverage of programmatic interfaces available to manage them.
Three additional chapters explain new features and concepts such as Active
Directory Application Mode (ADAM), and scripting for common user and group
tasks for Microsoft Exchange 2000/2003.

Once information has been added to Active Directory, it can be made
available for use throughout the entire network to as many or as few
people as an administrator likes, Allen points out. The structure of the
information can match the structure of the organization, and users can
query Active Directory to find the location of a printer or the email
address of a colleague. Administrators can delegate control and management
of the data however they see fit.

While Microsoft's documentation serves as an important reference, any
administrator who deals with Active Directory will find this book to be a
valuable resource, whether he or she manages a single server or works for
a global multinational with thousands of servers. To that end, Active
Directory is divided into three sections:

-Part I introduces in general terms how Active Directory works, giving
 readers a thorough grounding in its concepts, such as Active Directory
 replication, the schema, application partitions, group policies, and
 interaction with DNS.

-Part II covers the issues around properly designing the directory
 infrastructure, including designing the namespace, creating a site
 topology, designing group policies for locking down client settings,
 auditing, permissions, backup and recovery, and a look at Microsoft's
 future direction with Directory Services.

-Part III is all about managing Active Directory via automation with
 Active Directory Service Interfaces (ADSI), ActiveX Data Objects (ADO),
 and Windows Management Instrumentation (WMI). Readers learn how to create
 and manipulate users, groups, printers, and other objects in their
 everyday management of Active Directory.

Administrators who want a book that lays bare the design and management
of an enterprise or departmental Active Directory need look no further,
Allen says. Even if they have a previous edition of the book, they'll
find this third edition to be full of updates and 

RE: [ActiveDir] ADPrep Version Questions

2006-01-19 Thread Gil Kirkpatrick



There are no .dlls that it needs outside of what's in system32, but I think
there are a bunch of .ldf files in \i386 that it uses.

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, January 19, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions


Ok. Promise. Last adprep question: Does 
adprep need to be run from an i386 directory or can it be run on its own? Does 
it have dependent files within i386 or is it 
self-contained?

Thanks.







RE: [ActiveDir] OU Delegation

2006-01-19 Thread joe



 "Should be" being the operative phrase 


Exactly. I have a phrase I like to use to describe 
that

"Theory meet Reality." 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, January 19, 2006 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

I agree wholeheartedly. GP has lots of potential for causing major headaches
across thousands of machines at once and yet I'm amazed at how few folks I come
across practice good change management on them the way they would when rolling
out any new application update or patch. In Win2K days it was a bit harder, but
with GPMC, RSOP and the myriad of 3rd party tools on the market for change
control, the implementation of "accidental" and disruptive GP changes should be
a thing of the past. "Should be" being the operative phrase :). 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, January 19, 2006 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

when the GPO guys screwed up on the main account domains. They locked down
EVERY single userid to kiosk mode

Most people mitigate this sort of risk by technical review, automating the
change application, and testing in a separate test forest. I can't see creating
a separate domain as a "safe haven" for screwups like that. And it doesn't
provide a safe haven from lots of other potential screwups like replication
topology changes or schema mods.

-gil




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: 19 January 2006 14:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

"The biggest thing about an 
empty forest root is it is a safe haven. Safe haven: A domain where the 
god rights live and you don't apply any gpo's or other things that can get out 
of hand and hurt you. This actually saved my a__ once at [deleted] when 
the GPO guys screwed up on the main account domains. They locked down EVERY 
single userid to kiosk mode. Fortunately they have no rights in the root 
domain so couldn't do anything to my IDs so I could log onto my PC with the 
forest root ID and undo what they did."

Verbatim quote from one of the top [I mean "REALLY TOP"] AD guys on this list
to me in an offline when I asked him about whether or not I should do an empty
root. I did it.

RH
_


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Wednesday, January 18, 2006 8:13 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OU Delegation
  Well I didn't say I don't see the benefit of an empty 
  root. I just don't see it as a generic best practice. Sometimes it makes a ton 
  of sense, sometimes someone needs to be slapped for bringing it up. 
  ;o)
   
   joe
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Wednesday, January 18, 2006 5:11 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OU Delegation
  
  
  Boy, I just had a 
  consultant recommend an empty root as best practice for a divestiture we're 
  doing. Like Gil and 

RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread Charlie Kaiser
I can relate. I frequently do the 60 hr week thing, and as the senior of
the two IT people for our company, I do all the
design/planning/decision-making, as well as fix all the hard stuff the
other guy can't fix.
I have found that automating my repetitive tasks has helped a lot. I did
a few things to help my ability to work smarter rather than harder.
I set aside an hour a day for a while (at home, at work after hours,
wherever) and played with new tools; reskit, joeware, scripting,
whatever it took. That got me some confidence in using the advanced
tools.
I spent a bunch of time on this forum and the sys admin forum (sunbelt).
Lurking mostly, and contributing when time and skill allowed, but
frequently looking at a problem, making an estimate of the fix, and then
comparing my fix to the experts. 
I developed monitoring for all my production using What's Up Gold and
Dumpevt/grep. That allowed me to find most failures well before they
developed. I'd say better than 95% of the server problems I deal with
are things I find before the end-users know about them, which is how it
should be, IMO.
I've also trained my junior admin and handed off all the stuff I can to
him. It's hard to let go of some of it, but once I do and see that it's
getting handled, I relax. :-)
I think the bottom line is that until I took the steps necessary to work
smarter, I just kept working harder. Spending a bunch of time to improve
my skills and efficiency paid off tremendously. I don't do the 100 hour
weeks anymore. Spending 8 hours to develop workable group policies saved
me at least that much time per week with desktop configuration issues.
If you can get your boss to buy into allowing you some no-contact time
each week, you can use that to improve your skills/efficiency. You can
make the case to him/her that using a bit of your time will pay
dividends quickly. 
Do whatever it takes to move as far from reactive mode as you can. I've
felt your pain; it's no fun...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
 Sent: Thursday, January 19, 2006 7:39 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD computer accounts being removed
 
 Charlie,
 
 Thanks for taking the time to explain.  I'm in a position 
 where I'm making
 the big decisions, doing the big work and also doing all the 
 little details
 (I'm it) including daily problems.  Zero training/learning time, zero
 anything except get to the next fire.  I need spend some time 
 learning and
 using tools like sysprep and GP to get back some of that time.
 
 Gary
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Charlie Kaiser
 Sent: Thursday, January 19, 2006 10:07 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD computer accounts being removed
 
 
 Sysprep is pretty simple; there's a lot of documentation 
 available on it. As
 Rich mentioned, you need to set up your customizations under 
 one profile and
 copy that to the default user profile. Some irksome things 
 change, however.
 One of my pet peeves is that when you sysprep a PC, the next 
 time it boots,
 the select OS timeout goes from whatever you have set it to 
 (5 sec in our
 case) back to the default of 30 sec. 
 
 I have found that using group policy to make most of the 
 settings changes is
 better than doing it on the workstation. We start with a 
 sysprepped image
 that runs the mini-setup when first booted. We then the 
 workstation and
 place it in the domain, where the GPOs apply to make all the required
 settings.
 
 I was able to go from a boot floppy, ghost, and ghostwalker 
 to a boot CD,
 sysprep, and ghost (our new laptops don't have floppy drives) 
 in about 4
 days of testing and fine-tuning. I took a couple of laptops 
 and a BartPE CD
 (with ghost added to it) into a spare conference room, didn't 
 answer my
 phone, and worked it all out. A few days of work and the result is
 significantly simpler deployment of new images.
 
 **
 Charlie Kaiser
 W2K3 MCSA/MCSE/Security, CCNA
 Systems Engineer
 Essex Credit / Brickwalk
 510 595 5083
 **
  
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
  Sent: Thursday, January 19, 2006 5:01 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD computer accounts being removed
  
  Thanks for the link Nav.
   
  I use Symantec (PowerQuest) V2i Desktop (DriveImage).
  Haven't used Ghost (Ghostwalker) or Sysprep.  Been wanting to 
  experiment with Sysprep but haven't had the time.  I was 
  thinking about that this morning though.  Is there a big 
  learning curve with Sysprep?  
   
  I use V2i for cloning, because I'm already using that for
  backups of all the workstations 

RE: [ActiveDir] OT: Gauging AD experience

2006-01-19 Thread Hutchins, Mike



LOL



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 19, 2006 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

When I read Al's post I thought of you Wook, I figured, hey 
Wook could use a creative presentation name... ;o)

I would say When Bad Things Happen To Good Directories is 
more on par with "When Bad Things Happen To Good People", say like when your 
nanny gets a flat tire. "When Good Directories Go Bad" is more like when 
your good little daughter hits her teen years and starts going out to 
parties in fish net stockings and Big Red gum. :o)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 19, 2006 2:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience
Importance: Low


Sorry, I already did 
that one. My first DEC presentation was entitled When Bad Things Happen To Good 
Directories. J

Wook





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 8:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

when good directories 
go bad sounds like a catchy title for a presentation, Joe. I think of 
directories and identity management infrastructures a little like networks: you 
rarely do get to design one from scratch, you're always tweaking an existing 
one. And I agree that tweaking the existing ones are a lot more 
interesting than designing from a blank slate. The analogy could be taken 
too far, but like networks, directories and authentications systems are always 
morphing due to new technologies, new tools, adding or removing 
applications. Lots of fun.


Al Maurer Service Manager, Naming and 
Authentication Services 
IT | Information 
Technology 
Agilent Technologies (719) 590-2639; Telnet 
590-2639 
http://activedirectory.it.agilent.com 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

I would say focusing on 
the design of big directories is pigeon-holing a little too much. There are only 
so many big directories that need to be designed. I personally find much more 
fun in diagnosing good directories that have gone bad than trying to design 
them. I design if I have to but it isn't what I like. Plus often with the 
design, it is rarely the case where you actually have all of the info though 
someone will tell you you do. You find out you don't later on when someone 
starts complaining or something starts breaking. 

I am not sure I would 
go so far to say it is something you let the tools handle though. A lot of the 
tools out there still aren't doing the greatest job and there are many companies 
that don't want to spend the millions on those tools that they would be charged 
for them instead having a few really good people handling it. A tool doesn't see 
bad things coming when someone is coming at you with the next great thing they 
want to plug into the AD. If the tool does catch it, it is way too late in the 
integration cycle. Plus, what if the tool isn't catching the problem? Someone 
has to be knowledgeable enough too. If you depend solely on your tools to keep 
your AD running well it is possible you are going to get cut pretty good. When I 
did Ops, I had several tools that watched what had been determined needed to be 
watched and then I would just go off and sample things to decide if there was 
something that maybe could be watched that we weren't watching. That could take 
the form of just watching a network packets on a DC or a client subnet for an 
hour or so or just walking the event logs event by event or walking through 
looking at objects in the directory. Whatever.

To get into those 
positions you want to get in with the companies already mentioned and jump about 
(and try not to hurt the customer too much with your learning) or find a big 
company and take whatever entry position you can get and prove yourself and grow 
into bigger/better positions. Don't expect to, for instance, walk into Walmart 
and become their AD guy. Maybe you get in as desktop support and get to know the 
right people and make suggestions on how things can be better and work your way 
up. You could possibly walk into a company and be their expert right off if your 
experience is greater than what they currently have or your resume indicates it 
or they are desperate. But it could end up biting you in the end if you don't 
turn out to be what they expected. Companies can get mighty pissy if they find 
out down the road that they are paying 100k+ to someone who would normally be 
lucky making $45k. 

 
joe







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, January 18, 2006 11:49 AM
To: 

RE: [ActiveDir] OT: speaking of AD books...

2006-01-19 Thread joe
Yeah the dates have been all dorked up. Even the O'Reilly site initially
said Feb. The initial thought was this would be out for the release of R2 at
the end of the year. Didn't happen. :)

Anyway, as mentioned in another post, I got my advance copy via FedEx today
so I know hardcopy versions officially exist, at least one. I was last told
the 18th was the date and today is the 19th and it was shipped to me on the
17th so that seems pretty accurate. Not sure when it will hit US Amazon.
Once it does, I will post a link from my website that will take people
directly to it. 

Hopefully the person who posted that review below will take another read and
see if I made it better for them as there were, to be honest, parts that
were just plain incorrect. :) However there was/is a table indicating what
modes there are and what you get from each. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, January 19, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: speaking of AD books...

I just went to see the UK release date on amazon.co.uk for this book and
it's 28/02 or 02/28 depending on your flavour and I saw this - someone was
not happy.

+

Active Directory, 2nd Edition, August 14, 2003

Reviewer: A reader from Oxfordshire, United Kingdom  

I was recommended this book and can only guess at what the person who
recommended it was thinking. Make no mistake, this book is poor. Some parts
are misleading, there are a number of omissions (for example, there's a long
discussion of changing domain/forest modes, but no discussion of what the
modes are and what each provides) and some parts are just plain incorrect. 

Now, how do I get my money back?

+

Anyway it made me laugh.

Mark

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: 19 January 2006 18:57
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: speaking of AD books...

Design and Deployment of Microsoft's Active Directory O'Reilly Releases
Active Directory, Third Edition

Sebastopol, CA--Since its introduction in Windows 2000, Microsoft's Active
Directory has improved the way organizations share network resources such as
users, groups, computers, printers, applications, and files. Having a
single source for this information makes it more accessible and easier to
manage, notes Robbie Allen, co-author of the highly acclaimed Active
Directory, now available in its third edition (O'Reilly, US $49.99). To
accomplish this, however, requires a significant amount of knowledge on
topics such as LDAP, Kerberos, DNS, multi-master replication, group
policies, and data partitioning, to name a few.

In other words, Active Directory is still a major headache for network and
system administrators who have to design, implement, and support it.
Allen's book, co-written with industry experts Joe Richards and Alistair G.
Lowe-Norris, offers a clear and detailed introduction that not only guides
administrators through the maze of technologies, but also helps them
understand the big picture.

Our book describes Active Directory in depth, but not in the traditional
way of going through the graphical user interface screen by screen, Allen
explains. Instead, the book sets out to tell administrators how to design,
manage, and maintain a small, medium, or enterprise Active Directory
infrastructure that's both scalable and reliable.

Many industry authorities consider this book to be the definitive resource
for implementing Active Directory. Allen, Richards, and Lowe-Norris have
revised the new edition of Active Directory significantly to describe
features that have been updated or added in Windows Server 2003 R2,
including coverage of programmatic interfaces available to manage them.
Three additional chapters explain new features and concepts such as Active
Directory Application Mode (ADAM), and scripting for common user and group
tasks for Microsoft Exchange 2000/2003.

Once information has been added to Active Directory, it can be made
available for use throughout the entire network to as many or as few people
as an administrator likes, Allen points out. The structure of the
information can match the structure of the organization, and users can query
Active Directory to find the location of a printer or the email address of a
colleague. Administrators can delegate control and management of the data
however they see fit.

While Microsoft's documentation serves as an important reference, any
administrator who deals with Active Directory will find this book to be a
valuable resource, whether he or she manages a single server or works for a
global multinational with thousands of servers. To that end, Active
Directory is divided into three sections:

-Part I introduces in general terms how Active Directory works, giving

Re: [ActiveDir] ADPrep Version Questions

2006-01-19 Thread Jeremy Olson
On the 2nd CD for R2 there is an AD prep directory (\CMPNENTS\R2\ADPREP) that contains all the files that are needed.

Jeremy

On 1/19/06, Gil Kirkpatrick [EMAIL PROTECTED] wrote:

There are no .dlls that it needs outside of what's in system32, but I think there are a bunch of .ldf files in \i386 that it uses.

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Thursday, January 19, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

Ok. Promise. Last adprep question: Does adprep need to be run from an i386 directory or can it be run on its own? Does it have dependent files within i386 or is it self-contained?
Thanks.

From: joe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 18, 2006 5:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

LOL. It isn't a decimal number though... It is a series of variable length decimal numbers separated by the period character... Sort of like an OID

1.2.840.113556.1.4.7000.102.7038

Versioning is a lost art I think though. I am big on xx.yy.zz. xx.=major, yy=minor, zz=really minor, =build.

To me... major rev changes for big changes, massive updates or rewrites or dramatic functional changes. Minor is added features, bug fixes. Really minor is output string changes or remarks in the code being changed, things that don't change the code flow and don't require any serious testing (I rarely update this one). And build of course is how many times the bin has been compiled.

G:\>filever f:\dev\cpp\adfind\adfind.exe
--a-- W32i APP ENU 1.29.0.785 shp 950,784 12-22-2005 adfind.exe

The current release version of adfind for instance has been compiled 785 times. Well actually that is incorrect, it has compiled 785 times since V01.08.00. There was a little bug in the routine I had been using to increment the counter and it was resetting on every new minor version rev. If I follow the average I am probably off by 250-300 compile build numbers but I expect it is less than that because as the complexity grew in versions 15 the number of compiles between releases went up due to testing and bug hunting.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions
It's a common source of confusion.

Ask a user if version 1.4.4 is newer or older than 1.4.3.4 :)

Some say 344 therefore the latter is newer some say 43 therefore the former is newer

neil

PS The purist in me would say that without a leading 0, the 196 below looks like 1 thousand 9 hundred and 60 and 19601830. it's all about justification, when dealing with the decimal notation :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: 18 January 2006 15:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions
Ah don't worry about it, I figured you were just disconnected there when I saw the first question at all. That is why I counted it out. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Tuesday, January 17, 2006 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions
Oh (blush)

Don't mind me. I'm just over here re-learning that whole tens, hundreds, thousands, etc thing.

Ugh! (eyes roll skyward, head shakes)

;-)

Sorry for the wasted bandwidth.

From: joe [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 17, 2006 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

one thousand eight hundred and thirty is 
greater than one hundred ninety six. The SP1 version is the most recent and 
highest version of adprep. 

0
1
2
3
4
5
6
...
194
195
196
197
198
199
200
...
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
...

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Tuesday, January 17, 2006 7:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions
yes

From: joe [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 17, 2006 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

Are you asking if 1830 > 196?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Tuesday, January 17, 2006 6:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADPrep Version Questions
Hi-

I am preparing to upgrade a W2k domain to W2k3. I want to use the latest version of ADPrep. I have found the following info and am confused:

For ADPrep on the following -
From Windows Server 2003 CD: 5.2.3790.0, July 22, 2004, 9:07:08 AM
From WindowsServer2003-KB889101-SP1-x86-ENU.exe: 5.2.3790.1830, November 07, 2005, 5:48:59 PM
Listed in MSKB / Hotfix 324392

Re: [ActiveDir] OT: speaking of AD books...

2006-01-19 Thread Al Mulnick
That may have been me, but I was really just ticked that I didn't get a signed copy ;)

Seriously, I'm looking forward to reading it though. Right after I learn what this AD stuff is, it's going to be high on my list G

Re: [ActiveDir] 3rd party DNS and windows DDNS updates

2006-01-19 Thread Al Mulnick
Give a little more detail, can you? 

What I think you're asking is, if the zone is a third party hosted zone delegated to AD, but the users are using the third party host as their primary dns resolver, then would they be able to update their records? 


Is that about it? 

If that's the case, then I would think not. Why? Because the client must talk directly to the server that is authoritative for the zone so it can write the record. 

In most situations, I have always advocated having machines use the servers that host their primary zone for all transactions. This has always resulted in higher availability and lower resolution times when/if issues arise (it's hard to keep admins from doing things, right? ;)


Further, if the client machine is an AD member, it will do better if it is able to register its forward and reverse information. Not for AD necessarily, but for other applications that use DNS. If you're going to delegate the zone to AD anyway, have the clients use the AD DNS and just simplify your design. All your AD DNS servers would then just forward or otherwise allow resolution for other zones, but you wouldn't have a bunch of complex name resolution issues. 

Al

On 1/19/06, Chandra Burra [EMAIL PROTECTED] wrote:

Hi,

Wanted to know if any one has tried this or does this work.

Having a 3rd party DNS with a sub-zone or child zone created for AD and delegated that zone to windows DDNS.

Now if the clients are pointing to 3rd party DNS as primary DNS - will these clients be able to still register with the dynamic windows DNS??

Regards,
Chandra Burra



Re: [ActiveDir] AD DNS in Windows delegation to Novell DNS

2006-01-19 Thread Al Mulnick
You'll be happy to hear you wouldn't recognize it as your father's Novell, so to speak. It's a linux/novell hybrid now supposedly including 6.5 kernel and linux pieces blended together in a magical way that makes it better, shinier, faster etc. Groupwise is a nice front end to sendmail last I checked, although that should have changed with the acquisition of SuSE. Or were they acquired by SuSE? 


Anyway, I think he answered his own question later and asked the question of how to delegate the zone but still use a different primary name res server. Weird, but that's the question as I understand it. 


Al

On 1/18/06, David Adner [EMAIL PROTECTED] wrote:

Unless Novell's changed what flavor of DNS/feature set they have since NetWare 5.1 (last time I ever saw Novell) it did not support dynamic updates. More specifically, it supported dynamic updates but only via a NetWare DHCP server. Also, at the time, the GUI for managing records didn't support the creation of SRV records in the way AD requires. The dialog box's fields were weird.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chandra Burra
Sent: Wednesday, January 18, 2006 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DNS in Windows delegation to Novell DNS

Hi Team,

Wanted to know what are the pro's and con's of delegating the DNS zone created in Windows DNS for 2003AD being delegated to Novell DNS as the client wants to use Novell as the primary

Regards,
Chandra Burra

RE: [ActiveDir] 3rd party DNS and windows DDNS updates

2006-01-19 Thread Alex Fontana

As I understand it; the client machine queries its primary DNS server for the SOA of the zone that matches the client's primary DNS Suffix. It then attempts to register its A/PTR records with the primary for that zone. That said, as long as the client's primary dns server knows who the SOA for the client's zone is you should be ok. Yay? Nay?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, January 19, 2006 6:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 3rd party DNS and windows DDNS updates


RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread joe

FYI. I submitted a request to have this article reviewed and corrected as deemed necessary.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Thursday, January 19, 2006 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed


Well, XP is kind of obscure, esp when you include Server 2003 SP1 in an imaging article (being very sarcastic by the way for those who have never been to England and do not catch such things) :)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 19, 2006 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Most likely oversight. 
I submit quite a few requests to get articles like this updated that are missing 
specific OS versions or App versions. At one point I asked that they have an 
additional field of "doesn't apply to" for OSes so you at least knew they 
weren't forgetting it. I was told to piss off.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Thursday, January 19, 2006 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Any idea why XP is omitted in this article, but 2k and 2k3 are included?
http://support.microsoft.com/?id=162001
"Do Not Disk Duplicate Installed Versions of Windows NT"

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 6:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well I would agree that is not a safe practice for most but for my application where all Local accounts are disabled I do not see a problem.

Taken from http://www.sysinternals.com/Utilities/NewSid.html under the SID Duplication Problem:

Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts have SID's based on the Domain SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of Windows NT", in a Workgroup environment security is based on local account SIDs. Thus, if two computers have users with the same SID, the Workgroup will not be able to distinguish between the users. All resources, including files and Registry keys, that one user has access to, the other will as well.

Aaron

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You're getting duplicate SIDs here - bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep?

And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don't sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

RE: [ActiveDir] Permissions vanishing

2006-01-19 Thread joe

I concur with Gil, either something really bad is happening or the auditing isn't tight (i.e. some account doing the work is outside of the audit policy, like say you configured watch for domain users making changes and it isn't catching the secprin doing it). Verify the SACL on the folder (btw is that getting changed too?), make sure SharedData isn't a junction and taking its perms from somewhere else, set up a script to do event notification on the folder that will detect a DACL change and tell you exactly when it is occurring.

On the last, if you need it, I think I have some old old old old perl code I wrote back in the 90's to do file change notification I could try and find. A friend of mine had a project where he had to set up an auto FTP feed that had to be fired when certain file types hit the folder so I whipped up a quick perl script to handle it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, January 19, 2006 2:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions vanishing

The fact that nothing showed up in the audit log is disturbing. Can you modify the ACL manually and see the audit entries that appear?

Is there possibly a group policy that is changing the ACLs?

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V Contractor NASIC/SCNA
Sent: Thursday, January 19, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Permissions vanishing

Hey everyone,

I am having an issue with a cluster server that shares our common access data drive. Every other day, the NTFS permissions on the shared clustered drive will revert to only Administrators and System having privileges. I have it set up as follows:

X:\SharedData - Share permissions
    Authenticated Users: RWX

X:\SharedData - Inherited NTFS permissions
    Authenticated Users: RX, LIST FOLDER CONTENTS
    Administrators: F
    System: F

Every other day or so the Authenticated users vanish from the NTFS permissions.

I enabled auditing on the folder for permission change, but nothing came up in the security log that stated that the permissions had changed.

Any ideas?

I would appreciate anything anyone had to suggest.

Thanks,
Nate
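The event-notification script joe describes, written here as an added example rather than joe's old perl: it runs his two checks (junction, SACL) and then logs the exact moment the DACL on X:\SharedData changes, with the ACEs that appeared or vanished. It assumes Windows PowerShell 5.1 or later run elevated (reading the SACL needs SeSecurityPrivilege); the folder path is Nate's, the log location is an assumption.

```powershell
# Added example, not code from the thread. Baselines a folder's DACL, checks for a
# junction and for an empty SACL, then blocks on security-descriptor notifications
# and logs DACL changes ACE by ACE. Assumes PowerShell 5.1+, run elevated.
param(
    [string]$Path        = 'X:\SharedData',                       # folder from Nate's post
    [string]$LogFile     = "$env:ProgramData\SharedData-dacl.log", # assumed location
    [int]   $PollSeconds = 60    # fallback: re-check even if no notification arrives
)

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -LiteralPath $LogFile -Value $line
    Write-Host $line
}

function Get-DaclSddl([string]$Folder) {
    # SDDL of the DACL only (inherited ACEs included), so any ACE change compares unequal.
    (Get-Acl -LiteralPath $Folder).GetSecurityDescriptorSddlForm('Access')
}

function Get-AceStrings([System.Security.AccessControl.FileSystemSecurity]$Sd) {
    $Sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        ForEach-Object { "$($_.IdentityReference) $($_.AccessControlType) $($_.FileSystemRights) (inherited=$($_.IsInherited))" }
}

function Compare-Dacl([string]$Folder, [string]$BaselineSddl) {
    # Logs the ACE-level difference and returns $true when the DACL no longer matches the baseline.
    $currentSddl = Get-DaclSddl $Folder
    if ($currentSddl -eq $BaselineSddl) { return $false }
    $old = New-Object System.Security.AccessControl.DirectorySecurity
    $old.SetSecurityDescriptorSddlForm($BaselineSddl)
    $new = Get-Acl -LiteralPath $Folder
    Write-Log "DACL CHANGED on $Folder; owner now $($new.Owner)"
    Compare-Object -ReferenceObject @(Get-AceStrings $old) -DifferenceObject @(Get-AceStrings $new) | ForEach-Object {
        $tag = if ($_.SideIndicator -eq '<=') { 'REMOVED' } else { 'ADDED' }
        Write-Log "  $tag $($_.InputObject)"
    }
    Write-Log "  new SDDL: $currentSddl"
    return $true
}

# Check 1: a junction/symlink carries the target's security descriptor, not this path's.
$item = Get-Item -LiteralPath $Path
if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
    Write-Log "WARNING: $Path is a reparse point (junction/symlink); its permissions belong to the target."
}

# Check 2: an empty SACL explains "nothing in the security log". Permission changes are
# audited only when the folder's SACL has a 'Change permissions' (WriteDac) entry covering
# the principal that makes the change (event 4670 on Vista and later).
$sacl = (Get-Acl -LiteralPath $Path -Audit).Audit
if (-not $sacl -or $sacl.Count -eq 0) {
    Write-Log "WARNING: no SACL entries on $Path; add a Success audit for 'Change permissions'/'Take ownership' for Everyone."
} else {
    $sacl | ForEach-Object { Write-Log "SACL: $($_.IdentityReference) $($_.AuditFlags) $($_.FileSystemRights)" }
}

# Watch the folder's entry in its parent for Security changes: a change to the folder's
# own descriptor arrives as a Changed notification for that entry.
$baseline = Get-DaclSddl $Path
Write-Log "baseline SDDL: $baseline"
$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList (Split-Path -LiteralPath $Path -Parent), (Split-Path -LiteralPath $Path -Leaf)
$watcher.NotifyFilter = [IO.NotifyFilters]::Security
Write-Log "watching $Path (Ctrl+C to stop)"
while ($true) {
    $evt = $watcher.WaitForChanged([IO.WatcherChangeTypes]::Changed, $PollSeconds * 1000)
    if (-not $evt.TimedOut) { Write-Log "security-descriptor change notification for $($evt.Name)" }
    if (Compare-Dacl $Path $baseline) { $baseline = Get-DaclSddl $Path }   # report the next change relative to this one
}
```

The timestamp of the first "DACL CHANGED" line is what to line up against scheduled tasks, cluster failovers and group policy refresh; the ADDED/REMOVED lines show whether the Authenticated Users ACE is being removed explicitly or inheritance is being cut.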



RE: [ActiveDir] 3rd party DNS and windows DDNS updates

2006-01-19 Thread Lee, Wook

Yea, with a caveat. You need to be careful when mixing DNS implementations. We've seen cases where forwarding of dynamic updates breaks because of bugs in one or both implementations. The moral of the story is to test, test, test, then deploy and keep your fingers crossed because there's no accounting for production. Be ready with a contingency plan in case it all comes crashing down around your ears.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Thursday, January 19, 2006 9:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 3rd party DNS and windows DDNS updates

As I understand it; the client machine queries its primary DNS server for the SOA of the zone that matches the client's primary DNS Suffix. It then attempts to register its A/PTR records with the primary for that zone. That said, as long as the client's primary dns server knows who the SOA for the client's zone is you should be ok. Yay? Nay?


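As an added example (not from the thread), this PowerShell function walks the path Alex describes, SOA lookup through the client's configured resolver, then the primary master named in that SOA, and reports where a dynamic update from this client would stall; the optional -TestRegistration switch is the "test, test, test" Wook asks for. It assumes Windows 8 / Server 2012 or later for the DnsClient cmdlets, and reads the suffix and resolver from the machine unless overridden.

```powershell
# Added example, not code from the thread. Mirrors the client's pre-registration
# lookup: find the zone via SOA through the configured resolver, check the resolver
# can resolve the SOA primary master, check that host answers for the zone, and
# optionally trigger registration and verify the A record on the master.
function Test-DdnsRegistrationPath {
    param(
        # Primary DNS suffix the client registers under (the delegated AD child zone in the thread).
        [string]$Suffix = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName,
        # Resolver the client is configured with (the "3rd party DNS" in the thread).
        [string]$Resolver = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                             Where-Object { $_.ServerAddresses } |
                             Select-Object -First 1 -ExpandProperty ServerAddresses)[0],
        # Actually register and then check the master; off by default so the function only reads.
        [switch]$TestRegistration
    )
    $r = [ordered]@{ Suffix = $Suffix; Resolver = $Resolver; Zone = $null; PrimaryMaster = $null
                     MasterAddress = $null; CanReachMaster = $false; Registered = $null; Notes = @() }

    # 1. Find the zone: walk the suffix towards the root until a label returns an SOA in
    #    the Answer section (ad.corp.example -> corp.example); the TLD is not tried.
    $labels = $Suffix.TrimEnd('.').Split('.')
    for ($i = 0; $i -lt $labels.Count - 1; $i++) {
        $candidate = $labels[$i..($labels.Count - 1)] -join '.'
        $soa = Resolve-DnsName -Name $candidate -Type SOA -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SOA' -and $_.Section -eq 'Answer' } | Select-Object -First 1
        if ($soa) { $r.Zone = $candidate; $r.PrimaryMaster = $soa.PrimaryServer; break }
    }
    if (-not $r.Zone) {
        $r.Notes += "Resolver $Resolver returned no SOA for $Suffix or any parent; the delegation is not visible from here."
        return [pscustomobject]$r
    }

    # 2. The UPDATE goes to the SOA primary master (MNAME): the resolver must resolve that
    #    name and the host must actually serve the zone. (AD-integrated zones return the
    #    answering DC as MNAME, which is why registering via a DC's own DNS just works.)
    $a = Resolve-DnsName -Name $r.PrimaryMaster -Type A -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    if (-not $a) { $r.Notes += "Resolver $Resolver cannot resolve primary master $($r.PrimaryMaster)."; return [pscustomobject]$r }
    $r.MasterAddress = $a.IPAddress
    $direct = Resolve-DnsName -Name $r.Zone -Type SOA -Server $r.MasterAddress -DnsOnly -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'SOA' -and $_.Section -eq 'Answer' } | Select-Object -First 1
    if (-not $direct) {
        $r.Notes += "$($r.MasterAddress) did not answer SOA for $($r.Zone) (port 53 blocked, or MNAME names a host that does not serve the zone)."
        return [pscustomobject]$r
    }
    $r.CanReachMaster = $true
    if ($direct.PrimaryServer -ne $r.PrimaryMaster) {
        $r.Notes += "Master reports MNAME $($direct.PrimaryServer) but the resolver's copy says $($r.PrimaryMaster): stale secondary or forwarding in between."
    }

    # 3. Optional end-to-end check: register, then ask the master itself (not the resolver,
    #    whose cache may be stale) whether this host's A record is present.
    if ($TestRegistration) {
        Register-DnsClient
        Start-Sleep -Seconds 5
        $fqdn = "$env:COMPUTERNAME.$Suffix"
        $mine = Resolve-DnsName -Name $fqdn -Type A -Server $r.MasterAddress -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' }
        $r.Registered = [bool]$mine
        if (-not $mine) { $r.Notes += "No A record for $fqdn on the master after Register-DnsClient; check the DNS server log for refused updates." }
    }
    [pscustomobject]$r
}

Test-DdnsRegistrationPath | Format-List
```

Run it from a client pointed at the third-party resolver: an empty Notes list with CanReachMaster true means the path Alex describes is open; each note names the hop that breaks it.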
RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread Lee, Wook

You can have collisions between a domain controller SID and a member server SID when two machines have duplicate SIDs and one is DCPROMO'd and the other is joined to the new domain. The error messages that are logged say something to the effect that the domain and the member server SIDs conflict. Darn confusing when you see it for the first time. I'll see if I can dig out the exact text of the message.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed
Yep sorry, didn't intend to say it wasn't a good idea. At some point the list will catch up and my post that says that will show up. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Dozen other reasons to run it. Not running sysprep is just a bad idea.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 8:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed
Well not really. The important SID in question is the Domain SID and that isn't duped. The domain doesn't care about the machine SID. It is still good practice to newsid the machines though.

If the accounts are disappearing it is one of two things:

1. Someone is deleting it.

2. During the join process something fails and the computer deletes the object out. I don't recall the details of this but I do recall hearing it happen. It happens right after the failed join though, you don't have to wait for it. I have also heard other people who don't have enough rights report the account being disabled instead of deleted. I never verified personally either.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You're getting duplicate SIDs here; bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images: before I ghost them or create the image I put the said machine into a workgroup and then create the image. After I have imaged a computer I log on and change the Computer Name, reboot, and then join the domain with the new computer name. Should I be using Sysprep?

And Brenda, I have experienced your problem but I have never noticed the accounts actually being out of AD. Anyway, most times for me a simple reboot works, although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school. Makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don't sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda,

FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some.

Gary

Gary Polvinale

Denton ATD

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone.

Thanks,
Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
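The thread above turns on workstations that were cloned without sysprep and so share a machine SID. As an added example that is not part of the thread, this PowerShell script derives each host's machine SID from its built-in Administrator account (RID 500) and reports any SID shared by more than one host; it assumes CIM/WMI access to the hosts, and the host names are constructed.

```powershell
# Added example, not from the thread: find workstations that share a machine SID,
# the duplicate-SID condition Brian and Wook describe for un-sysprepped images.
# Assumes CIM (WMI) access to each host; run it against member workstations,
# since on a domain controller the RID-500 account is the domain's, not the machine's.
function Get-MachineSid {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The built-in Administrator account always carries RID 500; stripping that
    # RID from its SID (S-1-5-21-a-b-c-500) leaves the machine SID (S-1-5-21-a-b-c).
    $admin = Get-CimInstance -ClassName Win32_UserAccount `
        -Filter "LocalAccount=TRUE AND SID LIKE '%-500'" `
        -ComputerName $ComputerName -ErrorAction Stop
    return ($admin.SID -replace '-500$', '')
}

function Find-DuplicateMachineSid {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $results = foreach ($computer in $ComputerName) {
        try {
            [pscustomobject]@{
                Computer   = $computer
                MachineSid = Get-MachineSid -ComputerName $computer
            }
        } catch {
            # An unreachable host is reported, not silently skipped.
            Write-Warning "Could not query $computer : $($_.Exception.Message)"
        }
    }
    # Any SID shared by two or more hosts means the image was cloned without sysprep.
    $results | Group-Object -Property MachineSid | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                MachineSid = $_.Name
                Computers  = ($_.Group.Computer -join ', ')
            }
        }
}

# Constructed host list for illustration; replace with the workstations you image.
Find-DuplicateMachineSid -ComputerName 'LAB-PC01', 'LAB-PC02', 'LAB-PC03' |
    Format-Table -AutoSize
```

An empty result means every queried host has a distinct machine SID; hosts that appear together in one row were built from the same un-sysprepped image.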


[ActiveDir] Net localgroup limitation?

2006-01-19 Thread Freddy HARTONO

Hi

Just curious, is there a 19-character limit for net localgroup commands?

Just realised after trying to script a couple of things that adding this doesn't work.

This works:
Net localgroup Administrators domain\12345678910123456789 /ADD

This doesn't work:
Net localgroup Administrators domain\123456789101234567890123456 /ADD

Has anyone else come up against this limitation?


Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
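The working name in the post above is exactly 20 characters long, which is the maximum length of a user sAMAccountName (the pre-Windows 2000 logon name), and the failing one is 27. As an added example that is not part of the post, this PowerShell wrapper checks the account part of a `domain\name` string against that limit before calling net localgroup, so a script fails with a clear message rather than an opaque net.exe error; the function names are hypothetical.

```powershell
# Added example, not from the post: validate an account name against the
# 20-character user sAMAccountName limit before handing it to net localgroup.
function Test-SamAccountName {
    param([Parameter(Mandatory)][string]$Account)   # 'domain\name' or just 'name'
    $sam = $Account.Split('\')[-1]
    # User sAMAccountNames (pre-Windows 2000 logon names) are 1 to 20 characters.
    return ($sam.Length -ge 1 -and $sam.Length -le 20)
}

function Add-LocalAdministrator {
    param([Parameter(Mandatory)][string]$Account)
    if (-not (Test-SamAccountName -Account $Account)) {
        throw "Refusing to add '$Account': the account part exceeds 20 characters"
    }
    # net.exe writes its error text to stderr; capture both streams for the message.
    $output = & net localgroup Administrators $Account /ADD 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "net localgroup failed for '$Account': $($output -join ' ')"
    }
    return $true
}

# The two names from the post: the first is 20 characters, the second 27.
Test-SamAccountName -Account 'domain\12345678910123456789'
Test-SamAccountName -Account 'domain\123456789101234567890123456'
```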