RE: [ActiveDir] OT: speaking of AD books...
http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 19, 2006 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: speaking of AD books...

Yeah the dates have been all dorked up. Even the O'Reilly site initially said Feb. The initial thought was this would be out for the release of R2 at the end of the year. Didn't happen. :)

Anyway, as mentioned in another post, I got my advance copy via FedEx today so I know hardcopy versions officially exist, at least one. I was last told the 18th was the date and today is the 19th and it was shipped to me on the 17th so that seems pretty accurate. Not sure when it will hit US Amazon. Once it does, I will post a link from my website that will take people directly to it.

Hopefully the person who posted that review below will take another read and see if I made it better for them as there were, to be honest, parts that were just plain incorrect. :) However there was/is a table indicating what modes there are and what you get from each.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, January 19, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: speaking of AD books...

I just went to see the UK release date on amazon.co.uk for this book and it's 28/02 or 02/28 depending on your flavour and I saw this - someone was not happy.

+
Active Directory, 2nd Edition, August 14, 2003
Reviewer: A reader from Oxfordshire, United Kingdom
I was recommended this book and can only guess at what the person who recommended it was thinking. Make no mistake, this book is poor. Some parts are misleading, there are a number of omissions (for example, there's a long discussion of changing domain/forest modes, but no discussion of what the modes are and what each provides) and some parts are just plain incorrect. Now, how do I get my money back?
+

Anyway it made me laugh.

Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: 19 January 2006 18:57
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: speaking of AD books...

Design and Deployment of Microsoft's Active Directory
O'Reilly Releases Active Directory, Third Edition

Sebastopol, CA--Since its introduction in Windows 2000, Microsoft's Active Directory has improved the way organizations share network resources such as users, groups, computers, printers, applications, and files. Having a single source for this information makes it more accessible and easier to manage, notes Robbie Allen, co-author of the highly acclaimed Active Directory, now available in its third edition (O'Reilly, US $49.99). To accomplish this, however, requires a significant amount of knowledge on topics such as LDAP, Kerberos, DNS, multi-master replication, group policies, and data partitioning, to name a few. In other words, Active Directory is still a major headache for network and system administrators who have to design, implement, and support it.

Allen's book, co-written with industry experts Joe Richards and Alistair G. Lowe-Norris, offers a clear and detailed introduction that not only guides administrators through the maze of technologies, but also helps them understand the big picture. Our book describes Active Directory in depth, but not in the traditional way of going through the graphical user interface screen by screen, Allen explains. Instead, the book sets out to tell administrators how to design, manage, and maintain a small, medium, or enterprise Active Directory infrastructure that's both scalable and reliable. Many industry authorities consider this book to be the definitive resource for implementing Active Directory.

Allen, Richards, and Lowe-Norris have revised the new edition of Active Directory significantly to describe features that have been updated or added in Windows Server 2003 R2, including coverage of programmatic interfaces available to manage them. Three additional chapters explain new features and concepts such as Active Directory Application Mode (ADAM), and scripting for common user and group tasks for Microsoft Exchange 2000/2003.

Once information has been added to Active Directory, it can be made available for use throughout the entire network to as many or as few people as an administrator likes, Allen points out. The structure of the information can match the structure of the organization, and users can query Active Directory to find the location of a printer or the email address of a colleague. Administrators can delegate control and management of the data however they see fit. While Microsoft's documentation serves as an important reference, any administrator who deals with Active Directory will find this book to
RE: [ActiveDir] Net localgroup limitation?
The attribute sAMAccountName is limited to 20 chars (by the AD schema).

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: 20 January 2006 07:49
To: activedir@mail.activedir.org
Subject: [ActiveDir] Net localgroup limitation?

Hi

Just curious, is there a 19-character limit for net localgroup commands? Just realised after trying to script a couple of things that adding this doesn't work.

This works:
Net localgroup Administrators "domain\12345678910123456789" /ADD

This doesn't work:
Net localgroup Administrators "domain\123456789101234567890123456" /ADD

Has anyone else come across this limitation?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
RE: [ActiveDir] Changing Employee ID from workstation
Brief steps:

1. Logon with Ent Admin rights. Open ADSI Edit, locate the user-Display object (in CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=yourdomain,DC=yourTLD).
2. Select the adminContextMenu attribute. Add to the attribute the value 2, Employee ID, \\location\script.vbs (without quotes). Don't remove existing entries, and if number 2 is already in use, select the next available number.
3. Create script.vbs and place it in the correct location. (Personally, I use SYSVOL for the scripts since that way the scripts are replicated around and are available to all users.)
4. Start ADUC and right-click any user object, then select Employee ID in the context menu.

The attached exposes emp ID as well as 2 other attributes. Remove the parts you don't need. If you need to view and edit the emp id then you'll need to extend the script. I have another script which exposes various other user related data (bad pw count, last logon etc).

neil

PS I should put this in a blog or article I guess :)

___
Neil Ruston
Global Technology Infrastructure
Nomura International plc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: 19 January 2006 17:02
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Employee ID from workstation

Can you send me some information on doing this? We just got tasked with doing this yesterday and this would be a great shortcut. Thanks!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Employee ID from workstation

I have scripts and procedures to do this as well. I also (in my current role) synched additional attributes from an external LDAP repository such as cost code and desk location and exposed them via ADUC too. It's well liked by the support guys :)

The script on petri's web site which exposes logon date/time, password last changed date etc is also useful and can be executed as per the above.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Ferguson
Sent: 19 January 2006 16:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Employee ID from workstation

I have done this in our environment and I use it to alter employee id's and employee numbers from whatever workstation I want (through the ADUC). I used ADSI edit and made changes to the containers throughout the forest so that any admin could get the right click context and make changes (if allowed to do so). I am off work today, but tomorrow I will post the details of how I did it.

Doug Ferguson
Windows Systems Administrator
Hynix Semiconductor Manufacturing America, Inc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marko Inkinen
Sent: Wednesday, January 18, 2006 11:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing Employee ID from workstation

My email address changes on 31.12.2005; the username part stays the same, the new domain name is PKSSK.FI. ([EMAIL PROTECTED]).

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
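A companion check for the steps above, added here and not Neil's attached script: it inventories the adminContextMenu entries already registered under CN=DisplaySpecifiers (so you can see which index is free and what each entry launches) and returns the next free index for a specifier in a given locale. It assumes the ActiveDirectory PowerShell module; the function names Get-AdminContextMenuEntry and Get-NextAdminContextMenuIndex are my own.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
# Lists every adminContextMenu value under CN=DisplaySpecifiers and works out the
# next free index for a specifier such as user-Display in a locale such as 409.
Import-Module ActiveDirectory

function Get-AdminContextMenuEntry {
    param([string]$Server)
    $rootDse = if ($Server) { Get-ADRootDSE -Server $Server } else { Get-ADRootDSE }
    $params  = @{
        SearchBase = "CN=DisplaySpecifiers,$($rootDse.configurationNamingContext)"
        LDAPFilter = '(adminContextMenu=*)'
        Properties = 'adminContextMenu', 'whenChanged'
    }
    if ($Server) { $params.Server = $Server }

    foreach ($spec in Get-ADObject @params) {
        # The locale container is the RDN directly above the specifier, e.g. CN=409 (en-US).
        $locale = (($spec.DistinguishedName -split ',')[1]) -replace '^CN=', ''
        foreach ($value in $spec.adminContextMenu) {
            # Script/exe entries look like "2,Employee ID,\\server\share\script.vbs" (three
            # fields); COM extension entries look like "1,{CLSID}" and have only two.
            # Whatever is listed here runs under the credentials of the admin who clicks it
            # in ADUC, so the script location should be writable by admins only.
            $parts = $value -split ',', 3
            [pscustomobject]@{
                Locale      = $locale
                Specifier   = $spec.Name
                Index       = [int]$parts[0]
                MenuText    = if ($parts.Count -eq 3) { $parts[1].Trim() } else { $null }
                Command     = $parts[-1].Trim()
                IsScript    = ($parts.Count -eq 3)        # not a COM extension
                WhenChanged = $spec.whenChanged
            }
        }
    }
}

function Get-NextAdminContextMenuIndex {
    # Step 2 above says to use the next available number if 2 is taken; this returns it.
    param(
        [string]$Specifier = 'user-Display',
        [string]$Locale    = '409',
        [string]$Server
    )
    $used = Get-AdminContextMenuEntry -Server $Server |
            Where-Object { $_.Specifier -eq $Specifier -and $_.Locale -eq $Locale } |
            ForEach-Object { $_.Index }
    if (-not $used) { return 1 }
    return ([int]($used | Measure-Object -Maximum).Maximum) + 1
}

# Usage: show what the ADUC context menus will launch, and the index to use for a new entry.
Get-AdminContextMenuEntry | Where-Object IsScript | Sort-Object Locale, Specifier, Index |
    Format-Table Locale, Specifier, Index, MenuText, Command -AutoSize
"Next free index for user-Display in locale 409: $(Get-NextAdminContextMenuIndex)"
```

Because the entries are per locale, an entry added only under CN=409 will not appear for admins whose ADUC runs in another locale, which is why Doug mentions changing the containers throughout the forest.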
RE: [ActiveDir] Permissions vanishing
Gil,

That is a good avenue of approach; although I do not recall any GPOs that modify folder permissions, it is something I have not checked nevertheless. I will give that a look.

Joe,

That would be great if you had the perl code for file change/modification notification. I would greatly appreciate that. I am using your oldcmp.exe right now and putting together some perl code that parses through it to pull out host names and user names and then emails a monthly list that can be used to clean them up in AD with a cron job consisting of perl code based upon the Active Directory Cookbook's jobs. Your utility is very useful.

Thanks again.

Nate Bahta

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 20, 2006 1:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions vanishing

I concur with Gil, either something really bad is happening or the auditing isn't tight (i.e. some account doing the work is outside of the audit policy, like say you configured watch for domain users making changes and it isn't catching the secprin doing it). Verify the SACL on the folder (btw is that getting changed too?), make sure SharedData isn't a junction and taking its perms from somewhere else, set up a script to do event notification on the folder that will detect a DACL change and tell you exactly when it is occurring.

On the last, if you need it, I think I have some old old old old perl code I wrote back in the 90's to do file change notification I could try and find. A friend of mine had a project where he had to set up an auto FTP feed that had to be fired when certain file types hit the folder so I whipped up a quick perl script to handle it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, January 19, 2006 2:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions vanishing

The fact that nothing showed up in the audit log is disturbing. Can you modify the ACL manually and see the audit entries that appear? Is there possibly a group policy that is changing the ACLs?

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V Contractor NASIC/SCNA
Sent: Thursday, January 19, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Permissions vanishing

Hey everyone,

I am having an issue with a cluster server that shares our common access data drive. Every other day, the NTFS permissions on the shared clustered drive will revert to only Administrators and System having privileges. I have it set up as follows:

X:\SharedData - Share permissions
  Authenticated Users  RWX

X:\SharedData - Inherited NTFS permissions
  Authenticated Users  RX, LIST FOLDER CONTENTS
  Administrators       F
  System               F

Every other day or so the Authenticated Users vanish from the NTFS permissions. I enabled auditing on the folder for permission change, but nothing came up in the security log that stated that the permissions had changed. Any ideas? I would appreciate anything anyone had to suggest.

Thanks,
Nate
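What Joe's last suggestion looks like in PowerShell, added here rather than his perl script: it baselines the DACL and SACL of the share folder, warns if the folder is a junction, then uses a FileSystemWatcher on the parent directory to log every security-descriptor change and pull the matching permission-change audit events. The paths, log file and helper name Write-AclSnapshot are my own assumptions.

```powershell
# Added example (not code from the thread). Run elevated on the node that owns the disk.
param(
    [string]$Path    = 'X:\SharedData',              # assumed: the share folder from the thread
    [string]$LogFile = 'C:\Logs\SharedData-acl.log'  # assumed log location
)

function Write-AclSnapshot {
    param([string]$Folder, [string]$Log, [string]$Reason)
    # -Audit needs SeSecurityPrivilege, which is why this should run elevated: it returns the SACL
    # too, so you can see whether auditing covers the principal that keeps changing the DACL.
    $acl   = Get-Acl -Path $Folder -Audit
    $lines = @("$(Get-Date -Format o) $Reason on $Folder (owner: $($acl.Owner))", '  DACL:')
    foreach ($ace in $acl.Access) {
        $lines += ('    {0,-35} {1,-5} {2} inherited={3}' -f
            $ace.IdentityReference, $ace.AccessControlType, $ace.FileSystemRights, $ace.IsInherited)
    }
    $lines += '  SACL:'
    foreach ($sace in $acl.Audit) {
        $lines += ('    {0,-35} {1,-8} {2}' -f $sace.IdentityReference, $sace.AuditFlags, $sace.FileSystemRights)
    }
    if (-not $acl.Audit) { $lines += '    (none - a permission change here will never be audited)' }
    Add-Content -Path $Log -Value $lines
    return $lines
}

# Joe's junction check: a reparse point would be taking its permissions from its target.
$attrs = (Get-Item -Path $Path -Force).Attributes
if ($attrs -band [System.IO.FileAttributes]::ReparsePoint) {
    Write-Warning "$Path is a junction/reparse point; the ACL you see may belong to its target."
}

Write-AclSnapshot -Folder $Path -Log $LogFile -Reason 'baseline' | Out-Null

# Watch the parent directory, filtered to the folder name, so the folder's OWN security
# descriptor is in scope (watching the folder itself would only cover its children).
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path                  = Split-Path -Path $Path -Parent
$watcher.Filter                = Split-Path -Path $Path -Leaf
$watcher.NotifyFilter          = [System.IO.NotifyFilters]::Security
$watcher.IncludeSubdirectories = $false

Register-ObjectEvent -InputObject $watcher -EventName Changed -SourceIdentifier 'SharedDataAcl' `
    -MessageData @{ Folder = $Path; Log = $LogFile; Snapshot = ${function:Write-AclSnapshot} } -Action {
        $d = $Event.MessageData
        & $d.Snapshot -Folder $d.Folder -Log $d.Log -Reason 'security descriptor changed' | Out-Null
        # Correlate with the audit trail. 4670 = "Permissions on an object were changed" on
        # Vista/2008 and later (on the 2003 box in the thread look at the 560/567 object-access
        # events instead). Watcher fires but nothing here => SACL or audit policy misses the caller.
        try {
            $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670;
                          StartTime = (Get-Date).AddMinutes(-2) } -MaxEvents 20 -ErrorAction Stop
            $events | ForEach-Object {
                Add-Content -Path $d.Log -Value "  audit: $($_.TimeCreated) $($_.Message.Split("`n")[0])"
            }
        } catch {
            Add-Content -Path $d.Log -Value '  audit: no 4670 events in the last 2 minutes'
        }
    } | Out-Null
$watcher.EnableRaisingEvents = $true

try {
    Write-Host "Watching $Path for DACL/SACL changes; log: $LogFile (Ctrl+C to stop)"
    while ($true) { Wait-Event -Timeout 30 | Out-Null }
}
finally {
    Unregister-Event -SourceIdentifier 'SharedDataAcl'
    $watcher.Dispose()
}
```

The baseline snapshot alone answers Gil's question: if the SACL section is empty or only lists a group the offending account is not in, the silence in the Security log is explained before the watcher ever fires.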
RE: [ActiveDir] OT: speaking of AD books...
FYI, Walmart.com shows the book as being in-stock as of last night.

Scott Klassen

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 19, 2006 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: speaking of AD books...
Re: [ActiveDir] 3rd party DNS and windows DDNS updates
Additionally, I've never seen it work well even though it may be that it's supposed to. To be honest, I never cared what it's supposed to do, because of the amount of confusion it causes and the likelihood that it would break for something that is ridiculous to begin with.

In my opinion, there is no sound reason to tell a client to use a different DNS server than the one that is authoritative for its own primary zone for name services. That's an absurd way to do things that has no technical merit that I have ever seen. Whenever I see a configuration such as this, it is always either a misunderstanding or a politically motivated decision, but never a good one.

Like I said earlier, tell your client to avoid the hassle of a complicated name resolution scheme and instead use DNS the way it was designed to work. You get paid to make those kind of suggestions ;)

On 1/20/06, Lee, Wook [EMAIL PROTECTED] wrote:

Yea, with a caveat. You need to be careful when mixing DNS implementations. We've seen cases where forwarding of dynamic updates breaks because of bugs in one or both implementations. The moral of the story is to test, test, test, then deploy and keep your fingers crossed because there's no accounting for production. Be ready with a contingency plan in case it all comes crashing down around your ears.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex Fontana
Sent: Thursday, January 19, 2006 9:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 3rd party DNS and windows DDNS updates

As I understand it, the client machine queries its primary DNS server for the SOA of the zone that matches the client's primary DNS suffix. It then attempts to register its A/PTR records with the primary for that zone. That said, as long as the client's primary DNS server knows who the SOA for the client's zone is you should be ok... Yay? Nay?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, January 19, 2006 6:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 3rd party DNS and windows DDNS updates

Give a little more detail, can you? What I think you're asking is, if the zone is a third party hosted zone delegated to AD, but the users are using the third party host as their primary DNS resolver, then would they be able to update their records? Is that about it?

If that's the case, then I would think not. Why? Because the client must talk directly to the server that is authoritative for the zone so it can write the record. In most situations, I have always advocated having machines use the servers that host their primary zone for all transactions. This has always resulted in higher availability and lower resolution times when/if issues arise (it's hard to keep admins from doing things, right? ;)

Further, if the client machine is an AD member, it will do better if it is able to register its forward and reverse information. Not for AD necessarily, but for other applications that use DNS. If you're going to delegate the zone to AD anyway, have the clients use the AD DNS and just simplify your design. All your AD DNS servers would then just forward or otherwise allow resolution for other zones, but you wouldn't have a bunch of complex name resolution issues.

Al

On 1/19/06, Chandra Burra [EMAIL PROTECTED] wrote:

Hi,

Wanted to know if anyone has tried this or whether it works. Having a 3rd party DNS with a sub-zone or child zone created for AD and delegated that zone to Windows DDNS. Now if the clients are pointing to the 3rd party DNS as primary DNS, will these clients still be able to register with the dynamic Windows DNS?

Regards,
Chandra Burra
[ActiveDir] Windows Installer failure
To All:

I have run into an issue here that has me stumped. I am attempting to remove an application from a Windows Server 2003 Standard Edition with SP1 installed. During the removal process I get the following error:

Error 1720: There is a problem with this Windows Installer package. A script required for this install to complete could not be run. Contact your support personnel or package vendor.

I seem to remember there was a program you could run that would show all msi packages installed and would let you manually remove one. Has anyone ever heard of this program?

I tried the program msizap T[WA!] {A91DF459-5729-426E-ACCB-8C61C1481B53} to no avail.

TIA
Dan
RE: [ActiveDir] 3rd party DNS and windows DDNS updates
For starters, I kinda agree ;-) Simplicity, especially when dealing with DNS and AD, is my primary concern, and I may just be playing devil's advocate here, but if I learn something new it was worth it!

So I do care what it's supposed to do because it helps me in troubleshooting issues. The RFC for DDNS specifically says that the client must know the name of the zone for which it is trying to update a RR, and must know the MNAME of the SOA for that zone. That said, put a sniffer on your machine and run ipconfig /registerdns. You'll see that the first operation is a query for the SOA for your hostname.

Besides, telling a client to use a different DNS server than one that is authoritative for its own primary zone happens all the time. Think of a remote office in a DNS environment that uses primary/secondary configs. More likely than not those clients are going to point to a secondary DNS server as primary for resolution and maybe the master as secondary. Regardless, the first operation will be a query for the SOA record.

Again, do I suggest everyone go and point their clients to bob.com's DNS server when their clients are in the jim.bob.com domain? No, of course not, but it would work.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, January 20, 2006 6:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 3rd party DNS and windows DDNS updates
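The first step Alex describes (the client asking its configured resolver for the SOA of its own name and taking the MNAME from the answer) as an added example, not code from the thread: it reports which server a client would send its A/PTR update to, whether that server is one of the resolvers the NIC is configured with, and whether it is reachable on port 53. The function name and the reachability check are my own; the sample resolver address is a placeholder.

```powershell
# Added example (not from the thread). Needs the DnsClient/NetTCPIP modules (Windows 8.1 / 2012 R2 or later).
function Get-DdnsRegistrationTarget {
    param(
        # Default: the machine's hostname plus its primary DNS suffix, the name ipconfig /registerdns registers.
        [string]$HostFqdn = $(
            $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
            if ($ip.DomainName) { "$($ip.HostName).$($ip.DomainName)" } else { $ip.HostName }
        ),
        # Optional: ask a specific resolver (e.g. the third-party DNS the clients point at).
        [string]$Server
    )
    $query = @{ Name = $HostFqdn; Type = 'SOA'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }

    # A host name has no SOA of its own, so the SOA comes back in the Authority section,
    # named after the enclosing zone; Resolve-DnsName exposes it as an ordinary SOA record.
    $soa = Resolve-DnsName @query | Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
    if (-not $soa) { throw "No SOA returned for $HostFqdn; this resolver cannot name the zone." }

    $master   = $soa.PrimaryServer          # the MNAME: where the dynamic update is sent
    $masterIp = @(Resolve-DnsName -Name $master -Type A -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })

    $reachable = $false
    if ($masterIp.Count -gt 0) {
        # TCP 53 only proves the path is open; whether the MNAME accepts (secure) updates from
        # this client is a separate question, which is Wook's "test, test, test" point.
        $reachable = (Test-NetConnection -ComputerName $masterIp[0] -Port 53 `
                          -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    $configured = @(Get-DnsClientServerAddress -AddressFamily IPv4 | ForEach-Object { $_.ServerAddresses })

    [pscustomobject]@{
        Host                       = $HostFqdn
        Zone                       = $soa.Name
        PrimaryMaster              = $master
        PrimaryMasterIPs           = ($masterIp -join ', ')
        MasterIsConfiguredResolver = [bool]($masterIp | Where-Object { $configured -contains $_ })
        MasterReachableOn53        = $reachable
    }
}

# Usage: what the default resolver says, then what the (placeholder) third-party resolver would say.
Get-DdnsRegistrationTarget | Format-List
# Get-DdnsRegistrationTarget -Server '192.0.2.53' | Format-List
```

In Chandra's delegated-zone setup the interesting output is MasterIsConfiguredResolver=False together with MasterReachableOn53=True: the client is pointed at the third-party server, but its update still goes straight to the Windows DNS server named in the SOA, which is the behaviour Alex and Al are arguing about.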
[ActiveDir] Limitations and issues with domain local groups and GC replicated data
It's Friday afternoon and I think I need more sugar and/or caffeine :)

I've recently read in several places how the use of domain local groups (DLGs) could represent an issue when used to permission GC replicated domain data. For example, this is an excerpt from an MS article:

Special security consideration should be given when specifying permissions on domain data that is also replicated to the global catalog. When a user connects to a global catalog, an impersonation token is created for the user, which is used in subsequent access control decisions on the global catalog. The user's universal, global and domain local group memberships are represented in this token. However, only domain local groups from the domain that the domain controller hosting the global catalog (to which the user has connected) belongs to and of which the user is a member show up in the user's token. Domain local groups in the user's domain (and in other domains) of which the user is a member do not show up in the access token.

I'm trying to figure out if this represents an issue to me in my (proposed) regional multi-domain environment or not. We are currently planning to use DLGs for permissioning AD data as well as server based data. We planned to then nest global groups (GGs) into these DLGs from various domains in the forest.

Will such a scenario be affected by the issue described above? If so, what are the alternatives / suggestions open to me? Can someone offer an example of when the above would represent a true issue? [Assuming my scenario above is not a good example.]

Thanks,
neil

___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Re: [ActiveDir] Windows Installer failure
Try msiexec /X {A91DF459-5729-426E-ACCB-8C61C1481B53} Mark -Original Message- From: Daniel Gilbert [EMAIL PROTECTED] Date: Fri, 20 Jan 2006 08:31:12 To:ActiveDir@mail.activedir.org Subject: [ActiveDir] Windows Installer failure To All: I have run into an issue here that has me stumped. I am attempting to remove an application from a Windows Server 2003 Standard Edition with SP1 installed. During the removal process I get the following error: Error 1720: There is a problem with this Windows Installer package. A script required for this install to could not be run. Contact your support personnel or package vendor. I seem to remember there was a program you could run that would show all msi packages installed and would let you manually remove one. Has anyone ever heard of this program? I tried the program msizap T[WA!] {A91DF459-5729-426E-ACCB-8C61C1481B53} to no avail. TIA Dan List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] OT: Script Request - Restart Remote Service
Does anyone have a nice applet to enable the remote manual restart of a service on a server? The service permissions have been delegated as the app that uses it is not very good and needs to be restarted numerous times a day - it never hangs so the inbuilt stuff is no good. I have had a look but can find no examples to achieve my end goal. Regards, Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Windows Installer failure
Windows Installer Cleanup Util.exe Joseph B. Luptak Information Resources Group, Advanced Technology Program National Institute of Standards and Technology [EMAIL PROTECTED] (301) 975-3940 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert Sent: Friday, January 20, 2006 10:31 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Windows Installer failure To All: I have run into an issue here that has me stumped. I am attempting to remove an application from a Windows Server 2003 Standard Edition with SP1 installed. During the removal process I get the following error: Error 1720: There is a problem with this Windows Installer package. A script required for this install to could not be run. Contact your support personnel or package vendor. I seem to remember there was a program you could run that would show all msi packages installed and would let you manually remove one. Has anyone ever heard of this program? I tried the program msizap T[WA!] {A91DF459-5729-426E-ACCB-8C61C1481B53} to no avail. TIA Dan List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Windows Installer failure
Found it: http://support.microsoft.com/default.aspx?scid=kb;en-us;290301 Thanks to everyone. Dan Original Message Subject: [ActiveDir] Windows Installer failure From: Daniel Gilbert [EMAIL PROTECTED] Date: Fri, January 20, 2006 8:31 am To: ActiveDir@mail.activedir.org To All: I have run into an issue here that has me stumped. I am attempting to remove an application from a Windows Server 2003 Standard Edition with SP1 installed. During the removal process I get the following error: Error 1720: There is a problem with this Windows Installer package. A script required for this install to could not be run. Contact your support personnel or package vendor. I seem to remember there was a program you could run that would show all msi packages installed and would let you manually remove one. Has anyone ever heard of this program? I tried the program msizap T[WA!] {A91DF459-5729-426E-ACCB-8C61C1481B53} to no avail. TIA Dan List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Script Request - Restart Remote Service
Here is part of a script that I poached from somewhere. It's only set to stop a list of services, but you could include a second step in the For...Next loop that calls the oInstance.ExecMethod_("StartService") after you've stopped the service. Watch for line wraps and such...

' The script logs through fileTxt; the two lines below create that text file so the
' fragment runs stand-alone (the posted excerpt left them out).
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set fileTxt = oFSO.CreateTextFile("services.log", True)

sComputer = "enter the target computer name here"
' In "services_list", add your services in the order you want them to stop.
' If some of the services have comma in their names,
' you must choose another delimiter
services_list = "IMAP4Svc,POP3Svc,MSExchangeES,MSExchangeIS,MSExchangeMTA,MSExchangeSA,MSExchangeMGMT,MSExchangeSRS,RESvc"
services_array = Split(services_list, ",")

For i = 0 To UBound(services_array)
    sService = Trim(services_array(i))
    'fileTxt.WriteLine("ServiceName = " & sService)
    Set oInstance = GetObject("winmgmts:{impersonationLevel=impersonate}//" & sComputer & _
        "/root/cimv2:Win32_Service=" & Chr(34) & sService & Chr(34))
    'fileTxt.WriteLine("ServiceState = " & oInstance.Properties_("State").Value)
    fileTxt.WriteLine(oInstance.Name & " : " & oInstance.Properties_("State").Value)

    If (oInstance.Properties_("State").Value = "Running") Then
        Set oOutParam = oInstance.ExecMethod_("StopService")
        If oOutParam.ReturnValue = 0 Then
            fileTxt.WriteLine(oInstance.Name & " stopped successfully")
            ' Only wait for the state change when the stop request was accepted;
            ' waiting after a failed request (e.g. access denied) would never end.
            Do
                ' state will be "Stop Pending" until "Stopped".
                ' Adjust sleep as necessary, but do *not* remove it!
                WScript.Sleep 1000
                Set oInstance = GetObject("winmgmts:{impersonationLevel=impersonate}//" & sComputer & _
                    "/root/cimv2:Win32_Service=" & Chr(34) & sService & Chr(34))
                'fileTxt.WriteLine("ServiceState = " & oInstance.Properties_("State").Value)
                Stopped = False
                If oInstance.Properties_("State").Value = "Stopped" Then
                    'fileTxt.WriteLine(sService & " : " & oInstance.Properties_("State").Value)
                    Stopped = True
                End If
            Loop Until Stopped
        Else
            fileTxt.WriteLine(oInstance.Name & " failed to stop")
            Select Case oOutParam.ReturnValue
                Case 1
                    fileTxt.WriteLine("The request is not supported.")
                Case 2
                    fileTxt.WriteLine("The user did not have the necessary access.")
                Case 3
                    fileTxt.WriteLine("The service cannot be stopped because other " & _
                        "services that are running are dependent on it.")
                Case 4
                    fileTxt.WriteLine("The requested control code is not valid, or " & _
                        "it is unacceptable to the service.")
                Case 5
                    fileTxt.WriteLine("The requested control code cannot be sent to " & _
                        "the service because the state of the service.")
                Case 6
                    fileTxt.WriteLine("The service has not been started.")
                Case 7
                    fileTxt.WriteLine("The service did not respond to the stop request " & _
                        "in a timely fashion.")
                Case 8
                    fileTxt.WriteLine("Unknown failure when stopping the service.")
                Case 9
                    fileTxt.WriteLine("The directory path to the service executable was not found.")
                Case 10
                    fileTxt.WriteLine("The service is already stopped")
                Case 11
                    fileTxt.WriteLine("The service database is locked.")
                Case 12
                    fileTxt.WriteLine("A dependency which this service relies on " & _
                        "has been removed from the system.")
                Case 13
                    fileTxt.WriteLine("The service failed to find the service needed " & _
                        "from a dependent service.")
                Case 14
                    fileTxt.WriteLine("The service has been disabled from the system.")
                Case 15
                    fileTxt.WriteLine("The service does not have the correct authentication " & _
                        "to run on the system.")
                Case 16
                    fileTxt.WriteLine("This service is being removed from the system.")
                Case 17
                    fileTxt.WriteLine("There is no execution thread for the service.")
                Case 18
                    fileTxt.WriteLine("There are circular dependencies when stopping the service.")
                Case 19
                    fileTxt.WriteLine("There is a service running under the same name.")
                Case 20
                    fileTxt.WriteLine("There are invalid characters in the name of the service.")
                Case 21
                    fileTxt.WriteLine("Invalid parameters have been passed to the service.")
                Case 22
                    fileTxt.WriteLine("The account, which this service is to run under is " & _
                        "either invalid or lacks the permissions to run the service.")
                Case 23
                    fileTxt.WriteLine("The service exists in the database of services " & _
                        "available from the system.")
                Case 24
                    fileTxt.WriteLine("The service is currently paused in the system.")
            End Select
        End If
    End If
Next

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL
RE: [ActiveDir] OT: Script Request - Restart Remote Service
www.protect-me.com/rtm/ There are several 'remote task manager' like apps out there. neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: 20 January 2006 16:06 To: ActiveDir.org Subject: [ActiveDir] OT: Script Request - Restart Remote Service Does anyone have a nice applet to enable the remote manual restart of a service on a server? The service permissions have been delegated as the app that uses it is not very good and needs to be restarted numerous times a day - it never hangs so the inbuilt stuff is no good. I have had a look but can find no examples to achieve my end goal. Regards, Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Net localgroup limitation?
Hi, In AD: the sAMAccountName must be between 0 and 256 characters long the cn must be between 1 and 64 characters long I guess the NET commands are still using legacy methods When creating a group in a NT4 the limit was 20 char when you used the user manager for domains. However, using other methods (scripting or third party tooling) it was possible to pass the limit of user manager for domains. Don't remember what the real limit was/is Jorge From: [EMAIL PROTECTED] on behalf of Freddy HARTONO Sent: Fri 2006-01-20 08:48 To: activedir@mail.activedir.org Subject: [ActiveDir] Net localgroup limitation? Hi Just curious is there a 19 characters limit for net localgroup commands? Just realised after trying to script a couple of things - that adding this doesn't work This works Net localgroup Administrators domain\12345678910123456789 /ADD This doesn't work Net localgroup Administrators domain\123456789101234567890123456 /ADD Anyone else comes up with this limitation? Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] OT: Script Request - Restart Remote Service
Sc.exe is an easy command-line utility for managing local and remote services. Comes with the OS. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, January 20, 2006 8:06 AM To: ActiveDir.org Subject: [ActiveDir] OT: Script Request - Restart Remote Service Does anyone have a nice applet to enable the remote manual restart of a service on a server? The service permissions have been delegated as the app that uses it is not very good and needs to be restarted numerous times a day - it never hangs so the inbuilt stuff is no good. I have had a look but can find no examples to achieve my end goal. Regards, Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
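Mark's service has had its permissions delegated, and sc.exe is also the tool that shows what that delegation actually grants (sc.exe sdshow prints the service's security descriptor as SDDL). The PowerShell below is an added example, not code from the thread: it decodes such an SDDL string into per-principal start/stop/reconfigure/write-DAC flags so a delegation can be reviewed before it is trusted. The sample descriptor is constructed for the demonstration and the S-1-5-21-... SID in it is a placeholder, not a real domain.

```powershell
# Added example, not from the thread. Decodes a service security descriptor so a
# delegation can be verified: who may start, stop, reconfigure or re-ACL the service.
# Live input on/against the target host:  $sddl = (sc.exe sdshow <ServiceName>) -join ''
# $SampleSddl below is constructed; the domain SID in it is a placeholder.

# Service-specific access rights (SERVICE_* from winsvc.h) plus the standard rights.
# A plain hashtable is used on purpose: an [ordered] dictionary indexes ints by position.
$ServiceRights = @{
    0x00001 = 'QUERY_CONFIG'
    0x00002 = 'CHANGE_CONFIG'
    0x00004 = 'QUERY_STATUS'
    0x00008 = 'ENUMERATE_DEPENDENTS'
    0x00010 = 'START'
    0x00020 = 'STOP'
    0x00040 = 'PAUSE_CONTINUE'
    0x00080 = 'INTERROGATE'
    0x00100 = 'USER_DEFINED_CONTROL'
    0x10000 = 'DELETE'
    0x20000 = 'READ_CONTROL'
    0x40000 = 'WRITE_DAC'
    0x80000 = 'WRITE_OWNER'
}

function Get-ServiceAceReport {
    param([Parameter(Mandatory)][string]$Sddl)
    # RawSecurityDescriptor parses the SDDL that sc.exe sdshow prints (CC, DC, LC, SW,
    # RP, WP, DT, LO, CR map to the 0x1..0x100 service-specific bits).
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $names = foreach ($bit in ($ServiceRights.Keys | Sort-Object)) {
            if ($ace.AccessMask -band $bit) { $ServiceRights[$bit] }
        }
        # Show an account name where the SID resolves; otherwise keep the raw SID.
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Principal    = $who
            AceType      = $ace.AceType
            CanStart     = [bool]($ace.AccessMask -band 0x10)
            CanStop      = [bool]($ace.AccessMask -band 0x20)
            CanReconfig  = [bool]($ace.AccessMask -band 0x2)      # CHANGE_CONFIG: may repoint the binary path
            CanChangeDAC = [bool]($ace.AccessMask -band 0x40000)  # WRITE_DAC: may widen the delegation itself
            Rights       = $names -join ','
        }
    }
}

# Constructed sample: the usual SYSTEM / Administrators / Interactive / Service ACEs plus one
# delegated ACE that gives a domain group start, stop, interrogate and read-control only.
$SampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +
              '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              '(A;;CCLCSWLOCRRC;;;IU)' +
              '(A;;CCLCSWLOCRRC;;;SU)' +
              '(A;;RPWPLORC;;;S-1-5-21-1111111111-2222222222-3333333333-1107)'

Get-ServiceAceReport -Sddl $SampleSddl | Format-Table -AutoSize
```

The rows to look at in the output are CanReconfig and CanChangeDAC: a restart-only delegation should show both as False for the delegated group, because CHANGE_CONFIG lets the holder change the service's binary path (and so run arbitrary code as the service account) and WRITE_DAC lets the holder grant themselves anything else. A delegated ACE with only RP, WP, LO and RC, as in the sample, gives start, stop, interrogate and read-control and nothing more.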
RE: [ActiveDir] Limitations and issues with domain local groups and GC replicated data
I'm trying to figure out if this represents an issue to me in my (proposed) regional multi-domain environment or not. We are currently planning to use DLGs for permissioning AD data as well as server based data. We planned to then nest global groups (GGs) into these DLGs from various domains in the forest. Will such a scenario be affected by the issue described above?

Yes it does. Are you actually in the planning phase of the domain-model / forest-structure itself? Or does this multi-domain AD already exist and you need to plan the security model for it? If you're still structuring the forest, you should seriously consider a single domain approach to avoid many of the challenges involved with multiple domain forests (the security on GC data using DLGs just being one of them).

The impact of AD data in GCs that are secured with DLGs certainly depends on your overall security strategy in the AD forest. If you leave the default ACLs in place (which grant a whole lot of READ permissions to authenticated users) and are just planning to use the DLGs to add extra rights to OUs (or any object) for delegating administrative tasks (e.g. permissions to change PW or to add specific objects such as computers to an OU), this will typically not impact you negatively when trying to access the data from a remote domain on a GC. Why? Well, the data in the GC is read-only anyways, so even though those extra permissions will not be applicable on the GC in a remote domain, the data can't be edited anyways so you won't notice the difference.

If however you are planning to take away a lot of the default rights - or you are granting extra rights to read hidden data (e.g. hidden group-memberships in Exchange or simply an OU where the default read-permissions have been removed so that the data won't be visible for the normal users), granting rights using a DLG will not suffice to make the data accessible on the GC in a remote domain. It doesn't matter that you're planning to put the users from the various domains into Global Groups (GGs) and then nest these into the DLGs = the GC of a remote domain has no clue who is a member of the DLG (since the member attribute of a DLG is not replicated to the GC), so it can't expand the token of the user that tries to access the data on that remote GC.

To make it clear:
1. a user in DomA (DOMA-Usr1) is a member of a DLG in DomB (DOMB-DLG1).
2. DOMB-DLG1 is used to grant read access on an OU in DomB (where auth. users READ access has been removed)
3. when DOMA-Usr1 logs onto his client he is authenticated via a DOMA DC
4. at this time he will only have DOMA groups in his token + any Universal Groups of the forest (needs to connect to a GC at logon to find the appropriate group-memberships of the user). He will thus have the DLGs and GGs of his own domain (DOMA) and UGs of any domain in his token.
5. he now connects to a DOMB DC to look at the secured OU = because of the transitive trust he is automatically authenticated - at this time the user's access token is generated for the DOMB domain by a DOMB DC = this DC knows of the user's DLG memberships in DOMB and adds DOMB-DLG1 to DOMA-Usr1's access token (only valid on DOMB resources); it doesn't matter if the user has a direct membership in the DLG or via a GG of DOMA.
6. the user successfully accesses the secured OU on the DOMB DC

Now the same data is replicated to a GC in DomA.
1. DOMA-USR1 now tries to access the OU on a DOMA-GC
2. only the user's DomA token is valid on a DC or GC (or any other resource) in DomA - this does not include the DOMB-DLG1
3. so even though the user is a member of the DLG of DomB, this group membership is unknown on the DOMA GC and thus access will fail (again, assuming you've removed the default READ permissions for auth. users).

If so, what are the alternatives / suggestions open to me?

Well, the first suggestion would be not to implement a multi-domain forest if you can. Try to do everything with OUs. If you can't and you're going to "hide" data in AD that you need to have accessible in the GC, then use UGs to grant the required permissions. This will work for direct membership in the UGs or nested GGs.

Last warning: you do need to be careful with nesting GGs into UGs for other reasons = if membership of the UGs is expanded by other apps to determine their membership (e.g. by Exchange Servers when determining recipients of a distribution list), the nested GGs will not be a good thing. For similar reasons as described above, the GC of DOMB will not know who is a member of the GG in DOMA that is nested into a UG in DOMB - as such the Exchange server can't fully expand the group and mail delivery will fail. So, for many circumstances it is beneficial to populate the UGs directly with the users (or other UGs). Enough for today. /Guido From: [EMAIL
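The practical check that follows from Guido's walk-through is to find the ACEs on GC-replicated data that are granted to domain local groups, since those are the grants a GC in another domain will not honour for a cross-domain user. The PowerShell below is an added example and not code from the thread: it walks the ACL of an OU, resolves each trustee through a global catalog (so groups from every domain in the forest resolve) and flags ACEs whose trustee is a domain local group. It assumes the RSAT ActiveDirectory module; the DNs and host names are placeholders in the spirit of Guido's DomA/DomB example.

```powershell
# Added example, not from the thread. Lists the ACEs on a directory object and flags
# those granted to domain local groups, which a GC in a different domain cannot honour
# because the DLG is absent from a cross-domain user's token there.
# Assumes the RSAT ActiveDirectory module; DNs and host names below are placeholders.
Import-Module ActiveDirectory

function Get-DlgAceReport {
    param(
        [Parameter(Mandatory)][string]$Identity,   # DN of the OU (or any object) to audit
        [Parameter(Mandatory)][string]$GcServer,   # a GC, e.g. 'doma-dc1.doma.example:3268'
        [string]$Server                            # optional DC of the object's own domain
    )
    $p = @{ Identity = $Identity; Properties = 'nTSecurityDescriptor' }
    if ($Server) { $p.Server = $Server }
    $obj = Get-ADObject @p

    foreach ($ace in $obj.nTSecurityDescriptor.Access) {
        # Translate the trustee to a SID and keep only domain account SIDs (S-1-5-21-...).
        # Authenticated Users, SELF, BUILTIN\... and other well-known SIDs have no group scope.
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }
        if (-not $sid.IsAccountSid()) { continue }

        # Ask the GC for the trustee as a group; objectSid and groupType are in the partial
        # attribute set, so groups from any domain of the forest resolve on port 3268.
        $scope = 'NotAGroup'
        try { $scope = [string](Get-ADGroup -Identity $sid.Value -Server $GcServer -ErrorAction Stop).GroupScope }
        catch { }

        [pscustomobject]@{
            Trustee            = $ace.IdentityReference.Value
            Scope              = $scope                       # DomainLocal / Global / Universal / NotAGroup
            AccessType         = $ace.AccessControlType
            Rights             = $ace.ActiveDirectoryRights
            Inherited          = $ace.IsInherited
            HonouredOnRemoteGC = ($scope -ne 'DomainLocal')
        }
    }
}

# Usage (placeholders): audit the secured OU in DomB, resolving trustees through a DomA GC,
# and show only the grants that a DomA GC will not apply to a DomA user.
Get-DlgAceReport -Identity 'OU=Secured,DC=domb,DC=example' `
                 -Server 'domb-dc1.domb.example' `
                 -GcServer 'doma-dc1.doma.example:3268' |
    Where-Object { -not $_.HonouredOnRemoteGC } |
    Format-Table Trustee, Scope, AccessType, Rights, Inherited -AutoSize
```

An Allow ACE that shows up in that filtered list is one that works on a DomB DC but not on a GC in DomA, exactly the case in Guido's second numbered list; the fix he suggests is to re-grant it to a universal group. Deny ACEs to DLGs deserve the same attention in the opposite direction: a deny that a remote GC cannot evaluate is a deny that silently does not apply there.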
RE: [ActiveDir] OT: Gauging AD experience
In my experience, when good directories go bad, it is usually due to three things. Firewalls Firewalls Did I list firewalls? Runner ups would be ADC for Exchange, Clowns posing as Administrators, Clowns posing as DNS experts, Clowns posing as Security experts, and no disaster recovery solution. Todd Myrick Brushing off the dust of my MVP status.

From: joe [mailto:[EMAIL PROTECTED] Sent: Thursday, January 19, 2006 3:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Gauging AD experience

When I read Al's post I thought of you Wook, I figured, hey Wook could use a creative presentation name... ;o) I would say "When Bad Things Happen To Good Directories" is more on par with "When Bad Things Happen To Good People", say like when your nanny gets a flat tire. "When Good Directories Go Bad" is more like when your good little daughter hits her teen years and starts going out to parties in fish net stockings and Big Red gum. :o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Thursday, January 19, 2006 2:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Gauging AD experience Importance: Low

Sorry, I already did that one. My first DEC presentation was entitled "When Bad Things Happen To Good Directories". :) Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, January 19, 2006 8:02 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Gauging AD experience

"when good directories go bad" sounds like a catchy title for a presentation, Joe. I think of directories and identity management infrastructures a little like networks: you rarely do get to design one from scratch, you're always tweaking an existing one. And I agree that tweaking the existing ones are a lot more interesting than designing from a blank slate. The analogy could be taken too far, but like networks, directories and authentication systems are always morphing due to new technologies, new tools, adding or removing applications. Lots of fun. Al Maurer Service Manager, Naming and Authentication Services IT | Information Technology Agilent Technologies (719) 590-2639; Telnet 590-2639 http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, January 18, 2006 6:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Gauging AD experience

I would say focusing on the design of big directories is pigeon-holing a little too much. There are only so many big directories that need to be designed. I personally find much more fun in diagnosing good directories that have gone bad than trying to design them. I design if I have to but it isn't what I like. Plus often with the design, it is rarely the case where you actually have all of the info though someone will tell you you do. You find out you don't later on when someone starts complaining or something starts breaking. I am not sure I would go so far to say it is something you let the tools handle though. A lot of the tools out there still aren't doing the greatest job and there are many companies that don't want to spend the millions on those tools that they would be charged for them instead having a few really good people handling it. A tool doesn't see bad things coming when someone is coming at you with the next great thing they want to plug into the AD. If the tool does catch it, it is way too late in the integration cycle. Plus, what if the tool isn't catching the problem? Someone has to be knowledgeable enough too. If you depend solely on your tools to keep your AD running well it is possible you are going to get cut pretty good.

When I did Ops, I had several tools that watched what had been determined needed to be watched and then I would just go off and sample things to decide if there was something that maybe could be watched that we weren't watching. That could take the form of just watching network packets on a DC or a client subnet for an hour or so or just walking the event logs event by event or walking through looking at objects in the directory. Whatever. To get into those positions you want to get in with the companies already mentioned and jump about (and try not to hurt the customer too much with your learning) or find a big company and take whatever entry position you can get and prove yourself and grow into bigger/better positions. Don't expect to, for instance, walk into Walmart and become their AD guy. Maybe you get in as desktop support and get to know the right people and make suggestions on how things can be better and work your way up. You could possibly walk into a company and be their expert right off if your experience is greater than what they currently have or your resume indicates it or they are desperate. But it could end up biting you in the end if you don't turn out to be what
RE: [ActiveDir] OT: Script Request - Restart Remote Service
Here's a script I use - prompts to stop or start the service; watch line wrap modify to suit your needs.

On Error Resume Next
Const TIMEOUT = 5
Set objShell = WScript.CreateObject("WScript.Shell")
ComputerName = "Server"
ServiceName = "SurfControl Scout Service"
Err.Clear
For Each Service In _
    GetObject("winmgmts:{impersonationLevel=impersonate}!//" & ComputerName).ExecQuery _
    ("select * from Win32_Service where Name = '" & ServiceName & "'")
    If Err.Number <> 0 Then
        MyErr = Err.Number & " - " & Err.Description
        MsgBox MyErr
    End If
    Status = Service.State
    If Err.Number <> 0 Then
        MyErr = Err.Number & " - " & Err.Description
        MsgBox MyErr
    End If
    If Status = "Running" Then
        Action = InputBox("The SurfControl service is running; do you want to stop it?" & vbCrLf & "Y or N", "Web Filter", "Y")
        If UCase(Action) = "Y" Then
            Service.StopService()
            objShell.Popup "Stop request sent.", TIMEOUT
        End If
    ElseIf Status = "Stopped" Then
        Action = InputBox("The SurfControl service is stopped; do you want to start it?" & vbCrLf & "Y or N", "Web Filter", "Y")
        If UCase(Action) = "Y" Then
            Service.StartService()
            objShell.Popup "Start request sent.", TIMEOUT
        End If
    Else
        objShell.Popup "Service state cannot be determined.", TIMEOUT
    End If
Next

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: 20 January 2006 16:06 To: ActiveDir.org Subject: [ActiveDir] OT: Script Request - Restart Remote Service Does anyone have a nice applet to enable the remote manual restart of a service on a server? The service permissions have been delegated as the app that uses it is not very good and needs to be restarted numerous times a day - it never hangs so the inbuilt stuff is no good. I have had a look but can find no examples to achieve my end goal. Regards, Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Gauging AD experience
But at least you're not bitter... -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E] Sent: Friday, January 20, 2006 12:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Gauging AD experience
RE: [ActiveDir] AD computer accounts being removed
Tell me about it. We had a vendor roll a server into every site to do as they pleased with. Didn't get sysprepped. Many sites decided to dcpromo theirs up. Of course every independent domain has to trust me, and you can't trust more than one domain with the same SID Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Friday, January 20, 2006 2:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed You can have collisions between a domain controller SID and a member server SID when two machines have duplicate SIDs and one is DCPROMO'd and the other is joined to the new domain. The error messages that are logged say something to the effect that the domain and the member server SIDs conflict. Darn confusing when you see it for the first time. I'll see if I can dig out the exact text of the message. Wook From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, January 18, 2006 6:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Yep sorry, didn't intend to say it wasn't a good idea. At some point the list will catch up and my post that says that will show up. :) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 8:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Dozen other reasons to run it. Not running sysprep is just a bad idea. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, January 18, 2006 8:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Well not really. The important SID in question is the Domain SID and that isn't duped. The domain doesn't care about the machine SID. 
It is still good practice to newsid the machines though. If the accounts are disappearing it is one of two things 1. Someone is deleting it. 2. During the join process something fails and the computer deletes the object out. I don't recall the details of this but I do recall hearing it happen. It happens right after the failed join though, you don't have to wait for it. I have also heard other people who don't have enough rights report the account being disabled instead of deleted. I never verified personally either. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 6:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed NO NO NO NO NO BAD BAD BAD You have to use sysprep. You're getting duplicate SIDs here bad. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser Sent: Wednesday, January 18, 2006 5:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary, Brian, I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep? 
And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :( From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 12:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary- Are you implying you don't sysprep your images? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold Sent: Wednesday, January 18, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine.
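The thread above makes two separate points: joe's, that the domain only cares about the domain SID, and Wook's, that a cloned box whose machine SID happens to equal a new domain's SID (because its twin was the first DC promoted) does collide. The script below is an added example, not code from anyone on the list, that checks both conditions across a set of workstations. It derives each machine SID from the RID-500 local account via WMI (so a renamed Administrator still works), reads the domain SID from the domain head, and reports any SID shared by more than one host or equal to the domain SID. It assumes WMI/RPC access to every host and a caller who can read the domain naming context; the hostnames at the bottom are placeholders.

```powershell
# Added example (not from this thread): find cloned workstations that share a machine SID,
# and flag any whose machine SID is also the domain SID (the DC/member collision case).
# Assumes WMI/RPC access to each host; 'WS01'..'WS03' below are placeholder names.
Add-Type -AssemblyName System.DirectoryServices

function Get-MachineSid {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    # The built-in Administrator keeps RID 500 even when renamed, so the machine SID is
    # that account's SID with the final sub-authority (the RID) removed.
    $admin = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
        -Filter "LocalAccount = TRUE AND SID LIKE 'S-1-5-21-%-500'"
    if (-not $admin) { throw "No RID-500 local account found on $ComputerName" }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($admin.SID)
    return $sid.AccountDomainSid.Value
}

function Get-DomainSid {
    # objectSid on the domain head is the domain SID in binary form
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $bytes  = $domain.GetDirectoryEntry().Properties['objectSid'].Value
    return (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

function Find-DuplicateMachineSids {
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)
    $domainSid = Get-DomainSid
    $seen = @()
    foreach ($c in $ComputerName) {
        try {
            $m = Get-MachineSid -ComputerName $c
        } catch {
            Write-Warning "$c`: $_"
            continue
        }
        if ($m -eq $domainSid) {
            # A member whose machine SID equals the domain SID came from the same image as
            # the first DC; this is the "domain and member server SIDs conflict" case.
            Write-Warning "$c has machine SID $m, which is also the domain SID"
        }
        $seen += New-Object PSObject -Property @{ Computer = $c; MachineSid = $m }
    }
    # Any SID shared by two or more hosts is a set of clones that were never sysprepped
    $seen | Group-Object -Property MachineSid | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        New-Object PSObject -Property @{
            MachineSid = $_.Name
            Computers  = ($_.Group | ForEach-Object { $_.Computer }) -join ', '
        }
    }
}

Find-DuplicateMachineSids -ComputerName 'WS01', 'WS02', 'WS03' | Format-Table -AutoSize
```

A set of hosts sharing a machine SID will not by itself break domain joins, which is joe's point; the warning about the domain SID is the case Wook saw, and the only way out of that one is to re-image (or NewSID) the member before it joins.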
RE: [ActiveDir] OT: speaking of AD books...
Reserved my copy. You should see if they'll do the Saturday Fedex home delivery like when you reserve a copy of Harry Potter. ;) Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of joe Sent: Friday, January 20, 2006 3:42 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, January 19, 2006 5:09 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... Yeah the dates have been all dorked up. Even the O'Reilly site initially said Feb. The initial thought was this would be out for the release of R2 at the end of the year. Didn't happen. :) Anyway, as mentioned in another post, I got my advance copy via FedEx today so I know hardcopy versions officially exist, at least one. I was last told the 18th was the date and today is the 19th and it was shipped to me on the 17th so that seems pretty accurate. Not sure when it will hit US Amazon. Once it does, I will post a link from my website that will take people directly to it. Hopefully the person who posted that review below will take another read and see if I made it better for them as there were, to be honest, parts that were just plain incorrect. :) However there was/is a table indicating what modes there are and what you get from each. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Thursday, January 19, 2006 3:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... I just went to see the UK release date on amazon.co.uk for this book and it's 28/02 or 02/28 depending on your flavour and I saw this - someone was not happy. 
+ Active Directory, 2nd Edition, August 14, 2003 Reviewer: A reader from Oxfordshire, United Kingdom I was recommended this book and can only guess at what the person who recommended it was thinking. Make no mistake, this book is poor. Some parts are misleading, there are a number of omissions (for example, there's a long discussion of changing domain/forest modes, but no discussion of what the modes are and what each provides) and some parts are just plain incorrect. Now, how do I get my money back? + Anyway it made me laugh. Mark -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 19 January 2006 18:57 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: speaking of AD books... Design and Deployment of Microsoft's Active Directory O'Reilly Releases Active Directory, Third Edition Sebastopol, CA--Since its introduction in Windows 2000, Microsoft's Active Directory has improved the way organizations share network resources such as users, groups, computers, printers, applications, and files. Having a single source for this information makes it more accessible and easier to manage, notes Robbie Allen, co-author of the highly acclaimed Active Directory, now available in its third edition (O'Reilly, US $49.99). To accomplish this, however, requires a significant amount of knowledge on topics such as LDAP, Kerberos, DNS, multi-master replication, group policies, and data partitioning, to name a few. In other words, Active Directory is still a major headache for network and system administrators who have to design, implement, and support it. Allen's book, co-written with industry experts Joe Richards and Alistair G. Lowe-Norris, offers a clear and detailed introduction that not only guides administrators through the maze of technologies, but also helps them understand the big picture. 
Our book describes Active Directory in depth, but not in the traditional way of going through the graphical user interface screen by screen, Allen explains. Instead, the book sets out to tell administrators how to design, manage, and maintain a small, medium, or enterprise Active Directory infrastructure that's both scalable and reliable. Many industry authorities consider this book to be the definitive resource for implementing Active Directory. Allen, Richards, and Lowe-Norris have revised the new edition of Active Directory significantly to describe features that have been updated or added in Windows Server 2003 R2, including coverage of programmatic interfaces available to manage them. Three additional chapters explain new features and concepts such as Active Directory Application Mode (ADAM), and scripting for common user and group tasks for Microsoft Exchange 2000/2003. Once information has been added to Active Directory, it can be
RE: [ActiveDir] OT: speaking of AD books...
We're migrating our AD from W2K to W2K3 in the next month. And I want to be able to find out a little about the AD migration beforehand (our consultant is doing it - I'm not ready to jump into deep water on something like this). Will the 3rd edition cover W2K and getting from there to W2K3? And we'll still be using W2K on a couple of servers, so I want to be able to have documentation that will cover both. Thanks. Gary -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Friday, January 20, 2006 2:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... Reserved my copy. You should see if they'll do the Saturday Fedex home delivery like when you reserve a copy of Harry Potter. ;) Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] 3rd party DNS and windows DDNS updates
Kinda? Hmm... :) Go ahead and sniff it, but keep in mind that it may be different for different client versions. If they're all the same version, no worries but if you ever have different ones, then it's better to go the appropriate route for your risk tolerance. Alex, I can think of no time when a client would use a name resolution server that is not authoritative for its primary domain. Ever. Can you provide a scenario that would warrant such a thing? Technically that is. It's never a good idea IMHO to use a NS that is not authoritative for your own primary zone. Never. That's because you'll get confused during troubleshooting and because you'll have trouble at some point in the lifetime of that client. It's essentially a self-made time-bomb waiting for the right moment to ruin your day. On 1/20/06, Alex Fontana [EMAIL PROTECTED] wrote: For starters…I kinda agree ;-) Simplicity, especially when dealing with DNS and AD is my primary concern, and I may just be playing devil's advocate here, but if I learn something new it was worth it! So… I do care what it's supposed to do because it helps me in troubleshooting issues. The RFC for DDNS specifically says that the client must know the name of the zone for which it is trying to update a RR, and must know the MNAME of the SOA for that zone. That said, put a sniffer on your machine and run ipconfig /registerdns. You'll see that the first operation is a query for the SOA for your hostname. Besides, telling a client to use a different DNS server than one that is authoritative for its own primary zone happens all the time. Think of a remote office in a DNS environment that uses primary/secondary configs. More likely than not those clients are going to point to a Secondary DNS server as primary for resolution and maybe the master as secondary. Regardless, the first operation will be a query for the SOA record. 
Again, do I suggest everyone go and point their clients to bob.com's dns server when their clients are in the jim.bob.com domain? No, of course not, but it would work. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick Sent: Friday, January 20, 2006 6:34 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] 3rd party DNS and windows DDNS updates Additionally, I've never seen it work well even though it may be that it's supposed to. To be honest, I never cared what it's supposed to do, because of the amount of confusion it causes and the likelihood that it would break for something it is ridiculous to begin with. In my opinion, there is no sound reason to tell a client to use a different DNS server than the one that is authoritative for its own primary zone for name services. That's an absurd way to do things that has no technical merit that I have ever seen. Whenever I see a configuration such as this, it is always either a misunderstanding or a politically motivated decision, but never a good one. Like I said earlier, tell your client to avoid the hassle of a complicated name resolution scheme and instead use DNS the way it was designed to work. You get paid to make those kind of suggestions ;) On 1/20/06, Lee, Wook [EMAIL PROTECTED] wrote: Yea, with a caveat. You need to be careful when mixing DNS implementations. We've seen cases where forwarding of dynamic updates breaks because of bugs in one or both implementations. The moral of the story is to test, test, test, then deploy and keep your fingers crossed because there's no accounting for production. Be ready with a contingency plan in case it all comes crashing down around your ears. 
Wook From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex Fontana Sent: Thursday, January 19, 2006 9:07 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 3rd party DNS and windows DDNS updates As I understand it; the client machine queries its primary DNS server for the SOA of the zone that matches the client's primary DNS Suffix. It then attempts to register its A/PTR records with primary for that zone. That said, as long as the client's primary dns server knows who the SOA for the client's zone is you should be ok… Yay? Nay? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick Sent: Thursday, January 19, 2006 6:02 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] 3rd party DNS and windows DDNS updates Give a little more detail, can you? What I think you're asking is, if the zone is a third party hosted zone delegated to AD, but the users are using the third party host as their primary dns resolver, then would they be able to update their records? Is that about it? If that's the case, then I would think not. Why? Because the client must talk directly to the server that is authoritative for the zone so it can write the record. In most situations, I have always advocated having machines use the servers that host their primary zone for all
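Alex describes the two steps a Windows client takes on ipconfig /registerdns: ask its configured resolver for the SOA of the zone named by its primary DNS suffix, then send the UPDATE to that zone's primary (the SOA MNAME). The script below is an added example, not from anyone on the list, that performs the first step the way the client does and reports where the second step will go, so you can see before sniffing whether the resolver and the update target are the same box. It assumes the Windows nslookup output format ("primary name server = ..."), that Win32_ComputerSystem.Domain matches the client's primary DNS suffix, and that the MNAME resolves from this host.

```powershell
# Added example (not from this thread): show which server this client's dynamic DNS
# registration will be sent to. Assumes Windows nslookup output and that the primary
# DNS suffix equals the computer's domain name.
function Get-DdnsUpdateTarget {
    param(
        [string]$Suffix = (Get-WmiObject -Class Win32_ComputerSystem).Domain,
        [string]$Resolver
    )
    if (-not $Resolver) {
        # The SOA query goes to the first configured resolver on an IP-enabled adapter
        $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
               Where-Object { $_.DNSServerSearchOrder } | Select-Object -First 1
        if (-not $cfg) { throw "No adapter with a configured DNS server" }
        $Resolver = $cfg.DNSServerSearchOrder[0]
    }
    # Step 1: ask the resolver for the SOA of the suffix to learn the zone's primary (MNAME)
    $out = & nslookup -type=SOA $Suffix $Resolver 2>&1 | Out-String
    if ($out -match 'primary name server\s*=\s*(\S+)') {
        $mname = $Matches[1].TrimEnd('.')
    } else {
        throw "$Resolver returned no SOA for $Suffix; the client cannot locate the zone to update"
    }
    # Step 2: the UPDATE is sent to the MNAME first, which need not be the resolver at all
    $mnameIps = [System.Net.Dns]::GetHostAddresses($mname) | ForEach-Object { $_.ToString() }
    New-Object PSObject -Property @{
        Suffix            = $Suffix
        Resolver          = $Resolver
        UpdateTarget      = $mname
        ResolverIsPrimary = [bool]($mnameIps -contains $Resolver)
    }
}

Get-DdnsUpdateTarget | Format-List
```

ResolverIsPrimary being False is the remote-office case Alex mentions: registration still works as long as the MNAME is reachable from the client and accepts its update. What the script cannot tell you is whether the update will be accepted, which for an AD-integrated zone configured for secure updates means the target must be a DC that holds the zone; that is the "test, test, test" part of Wook's caveat.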
Re: [ActiveDir] OT: speaking of AD books...
On 1/20/06, Brian Desmond [EMAIL PROTECTED] wrote: Reserved my copy. You should see if they'll do the Saturday Fedex home delivery like when you reserve a copy of Harry Potter. ;) Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED]] On Behalf Of joe Sent: Friday, January 20, 2006 3:42 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of joe Sent: Thursday, January 19, 2006 5:09 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... Yeah the dates have been all dorked up. Even the O'Reilly site initially said Feb. The initial thought was this would be out for the release of R2 at the end of the year. Didn't happen. :) Anyway, as mentioned in another post, I got my advance copy via FedEx today so I know hardcopy versions officially exist, at least one. I was last told the 18th was the date and today is the 19th and it was shipped to me on the 17th so that seems pretty accurate. Not sure when it will hit US Amazon. Once it does, I will post a link from my website that will take people directly to it. Hopefully the person who posted that review below will take another read and see if I made it better for them as there were, to be honest, parts that were just plain incorrect. :) However there was/is a table indicating what modes there are and what you get from each. -Original Message- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Mark Parris Sent: Thursday, January 19, 2006 3:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... I just went to see the UK release date on amazon.co.uk for this book and it's 28/02 or 02/28 depending on your flavour and I saw this - someone was not happy. 
+ Active Directory, 2nd Edition, August 14, 2003 Reviewer: A reader from Oxfordshire, United Kingdom I was recommended this book and can only guess at what the person who recommended it was thinking. Make no mistake, this book is poor. Some parts are misleading, there are a number of omissions (for example, there's a long discussion of changing domain/forest modes, but no discussion of what the modes are and what each provides) and some parts are just plain incorrect. Now, how do I get my money back? + Anyway it made me laugh. Mark -Original Message- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 19 January 2006 18:57 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: speaking of AD books... Design and Deployment of Microsoft's Active Directory O'Reilly Releases Active Directory, Third Edition Sebastopol, CA--Since its introduction in Windows 2000, Microsoft's Active Directory has improved the way organizations share network resources such as users, groups, computers, printers, applications, and files. Having a single source for this information makes it more accessible and easier to manage, notes Robbie Allen, co-author of the highly acclaimed Active Directory, now available in its third edition (O'Reilly, US $49.99). To accomplish this, however, requires a significant amount of knowledge on topics such as LDAP, Kerberos, DNS, multi-master replication, group policies, and data partitioning, to name a few. In other words, Active Directory is still a major headache for network and system administrators who have to design, implement, and support it. Allen's book, co-written with industry experts Joe Richards and Alistair G. Lowe-Norris, offers a clear and detailed introduction that not only guides administrators through the maze of technologies, but also helps them understand the big picture. 
Our book describes Active Directory in depth, but not in the traditional way of going through the graphical user interface screen by screen, Allen explains. Instead, the book sets out to tell administrators how to design, manage, and maintain a small, medium, or enterprise Active Directory infrastructure that's both scalable and reliable. Many industry authorities consider this book to be the definitive resource for implementing Active Directory. Allen, Richards, and Lowe-Norris have revised the new edition of Active Directory significantly to describe features that have been updated or added in Windows Server 2003 R2, including coverage of programmatic interfaces available to manage them. Three additional chapters explain new features and concepts such as Active Directory Application Mode (ADAM), and scripting for common user and group tasks for Microsoft Exchange 2000/2003. Once information has been added to Active Directory, it can be made available for use throughout the entire network to as many or as few people as an administrator
Re: [ActiveDir] OT: speaking of AD books...
So when is the world wide book signing/speaking tour going to start? Do you have the dates you'll be here in Seattle to autograph my (pre-ordered) copy? Cheers Steve On 1/20/06, Garyphold [EMAIL PROTECTED] wrote: We're migrating our AD from W2K to W2K3 in the next month. And I want to be able to find out a little about the AD migration beforehand (our consultant is doing it - I'm not ready to jump into deep water on something like this). Will the 3rd edition cover W2K and getting from there to W2K3? And we'll still be using W2K on a couple of servers, so I want to be able to have documentation that will cover both. Thanks. Gary -Original Message- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Brian Desmond Sent: Friday, January 20, 2006 2:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... Reserved my copy. You should see if they'll do the Saturday Fedex home delivery like when you reserve a copy of Harry Potter. ;) Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
[ActiveDir] Disable the RDP Popup security alert.
Hello, I activated the client drives redirection while users log on a 2k3 TS via tsweb. But, while connecting, there is always a RDP popup security alert stating that: "The Remote Desktop Connection has asked a connection to your computer, do you want to: connect your local drives to the remote computer that may be a security risk" Is it possible to disable this Popup security alert? Thanks for input. Yann
[ActiveDir] Outlook setting via GP
I'm trying to make this change for our new laptop image. We've rolled it out to some test users and they all want their contacts folder to show up as an email address list. (click new message, to, and select from contacts). It's not available by default; it requires a few steps (http://support.microsoft.com/default.aspx?scid=kb;en-us;287563Product= ol2003). I'd like to be able to do this with GP, but I can't find a setting for it in the OL2003 administrative template anywhere. Anyone know how I can make that change? Thanks... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 **
RE: [ActiveDir] Outlook setting via GP
I'm looking at a way to do something similar but adding an LDAP address book. I'm looking at the Custom Installation Wizard (CIW) for Outlook. It may provide a way. http://www.outlook-tips.net/howto/prf.htm Good luck Jerry -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Friday, January 20, 2006 3:38 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Outlook setting via GP I'm trying to make this change for our new laptop image. We've rolled it out to some test users and they all want their contacts folder to show up as an email address list. (click new message, to, and select from contacts). It's not available by default; it requires a few steps (http://support.microsoft.com/default.aspx?scid=kb;en-us;287563Product= ol2003). I'd like to be able to do this with GP, but I can't find a setting for it in the OL2003 administrative template anywhere. Anyone know how I can make that change? Thanks... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 **
RE: [ActiveDir] AD computer accounts being removed
I was referring to workstations not Servers, who would even think of ghosting a Server? And here is the bottom line I have been ghosting workstations for several years now at this site without using Sysprep or anything like it, and it has caused me no problems, I have yet to hear anything worth while on why I should be running sysprep on a workstation in a Domain Environment where local login is not prohibited other than some BS stuff from Wininternals or some other mag like that. So put your rolled up newspapers away ( unless of course you're going to be using it on yourself ) and give me something worth while or concrete as to why I should be running Sysprep in the mentioned environment other than NO NO NO NO BAD BAD BAD BAD you must run sysprep. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Friday, January 20, 2006 11:37 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Tell me about it. We had a vendor roll a server into every site to do as they pleased with. Didn't get sysprepped. Many sites decided to dcpromo theirs up. Of course every independent domain has to trust me, and you can't trust more than one domain with the same SID Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Friday, January 20, 2006 2:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed You can have collisions between a domain controller SID and a member server SID when two machines have duplicate SIDs and one is DCPROMO'd and the other is joined to the new domain. The error messages that are logged say something to the effect that the domain and the member server SIDs conflict. Darn confusing when you see it for the first time. I'll see if I can dig out the exact text of the message. 
Wook From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, January 18, 2006 6:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Yep sorry, didn't intend to say it wasn't a good idea. At some point the list will catch up and my post that says that will show up. :) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 8:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Dozen other reasons to run it. Not running sysprep is just a bad idea. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, January 18, 2006 8:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Well not really. The important SID in question is the Domain SID and that isn't duped. The domain doesn't care about the machine SID. It is still good practice to newsid the machines though. If the accounts are disappearing it is one of two things 1. Someone is deleting it. 2. During the join process something fails and the computer deletes the object out. I don't recall the details of this but I do recall hearing it happen. It happens right after the failed join though, you don't have to wait for it. I have also heard other people who don't have enough rights report the account being disabled instead of deleted. I never verified personally either. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 6:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed NO NO NO NO NO BAD BAD BAD You have to use sysprep. You're getting duplicate SIDs here bad. 
Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser Sent: Wednesday, January 18, 2006 5:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary, Brian, I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep? And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :( From:
RE: [ActiveDir] AD computer accounts being removed
Sorry, Sorry, Sorry it is Friday and I have had enough, next time I will try to think before I hit Send (Disregard last post on this topic) Aaron Visser From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Friday, January 20, 2006 11:37 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Tell me about it. We had a vendor roll a server into every site to do as they pleased with. Didn't get sysprepped. Many sites decided to dcpromo theirs up. Of course every independent domain has to trust me, and you can't trust more than one domain with the same SID Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Friday, January 20, 2006 2:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed You can have collisions between a domain controller SID and a member server SID when two machines have duplicate SIDs and one is DCPROMO'd and the other is joined to the new domain. The error messages that are logged say something to the effect that the domain and the member server SIDs conflict. Darn confusing when you see it for the first time. I'll see if I can dig out the exact text of the message. Wook From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, January 18, 2006 6:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Yep sorry, didn't intend to say it wasn't a good idea. At some point the list will catch up and my post that says that will show up. :) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 8:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Dozen other reasons to run it. Not running sysprep is just a bad idea. 
Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, January 18, 2006 8:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Well not really. The important SID in question is the Domain SID and that isn't duped. The domain doesn't care about the machine SID. It is still good practice to newsid the machines though. If the accounts are disappearing it is one of two things 1. Someone is deleting it. 2. During the join process something fails and the computer deletes the object out. I don't recall the details of this but I do recall hearing it happen. It happens right after the failed join though, you don't have to wait for it. I have also heard other people who don't have enough rights report the account being disabled instead of deleted. I never verified personally either. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 6:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed NO NO NO NO NO BAD BAD BAD You have to use sysprep. You're getting duplicate SIDs here bad. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser Sent: Wednesday, January 18, 2006 5:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary, Brian, I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep? 
And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :( From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 12:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary- Are you implying you don't sysprep your images? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold Sent: Wednesday, January 18, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Brenda, FWIW: It
RE: [ActiveDir] Outlook setting via GP
OK; that tip led me to what I think is the answer. :-) I had originally used the Custom Installation Wizard to configure OL. I was able to use the Custom Maintenance Wizard to build a CMW file to run against the test computer. What I'm not sure about yet is whether the CIW will leave all the other configured settings alone (I _think_ it does) or whether it overwrites them all. Anyone know for sure?

Now I just need to apply the CMW file. I might just do that as a manual task as part of the post-imaging process; since it's not an msi or mst, I don't think I can use software installation to push it out...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
Sent: Friday, January 20, 2006 2:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook setting via GP

I'm looking at a way to do something similar but adding an LDAP address book. I'm looking at the Custom Installation Wizard (CIW) for Outlook. It may provide a way. http://www.outlook-tips.net/howto/prf.htm

Good luck
Jerry

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Friday, January 20, 2006 3:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Outlook setting via GP

I'm trying to make this change for our new laptop image. We've rolled it out to some test users and they all want their contacts folder to show up as an email address list (click new message, to, and select from contacts). It's not available by default; it requires a few steps (http://support.microsoft.com/default.aspx?scid=kb;en-us;28756 3Product= ol2003). I'd like to be able to do this with GP, but I can't find a setting for it in the OL2003 administrative template anywhere. Anyone know how I can make that change? Thanks...
**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Gauging AD experience
LOL. That's great Todd! Trusts across firewalls... one of my favorite things!

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E]
Sent: Friday, January 20, 2006 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

In my experience, when good directories go bad, it is usually due to three things.

Firewalls
Firewalls
Did I list firewalls?

Runners up would be ADC for Exchange, Clowns posing as Administrators, Clowns posing as DNS experts, Clowns posing as Security experts, and no disaster recovery solution.

Todd Myrick
Brushing off the dust of my MVP status.

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

When I read Al's post I thought of you Wook, I figured, hey Wook could use a creative presentation name... ;o)

I would say When Bad Things Happen To Good Directories is more on par with When Bad Things Happen To Good People, say like when your nanny gets a flat tire. When Good Directories Go Bad is more like when your good little daughter hits her teen years and starts going out to parties in fish net stockings and Big Red gum. :o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 19, 2006 2:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience
Importance: Low

Sorry, I already did that one. My first DEC presentation was entitled When Bad Things Happen To Good Directories. :)

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 8:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

When good directories go bad... sounds like a catchy title for a presentation, Joe.

I think of directories and identity management infrastructures a little like networks: you rarely do get to design one from scratch, you're always tweaking an existing one. And I agree that tweaking the existing ones is a lot more interesting than designing from a blank slate. The analogy could be taken too far, but like networks, directories and authentication systems are always morphing due to new technologies, new tools, adding or removing applications. Lots of fun.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

I would say focusing on the design of big directories is pigeon-holing a little too much. There are only so many big directories that need to be designed. I personally find much more fun in diagnosing good directories that have gone bad than trying to design them. I design if I have to but it isn't what I like. Plus often with the design, it is rarely the case where you actually have all of the info, though someone will tell you you do. You find out you don't later on when someone starts complaining or something starts breaking.

I am not sure I would go so far to say it is something you let the tools handle though. A lot of the tools out there still aren't doing the greatest job and there are many companies that don't want to spend the millions on those tools that they would be charged for them, instead having a few really good people handling it.

A tool doesn't see bad things coming when someone is coming at you with the next great thing they want to plug into the AD. If the tool does catch it, it is way too late in the integration cycle. Plus, what if the tool isn't catching the problem? Someone has to be knowledgeable enough too. If you depend solely on your tools to keep your AD running well it is possible you are going to get cut pretty good.

When I did Ops, I had several tools that watched what had been determined needed to be watched and then I would just go off and sample things to decide if there was something that maybe could be watched that we weren't watching. That could take the form of just watching network packets on a DC or a client subnet for an hour or so, or just walking the event logs event by event, or walking through looking at objects in the directory. Whatever.

To get into those positions you want to get in with the companies already mentioned and jump about (and try not to hurt the customer too much with your learning) or find a big company and take whatever entry position you can get and prove yourself and
Re: [ActiveDir] OT: Script Request - Restart Remote Service
Yup,

SC \\remoteserver stop myservice
SC \\remoteserver start myservice

* Assumes the user or app running SC has enough rights to manage the service remotely.

Note: It doesn't handle automanagement for dependent services, same as the other posted scripts. I have VBScript to handle dependent services as well (put somewhere, need to find); if you need it let me know.

--
Kamlesh

On 1/20/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:

Sc.exe is an easy command-line utility for managing local and remote services. Comes with the OS.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Mark Parris
Sent: Friday, January 20, 2006 8:06 AM
To: ActiveDir.org
Subject: [ActiveDir] OT: Script Request - Restart Remote Service

Does anyone have a nice applet to enable the remote manual restart of a service on a server? The service permissions have been delegated as the app that uses it is not very good and needs to be restarted numerous times a day - it never hangs so the inbuilt stuff is no good. I have had a look but can find no examples to achieve my end goal.

Regards,
Mark

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--
~Be the change you want to see in the World~
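The sc.exe stop/start pair above restarts a remote service but, as the note in the thread says, leaves any dependent services stopped. The PowerShell script below is an added example (not Kamlesh's VBScript or any other code from the list) that records the running dependents, restarts the service through the remote Service Control Manager, and brings the dependents back; it assumes the caller already holds the delegated stop/start rights the thread describes, and SERVER01 and MyService are placeholder names.

```powershell
# Added example, not code from the thread. Assumes the same delegated rights sc.exe
# needs to stop/start the service and its dependents on the remote machine.
# SERVER01 and MyService are placeholder names.
param(
    [Parameter(Mandatory = $true)] [string] $ComputerName,  # e.g. SERVER01
    [Parameter(Mandatory = $true)] [string] $ServiceName,   # e.g. MyService
    [int] $TimeoutSeconds = 60
)

$timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)

# Walk the dependency tree (parents before children) and return every dependent
# that is running now, so we know which ones to bring back up afterwards.
function Get-RunningDependents([System.ServiceProcess.ServiceController] $Service) {
    foreach ($dep in $Service.DependentServices) {
        if ($dep.Status -eq 'Running') {
            $dep
            Get-RunningDependents $dep
        }
    }
}

# Talk to the remote Service Control Manager directly, the same interface sc.exe uses.
$svc = New-Object System.ServiceProcess.ServiceController($ServiceName, $ComputerName)
$svc.Refresh()
$toRestart = @(Get-RunningDependents $svc)

if ($svc.Status -ne 'Stopped') {
    # ServiceController.Stop() stops running dependents before the service itself;
    # Start() does not bring them back, which is the gap the note above points at.
    Write-Host "Stopping $ServiceName on $ComputerName (dependents: $($toRestart.Name -join ', '))"
    $svc.Stop()
    $svc.WaitForStatus('Stopped', $timeout)   # throws a TimeoutException if it hangs
}

$svc.Start()
$svc.WaitForStatus('Running', $timeout)
Write-Host "$ServiceName is running again on $ComputerName"

# Bring the dependents back in the parent-first order we recorded.
foreach ($dep in $toRestart) {
    $dep.Refresh()
    if ($dep.Status -eq 'Stopped') {
        $dep.Start()
        $dep.WaitForStatus('Running', $timeout)
        Write-Host "Restarted dependent service $($dep.Name)"
    }
}
```

Run it as `.\Restart-RemoteService.ps1 -ComputerName SERVER01 -ServiceName MyService` from an account that has only the delegated rights on that service, so the script cannot be used to stop anything else.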