Re: [ActiveDir] Enumerating Group type and Membership...
Hello Mike,

Try this one:

Option Explicit
Dim objDomain, objUser, objGroup

' Bind to the domain through the WinNT provider
Set objDomain = GetObject("WinNT://MyDomain")

' Pass 1: every user and the groups it belongs to
objDomain.Filter = Array("user")
For Each objUser In objDomain
    Wscript.Echo "User: " & objUser.Name
    For Each objGroup In objUser.Groups
        Wscript.Echo "-- Member of group: " & objGroup.Name
    Next
Next

' Pass 2: every group and its members
objDomain.Filter = Array("group")
For Each objGroup In objDomain
    Wscript.Echo "Group: " & objGroup.Name
    For Each objUser In objGroup.Members
        Wscript.Echo "-- Member: " & objUser.Name
    Next
Next

Fire it with something like:

cscript dump.vbs > dump.txt

Just my 2 cents

Mathieu CHATEAU
http://lordoftheping.blogspot.com

Tuesday, July 25, 2006, 8:49:11 PM, you wrote:

> All,
> I'm trying to enumerate all groups in my AD environment. I need to get group name, group type and group members for each group. I've tried some sample vbscripts from http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx
> Then I tried (below) but it still doesn't seem to pull back everything I need. Any help would be great! In a perfect world -J- I need a list of all security groups and distribution groups and their members.
> Thanks,
> Mike
>
> Enumerate Security Groups and Members in Domain:
> csvde -f c:\tmp\SecurityGroups.csv -p subtree -l cn,mail,member -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640))))" -j c:\tmp
>
> Enumerate Distribution Groups and Members in Domain:
> csvde -f c:\tmp\DistributionLists.csv -p subtree -l cn,mail,member -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2))))" -j c:\tmp

--
Best regards,
Mathieu
mailto:[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
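The groupType values in Mike's csvde filters are bit flags rendered as signed 32-bit integers: one scope bit (global 0x2, domain local 0x4, universal 0x8) plus the security-enabled bit 0x80000000, which is what makes the security-group values negative. The following Python script is an added example and not code from the thread: it derives those filter values from the flag bits, and it parses a csvde-style export into a per-group summary. It assumes the export was produced with groupType included in the attribute list (for example "-l cn,mail,member,groupType"), that csvde's DN-first column layout and ";" separator for multi-valued attributes are in use, and the sample export embedded below is constructed, not real directory data.

```python
"""Decode Active Directory groupType flags and summarize a csvde group export.

Added example for the ActiveDir thread on enumerating group type and
membership; it is not code from the thread or from Microsoft.
"""
import csv
import io

# groupType bit flags (the ADS_GROUP_TYPE_* values). A group carries exactly
# one scope bit and, for security groups, the SECURITY_ENABLED bit.
GLOBAL = 0x00000002
DOMAIN_LOCAL = 0x00000004
UNIVERSAL = 0x00000008
SECURITY_ENABLED = 0x80000000
SCOPE_NAMES = {GLOBAL: "global", DOMAIN_LOCAL: "domain local", UNIVERSAL: "universal"}


def to_signed32(value):
    """Render a 32-bit flag word the way csvde/LDAP tools display groupType."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def decode_group_type(value):
    """Return (scope, is_security) for a groupType as exported by csvde."""
    flags = int(value) & 0xFFFFFFFF  # undo the signed rendering
    scope = next((name for bit, name in SCOPE_NAMES.items() if flags & bit), "unknown")
    return scope, bool(flags & SECURITY_ENABLED)


def group_type_filter(security):
    """LDAP filter selecting all security (or all distribution) groups.

    Yields the same three groupType values the thread's csvde commands list,
    but derived from the flag bits instead of typed by hand.
    """
    flag = SECURITY_ENABLED if security else 0
    clauses = "".join(f"(groupType={to_signed32(scope | flag)})" for scope in SCOPE_NAMES)
    return f"(&(objectCategory=group)(|{clauses}))"


def parse_csvde_export(text):
    """Parse a csvde export that includes the cn, mail, member and groupType columns.

    Assumption: csvde writes the DN as the first column and joins multi-valued
    attributes such as 'member' with ';'.
    """
    groups = []
    for row in csv.DictReader(io.StringIO(text)):
        scope, is_security = decode_group_type(row["groupType"])
        members = [m for m in row["member"].split(";") if m]
        groups.append({
            "dn": row["DN"],
            "cn": row["cn"],
            "mail": row["mail"] or None,
            "scope": scope,
            "kind": "security" if is_security else "distribution",
            "members": members,
        })
    return groups


def summarize(groups):
    """Count groups per (kind, scope) and list security groups with no members."""
    counts = {}
    empty_security = []
    for g in groups:
        key = (g["kind"], g["scope"])
        counts[key] = counts.get(key, 0) + 1
        if g["kind"] == "security" and not g["members"]:
            empty_security.append(g["cn"])
    return counts, empty_security


# Constructed sample in csvde's CSV layout (hypothetical domain example.com).
SAMPLE_EXPORT = """\
DN,cn,mail,member,groupType
"CN=Domain Admins,CN=Users,DC=example,DC=com",Domain Admins,,"CN=Administrator,CN=Users,DC=example,DC=com;CN=Alice,OU=IT,DC=example,DC=com",-2147483646
"CN=All Staff,OU=Lists,DC=example,DC=com",All Staff,allstaff@example.com,"CN=Alice,OU=IT,DC=example,DC=com",8
"CN=Helpdesk,OU=Groups,DC=example,DC=com",Helpdesk,,,-2147483644
"CN=Printer Ops,OU=Groups,DC=example,DC=com",Printer Ops,printer-ops@example.com,"CN=Bob,OU=IT,DC=example,DC=com",4
"""

if __name__ == "__main__":
    print("security filter:    ", group_type_filter(True))
    print("distribution filter:", group_type_filter(False))
    parsed = parse_csvde_export(SAMPLE_EXPORT)
    for g in parsed:
        print(f"{g['cn']:<14} {g['kind']:<12} {g['scope']:<12} members={len(g['members'])}")
    counts, empty = summarize(parsed)
    print("counts:", counts)
    print("security groups with no explicit members:", empty)
```

One caveat when reading the member column this way: membership held through a user's primaryGroupID (Domain Users for most accounts) is not stored in the group's member attribute, so such groups show as empty in the export even though they are not.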
Re: [ActiveDir] Single Space in LDAP query dropped: Why?
Return Receipt

Your document: Re: [ActiveDir] Single Space in LDAP query dropped: Why?
was received by: Sheik D. Badhusha/UNIOSIL
at: 19/08/2006 10:05:22 AM PDT
RE : Re: RE : RE: [ActiveDir] backup and restore AD.
Hello Brett,

The problem was that one disk in my RAID 5 was corrupted. So I changed the disk and I checked that my RAID 5 was OK via Dell OpenManage. But when restarting the DC, it shows a Windows popup stating an error in lsass.exe and that I have to boot in DSRM mode. When I clicked OK, my DC reboots again and that scenario never ends until I boot in DSRM mode!! When logging in DSRM mode, there was only the ntds.dit and the Edb*.log, no edb.chk!! So I restored system state, but when the restore finished, there was still no edb.chk created in DSRM mode: a semantic checker shows a Jet error stating that no transaction logs were found. So I had 2 options:
1) restore ntds.dit, edb.chk, Edb*.log, Res1.log and Res2.log from my last full backup. This backup was done 5 days ago.
2) as a last resort, force a demotion via ntdsutil and delete all DNS registrations, FRS subscriptions and AD objects that point to this DC.
So I chose 1) and that works fine. I was lucky!!

Brett, is there any MS documentation stating that this type of "dirty" restoration is unsupported? I have not found any clue in MS TechNet. And in my situation, what would you have done? Would 2) be a better and supported solution than 1)?

Thanks for advice.
Yann

Brett Shirley [EMAIL PROTECTED] wrote:

BTW, if you have snapshot based backup you _can_ backup and just restore only the AD data (dit, log, and chk), and it will work w/o USN rollback correctly. We used to run quick tests like that all the time, but ONLY validated that the DS / AD didn't break. That doesn't make it supported. BTW, it is in fact _not supported_.

There are an unknown # of components (AD itself, SAM, LSA, Kerberos, NTLM, AuthZ, etc ... just about anything DS or security related) that may have a dependency on some random part of AD and some random part of Registry data staying in sync ... we don't know what breaks when you restore one w/o the other ... this is why it is unsupported ... and almost completely untested ... but why let that dissuade you, you're a pioneer right. ;)

The most obvious case of this would be if you restored a DIT from one domain to the DIT folder for a DC in another domain, replacing its DIT. Would that work? Almost guaranteed there would be security issues. That's of course the extreme case, and one easy to avoid; we don't know the in-between cases.

Cheers,
-BrettSh [msft]

On Fri, 18 Aug 2006, Yann wrote:

Hello Jorge,
Thanks for clarification. I will check next week if I have no issues with USN rollback :( .
Yann

"Almeida Pinto, Jorge de" <[EMAIL PROTECTED]> wrote:

when a DC is restored from the system state (amongst others):
* the restored RID pool is thrown away (invalidated) and a new RID pool is requested at the RID master
* the invocation ID of the AD DB is changed (which prevents USN rollbacks)
so in your case it works because the backup is not that old. The AD DB is tightly coupled with the registry and there is a reason for that! That is the reason why you MUST restore the system state as MS says. The way you are doing that is, how shall I say it gently... NOT SUPPORTED! ;-) And I guess you will be hitting on USN Rollback. See my blog and search for BACKUP and you will find an article with some more info

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Tuesday, August 08, 2006 22:47
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] backup and restore AD.

Hello,
I had a question about AD backup/restore. It is possible to backup AD in 2 ways:
1) backup only the system state.
2) backup system state and the file system containing the AD working directory (ntds.dit, edb.chk, Edb*.log, Res1.log and Res2.log).
MS states that you have to restore your AD by restoring the system state. But what about just restoring the AD working directory without system state? I tested it and that works fine. So my question is: in what circumstances do I have to choose a restore from system state or a restore from the AD working directory?
Thanks for clarification,
Yann
RE: [ActiveDir] FMSO roles split, patch question.
Oh ... So virtual is where my test environment should be ... And that will adequately equate to a "real" production environment? ["Hmm ..." he wonders, "Could it be true?"]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: 17 August, 2006 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

That argument went out the window when the following happened:
Dell started selling desktops with jillion gigabyte drive space for under $1000
Microsoft started giving away Virtual Server with very liberal Windows Server 2003 licenses.
Us poor admins no longer needed bazillion dollars to create "test environments". Sorry, try another one :)

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Gordon Pegue
Sent: Thu 8/17/2006 1:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

What about us poor admins, who for a variety of reasons outside their control, don't have a "test" environment? I'm just a little guy, supporting a small business that doesn't have kilobucks to spare for non-production equipment. I sweat bullets every time MS issues updates and I spend a lot of time researching each and every one of them before I apply...

Thanks
Gordon Pegue
System Administrator
Chavez Grieves Consulting Engineers
Albuquerque, NM
www.cg-engrs.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Thursday, August 17, 2006 11:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

I completely disagree with you. I understand the thinking behind the move-roles-before-patch stance. I just don't buy into it. Test patch and be sure it doesn't kill things. Test your config changes and be sure it doesn't break things. Test, test and test more before you move into production. Then deploy to production. IF, in spite of all your tests, "something" goes wrong with one DC holding a specific role (or - perish the thought - ALL your roles), it's no big deal. As long as you have other DCs available to assume the roles, the target DC will not care how they got the roles (graceful transfer or inelegant seizure). It's good to have a script that moves roles as you desire, but this does not fall into the realm of "best practice" in the scheme of things. Your energy should be invested in instituting a comprehensive patch/change management and testing operations practice rather than figuring out where to move roles to in case a patch eats your DC.

Sincerely,
Deji Akomolafe

From: joe
Sent: Thu 8/17/2006 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

I completely concur with Jorge on his process. It takes a lot less hassle and a lot less feeling of concern to move a FSMO prior to an update of a machine than to have to seize the role later, regardless of the reason of it going down. Especially when you have a script that applies the NTDSUTIL commands to move the roles. A move of all roles in a properly scripted environment is a procedure that takes all of about 10-15 seconds. A seize on the other hand isn't something you should just quickly think about doing; you need to work out the consequences and make a determination in most cases whether or not you will ever bring that DC back up as it stands now. It is, IMO, a no-brainer if you have multiple DCs as it isn't any real workload or concern to do it.

When I am doing production ops I *always* move roles prior to making machine specific updates. I never assume a server is going to come back up after I say restart or in fact even go down properly without hanging. Now I understand the SBS thoughts behind it though... In the SBS world if you lost the DC, you have far greater issues than you lost a FSMO role for the moment. In the world outside of SBS, most people look at DCs as expendable. You set up 10 of them in front of you and 5 fell down you would be like, crap, I will have to fix those at some point. You set up
RE: [ActiveDir] FMSO roles split, patch question.
It isn't the best test environment but it is infinitely better than no test environment. If you have a QA environment that matches production then I am perfectly fine with an entirely virtual test environment.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Saturday, August 19, 2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

Oh ... So virtual is where my test environment should be ... And that will adequately equate to a "real" production environment? ["Hmm ..." he wonders, "Could it be true?"]
Re: [ActiveDir] FMSO roles split, patch question.
Perfect World = clone all servers, workstations, users (especially the stupid ones that break things all the time anyway). Install patches on the identical cloned network; when cloned users break things, beat them so they never do the stupid act again. (okay so maybe this is just a network admin's view of a perfect cloning experiment --- it might be better to beat the real users come to think of it...)

Best = set up a test network with real hardware that replicates the types/kinds of equipment you have
Better = set up a test network with mixtures of real/virtual
Good = test network is virtual, recreate apps, etc.
Better than nothing option 1 = users that are canaries.. they get patches first... they die so that others will live
Better than nothing option 2 = break the mirror, patch the main, ensure all is well, remirror (I'm personally not a fan of this...but...)

Bottom line: even in testing ... you won't find everything.

True story: I patched for a chm help file patch back in 2005, all looked fine, and I deployed the patch. Two weeks later someone pinged me that they couldn't get into the Tax software help file, it was suddenly blank. When I right mouse clicked on the suddenly blank page I realized it was a chm file and went oh... hang on, there was a patch... Contacted the vendor and sure 'nuff, they already knew about it and had a workaround.

So just plan on the fact that some things just won't be noticeable until it's in a live network and deal with it.

joe wrote:
> It isn't the best test environment but it is infinitely better than no test environment. If you have a QA environment that matches production then I am perfectly fine with an entirely virtual test environment.
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
> Sent: Saturday, August 19, 2006 10:36 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] FMSO roles split, patch question.
>
> Oh ... So virtual is where my test environment should be ... And that will adequately equate to a real production environment? [Hmm ... he wonders, Could it be true?]