RE: [ActiveDir] LastlogonTimestamp Missing
Even though this is a forest built on Server 2003, you probably still have to raise the domain/forest functional levels to 2003; this is probably not the default functional level. LastLogonTimestamp is one of the attributes that didn't appear until functional level 2003.

tdoan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Wednesday, October 25, 2006 9:00 PM
To: ActiveDir@mail.activedir.org
Subject: LastlogonTimestamp Missing

I have a Windows 2003 R2 single domain/forest. This domain/forest was built upon Windows 2003 R2 so it has never had to go through any upgrades. I wanted to query for the true last logon time/date for various users and noticed that the LastlogonTimestamp is not an available attribute for the user accounts. The standard non-replicated LastLogon attribute is there, but I would obviously be more interested in the replicated LastlogonTimestamp.

The LastlogonTimestamp schema attribute has been defined and it is listed as a systemmaycontain of the user class.

C:\>adfind -sc scontainsl:lastlogontimestamp user

Is there any reason why the LastlogonTimestamp attribute would not be appearing for user accounts? From what I understand, the LastlogonTimestamp attribute may not be instantiated on user accounts if the user accounts have not logged on since a domain has been upgraded to Windows 2003, however since this domain/forest was built upon Windows 2003 R2 this is not the case. Any ideas on how to get this attribute instantiated properly on the user accounts?

~Ben
RE: [ActiveDir] List Groups I'm In?
Hi!

Just a little question RE: whoami: I have Windows Server 2003 Service Pack 1 32-bit Support Tools :) installed on my laptop, and I can't find the whoami utility you are referring to..

Also, I see from your excerpt that you use where that seems to behave like which but for Windows: I'd really appreciate it if you could refer me to that utility ;)

Thanks a lot in advance.

Javier Jarava

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
Sent: Wednesday, October 25, 2006 19:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] List Groups I'm In?

whoami /groups

C:\Admin\Util>where whoami
C:\Program Files\Support Tools\whoami.exe

Not exactly stock but then again I consider Support Tools as an essential part of an installation :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B Allen
Sent: Wednesday, October 25, 2006 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] List Groups I'm In?

What is the easiest way for a user (say on a stock XP client) to list what groups they're in?

Specifically I'd like the user to be able to just type a command like 'net user list groups' or some such and get a list of NT Account names for tokenGroups.

Or if there is a dialog somewhere that's good too.

Ideas?

Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
Re: [ActiveDir] List Groups I'm In?
You can download it here: http://www.microsoft.com/downloads/details.aspx?familyid=3E89879D-6C0B-4F92-96C4-1016C187D429&displaylang=en

On 10/26/06, F. Javier Jarava [EMAIL PROTECTED] wrote:

Hi!

Just a little question RE: whoami: I have Windows Server 2003 Service Pack 1 32-bit Support Tools :) installed on my laptop, and I can't find the whoami utility you are referring to..

Also, I see from your excerpt that you use where that seems to behave like which but for Windows: I'd really appreciate it if you could refer me to that utility ;)

Thanks a lot in advance.

Javier Jarava

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
Sent: Wednesday, October 25, 2006 19:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] List Groups I'm In?

whoami /groups

C:\Admin\Util>where whoami
C:\Program Files\Support Tools\whoami.exe

Not exactly stock but then again I consider Support Tools as an essential part of an installation :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B Allen
Sent: Wednesday, October 25, 2006 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] List Groups I'm In?

What is the easiest way for a user (say on a stock XP client) to list what groups they're in?

Specifically I'd like the user to be able to just type a command like 'net user list groups' or some such and get a list of NT Account names for tokenGroups.

Or if there is a dialog somewhere that's good too.

Ideas?

Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
Re: [ActiveDir] Restore ACE on User Object
You can use dsacls with /T switch to restore the ACL back to default.

C:\>dsacls /?
Displays or modifies permissions (ACLS) of an Active Directory (AD) Object

DSACLS object [/I:TSP] [/N] [/P:YN] [/G group/user:perms [...]] [/R group/user [...]] [/D group/user:perms [...]] [/S] [/T] [/A]

/T Restore the security on the tree of objects to the default for the object class. This switch is valid only with the /S option.

On 10/26/06, Steve Evans [EMAIL PROTECTED] wrote:

Because of something called FERPA (Federal Student Privacy Act) I had written a script that goes through our Students OU and removes the ACE for Authenticated Users. This prevented the students' private information from being viewable by non-admin staff.

Now I have been given a better view for our identity system to use that includes a FERPA flag. So instead of treating all 20,000 students as FERPA (and having to remove the Auth User ACE) I only need to treat those that have asked for FERPA protection (about 3% of the student body).

So I need to go back through all the student accounts and restore the Auth User ACE and only remove it from the FERPA students (which I've separated into a sub-ou of students).

I tried to do this with .Net but had some difficulties. Anyone have a good quick way to do this?

Steve Evans
RE: [ActiveDir] LastlogonTimestamp Missing
What is the domain mode/ forest mode?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Wednesday, October 25, 2006 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: LastlogonTimestamp Missing

I have a Windows 2003 R2 single domain/forest. This domain/forest was built upon Windows 2003 R2 so it has never had to go through any upgrades. I wanted to query for the true last logon time/date for various users and noticed that the LastlogonTimestamp is not an available attribute for the user accounts. The standard non-replicated LastLogon attribute is there, but I would obviously be more interested in the replicated LastlogonTimestamp.

The LastlogonTimestamp schema attribute has been defined and it is listed as a systemmaycontain of the user class.

C:\>adfind -sc scontainsl:lastlogontimestamp user

Is there any reason why the LastlogonTimestamp attribute would not be appearing for user accounts? From what I understand, the LastlogonTimestamp attribute may not be instantiated on user accounts if the user accounts have not logged on since a domain has been upgraded to Windows 2003, however since this domain/forest was built upon Windows 2003 R2 this is not the case. Any ideas on how to get this attribute instantiated properly on the user accounts?

~Ben
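Both replies in this thread point at the domain/forest functional level. One way to check it and then read the attribute, as an added PowerShell example that is not from the list posts; it assumes the ActiveDirectory module (RSAT) is installed, and the 90-day staleness threshold is an arbitrary illustrative value:

```powershell
# Added example, not from the original thread.
# Assumes: the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumption for illustration: accounts idle longer than this are reported as stale.
$StaleAfterDays = 90

$domain = Get-ADDomain
$forest = Get-ADForest
'Domain mode: {0}' -f $domain.DomainMode
'Forest mode: {0}' -f $forest.ForestMode

# The functional level is stored as msDS-Behavior-Version on the domain head:
# 0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003.
$head  = Get-ADObject -Identity $domain.DistinguishedName -Properties 'msDS-Behavior-Version'
$level = [int]$head.'msDS-Behavior-Version'
if ($level -lt 2) {
    Write-Warning "Domain functional level is $level; lastLogonTimestamp is not maintained below level 2."
    return
}

function ConvertFrom-FileTime([object]$Value) {
    # Both logon attributes are FILETIME values: 100 ns ticks since 1601-01-01 UTC.
    # A missing attribute or 0 means no logon has been recorded.
    if ($null -eq $Value -or [int64]$Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc([int64]$Value)
}

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleAfterDays)

# lastLogon is per-DC and not replicated; lastLogonTimestamp is replicated but is
# only refreshed at logon when the stored value is old enough, so it can lag the
# real last logon by several days.
Get-ADUser -Filter * -Properties lastLogon, lastLogonTimestamp |
    ForEach-Object {
        $replicated = ConvertFrom-FileTime $_.lastLogonTimestamp

        if ($null -eq $replicated)        { $status = 'attribute not set' }
        elseif ($replicated -lt $cutoff)  { $status = 'stale' }
        else                              { $status = 'active' }

        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            Enabled            = $_.Enabled
            LastLogonThisDC    = ConvertFrom-FileTime $_.lastLogon
            LastLogonTimestamp = $replicated
            Status             = $status
        }
    } |
    Sort-Object LastLogonTimestamp |
    Format-Table -AutoSize
```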
Re: [ActiveDir] quota issues
By any chance, is it possible that there's a live PST in there, or an attempt to place it there? Users can do that on their own after all, unless measures are taken against it.

----- Original Message -----
From: Antonio Aranda
To: ActiveDir@mail.activedir.org
Sent: Wednesday, October 25, 2006 9:17 AM
Subject: RE: [ActiveDir] quota issues

I’m sorry but I don’t know what you mean by “files having streams”. Can you explain that attribute to me?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Guest
Sent: Wednesday, October 25, 2006 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] quota issues

Just a couple of thoughts

Have you tried searching the disk for other files marked with him as owner – perhaps from a legacy share which no longer exists?

Alternatively, is it possible that one of the files he’s copying has streams? I understand the space used by a stream does not get added to the disk space that windows reports, but perhaps it affects the quota?

Mike Guest
IT Solutions
HML
Padiham
DDI: +44 (0)1282 682550
Internal Extension: (61) 2550

From: Antonio Aranda [mailto:[EMAIL PROTECTED]]
Sent: 25 October 2006 15:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] quota issues

There seems to be mostly small files; 5 to 7 K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Parag Nagwekar
Sent: Tuesday, October 24, 2006 11:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] quota issues

I guess he is probably trying to write or copy a file which is quite big, maybe more than 200 MB in size. Please tell him to write a smaller file on the file system where he is already using 300 MB.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Antonio Aranda
Sent: Tuesday, October 24, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] quota issues

I’m having weird quota issues. I have a partition that has the default quota set to 500 MB. There are a good hundred users that are writing to that partition but only one is having this issue; he keeps running out of quota even though he has only written about 300 MB to his subdirectory. He can only write to that subdirectory so why is he running out of space?

Antonio Aranda
Network Analyst
UT-Permian Basin
432-552-2413
[ActiveDir] New server to replace DC and FP role - options for keeping the same name
Quick question; an existing remote office DC/file/print server will be replaced with a brand new server. What options do I have if they wish to keep the same name?

Thanks,

...D
Re: [ActiveDir] New server to replace DC and FP role - options for keeping the same name
www.sbsmigration.com

In the SBS world this is what we do all the time when we are replacing our SBS box and we don't want to have to touch the workstations.

Original server is sync'd up with a temp DC with the name of TempDC. Ensure replication occurs, cut the cord. Seize FSMO roles to that TempDC.

Sync up with another server that is made an additional DC which has the exact same name as the original server. Ensure replication occurs, cut cord with the TempDC. Seize FSMO roles.

TempDC can be a virtual PC image of Win2k3 server on a laptop used only to move that AD gunk from the one DC to the other.

You now have the original server and a replica server ... same name.. same domain that can be slid in place and the workstations are none the wiser.

Danny wrote:

Quick question; an existing remote office DC/file/print server will be replaced with a brand new server. What options do I have if they wish to keep the same name?

Thanks,

...D

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
RE: [ActiveDir] quota issues
There is on pst file in there but I've had that problem before. What measures did you take to avoid that?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Albert Duro
Sent: Thursday, October 26, 2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] quota issues

By any chance, is it possible that there's a live PST in there, or an attempt to place it there? Users can do that on their own after all, unless measures are taken against it.

----- Original Message -----
From: Antonio Aranda
To: ActiveDir@mail.activedir.org
Sent: Wednesday, October 25, 2006 9:17 AM
Subject: RE: [ActiveDir] quota issues

I'm sorry but I don't know what you mean by files having streams. Can you explain that attribute to me?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Guest
Sent: Wednesday, October 25, 2006 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] quota issues

Just a couple of thoughts

Have you tried searching the disk for other files marked with him as owner, perhaps from a legacy share which no longer exists?

Alternatively, is it possible that one of the files he's copying has streams? I understand the space used by a stream does not get added to the disk space that windows reports, but perhaps it affects the quota?

Mike Guest
IT Solutions
HML
Padiham
DDI: +44 (0)1282 682550
Internal Extension: (61) 2550

From: Antonio Aranda [mailto:[EMAIL PROTECTED]]
Sent: 25 October 2006 15:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] quota issues

There seems to be mostly small files; 5 to 7 K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Parag Nagwekar
Sent: Tuesday, October 24, 2006 11:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] quota issues

I guess he is probably trying to write or copy a file which is quite big, maybe more than 200 MB in size. Please tell him to write a smaller file on the file system where he is already using 300 MB.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Antonio Aranda
Sent: Tuesday, October 24, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] quota issues

I'm having weird quota issues. I have a partition that has the default quota set to 500 MB. There are a good hundred users that are writing to that partition but only one is having this issue; he keeps running out of quota even though he has only written about 300 MB to his subdirectory. He can only write to that subdirectory so why is he running out of space?

Antonio Aranda
Network Analyst
UT-Permian Basin
432-552-2413
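The two checks suggested earlier in this thread (files owned by the user elsewhere on the volume, and alternate data streams) can be done in one pass. An added PowerShell example, not from the list posts; the volume root and account name are placeholders, and it assumes PowerShell 3.0 or later for the -File and -Stream parameters:

```powershell
# Added example, not from the original thread.
# Placeholders (assumptions): the quota-enabled volume and the account to audit.
$Root  = 'E:\'
$Owner = 'EXAMPLE\jdoe'

# NTFS quotas are charged to the owner of each file, volume-wide, so files the
# user owns outside his own subdirectory count against the same limit.
$report = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try {
            $fileOwner = (Get-Acl -LiteralPath $file.FullName -ErrorAction Stop).Owner
        } catch {
            return   # ACL not readable: skip this file
        }
        if ($fileOwner -ne $Owner) { return }

        # ':$DATA' is the unnamed default stream; every other entry is an
        # alternate data stream, which is not part of the size Explorer shows.
        $streams  = @(Get-Item -LiteralPath $file.FullName -Stream * -Force -ErrorAction SilentlyContinue)
        $altBytes = ($streams | Where-Object { $_.Stream -ne ':$DATA' } |
                     Measure-Object -Property Length -Sum).Sum

        [pscustomobject]@{
            Directory = $file.DirectoryName
            MainBytes = $file.Length
            AltBytes  = [int64]$altBytes   # $null (no alternate streams) becomes 0
        }
    }

# Per-directory totals show where the space charged to this owner actually lives.
$report | Group-Object Directory | ForEach-Object {
    [pscustomobject]@{
        Directory = $_.Name
        Files     = $_.Count
        MainMB    = [math]::Round((($_.Group | Measure-Object MainBytes -Sum).Sum) / 1MB, 1)
        AltMB     = [math]::Round((($_.Group | Measure-Object AltBytes  -Sum).Sum) / 1MB, 1)
    }
} | Sort-Object MainMB -Descending | Format-Table -AutoSize

# Compare with what the quota system has recorded per user (run elevated;
# E: is the same placeholder volume as above).
fsutil quota query E:
```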
[ActiveDir] Change a password over PPTP Windows Domain
All,

Does anyone know a way I can change my Active Directory password on a laptop remotely while connected to domain via PPTP? I keep running into cache problems with the local computer and I've tried using the dialup option but it still won't work after I change the password?

Any help is greatly appreciated

Thanks,
Mike
RE: [ActiveDir] List Groups I'm In?
Thanks a lot!

Javier

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chong Ai Chung
Sent: Thursday, October 26, 2006 16:08
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] List Groups I'm In?

You can download it here: http://www.microsoft.com/downloads/details.aspx?familyid=3E89879D-6C0B-4F92-96C4-1016C187D429&displaylang=en

On 10/26/06, F. Javier Jarava [EMAIL PROTECTED] wrote:

Hi!

Just a little question RE: whoami: I have Windows Server 2003 Service Pack 1 32-bit Support Tools :) installed on my laptop, and I can't find the whoami utility you are referring to..

Also, I see from your excerpt that you use where that seems to behave like which but for Windows: I'd really appreciate it if you could refer me to that utility ;)

Thanks a lot in advance.

Javier Jarava
RE: [ActiveDir] Change a password over PPTP Windows Domain
Yes only on Windows XP - It looks like I need to edit the GINA.dll and enable fast user switching but that doesn't sound right to me...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Onsomu
Sent: Thursday, October 26, 2006 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

Only on Windows xp.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change a password over PPTP Windows Domain

All,

Does anyone know a way I can change my Active Directory password on a laptop remotely while connected to domain via PPTP? I keep running into cache problems with the local computer and I've tried using the dialup option but it still won't work after I change the password?

Any help is greatly appreciated

Thanks,
Mike
RE: [ActiveDir] Change a password over PPTP Windows Domain
I'm very confused (haven't had a lot of coffee today)...

Is the laptop a member of the domain? How are you changing the password? What exactly isn't working? You should be able to simply press CTRL + ALT + DEL and change the password just as you would if you were connected to the network via any other connection. Can you provide more information about what you mean by "cache problems" and "dialup option"?

thanks,
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

Yes only on Windows XP - It looks like I need to edit the GINA.dll and enable fast user switching but that doesn't sound right to me...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Onsomu
Sent: Thursday, October 26, 2006 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

Only on Windows xp.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change a password over PPTP Windows Domain

All,

Does anyone know a way I can change my Active Directory password on a laptop remotely while connected to domain via PPTP? I keep running into cache problems with the local computer and I've tried using the dialup option but it still won't work after I change the password?

Any help is greatly appreciated

Thanks,
Mike
Re: [ActiveDir] New server to replace DC and FP role - options for keeping the same name
Thanks, Susan - I'll have a go at it.

On 10/26/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

www.sbsmigration.com

In the SBS world this is what we do all the time when we are replacing our SBS box and we don't want to have to touch the workstations.

Original server is sync'd up with a temp DC with the name of TempDC. Ensure replication occurs, cut the cord. Seize FSMO roles to that TempDC.

Sync up with another server that is made an additional DC which has the exact same name as the original server. Ensure replication occurs, cut cord with the TempDC. Seize FSMO roles.

TempDC can be a virtual PC image of Win2k3 server on a laptop used only to move that AD gunk from the one DC to the other.

You now have the original server and a replica server ... same name.. same domain that can be slid in place and the workstations are none the wiser.

Danny wrote:

Quick question; an existing remote office DC/file/print server will be replaced with a brand new server. What options do I have if they wish to keep the same name?

Thanks,

...D

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
RE: [ActiveDir] Change a password over PPTP Windows Domain
- Yes- sorry. Our remote users use Windows XP Pro and connect to the Corp network via PPTP once online. Yes, they can use Ctrl+Alt+Del to change password but since they are logged in to their laptops locally using a cached account once they change their passwords they cannot get back into the laptop. I'm trying to find a way that users can change their passwords over PPTP and not get locked out of their laptops

Thanks!
Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Thursday, October 26, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

I'm very confused (haven't had a lot of coffee today)...

Is the laptop a member of the domain? How are you changing the password? What exactly isn't working? You should be able to simply press CTRL + ALT + DEL and change the password just as you would if you were connected to the network via any other connection. Can you provide more information about what you mean by "cache problems" and "dialup option"?

thanks,
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

Yes only on Windows XP - It looks like I need to edit the GINA.dll and enable fast user switching but that doesn't sound right to me...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Onsomu
Sent: Thursday, October 26, 2006 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

Only on Windows xp.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change a password over PPTP Windows Domain

All,

Does anyone know a way I can change my Active Directory password on a laptop remotely while connected to domain via PPTP? I keep running into cache problems with the local computer and I've tried using the dialup option but it still won't work after I change the password?

Any help is greatly appreciated

Thanks,
Mike
RE: [ActiveDir] Change a password over PPTP Windows Domain
You could disable account caching and force them to log on to the laptop via PPTP before authenticating to the machine. Of course this would now allow them to log on to the computer if they had no way to connect to the RRAS Server. Solves one problem but creates another one.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

- Yes- sorry. Our remote users use Windows XP Pro and connect to the Corp network via PPTP once online. Yes, they can use Ctrl+Alt+Del to change password but since they are logged in to their laptops locally using a cached account once they change their passwords they cannot get back into the laptop. I'm trying to find a way that users can change their passwords over PPTP and not get locked out of their laptops

Thanks!
Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Thursday, October 26, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

I'm very confused (haven't had a lot of coffee today)...

Is the laptop a member of the domain? How are you changing the password? What exactly isn't working? You should be able to simply press CTRL + ALT + DEL and change the password just as you would if you were connected to the network via any other connection. Can you provide more information about what you mean by "cache problems" and "dialup option"?

thanks,
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

Yes only on Windows XP - It looks like I need to edit the GINA.dll and enable fast user switching but that doesn't sound right to me...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Onsomu
Sent: Thursday, October 26, 2006 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

Only on Windows xp.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change a password over PPTP Windows Domain

All,

Does anyone know a way I can change my Active Directory password on a laptop remotely while connected to domain via PPTP? I keep running into cache problems with the local computer and I've tried using the dialup option but it still won't work after I change the password?

Any help is greatly appreciated

Thanks,
Mike
RE: [ActiveDir] Change a password over PPTP Windows Domain
After they change their password but before disconnecting from the PPTP VPN, ask them to lock and unlock their computer using the new password. This should update the cached credentials with the new password.

Let us know if it works; have a great day!

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006 12:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

- Yes- sorry. Our remote users use Windows XP Pro and connect to the Corp network via PPTP once online. Yes, they can use Ctrl+Alt+Del to change password but since they are logged in to their laptops locally using a cached account once they change their passwords they cannot get back into the laptop. I'm trying to find a way that users can change their passwords over PPTP and not get locked out of their laptops

Thanks!
Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Thursday, October 26, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

I'm very confused (haven't had a lot of coffee today)...

Is the laptop a member of the domain? How are you changing the password? What exactly isn't working? You should be able to simply press CTRL + ALT + DEL and change the password just as you would if you were connected to the network via any other connection. Can you provide more information about what you mean by cache problems and dialup option?

thanks,
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

Yes only on Windows XP - It looks like I need to edit the GINA.dll and enable fast user switching but that doesn't sound right to me...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Onsomu
Sent: Thursday, October 26, 2006 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

Only on Windows xp.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change a password over PPTP Windows Domain

All,

Does anyone know a way I can change my Active Directory password on a laptop remotely while connected to domain via PPTP? I keep running into cache problems with the local computer and I've tried using the dialup option but it still won't work after I change the password?

Any help is greatly appreciated

Thanks,
Mike
[ActiveDir] Exchange Log files --Disk Full--
Hi All,

Kindly suggest, what I can do about my Exchange Log files? I have about 120 GB Log files for past 4 months.

I have a few doubts:-

Do I really need all those log files? If yes, then how is it possible to manage with this as I have a very limited space left.

Can I delete these log files?

Backup doesn't remove these log files?

I am really running out of space on my Exchange log storage drive.

Thanks!!!

Ravi
RE: [ActiveDir] Change a password over PPTP Windows Domain
Is there anything that prevents the users from logging on via PPTP when they want to change their passwords?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

- Yes- sorry. Our remote users use Windows XP Pro and connect to the Corp network via PPTP once online. Yes, they can use Ctrl+Alt+Del to change password but since they are logged in to their laptops locally using a cached account once they change their passwords they cannot get back into the laptop. I'm trying to find a way that users can change their passwords over PPTP and not get locked out of their laptops

Thanks!
Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Thursday, October 26, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

I'm very confused (haven't had a lot of coffee today)...

Is the laptop a member of the domain? How are you changing the password? What exactly isn't working? You should be able to simply press CTRL + ALT + DEL and change the password just as you would if you were connected to the network via any other connection. Can you provide more information about what you mean by "cache problems" and "dialup option"?

thanks,
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

Yes only on Windows XP - It looks like I need to edit the GINA.dll and enable fast user switching but that doesn't sound right to me...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Onsomu
Sent: Thursday, October 26, 2006 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

Only on Windows xp.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change a password over PPTP Windows Domain

All,

Does anyone know a way I can change my Active Directory password on a laptop remotely while connected to domain via PPTP? I keep running into cache problems with the local computer and I've tried using the dialup option but it still won't work after I change the password?

Any help is greatly appreciated

Thanks,
Mike
[ActiveDir] [OT] Best. KB. Article. Ever. (done in the voice of the Simpsons comic book dude, naturally)
http://support.microsoft.com/kb/228001 Network Adapter Does Not Work if Unplugged -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Exchange Log files --Disk Full--
If you do a full (normal) backup using a real backup tool (ntbackup, Veritas with the Exchange Backup Agent, etc) - the logs will be flushed. Period. For some reason - you aren't getting a clean backup. That's what you need to be checking into. Temporarily, you can compress (using NTFS compression - not WinZIP or PowerArc or anything like that) the logfiles until you can make that backup. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support Sent: Thursday, October 26, 2006 2:09 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Exchange Log files --Disk Full-- Hi All, Kindly suggest, what i can do about my Exchange Log files? I have about 120 GB Log files for past 4 months. I have a few doubts:- Do i really need all those log files? If yes, Then how is it possible to manage with this as i have a very limited space left. Can i delete these log files? Backup doesn't remove these log files? i am really running out of space on my Exchange log storage drive. Thanks!!! Ravi
RE: [ActiveDir] Exchange Log files --Disk Full--
Backup should truncate the log files. However, depending on which software you are using, sometimes truncate log files is an option that you have to select. What backup software are you running? Are you running an exchange backup or just a file backup of the Exchange server? If you are only backing up files, and not the actual Info Store, then you are not getting a good (or even usable) backup. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support Sent: Thursday, October 26, 2006 1:09 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Exchange Log files --Disk Full-- Hi All, Kindly suggest, what i can do about my Exchange Log files? I have about 120 GB Log files for past 4 months. I have a few doubts:- Do i really need all those log files? If yes, Then how is it possible to manage with this as i have a very limited space left. Can i delete these log files? Backup doesn't remove these log files? i am really running out of space on my Exchange log storage drive. Thanks!!! Ravi
RE: [ActiveDir] [OT] Best. KB. Article. Ever. (done in the voice of the Simpsons comic book dude, naturally)
Does this fall in the ID10T category? DOH! Sigh. Steve Egan Purcell Systems System/Network Administrator desk 509 755-0341 x110 cell 509 475-7682 fax 509 755-0345 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter Sent: Thursday, October 26, 2006 11:22 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] [OT] Best. KB. Article. Ever. (done in the voice of the Simpsons comic book dude, naturally) http://support.microsoft.com/kb/228001 Network Adapter Does Not Work if Unplugged -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Exchange Log files --Disk Full--
Take a look at the section titled "The path less traveled - Remove unneeded log files manually" in the article http://www.msexchange.org/articles/Exchange-log-disk-full.html It shows how to checkpoint the logs, so you can remove them manually without fear they will be required in the event of disaster recovery. /aaron From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support Sent: Thursday, October 26, 2006 1:09 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Exchange Log files --Disk Full-- Hi All, Kindly suggest, what i can do about my Exchange Log files? I have about 120 GB Log files for past 4 months. I have a few doubts:- Do i really need all those log files? If yes, Then how is it possible to manage with this as i have a very limited space left. Can i delete these log files? Backup doesn't remove these log files? i am really running out of space on my Exchange log storage drive. Thanks!!! Ravi
RE: [ActiveDir] Exchange Log files --Disk Full--
Are you running full (AKA normal) backups every night? It seems not. Use NTBackup to backup to disk (obviously, you'll need a disk with over 120GB of available space) and then use whatever normal program you use to back that backup onto tape. This will keep you running until you sort out why your normal backup software isn't flushing the logs when the backup completes. How are you currently running backups? What software is in use? Are you sure it's Exchange aware? Are you doing brick level backups or copy backups instead of a full backup? Neither will flush the logs. I'd resolve this as quickly as possible, because if you are in a situation where you have to replay the logs, you're NOT going to be a happy camper. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support Sent: Thursday, October 26, 2006 11:09 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Exchange Log files --Disk Full-- Hi All, Kindly suggest, what i can do about my Exchange Log files? I have about 120 GB Log files for past 4 months. I have a few doubts:- Do i really need all those log files? If yes, Then how is it possible to manage with this as i have a very limited space left. Can i delete these log files? Backup doesn't remove these log files? i am really running out of space on my Exchange log storage drive. Thanks!!! Ravi
RE: [ActiveDir] List Groups I'm In?
I believe the whoami question was answered, I used to get where.exe from the 2000 reskit, it is one of the tools from the reskit that thankfully made it into 2003 Server, I just copy that file to my XP systems. Should be in System32 on any 2K3 server. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of F. Javier Jarava Sent: Thursday, October 26, 2006 6:13 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] List Groups I'm In? Hi! Just a little question RE: whoami: I have Windows Server 2003 Service Pack 1 32-bit Support Tools :) installed on my laptop, and I can't find the whoami utility you are referring to.. Also, I see from your excerpt that you use where that seems to behave like which but for Windows: I'd really appreciate it if you could refer me to that utility ;) Thanks a lot in advance. Javier Jarava -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Wednesday, October 25, 2006 19:07 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] List Groups I'm In? whoami /groups C:\Admin\Util>where whoami C:\Program Files\Support Tools\whoami.exe Not exactly stock but then again I consider Support Tools as an essential part of an installation :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B Allen Sent: Wednesday, October 25, 2006 9:47 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] List Groups I'm In? What is the easiest way for a user (say on a stock XP client) to list what groups they're in? Specifically I'd like the user to be able to just type a command like 'net user list groups' or some such and get a list of NT Account names for tokenGroups. Or if there is a dialog somewhere that's good too. Ideas? Mike -- Michael B Allen PHP Active Directory SSO http://www.ioplex.com/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Exchange Log files --Disk Full--
Yes, I have been doing full backup but unfortunately logs aren't flushed. What could be the possible reason for that. I have to look for it. I am using NTBackup. There is no option for Truncate Log Files in this backup utility. I am running Info Store backup. Any suggestions. Thanks!!! Ravi From: [EMAIL PROTECTED] on behalf of Michael B. Smith Sent: Thu 10/26/2006 11:38 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange Log files --Disk Full-- If you do a full (normal) backup using a real backup tool (ntbackup, Veritas with the Exchange Backup Agent, etc) - the logs will be flushed. Period. For some reason - you aren't getting a clean backup. That's what you need to be checking into. Temporarily, you can compress (using NTFS compression - not WinZIP or PowerArc or anything like that) the logfiles until you can make that backup. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support Sent: Thursday, October 26, 2006 2:09 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Exchange Log files --Disk Full-- Hi All, Kindly suggest, what i can do about my Exchange Log files? I have about 120 GB Log files for past 4 months. I have a few doubts:- Do i really need all those log files? If yes, Then how is it possible to manage with this as i have a very limited space left. Can i delete these log files? Backup doesn't remove these log files? i am really running out of space on my Exchange log storage drive. Thanks!!! Ravi
RE: [ActiveDir] Exchange Log files --Disk Full--
Hi, I am running Normal Backup. Using NTBackup Utility. Backing up Information store. From: [EMAIL PROTECTED] on behalf of Missy Koslosky Sent: Thu 10/26/2006 12:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange Log files --Disk Full-- Are you running full (AKA normal) backups every night? It seems not. Use NTBackup to backup to disk (obviously, you'll need a disk with over 120GB of available space) and then use whatever normal program you use to back that backup onto tape. This will keep you running until you sort out why your normal backup software isn't flushing the logs when the backup completes. How are you currently running backups? What software is in use? Are you sure it's Exchange aware? Are you doing brick level backups or copy backups instead of a full backup? Neither will flush the logs. I'd resolve this as quickly as possible, because if you are in a situation where you have to replay the logs, you're NOT going to be a happy camper. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support Sent: Thursday, October 26, 2006 11:09 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Exchange Log files --Disk Full-- Hi All, Kindly suggest, what i can do about my Exchange Log files? I have about 120 GB Log files for past 4 months. I have a few doubts:- Do i really need all those log files? If yes, Then how is it possible to manage with this as i have a very limited space left. Can i delete these log files? Backup doesn't remove these log files? i am really running out of space on my Exchange log storage drive. Thanks!!! Ravi
[ActiveDir] DNS setup questions
OK; my Google-fu isn't working well today, and it's been a while since I had to do any advanced DNS work. Too much BPM work, not enough AD admin lately... Here's the scenario: Our domain: W2K3 functional level single-domain forest using AD-integrated DNS, secure updates only Partner domain: W2K3 functional level single-domain forest using BIND DNS. We are planning to establish a trust between the domains. We need to set up DNS so that both domains can resolve at minimum SRV records to keep the trust working and allow member enumeration for selective auth setup. IIRC, we need to create secondary zones in each domain pointing to the other domain, and on the W2K3 side, add the BIND servers to the nameservers tab, right? Anything else I need to do on the W2K3 DNS side? I really think I'm missing something here, but I can't find any information with the answers I need... Also, if I allow zone transfers to the other domain's DNS IP addresses, what's to prevent them from setting up something other than a secondary server? I know AD integrated won't allow another AD integrated DNS server outside the current domain, but I just want to make sure I don't leave anything insecure... Thanks... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 **
RE: [ActiveDir] Exchange Log files --Disk Full--
Ntbackup considers the option to Flush Log Files so obvious that it doesn't even ask. Are you seeing any errors in the backup logs? I have seen ntbackup fail after the data was backed up but before it flushed logs, if some of the permissions were changed. Of course this was 3 years ago, so I don't remember which permissions those were. Were backups flushing logs before 4 months ago? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support Sent: Thursday, October 26, 2006 2:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange Log files --Disk Full-- Yes, I have been doing full backup but unfortunately logs aren't flushed. What could be the possible reason for that. I have to look for it. I am using NTBackup. There is no option for Truncate Log Files in this backup utility. I am running Info Store backup. Any suggestions. Thanks!!! Ravi From: [EMAIL PROTECTED] on behalf of Michael B. Smith Sent: Thu 10/26/2006 11:38 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange Log files --Disk Full-- If you do a full (normal) backup using a real backup tool (ntbackup, Veritas with the Exchange Backup Agent, etc) - the logs will be flushed. Period. For some reason - you aren't getting a clean backup. That's what you need to be checking into. Temporarily, you can compress (using NTFS compression - not WinZIP or PowerArc or anything like that) the logfiles until you can make that backup. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support Sent: Thursday, October 26, 2006 2:09 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Exchange Log files --Disk Full-- Hi All, Kindly suggest, what i can do about my Exchange Log files? I have about 120 GB Log files for past 4 months. I have a few doubts:- Do i really need all those log files? If yes, Then how is it possible to manage with this as i have a very limited space left. Can i delete these log files? Backup doesn't remove these log files?
i am really running out of space on my Exchange log storage drive. Thanks!!! Ravi
RE: [ActiveDir] DNS setup questions
You could use conditional-forwarding. You could also setup an AD int stub zone. I'm not well versed in the security aspects of either... but either one of those would work fine... :m:dsm:cci:mvp | marcusoh.blogspot.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Thursday, October 26, 2006 4:32 PM To: ActiveDir@mail.activedir.org Subject: DNS setup questions OK; my Google-fu isn't working well today, and it's been a while since I had to do any advanced DNS work. Too much BPM work, not enough AD admin lately... Here's the scenario: Our domain: W2K3 functional level single-domain forest using AD-integrated DNS, secure updates only Partner domain: W2K3 functional level single-domain forest using BIND DNS. We are planning to establish a trust between the domains. We need to set up DNS so that both domains can resolve at minimum SRV records to keep the trust working and allow member enumeration for selective auth setup. IIRC, we need to create secondary zones in each domain pointing to the other domain, and on the W2K3 side, add the BIND servers to the nameservers tab, right? Anything else I need to do on the W2K3 DNS side? I really think I'm missing something here, but I can't find any information with the answers I need... Also, if I allow zone transfers to the other domain's DNS IP addresses, what's to prevent them from setting up something other than a secondary server? I know AD integrated won't allow another AD integrated DNS server outside the current domain, but I just want to make sure I don't leave anything insecure... Thanks... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
[ActiveDir] list lastlogontime for every user script
Hi, I am trying to do a script or something that will list lastlogontime for all users so I can receive an email when someone has not used the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with converting the number to a date... Does anyone have a script that will do something similar? Does Joe ware have something similar? Thanks Ramon
RE: [ActiveDir] DNS setup questions
I'd probably take a look at conditional forwarding and/or stub zones instead of doing Win2K-style secondaries. What version of BIND is in use in the other forest? BIND 8+ supports conditional forwarding, and BIND 9+ supports stub zones, IIRC. Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Thursday, October 26, 2006 4:32 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DNS setup questions OK; my Google-fu isn't working well today, and it's been a while since I had to do any advanced DNS work. Too much BPM work, not enough AD admin lately... Here's the scenario: Our domain: W2K3 functional level single-domain forest using AD-integrated DNS, secure updates only Partner domain: W2K3 functional level single-domain forest using BIND DNS. We are planning to establish a trust between the domains. We need to set up DNS so that both domains can resolve at minimum SRV records to keep the trust working and allow member enumeration for selective auth setup. IIRC, we need to create secondary zones in each domain pointing to the other domain, and on the W2K3 side, add the BIND servers to the nameservers tab, right? Anything else I need to do on the W2K3 DNS side? I really think I'm missing something here, but I can't find any information with the answers I need... Also, if I allow zone transfers to the other domain's DNS IP addresses, what's to prevent them from setting up something other than a secondary server? I know AD integrated won't allow another AD integrated DNS server outside the current domain, but I just want to make sure I don't leave anything insecure... Thanks... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] DNS setup questions
http://technet2.microsoft.com/WindowsServer/en/library/358c7852-d23b-4668-adf5-6ad2fe001e9f1033.mspx?mfr=true Sorry, probably should have dug up the link before sending my other response. :-) Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Thursday, October 26, 2006 4:32 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DNS setup questions OK; my Google-fu isn't working well today, and it's been a while since I had to do any advanced DNS work. Too much BPM work, not enough AD admin lately... Here's the scenario: Our domain: W2K3 functional level single-domain forest using AD-integrated DNS, secure updates only Partner domain: W2K3 functional level single-domain forest using BIND DNS. We are planning to establish a trust between the domains. We need to set up DNS so that both domains can resolve at minimum SRV records to keep the trust working and allow member enumeration for selective auth setup. IIRC, we need to create secondary zones in each domain pointing to the other domain, and on the W2K3 side, add the BIND servers to the nameservers tab, right? Anything else I need to do on the W2K3 DNS side? I really think I'm missing something here, but I can't find any information with the answers I need... Also, if I allow zone transfers to the other domain's DNS IP addresses, what's to prevent them from setting up something other than a secondary server? I know AD integrated won't allow another AD integrated DNS server outside the current domain, but I just want to make sure I don't leave anything insecure... Thanks... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
Re: [ActiveDir] Exchange Log files --Disk Full--
Make sure you aren't doing a copy backup...it needs to be a normal backup. Teo On 10/26/06, Technical Support [EMAIL PROTECTED] wrote: Yes, I have been doing full backup but unfortunately logs aren't flushed. What could be the possible reason for that. I have to look for it. I am using NTBackup. There is no option for Truncate Log Files in this backup utility. I am running Info Store backup. Any suggestions. Thanks!!! Ravi From: [EMAIL PROTECTED] on behalf of Michael B. Smith Sent: Thu 10/26/2006 11:38 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange Log files --Disk Full-- If you do a full (normal) backup using a real backup tool (ntbackup, Veritas with the Exchange Backup Agent, etc) - the logs will be flushed. Period. For some reason - you aren't getting a clean backup. That's what you need to be checking into. Temporarily, you can compress (using NTFS compression - not WinZIP or PowerArc or anything like that) the logfiles until you can make that backup. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Technical Support Sent: Thursday, October 26, 2006 2:09 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Exchange Log files --Disk Full-- Hi All, Kindly suggest, what i can do about my Exchange Log files? I have about 120 GB Log files for past 4 months. I have a few doubts:- Do i really need all those log files? If yes, Then how is it possible to manage with this as i have a very limited space left. Can i delete these log files? Backup doesn't remove these log files? i am really running out of space on my Exchange log storage drive. Thanks!!! Ravi
RE: [ActiveDir] DNS setup questions
Since the partner forest is not using AD DNS zones but a Unix BIND system, wouldn't that eliminate the ability to do the conditional forwarding? I thought that required both sides to be W2K3 AD DNS... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, October 26, 2006 1:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS setup questions You could use conditional-forwarding. You could also setup an AD int stub zone. I'm not well versed in the security aspects of either... but either one of those would work fine... :m:dsm:cci:mvp | marcusoh.blogspot.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Thursday, October 26, 2006 4:32 PM To: ActiveDir@mail.activedir.org Subject: DNS setup questions OK; my Google-fu isn't working well today, and it's been a while since I had to do any advanced DNS work. Too much BPM work, not enough AD admin lately... Here's the scenario: Our domain: W2K3 functional level single-domain forest using AD-integrated DNS, secure updates only Partner domain: W2K3 functional level single-domain forest using BIND DNS. We are planning to establish a trust between the domains. We need to set up DNS so that both domains can resolve at minimum SRV records to keep the trust working and allow member enumeration for selective auth setup. IIRC, we need to create secondary zones in each domain pointing to the other domain, and on the W2K3 side, add the BIND servers to the nameservers tab, right? Anything else I need to do on the W2K3 DNS side? I really think I'm missing something here, but I can't find any information with the answers I need... Also, if I allow zone transfers to the other domain's DNS IP addresses, what's to prevent them from setting up something other than a secondary server? 
I know AD integrated won't allow another AD integrated DNS server outside the current domain, but I just want to make sure I don't leave anything insecure... Thanks... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Exchange Log files --Disk Full--
Do you have multiple information stores on this storage group? (If using Exchange Enterprise edition)...the logs can't flush until all stores have a full backup, because the logs are shared... --James From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support Sent: Thursday, October 26, 2006 3:16 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange Log files --Disk Full-- Hi, I am running Normal Backup. Using NTBackup Utility. Backing up Information store. From: [EMAIL PROTECTED] on behalf of Missy Koslosky Sent: Thu 10/26/2006 12:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange Log files --Disk Full-- Are you running full (AKA normal) backups every night? It seems not. Use NTBackup to backup to disk (obviously, you'll need a disk with over 120GB of available space) and then use whatever normal program you use to back that backup onto tape. This will keep you running until you sort out why your normal backup software isn't flushing the logs when the backup completes. How are you currently running backups? What software is in use? Are you sure it's Exchange aware? Are you doing brick level backups or copy backups instead of a full backup? Neither will flush the logs. I'd resolve this as quickly as possible, because if you are in a situation where you have to replay the logs, you're NOT going to be a happy camper. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support Sent: Thursday, October 26, 2006 11:09 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Exchange Log files --Disk Full-- Hi All, Kindly suggest, what i can do about my Exchange Log files? I have about 120 GB Log files for past 4 months. I have a few doubts:- Do i really need all those log files? If yes, Then how is it possible to manage with this as i have a very limited space left. Can i delete these log files? Backup doesn't remove these log files?
i am really running out of space on my Exchange log storage drive. Thanks!!! Ravi
RE: [ActiveDir] list lastlogontime for every user script
oldcmp Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days). You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfind to generate the output. However, oldcmp tends to be easier for most folks. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Thursday, October 26, 2006 4:59 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] list lastlogontime for every user script Hi, I am trying to do a script or something that will list lastlogontime for all users so I can receive an email when someone has not used the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with converting the number to a date... Does anyone have a script that will do something similar? Does Joe ware have something similar? Thanks Ramon
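Added example (not code from any poster in this thread): the number-to-date conversion asked about above, plus the 30-day check adjusted for the update lag joe describes. lastLogonTimestamp holds 100-nanosecond ticks since 1601-01-01 UTC; the CSV layout, account names and status labels below are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# lastLogonTimestamp is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Worst-case age of the replicated value with default settings (14 days, per the reply above).
UPDATE_LAG_DAYS = 14

# Constructed sample export (account name, raw attribute value); not real data.
SAMPLE_CSV = """sAMAccountName,lastLogonTimestamp
alice,128054304000000000
bob,128032704000000000
carol,128011104000000000
svc_old,0
newhire,
"""


def filetime_to_datetime(ticks):
    """Convert raw ticks to an aware UTC datetime; None if missing, empty or zero."""
    if ticks is None or str(ticks).strip() in ("", "0"):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def classify(ticks, now, threshold_days=30, lag_days=UPDATE_LAG_DAYS):
    """Return (status, last_seen) for one account.

    unset   attribute not populated on the account
    active  stamp is within the threshold
    verify  stamp is older than the threshold, but a logon during the update
            lag would not have refreshed it, so the account may still be in use
    stale   stamp is older than threshold + lag: no logon inside the threshold
    """
    last_seen = filetime_to_datetime(ticks)
    if last_seen is None:
        return "unset", None
    age = now - last_seen
    if age <= timedelta(days=threshold_days):
        return "active", last_seen
    if age <= timedelta(days=threshold_days + lag_days):
        return "verify", last_seen
    return "stale", last_seen


def report(csv_text, now, threshold_days=30):
    """Map each account name in the CSV text to its status string."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {
        row["sAMAccountName"]: classify(row["lastLogonTimestamp"], now, threshold_days)[0]
        for row in rows
    }


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives the same result on every run.
    now = datetime(2006, 10, 26, tzinfo=timezone.utc)
    for name, status in report(SAMPLE_CSV, now).items():
        print(f"{name:10} {status}")
```

Accounts in the "verify" band are the ones to confirm against the non-replicated lastLogon value on each domain controller before disabling anything.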
Re: [ActiveDir] list lastlogontime for every user script
Have you looked at this Perl sample from the AD Cookbook? http://techtasks.com/code/viewbookcode/1608 Another alternative is to write your script around Joe's ADFIND (or even OldCMP). ADFIND has the ability to handle the date formats in a user-friendly way. Tony -- Original Message -- From: Ramon Linan [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org Date: Thu, 26 Oct 2006 16:59:20 -0400 Hi, I am trying to do a script or something that will list lastlogontime for all users so I can receive an email when someone has not used the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with converting the number to a date... Does anyone have a script that will do something similar? Does Joe ware have something similar? Thanks Ramon Sent via the WebMail system at mail.activedir.org List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
Re: [ActiveDir] list lastlogontime for every user script
I have one that I have coded and I have sent it to your email address. You can modify it easily to email you. Cheers, Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington CBD E-mail: [EMAIL PROTECTED] Web: http://www.dia.govt.nz/ Ramon Linan [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 27/10/2006 09:59 a.m. Please respond to ActiveDir To: ActiveDir@mail.activedir.org cc: Subject: [ActiveDir] list lastlogontime for every user script Hi, I am trying to do a script or something that will list lastlogontime for all users so I can receive an email when someone has not used the account for more than 30 days. I have seen a couple of examples of half-built scripts that don't work; I get lost when they start dealing with converting the number to a date... Does anyone have a script that will do something similar? Does Joe ware have something similar? Thanks Ramon
RE: [ActiveDir] DNS setup questions
Yeah I think you're right. I completely overlooked that part about Bind. :) :m:dsm:cci:mvp | marcusoh.blogspot.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Thursday, October 26, 2006 5:20 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS setup questions Since the partner forest is not using AD DNS zones but a Unix BIND system, wouldn't that eliminate the ability to do the conditional forwarding? I thought that required both sides to be W2K3 AD DNS... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, October 26, 2006 1:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS setup questions You could use conditional-forwarding. You could also setup an AD int stub zone. I'm not well versed in the security aspects of either... but either one of those would work fine... :m:dsm:cci:mvp | marcusoh.blogspot.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Thursday, October 26, 2006 4:32 PM To: ActiveDir@mail.activedir.org Subject: DNS setup questions OK; my Google-fu isn't working well today, and it's been a while since I had to do any advanced DNS work. Too much BPM work, not enough AD admin lately... Here's the scenario: Our domain: W2K3 functional level single-domain forest using AD-integrated DNS, secure updates only Partner domain: W2K3 functional level single-domain forest using BIND DNS. We are planning to establish a trust between the domains. We need to set up DNS so that both domains can resolve at minimum SRV records to keep the trust working and allow member enumeration for selective auth setup. 
IIRC, we need to create secondary zones in each domain pointing to the other domain, and on the W2K3 side, add the BIND servers to the nameservers tab, right? Anything else I need to do on the W2K3 DNS side? I really think I'm missing something here, but I can't find any information with the answers I need... Also, if I allow zone transfers to the other domain's DNS IP addresses, what's to prevent them from setting up something other than a secondary server? I know AD integrated won't allow another AD integrated DNS server outside the current domain, but I just want to make sure I don't leave anything insecure... Thanks... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 **
RE: [ActiveDir] DNS setup questions
Not at all. Both BIND and MS DNS support conditional forwarding (depending on BIND version and OS version, respectively). The destination for the conditional forwarding is irrelevant, since it's the servers receiving the queries from the clients that are responsible for forwarding (or not) the queries. There is no specific interaction between the two DNS implementations beyond standard querying. Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Thursday, October 26, 2006 5:20 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS setup questions Since the partner forest is not using AD DNS zones but a Unix BIND system, wouldn't that eliminate the ability to do the conditional forwarding? I thought that required both sides to be W2K3 AD DNS... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, October 26, 2006 1:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS setup questions You could use conditional-forwarding. You could also setup an AD int stub zone. I'm not well versed in the security aspects of either... but either one of those would work fine... :m:dsm:cci:mvp | marcusoh.blogspot.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Thursday, October 26, 2006 4:32 PM To: ActiveDir@mail.activedir.org Subject: DNS setup questions OK; my Google-fu isn't working well today, and it's been a while since I had to do any advanced DNS work. Too much BPM work, not enough AD admin lately... Here's the scenario: Our domain: W2K3 functional level single-domain forest using AD-integrated DNS, secure updates only Partner domain: W2K3 functional level single-domain forest using BIND DNS. We are planning to establish a trust between the domains. 
We need to set up DNS so that both domains can resolve at minimum SRV records to keep the trust working and allow member enumeration for selective auth setup. IIRC, we need to create secondary zones in each domain pointing to the other domain, and on the W2K3 side, add the BIND servers to the nameservers tab, right? Anything else I need to do on the W2K3 DNS side? I really think I'm missing something here, but I can't find any information with the answers I need... Also, if I allow zone transfers to the other domain's DNS IP addresses, what's to prevent them from setting up something other than a secondary server? I know AD integrated won't allow another AD integrated DNS server outside the current domain, but I just want to make sure I don't leave anything insecure... Thanks... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 **
RE: [ActiveDir] DNS setup questions
Hmmm. Looks like BIND 8 supports conditional forwarding and BIND 9 supports stub zones. :m:dsm:cci:mvp | marcusoh.blogspot.com -Original Message- From: Oh, Marcus (CCI-Atlanta) Sent: Thursday, October 26, 2006 6:19 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] DNS setup questions Yeah I think you're right. I completely overlooked that part about Bind. :) :m:dsm:cci:mvp | marcusoh.blogspot.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Thursday, October 26, 2006 5:20 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS setup questions Since the partner forest is not using AD DNS zones but a Unix BIND system, wouldn't that eliminate the ability to do the conditional forwarding? I thought that required both sides to be W2K3 AD DNS... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, October 26, 2006 1:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS setup questions You could use conditional-forwarding. You could also setup an AD int stub zone. I'm not well versed in the security aspects of either... but either one of those would work fine... :m:dsm:cci:mvp | marcusoh.blogspot.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Thursday, October 26, 2006 4:32 PM To: ActiveDir@mail.activedir.org Subject: DNS setup questions OK; my Google-fu isn't working well today, and it's been a while since I had to do any advanced DNS work. Too much BPM work, not enough AD admin lately... Here's the scenario: Our domain: W2K3 functional level single-domain forest using AD-integrated DNS, secure updates only Partner domain: W2K3 functional level single-domain forest using BIND DNS. We are planning to establish a trust between the domains. 
We need to set up DNS so that both domains can resolve at minimum SRV records to keep the trust working and allow member enumeration for selective auth setup. IIRC, we need to create secondary zones in each domain pointing to the other domain, and on the W2K3 side, add the BIND servers to the nameservers tab, right? Anything else I need to do on the W2K3 DNS side? I really think I'm missing something here, but I can't find any information with the answers I need... Also, if I allow zone transfers to the other domain's DNS IP addresses, what's to prevent them from setting up something other than a secondary server? I know AD integrated won't allow another AD integrated DNS server outside the current domain, but I just want to make sure I don't leave anything insecure... Thanks... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 **
[ActiveDir] How to grant administrator from trusted forest local PC Admin rights
Looking for ideas on how to provide a domain administrator in a separate forest local administrator rights on all domain computers to assist with ADMT v3 computer migration. Thanks,...D
RE: [ActiveDir] DNS setup questions
Conditional forwarding does not require AD DNS on the side that it is forwarding to, so this would not be an issue; however, I would personally recommend the use of stub zones, as they can be AD integrated, which means you do not have to worry about manually configuring secondary zones across multiple servers in your environment but only need to create it once and allow it to replicate out to your other DC/DNS servers. As for the opposing BIND side of things, yeah, add them to the nameservers tab, allow zone transfers only to servers listed on the name servers tab, and set up secondaries on those BIND servers. You may also want to check the notify option so that the secondaries are notified when there are updates to the zone that they should transfer, depending on what level of frequency you want IXFRs to happen at. Kurt Falde, MCSE NT4/2K/2K3, CCSE+, CISSP Premier Field Engineer Northeast Region Microsoft Corporation Mobile Phone: (301) 367-2721 Windows Vista -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Thursday, October 26, 2006 5:20 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS setup questions Since the partner forest is not using AD DNS zones but a Unix BIND system, wouldn't that eliminate the ability to do the conditional forwarding? I thought that required both sides to be W2K3 AD DNS... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, October 26, 2006 1:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS setup questions You could use conditional-forwarding. You could also setup an AD int stub zone. I'm not well versed in the security aspects of either... but either one of those would work fine... 
:m:dsm:cci:mvp | marcusoh.blogspot.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Thursday, October 26, 2006 4:32 PM To: ActiveDir@mail.activedir.org Subject: DNS setup questions OK; my Google-fu isn't working well today, and it's been a while since I had to do any advanced DNS work. Too much BPM work, not enough AD admin lately... Here's the scenario: Our domain: W2K3 functional level single-domain forest using AD-integrated DNS, secure updates only Partner domain: W2K3 functional level single-domain forest using BIND DNS. We are planning to establish a trust between the domains. We need to set up DNS so that both domains can resolve at minimum SRV records to keep the trust working and allow member enumeration for selective auth setup. IIRC, we need to create secondary zones in each domain pointing to the other domain, and on the W2K3 side, add the BIND servers to the nameservers tab, right? Anything else I need to do on the W2K3 DNS side? I really think I'm missing something here, but I can't find any information with the answers I need... Also, if I allow zone transfers to the other domain's DNS IP addresses, what's to prevent them from setting up something other than a secondary server? I know AD integrated won't allow another AD integrated DNS server outside the current domain, but I just want to make sure I don't leave anything insecure... Thanks... 
** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 **
RE: [ActiveDir] DNS setup questions
There seems to be a bit of confusion on a couple of fronts. First, neither stub zones nor conditional forwarding are dependent on the destination (e.g., external forest/external environment) DNS implementation. DNS servers respond to queries; that is what DNS does, no matter what version or whose implementation. The mechanisms used in both stub zone population and conditional forwarding are queries. The only reason that the BIND DNS implementation would need to be 8+ is if it is necessary for the forest that is serviced by the BIND servers to also do conditional forwarding and/or stub zones on behalf of their clients. Second, there is one and only one item in DNS that requires pure Windows Server 2003 DNS, and that is the use of AD-integrated DNS zones that are stored in partitions other than the domain partition. Leaving BIND out of the picture for a moment, conditional forwarding and stub zones do, of course, require Win2K3 DNS servers, but that does not necessarily preclude the use of Windows 2000 DNS servers in the environment. Personally, I'd use Windows Server 2003 regardless, but that's simply because it gives you more options and you don't have to worry about what Win2K supports. (And as a side note, you can even have Win2K DNS servers if you're using AD-integrated DNS zones that are stored in partitions other than the domain partition- you just won't be able to use the Win2k servers as replicas.) This may prove useful: http://support.microsoft.com/default.aspx/kb/88 HTH, Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, October 26, 2006 6:21 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS setup questions Hmmm. Looks like BIND 8 supports conditional forwarding and BIND 9 supports stub zones. 
:m:dsm:cci:mvp | marcusoh.blogspot.com -Original Message- From: Oh, Marcus (CCI-Atlanta) Sent: Thursday, October 26, 2006 6:19 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] DNS setup questions Yeah I think you're right. I completely overlooked that part about Bind. :) :m:dsm:cci:mvp | marcusoh.blogspot.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Thursday, October 26, 2006 5:20 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS setup questions Since the partner forest is not using AD DNS zones but a Unix BIND system, wouldn't that eliminate the ability to do the conditional forwarding? I thought that required both sides to be W2K3 AD DNS... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, October 26, 2006 1:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS setup questions You could use conditional-forwarding. You could also setup an AD int stub zone. I'm not well versed in the security aspects of either... but either one of those would work fine... :m:dsm:cci:mvp | marcusoh.blogspot.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Thursday, October 26, 2006 4:32 PM To: ActiveDir@mail.activedir.org Subject: DNS setup questions OK; my Google-fu isn't working well today, and it's been a while since I had to do any advanced DNS work. Too much BPM work, not enough AD admin lately... Here's the scenario: Our domain: W2K3 functional level single-domain forest using AD-integrated DNS, secure updates only Partner domain: W2K3 functional level single-domain forest using BIND DNS. We are planning to establish a trust between the domains. 
We need to set up DNS so that both domains can resolve at minimum SRV records to keep the trust working and allow member enumeration for selective auth setup. IIRC, we need to create secondary zones in each domain pointing to the other domain, and on the W2K3 side, add the BIND servers to the nameservers tab, right? Anything else I need to do on the W2K3 DNS side? I really think I'm missing something here, but I can't find any information with the answers I need... Also, if I allow zone transfers to the other domain's DNS IP addresses, what's to prevent them from setting up something other than a secondary server? I know AD integrated won't allow another AD integrated DNS server outside the current domain, but I just want to make sure I don't leave anything insecure... Thanks... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 **
RE: [ActiveDir] list lastlogontime for every user script
How is this 9-14 day value tracked for each user object, by the way? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, October 26, 2006 5:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] list lastlogontime for every user script oldcmp Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days). You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfind to generate the output. However, oldcmp tends to be easier for most folks. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Thursday, October 26, 2006 4:59 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] list lastlogontime for every user script Hi, I am trying to do a script or something that will list lastlogontime for all users so I can receive an email when someone has not used the account for more than 30 days. I have seen a couple of examples of half-built scripts that don't work; I get lost when they start dealing with converting the number to a date... Does anyone have a script that will do something similar? Does Joe ware have something similar? Thanks Ramon
Re: [ActiveDir] How to grant administrator from trusted forest local PC Admin rights
You can use the restricted group feature in GPO for this. Please refer to the following link for more detail: http://www.msresource.net/content/view/45/46/ On 10/27/06, Danny [EMAIL PROTECTED] wrote: Looking for ideas on how to provide a domain administrator in a separate forest local administrator rights on all domain computers to assist with ADMT v3 computer migration. Thanks,...D
Re: [ActiveDir] quota issues
I haven't. I don't have that problem with my users (sometimes I wish they were savvy enough to be that troublesome). But I vaguely remember something about a reg hack and/or a GPO that prevents users from receiving to a PST. - Original Message - From: Antonio Aranda To: ActiveDir@mail.activedir.org Sent: Thursday, October 26, 2006 9:12 AM Subject: RE: [ActiveDir] quota issues There is on pst file in there but I’ve had that problem before. What measures did you take to avoid that? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Albert Duro Sent: Thursday, October 26, 2006 9:44 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] quota issues by any chance, is it possible that there's a live PST in there, or an attempt to place it there? Users can do that on their own after all, unless measures are taken against it. - Original Message - From: Antonio Aranda To: ActiveDir@mail.activedir.org Sent: Wednesday, October 25, 2006 9:17 AM Subject: RE: [ActiveDir] quota issues I’m sorry but I don’t know what you mean by “files having streams”. Can you explain that attribute to me? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Guest Sent: Wednesday, October 25, 2006 10:06 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] quota issues Just a couple of thoughts. Have you tried searching the disk for other files marked with him as owner – perhaps from a legacy share which no longer exists? Alternatively, is it possible that one of the files he’s copying has streams? I understand the space used by a stream does not get added to the disk space that windows reports, but perhaps it affects the quota? Mike Guest IT Solutions HML Padiham DDI: +44 (0)1282 682550 Internal Extension: (61) 2550 From: Antonio Aranda [mailto:[EMAIL PROTECTED] Sent: 25 October 2006 15:33 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] quota issues There seem to be mostly small files; 5 to 7 K. 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Parag Nagwekar Sent: Tuesday, October 24, 2006 11:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] quota issues I guess he is probably trying to write or copy a file which is quite big, maybe more than 200Mb in size. Please tell him to write a smaller file on the file system where he is already using 300MB. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda Sent: Tuesday, October 24, 2006 12:55 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] quota issues I’m having weird quota issues. I have a partition that has the default quota set to 500 MB. There are a good hundred users writing to that partition but only one is having this issue; he keeps running out of quota even though he has only written about 300 MB to his subdirectory. He can only write to that subdirectory so why is he running out of space? Antonio Aranda Network Analyst UT-Permian Basin 432-552-2413
RE: [ActiveDir] list lastlogontime for every user script
It isn't, it is randomly calculated every time logonTime is updated. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, October 26, 2006 9:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] list lastlogontime for every user script How is this 9-14 day value tracked for each user object, by the way? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, October 26, 2006 5:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] list lastlogontime for every user script oldcmp Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days). You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfind to generate the output. However, oldcmp tends to be easier for most folks. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Thursday, October 26, 2006 4:59 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] list lastlogontime for every user script Hi, I am trying to do a script or something that will list lastlogontime for all users so I can receive an email when someone has not used the account for more than 30 days. I have seen a couple of examples of half-built scripts that don't work; I get lost when they start dealing with converting the number to a date... Does anyone have a script that will do something similar? Does Joe ware have something similar? Thanks Ramon
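Added example, not part of any list message and not the code of oldcmp, adfind or the AD Cookbook: a Python sketch of the number-to-date conversion asked about in this thread, plus a 30-day inactivity check that allows for the 9-14 day update interval described above. The CSV layout (sAMAccountName,lastLogonTimestamp), the sample accounts and all function names are assumptions constructed for the illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# lastLogonTimestamp is stored as a Windows FILETIME:
# the count of 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Per the thread, the value is refreshed only when the stored one is older than
# 14 days minus a random 0-5 days, so it can trail the real last logon by up to 14 days.
MAX_UPDATE_LAG = timedelta(days=14)


def filetime_to_datetime(raw):
    """Return the UTC datetime for a raw lastLogonTimestamp, or None if unset/zero."""
    text = "" if raw is None else str(raw).strip()
    ticks = int(text) if text else 0
    if ticks <= 0:
        return None
    # Integer microseconds: no float rounding on 18-digit values.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(moment):
    """Inverse conversion, used here only to build the constructed sample data."""
    delta = moment - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def classify(raw, now, threshold_days=30):
    """Classify one account as never / active / uncertain / stale."""
    stamp = filetime_to_datetime(raw)
    if stamp is None:
        return "never", None          # attribute absent or 0: no recorded logon
    age = now - stamp
    threshold = timedelta(days=threshold_days)
    if age <= threshold:
        return "active", stamp        # a logon definitely happened inside the window
    if age <= threshold + MAX_UPDATE_LAG:
        return "uncertain", stamp     # a later logon may simply not have been written yet
    return "stale", stamp             # any logon inside the window would have updated it


def report(csv_text, now, threshold_days=30):
    """Return (account, status, timestamp) for each row of the CSV export."""
    rows = []
    for record in csv.DictReader(io.StringIO(csv_text)):
        status, stamp = classify(record.get("lastLogonTimestamp"), now, threshold_days)
        rows.append((record["sAMAccountName"], status, stamp))
    return rows


def build_sample(now):
    """Constructed sample export; the account names and ages are made up."""
    ages_in_days = {"alice": 3, "bob": 35, "carol": 60}
    lines = ["sAMAccountName,lastLogonTimestamp"]
    for name, days in ages_in_days.items():
        lines.append(f"{name},{datetime_to_filetime(now - timedelta(days=days))}")
    lines.append("newhire,")   # attribute never populated
    lines.append("svc_old,0")  # explicit zero
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    now = datetime(2006, 10, 27, tzinfo=timezone.utc)
    for name, status, stamp in report(build_sample(now), now):
        shown = stamp.strftime("%Y-%m-%d %H:%M UTC") if stamp else "-"
        print(f"{name:10} {status:10} {shown}")
```

Accounts reported as "uncertain" are the ones where the replicated value alone cannot settle the 30-day question; the non-replicated lastLogon attribute on each domain controller would be needed to decide.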