RE: [ActiveDir] Domain Local Groups vs Global Groups
Local groups are so 1990s <grin> because they exist on individual systems; they are virtually unmanageable (save via Restricted Groups policies). Fugghedaboutem. DOMAIN LOCAL groups are what you probably mean, or should mean. They exist as a single instance in Active Directory, instead of the multiple-local-groups-one-each-server model of NT4.

The best practice in a SINGLE DOMAIN (or a single active domain with an empty forest root domain) is:

  Users -> Global Groups
  Global Groups -> Domain Local Groups
  Domain Local Groups -> ACL

Users go into global groups (which in Windows Server 2000 or greater domain functional level can be further nested into other global groups if necessary). Global groups nest into domain local groups. ACLs are assigned to domain local groups.

In a multidomain forest, best practice is the above *OR*

  Users -> Global Groups
  Global Groups -> Universal Groups
  Universal Groups -> Domain Local Groups
  Domain Local Groups -> ACL

Or

  Users -> Global Groups | Universal Groups -> ACL

Universal groups are really useful in multidomain forests for defining things like "My Company Executives", where each domain has a (global) Executives role defined, and those nest into a super group.

WHY this complexity? It yields optimal replication (though that's more of a technicality these days, in a single domain, since many/most organizations are making every DC a global catalog server). More importantly, it sets you up for effective role-based management in a dynamic enterprise. Domain Local Groups as the access group enable cross-domain access, which may not seem important to you today ("we have just one domain") but will become important the day there's a joint venture, acquisition, merger, etc. If it seems too complex to figure out the why, then stop asking and just do it ;-)

There is no *technical* better or worse about ACLing resources to global groups. For that matter, you could ACL resources to each and every user. Why don't you do that?
Because it's obviously unmanageable. Doing it to global groups is equally, if not as obviously, unmanageable, particularly in the long term. That said, there's a very minor technical difference that deals with the size of your PAC in your Kerberos ticket, so please don't take me to the mat for not detailing that; it's technical more than practical.

What should be driving your design is the need for ROLE BASED MANAGEMENT of your enterprise. Role based management, as far as resources go, should be discussed in terms of Roles (people / groups of people) and Management (in this case, managing access to a resource).

Roles define who someone is; you could describe them by their roles (job, function, department, business unit, geographical location, seniority, etc.). Just so happens that roles should be defined using global security groups, and yes, roles nest within roles (global -> global), so your departmental management role groups might very well nest into a corporate managers role group. Say, for example, that you define your brokers as to whether they are just brokers (global group: ROLE_Brokers) or supervisors (ROLE_Broker_Sups). Let's say you also have a team of auditors (ROLE_Auditors).

Management groups (for dealing with resource access, in this case) are typically domain local groups. But don't think of them as their technical scope (domain local); think of them as their purpose: to manage access to a resource.
So, for example, if you have a share for your broker data, you might have the following resource access management groups that parallel specific access levels to that share:

  - ACL_BrokerData_Editors (ACL = a group for access control; Editors = MODIFY permission)
  - ACL_BrokerData_Contributors (Contributors = permissions to create new files/folders and to modify own creations; but read-only to other people's stuff)
  - ACL_BrokerData_Readers (Read access)

With those three resource access groups, you can manage access to that resource by defining which roles get what access. Nest your role groups into your management groups (global -> domain local, technically). So your business might lead you to say "brokers can add things to this share and read but not modify other people's stuff." That would be nesting Role_Brokers into ACL_BrokerData_Contributors. Role_Broker_Sups might be given modify permission by nesting them into ACL_BrokerData_Editors. And your auditors might be nested into the ACL_BrokerData_Readers group.

You are now headed towards ROLE BASED MANAGEMENT. When an employee is promoted from broker to supervisor, you change their role membership (out of Role_Brokers, into Role_BrokerEditors) and voila, they now have access to this (and other) data store(s) based on the new role's access. Ideally, you tie your role groups to your HR system so that any change to roles of an employee are
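The design in the message above, worked through as an added example in PowerShell (this is not code from the original post or from the list). It assumes the ActiveDirectory module, two OUs for the ROLE_ and ACL_ groups, the share path D:\Shares\BrokerData and the domain intara.com; all of those are assumptions for illustration. Roles (global groups) nest into management groups (domain local groups), and only the management groups and CREATOR OWNER appear in the NTFS DACL. The "Contributors" level from the post is expressed as read plus create-on-folders for the group, with CREATOR OWNER holding Modify on what a user creates.

```powershell
# Added example, not code from the original post. Assumed: ActiveDirectory module,
# OU paths, share path and group names below.
Import-Module ActiveDirectory

$roleOu = 'OU=Roles,OU=Groups,DC=intara,DC=com'   # assumed OU for ROLE_ (global) groups
$aclOu  = 'OU=ACL,OU=Groups,DC=intara,DC=com'     # assumed OU for ACL_ (domain local) groups
$share  = 'D:\Shares\BrokerData'                  # assumed local path of the share
$domain = (Get-ADDomain).NetBIOSName

function New-GroupIfMissing([string]$Name, [string]$Scope, [string]$Path, [string]$Description) {
    $g = Get-ADGroup -LDAPFilter "(sAMAccountName=$Name)"
    if (-not $g) {
        $g = New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
                         -GroupCategory Security -Path $Path -Description $Description -PassThru
    }
    return $g
}

# Add-ADGroupMember errors if the member is already present, so check first
# (keeps the script safe to re-run).
function Add-MemberIfMissing($Group, $Member) {
    $present = Get-ADGroupMember -Identity $Group | Where-Object { $_.SID.Value -eq $Member.SID.Value }
    if (-not $present) { Add-ADGroupMember -Identity $Group -Members $Member }
}

# Roles (global groups) say who someone is; roles may nest into roles.
$brokers = New-GroupIfMissing 'ROLE_Brokers'     'Global' $roleOu 'Brokerage staff'
$sups    = New-GroupIfMissing 'ROLE_Broker_Sups' 'Global' $roleOu 'Brokerage supervisors'
$audit   = New-GroupIfMissing 'ROLE_Auditors'    'Global' $roleOu 'Internal audit'

# Management groups (domain local) are named for the resource and the access level they grant.
$editors = New-GroupIfMissing 'ACL_BrokerData_Editors'      'DomainLocal' $aclOu "Modify on $share"
$contrib = New-GroupIfMissing 'ACL_BrokerData_Contributors' 'DomainLocal' $aclOu "Create + modify own on $share"
$readers = New-GroupIfMissing 'ACL_BrokerData_Readers'      'DomainLocal' $aclOu "Read on $share"

# Role -> management nesting (global -> domain local). A promotion is now a role change only.
Add-MemberIfMissing $contrib $brokers
Add-MemberIfMissing $editors $sups
Add-MemberIfMissing $readers $audit

# NTFS: only ACL_ groups (and CREATOR OWNER) go into the DACL; never roles, never users.
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path $share
function Add-Ace([string]$Account, [string]$Rights, [string]$Inherit, [string]$Propagate) {
    $id  = [System.Security.Principal.NTAccount]$Account
    $fsr = [System.Security.AccessControl.FileSystemRights]$Rights
    $ifl = [System.Security.AccessControl.InheritanceFlags]$Inherit
    $pfl = [System.Security.AccessControl.PropagationFlags]$Propagate
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, $fsr, $ifl, $pfl, $allow)))
}
$both = 'ContainerInherit, ObjectInherit'   # this folder, subfolders and files

Add-Ace "$domain\ACL_BrokerData_Editors" 'Modify'         $both 'None'
Add-Ace "$domain\ACL_BrokerData_Readers" 'ReadAndExecute' $both 'None'
# Contributors: read everything, create files/folders in any folder (folders only, so
# CreateFiles never becomes WriteData on other people's files) ...
Add-Ace "$domain\ACL_BrokerData_Contributors" 'ReadAndExecute'                $both              'None'
Add-Ace "$domain\ACL_BrokerData_Contributors" 'CreateFiles, CreateDirectories' 'ContainerInherit' 'None'
# ... and whoever created an item gets Modify on it; that is the NTFS way to say
# "modify own creations, read-only to other people's stuff".
Add-Ace 'CREATOR OWNER' 'Modify' $both 'InheritOnly'

Set-Acl -Path $share -AclObject $acl
```

Run it once to build the structure and again after a reorganisation; the membership and group checks make it idempotent, and the only thing that ever changes day to day is which ROLE_ group a person is in.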
RE: [ActiveDir] Domain Local Groups vs Global Groups
That's what I get for reading my inbox up... David: do read my treatise in my earlier email. But Matt Hargraves' response did raise the one technical issue I only alluded to: token size. He's right to raise a flag about Exchange. Depending on the complexity of your role-based design and whether you use Exchange (2003 or 2000; 2007 seems to be exempt from this issue) and your Exchange architecture, you do have to watch for the number of total groups a user belongs to. A large number of group memberships will reduce the effective maximum users per Exchange server level somewhat, but whether that "somewhat" would be salient depends on several factors.

To tie together what Matt discussed and what I proposed, my discussion lays out a design that integrates both RBS and ABS. You definitely want role-based management. Whether you also go to the level I outlined of managing ACLs depends on your environment: more resources, more complex security, and more spread-out resources, and you'll be better served by the design I described. In a simpler environment (e.g. "we have a departmental share with each department having a subfolder", on the extreme side), you don't necessarily need the ABS layer.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Wednesday, July 26, 2006 8:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Local Groups vs Global Groups

I'd be interested to hear people's strategy for permissioning Windows based file servers when the server is in a Windows 2003 domain. I have read the best practices about putting users into global groups, then put the global groups into local groups, then permission the resource with the local group. But:

1. Is it better practice to put the domain local group into a local group on the file server and then use this local group to permission the share/folder? Is this excessive? I have read something about performance or avoiding limits by using the server local group when the access token is created.

2. What shortcomings would there be in putting users into global groups then simply permissioning the global group onto the resource? We only have a single forest/domain.

I am also aware of Universal groups but let's put these to one side for the moment ;-)

Thanks
David

This message contains confidential information and is intended only for the individual or entity named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as an invitation or offer to buy or sell any securities or related financial instruments. GAM operates in many jurisdictions and is regulated or licensed in those jurisdictions as required.
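The token-size caveat raised in the message above, made measurable as an added example (not code from the original thread). It reads the user's transitive group set from the constructed tokenGroups attribute, which is what the DC places in the PAC, and applies Microsoft's sizing formula from KB 327825: TokenSize = 1200 + 40d + 8s, where d counts domain local groups, universal groups from other domains and SID history entries, and s counts global groups and universal groups from the account's own domain. The user name jdoe and the 12000-byte threshold (the pre-Windows Server 2012 MaxTokenSize default) are assumptions for illustration.

```powershell
# Added example, not code from the original thread. Assumed: ActiveDirectory module,
# the user name and the threshold used at the bottom.
Import-Module ActiveDirectory

function Get-TokenSizeEstimate {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user             = Get-ADUser -Identity $SamAccountName -Properties sIDHistory
    $accountDomainSid = (Get-ADDomain).DomainSID.Value

    # tokenGroups is constructed on demand; ADSI RefreshCache asks the DC to compute it.
    $entry = [adsi]"LDAP://$($user.DistinguishedName)"
    $entry.RefreshCache(@('tokenGroups'))
    $sids = @($entry.Properties['tokenGroups'] | ForEach-Object {
        New-Object System.Security.Principal.SecurityIdentifier($_, 0)
    })

    $d = 0; $s = 0
    foreach ($sid in $sids) {
        $g = $null
        try { $g = Get-ADGroup -Identity $sid -ErrorAction Stop } catch { }
        if (-not $g) { $d++; continue }      # unresolvable SID: count it at the larger weight

        $foreign = ($null -eq $sid.AccountDomainSid) -or ($sid.AccountDomainSid.Value -ne $accountDomainSid)
        switch ($g.GroupScope) {
            'DomainLocal' { $d++ }
            'Universal'   { if ($foreign) { $d++ } else { $s++ } }
            default       { $s++ }           # Global
        }
    }
    if ($user.sIDHistory) { $d += $user.sIDHistory.Count }   # SID history rides in the PAC too

    [pscustomobject]@{
        User          = $SamAccountName
        Groups        = $sids.Count
        DomainLocal   = $d
        Global        = $s
        EstimateBytes = 1200 + 40 * $d + 8 * $s
    }
}

$r = Get-TokenSizeEstimate -SamAccountName 'jdoe'    # assumed user
$r
if ($r.EstimateBytes -gt 12000) {                    # assumed threshold (old MaxTokenSize default)
    Write-Warning "Token for $($r.User) likely exceeds 12000 bytes; trim nesting or raise MaxTokenSize"
}
```

The split between d and s is the practical reason the role/management layering costs something: every ACL_ (domain local) group a user lands in weighs 40 bytes against 8 for a ROLE_ (global) group, so a user who is nested into hundreds of resource groups is the one to check first.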
RE: [ActiveDir] Folder redirection exceptions?
I don't know why my reply was invisible, but I *am* going to tackle this. I am being tasked with a similar task for a client so I'm guessing I'll be doing it within the next 1-2 weeks. Sorry for the delay.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Arnold Arce
Sent: Wednesday, March 22, 2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Folder redirection exceptions?

Is it me, or are Dan Holme's replies invisible?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Friday, March 17, 2006 5:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Folder redirection exceptions?
RE: [ActiveDir] View Delegated Tasks?
<teaser> For anyone who's going to Windows Connections in Orlando, come to my Advanced Delegation session. I'll show you an option that is so simple and powerful for delegating and then being able to pull reports on your delegation that it will blow your mind. Believe me, I'm not tooting my own horn; I'm no brainiac. The key word was SIMPLE. </teaser>

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, March 23, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] View Delegated Tasks?

You can however use something like DSRevoke to build a report: http://www.microsoft.com/downloads/details.aspx?FamilyID=77744807-c403-4bda-b0e4-c2093b8d6383&DisplayLang=en

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, March 23, 2006 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] View Delegated Tasks?

You can't. The delegate wizard is write only. You have to look at the security descriptor on the OU and figure out what changes were made.

Wook Lee
AD Architect - HP IT

From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Fri 3/17/2006 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] View Delegated Tasks?

When I delegate permissions to a group in ADUC to a specific OU (using the Delegate Wizard), how can I go back and see who was delegated and the permissions?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] ou delegation - change password at next logon
If you're an IT Pro mag subscriber, check this out: http://www.windowsitpro.com/Article/ArticleID/41105/41105.html

If not, here's a QUICK summary...

1) At the BOTTOM of this message, copy everything.
   ON THE MACHINE *FROM* WHICH YOU DO YOUR DELEGATION (i.e. your machine):
2) BACK UP %windir%\inf\delegwiz.inf
3) REPLACE it with the text you copied below.
4) ALSO back up the 'new' file, since a service pack could theoretically stomp back on the old lame file.
5) Re-launch ADUC and you'll now see exactly the task you need to delegate in the Delegation of Control wizard.

You need Reset Password (a 'control right') and "User must change password at next logon" (a permission to change the pwdLastSet attribute of the user account; setting it to 0 forces change at next logon, and when you check the box in the UI, you're setting it to 0).

If by some chance you're coming to Windows Connections in Orlando, I'll be doing this at my delegation session as an example.

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Tuesday, March 28, 2006 7:45 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] ou delegation - change password at next logon

Dear all, was wondering if someone could give us a view on the delegation of the 'user must change password at next logon'. It seems that having applied the delegation (using Windows 2000 delegation wizard on a Windows 2000 domain) that allows 'reset password on user objects', the delegate can check the box from ADUC, but this does not in fact set the above attribute. It would seem that we are going to need to apply a custom delegation, from which it is not immediately obvious how to delegate the setting of this attribute. Would anyone be able to offer a 'walkthrough' using the Windows 2000 delegate control wizard??
Thanks
GT

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

===== START COPYING BELOW =====
[Version]
signature=$CHICAGO$

[DelegationTemplates]
Templates = template1, template2, template3, template4, template5, template6, template7, template8, template9, template10, template11, template12, template13, template14, template15, template16, template17, template18, template19, template20, template21, template22, template23, template24, template25, template26, template27, template28, template29, template30, template31, template32, template33, template34, template35, template36, template37, template38, template39, template40, template41, template42, template43, template44, template45, template46, template47, template48, template49, template50, template51, template52, template53, template54, template55, template56, template57, template58, template59, template60, template61, template62, template63, template64, template65, template66, template67, template68, template69, template70

;-----
[template1]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = Create, delete, and manage user accounts
ObjectTypes = SCOPE, user
[template1.SCOPE]
user=CC,DC
[template1.user]
@=GA
;-----

;-----
[template2]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = Reset user passwords and force password change at next logon
ObjectTypes = user
[template2.user]
CONTROLRIGHT= Reset Password
pwdLastSet=RP,WP
;-----

;-----
[template3]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = Read all user information
ObjectTypes = user
[template3.user]
@=RP
;-----

[template4]
AppliesToClasses = organizationalUnit,container
Description = Create, delete and manage groups
ObjectTypes = SCOPE, group
[template4.SCOPE]
group=CC,DC
[template4.group]
@=GA
;-----

;-----
[template5]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = Modify the membership of a group
ObjectTypes = group
[template5.group]
member=RP,WP
;-----

;-----
[template6]
AppliesToClasses = domainDNS
Description = Join a computer to the domain
ObjectTypes = SCOPE
[template6.SCOPE]
computer=CC
;-----

;-----
[template7]
AppliesToClasses = domainDNS,organizationalUnit,site
Description = Manage Group Policy links
ObjectTypes = SCOPE
[template7.SCOPE]
gPLink=RP,WP
gPOptions=RP,WP
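The delegation that template2 above expresses (CONTROLRIGHT = Reset Password plus pwdLastSet=RP,WP on user objects), applied directly to the OU's security descriptor and then read back, as an added example; this is not code from the message or from the delegwiz.inf article. Reading the ACEs back is the answer to the earlier "View Delegated Tasks?" thread on this page: the wizard is write-only, so the security descriptor is the only record. The OU OU=Brokers,DC=intara,DC=com and the delegate group HelpDesk_PasswordResets are assumptions; the GUIDs are resolved from the schema and the Extended-Rights container rather than typed in.

```powershell
# Added example, not code from the original message. Assumed: ActiveDirectory
# module (which provides the AD: drive), the OU and the delegate group below.
Import-Module ActiveDirectory

$ou       = 'OU=Brokers,DC=intara,DC=com'   # assumed OU being delegated
$delegate = 'HelpDesk_PasswordResets'       # assumed delegate group
$rootDse  = Get-ADRootDSE
$rightsCn = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Resolve GUIDs from the directory instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
function Get-ControlRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase $rightsCn -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$o.rightsGuid
}

$userClass  = Get-SchemaGuid 'user'
$pwdLastSet = Get-SchemaGuid 'pwdLastSet'
$resetPwd   = Get-ControlRightGuid 'Reset Password'

$sid   = (Get-ADGroup -Identity $delegate).SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents   # objects below the OU

function New-AdAce([System.DirectoryServices.ActiveDirectoryRights]$Rights, [guid]$ObjectType, [guid]$AppliesToClass) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights, $allow, $ObjectType, $desc, $AppliesToClass)
}

$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule((New-AdAce 'ExtendedRight'               $resetPwd   $userClass))   # CONTROLRIGHT = Reset Password
$acl.AddAccessRule((New-AdAce 'ReadProperty, WriteProperty' $pwdLastSet $userClass))   # pwdLastSet = RP,WP
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Read-back: map GUIDs to names (all control rights, plus the two schema objects used
# above); anything else is shown as its raw GUID.
$names = @{}
Get-ADObject -SearchBase $rightsCn -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $names[([guid]$_.rightsGuid).ToString()] = $_.displayName }
$names[$pwdLastSet.ToString()] = 'pwdLastSet'
$names[$userClass.ToString()]  = 'user'

function Resolve-Guid([guid]$g) {
    if ($g -eq [guid]::Empty) { return 'All' }
    if ($names.ContainsKey($g.ToString())) { return $names[$g.ToString()] }
    return $g.ToString()
}

(Get-Acl -Path "AD:\$ou").Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
    [pscustomobject]@{
        Identity  = $_.IdentityReference.Value
        Type      = $_.AccessControlType
        Rights    = $_.ActiveDirectoryRights
        Object    = Resolve-Guid $_.ObjectType            # attribute or control right
        AppliesTo = Resolve-Guid $_.InheritedObjectType   # object class the ACE is scoped to
        Inherit   = $_.InheritanceType
    }
} | Format-Table -AutoSize
```

Run the read-back half on its own against any OU to get the report the wizard never gives you; filtering on IsInherited keeps it to what was explicitly delegated at that container rather than everything flowing down from the domain.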
RE: [ActiveDir] When and how often are EA rights needed?
EA rights, once a forest is deployed and delegated, are needed only for "in case of emergency, break glass", i.e. pretty much never.

When you're talking EA, you're pretty much talking the Administrator account of the forest root domain (first domain installed), so think of them one and the same... you will be locking down that Administrator account to lock down EA. Either it's the ONLY account in the EA group (default) or any other account in EA should be locked down pretty much equivalently.

The break glass scenario is, particularly in a multi-domain forest, someone does some nasty delegation (ACL modification) that effectively locks out an OU. Just like you could, theoretically, lock yourself out of an NTFS folder. Just like an NTFS folder, the owner of the folder ALWAYS can change the ACL and open it back up again. In AD the owner is EA; it owns the forest. So, one container at a time, EA will be able to dig down and unblock.

Case study: One client of mine (100k employees) has only three accounts in the EA group, which in their case is in a dedicated forest root. I don't believe they've used the accounts in over a year. Another client (global financial services company) has ONLY the default Administrator account in EA, and that account has had a three-way password created: three admins each entered PART of a password, the password pieces were put into an envelope in a physically secure location in Europe and another in N. America. AFAIK they haven't used it since they locked the account down.

Read the MS doc "Best practices for AD Delegation" to effectively delegate your forest, PARTICULARLY if you have more than one domain in your forest. The things that tend to get missed that impact day-to-day or even occasional operations are things like delegating the creation of sites, subnets, and site links; the ability to kick off replication (not recommended, but...); and authorizing new DHCP Servers.

I'm sure that others on the list will have other tips as well.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 14, 2006 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] When and how often are EA rights needed?

We're trying to understand when EA rights are needed within a multi domain forest, where each domain represents a fairly autonomous region. Mgmt have suggested that the following is true:

- EA not needed on daily basis
- EA rights rarely needed after initial deployment

Can anyone please throw a few reasons at me why you would need EA rights on a daily basis? Troubleshooting? Diagnosis? How would you be impacted if you had to request access to an EA account each time it was required? I'd like to build a case whereby we have permanent EAs and would like some additional ammo from you guys :)

***Feel free to argue against my views and explain to me how/why you *could* manage a forest such as the above, without access to an EA account on a daily basis.

Thanks,
neil

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy.
Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
RE: [ActiveDir] When and how often are EA rights needed?
That's an ENTIRELY different question, but here's MY two cents' worth. In 90-98% of enterprises, if you were to begin designing an AD forest today knowing everything that has been learned in real-world implementations of AD over the past 7 years, you would NOT end up with a dedicated forest root domain. So the answer to your question is, "It depends, but there probably AREN'T three reasons." There's a LOT of background to that abrupt statement. Read the Best Practices documents on AD security delegation design and you'll begin to see. It's just too big of a topic to tackle in this forum.

Unfortunately, I really don't have bandwidth right now to support the likely responses that this might generate in the group, but, Rocky (or anyone), if you want to contact me directly we can chat about it. I just can't monitor the group regularly right now. You can email me directly at dan dot holme at intelliem dot com.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, March 14, 2006 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] When and how often are EA rights needed?

Dan, Thanks for posting this. Now ... could you spend just a minute giving us the top three reasons (if there are any at all) on why one would have a Dedicated Forest Root domain versus just a single domain. I personally would appreciate it ... Thank you again.

RH

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Tuesday, March 14, 2006 11:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] When and how often are EA rights needed?

EA rights, once a forest is deployed and delegated, are needed only for "in case of emergency, break glass", i.e. pretty much never.
RE: [ActiveDir] When and how often are EA rights needed?
Check out the Delegation paper I mentioned. EA has a lot of delegations; the few I mentioned there are the most important DAY-TO-DAY. There are tons of detailed, techy/geeky things that are critical to AD internals security. You want to keep those things tightly secured and delegate OUT the day-to-day stuff.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 14, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] When and how often are EA rights needed?

> Case study: One client of mine (100k employees) has only three accounts in the EA group, which in their case is in a dedicated forest root. I don't believe they've used the accounts in over a year. Another client (global financial services company) has ONLY the default Administrator account in EA, and that account has had a three-way password created: three admins each entered PART of a password, the password pieces were put into an envelope in a physically secure location in Europe and another in N. America. AFAIK they haven't used it since they locked the account down.

So how do they manage and t.shoot their AD?

> Read the MS doc "Best practices for AD Delegation" to effectively delegate your forest, PARTICULARLY if you have more than one domain in your forest. The things that tend to get missed that impact day-to-day or even occasional operations are things like delegating the creation of sites, subnets, and site links; the ability to kick off replication (not recommended, but...); and authorizing new DHCP Servers. I'm sure that others on the list will have other tips as well.

IMHO, if you have rights to do all the above, you are an EA equivalent any way :)

Thanks for the comments.
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: 14 March 2006 16:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] When and how often are EA rights needed?
RE: [ActiveDir] Folder redirection exceptions?
Ken: I am 99% certain I solved this for a client... I will dig back through my notes and find out what we did. I know the requirement for local My Music (and videos, pictures and PSTs) while redirecting the rest of My Docs was met. Can't remember how elegant it was. Please ping me in about a week at dan dot holme at intelliem dot com and I hope to have had time to find the answer to that again.

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Tuesday, March 14, 2006 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Folder redirection exceptions?

Hi,

For My Documents redirection, if you look at the second tab, there is an option to not redirect the My Pictures folder. I know that doesn't help with My Music.

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Arnold Arce
Sent: Wednesday, 15 March 2006 12:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Folder redirection exceptions?

Hi everyone. Long time reader, first time poster. I have a simple question which I'm hoping has a simple answer. I've set up a group policy that redirects everyone's "My Documents" directory to their home directory on the server. Works great, except people's Music and Pictures are being stored on the server too. Is there a way to exclude the My Music and My Pictures directories from being redirected and left on the local workstation?

Arnold
[EMAIL PROTECTED]
RE: [ActiveDir] Folder redirection exceptions?
(see my previous reply also!)

Actually, Ken, I'll talk off the top of my head for a second so that you have SOMETHING to go for and test while I dig up my notes. As I mentioned in prev reply, I'm not completely certain HOW I solved it (but will find out) but I *think* the answer was a simple registry poke to TWO parts of the HKCU registry key, which obviously can be done in your 'image', using a vbscript, with a custom GPO template, or using a GPO extension tool. My recollection is that by redirecting My Music in the registry it worked just fine even when folder redirection was set up. It may be that we had to deselect the My Pictures option in the GPO -- it might have been that by telling Windows not to auto-redirect My Pictures it also skipped auto-redirecting My Music. You can test those out while I find and test out my notes again.

BTW, we created a folder in the user profile, %userprofile%\My Personal Data\, under which we put My Music, etc. We excluded My Personal Data from roaming profiles. We put a SHORTCUT in My Documents called My Music that pointed to My Personal Data\My Music so that users who were accustomed to seeing My Music there would still see it, but when they clicked it they'd end up in the non-redirected folder. Applications, which are (should be) coded to look for the *variable* (shell folder) My Music, went to the non-redirected folder automatically.

Hope this helps you chew on something until we chat.

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Tuesday, March 14, 2006 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Folder redirection exceptions?

Hi,

For My Documents redirection, if you look at the second tab, there is an option to not redirect the My Pictures folder. I know that doesn't help with My Music.

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Arnold Arce
Sent: Wednesday, 15 March 2006 12:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Folder redirection exceptions?

Hi everyone. Long time reader, first time poster. I have a simple question which I'm hoping has a simple answer. I've set up a group policy that redirects everyone's "My Documents" directory to their home directory on the server. Works great, except people's Music and Pictures are being stored on the server too. Is there a way to exclude the My Music and My Pictures directories from being redirected and left on the local workstation?

Arnold
[EMAIL PROTECTED]
RE: [ActiveDir] Merging Multiple AD Groups
Did you add -c to the second command (continue despite errors)?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Thursday, February 09, 2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Merging Multiple AD Groups

I have two existing groups:
1. USAT_HR_RO (24 members)
2. USNY_HR_RO (45 members)

I created a new group to merge members of both groups above into the new group.
3. USHR_PROJSAP_RO (0 members)

Some users are members of groups 1 & 2. I want to copy the users from groups 1 & 2 into the new group 3 so this would contain 69 members. I tried the following command 1st:

dsget group CN=USAT_HR_RO,OU=GGroups,dc=Intara,dc=com -members | dsmod group CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com -addmbr

then I tried the following command:

dsget group CN=USNY_HR_RO,OU=GGroups,dc=Intara,dc=com -members | dsmod group CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com -addmbr

but this does not work... does this make sense?

Al Mulnick [EMAIL PROTECTED] wrote:
Complains? Can you give more detail?

On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:
I have two global groups which I need to merge the users in both into one new group. What is the best way to do this? I have used DSGET & DSMOD but it complains about existing users. Any ideas?
RE: [ActiveDir] Going Native in root domain
Make sure you know your environment, particularly anything that uses AD to AUTHENTICATE. For example, a while back there was a VERY popular NAS device that broke when you went Native in AD: it had issues with Kerberos authentication. (BTW: no, I'm not going to mention it by name b/c I haven't had coffee yet and don't remember AND I would hope they fixed it by now.) Just make sure that anything that authenticates is going to be OK with your new functional level. Check non-MS OS's and hardware and apps. That caution aside, you shouldn't run into too many problems, and assuming your root is basically empty the odds of you running into problems are low. Just research and test first, as any consultant is bound to say!

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Tuesday, December 13, 2005 8:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Going Native in root domain

We have a flat, multi-domain 2000 AD. Does anyone see any issue if the root domain goes domain native but stays mixed mode forest?

Thanks,
jb
--
Jason Benway [EMAIL PROTECTED]
GHSP
1250 S. Beechtree
Grand Haven, MI 49417
616-847-8474 Fax: 616-850-1208
Required space inevitably expands to exceed available space...

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Home directories issue
%USERNAME% won't help, as it is translated on the fly to the user's name the moment you use it, so it ends up joe.user anyway. Are your users having the problem using W2K or later, I assume? (If not, there's your answer.) And you ARE using a real share, not a DFS root share, right?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Arnold Arce
Sent: Monday, December 12, 2005 9:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home directories issue

I have experienced this same problem. Usually logging off and logging on fixes it. I need to find a better answer. I'll try the %USERNAME% variable like someone else suggested.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
Sent: Monday, December 12, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Home directories issue

Hoping someone has seen this problem before. Users are mapping home folders using the AD profile tab, which maps X: to \\servername\home\joe.user. Occasionally, upon logon, users will map to \\servername\home and not all the way to their own home directory. I've seen several blogs and the same problem posted elsewhere but no cause or solution.

Thanks
Jerry
RE: [ActiveDir] Saved Query for Distinguished Name Contains
Thanks for the scoop, Joe!!! And yes, I LOVE ADFIND, but it doesn't provide a result set within the MMC. I'm trying to do an MMC (AD U&C snap-in) Saved Query as the basis for a custom Taskpad. Sorry I wasn't clear about that. Guess I'm out of luck. Thanks again, though! At least I know not to keep beating my head against the wall!

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 05, 2005 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Saved Query for Distinguished Name Contains

It seems I have been answering a lot of questions like this lately... You can not put parts of the DN into the LDAP query. The only way to control what branches a query looks at are 1. Permissions 2. Search base 3. Search scope. You need to be the most specific you need to be to either include or exclude various branches of the tree.

That being said, someone who wanted to have those specific branches filtered out or filtered in to the outputted return set but didn't mind actually returning a lot more data could look to see if they can find a tool that was written by someone bright enough to add options to let you do that. Hey, there is one... It is called adfind and has excldn and incldn switches to allow you to specify portions of a DN of objects you would like outputted. FYI, there is a bug in the objects returned counter when using incldn; I have to go in and fish it out of there. It is because I cut and pasted the excldn code to produce the incldn section. ;o)

Anyway, your query would look something like

adfind -default -f objectcategory=computer -incldn ou=workstations

Keep in mind though that every computer in your org will be passed back to your client, so if you have 100k computers and only 10 are in the ou=workstations OU's it will seem AWFULLY SLOW. There is no way for me to get around that.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Sunday, December 04, 2005 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Saved Query for Distinguished Name Contains

Hey, all! I am trying to create a saved query to pull out computers that exist within a WORKSTATIONS OU; and that OU may exist within several higher-level OUs, i.e. distinguishedName=*OU=Workstations*, but the Saved Queries interface in ADUC doesn't seem to like distinguishedName (I've also tried dn= and DN=). Any ideas, please?

Dan Holme
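As an added illustration of joe's point (this is not adfind's code and not anything from the thread), here is the client-side filtering a tool has to do once the whole result set is back: match `ou=workstations` as an actual RDN of each DN rather than as a substring. The sample DNs are constructed.

```python
"""Client-side filtering of LDAP search results by a DN component.

Added example, not adfind's code nor anything from the thread: LDAP offers
no substring match on distinguishedName, so, as joe says, the client must
pull the whole result set and then keep or drop entries by inspecting each
DN. The include/exclude functions below mirror the idea of adfind's
-incldn / -excldn switches, implemented independently here.
"""
from typing import Iterable, List, Optional

# Constructed sample result set standing in for what the DC would return
# for (objectCategory=computer) with a search base at the domain root.
SAMPLE_DNS = [
    "CN=WS001,OU=Workstations,OU=Seattle,DC=example,DC=com",
    "CN=WS002,OU=workstations,OU=Chicago,DC=example,DC=com",
    "CN=SRV01,OU=Servers,OU=Seattle,DC=example,DC=com",
    "CN=OLD01,OU=Workstations-Retired,OU=Seattle,DC=example,DC=com",
    # a computer literally named "Workstations" that lives under Servers
    "CN=Workstations,OU=Servers,DC=example,DC=com",
    # a leaf RDN containing an escaped comma (RFC 4514)
    "CN=Smith\\, WS,OU=Workstations,OU=Denver,DC=example,DC=com",
]


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs, honouring backslash-escaped commas."""
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns


def normalize_rdn(rdn: str) -> str:
    """Lower-case attribute type and value and drop whitespace around '=',
    so 'OU = Workstations' and 'ou=workstations' compare equal."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def has_rdn(dn: str, wanted: str, skip_leaf: bool = True) -> bool:
    """True if `wanted` (e.g. 'ou=workstations') is one of the RDNs of `dn`.

    With skip_leaf the object's own RDN is ignored, so a computer that is
    merely *named* Workstations does not count as living in that OU.
    """
    rdns = [normalize_rdn(r) for r in split_dn(dn)]
    if skip_leaf:
        rdns = rdns[1:]
    return normalize_rdn(wanted) in rdns


def filter_by_rdn(dns: Iterable[str],
                  include: Optional[str] = None,
                  exclude: Optional[str] = None) -> List[str]:
    """Keep DNs that contain `include` (if given) and lack `exclude` (if given)."""
    kept = []
    for dn in dns:
        if include is not None and not has_rdn(dn, include):
            continue
        if exclude is not None and has_rdn(dn, exclude):
            continue
        kept.append(dn)
    return kept


def substring_match(dns: Iterable[str], needle: str) -> List[str]:
    """The naive alternative: case-insensitive substring test on the whole DN.
    Kept only to show why it over-matches (see OLD01 in the sample)."""
    needle = needle.lower()
    return [dn for dn in dns if needle in dn.lower()]


if __name__ == "__main__":
    print("RDN match:      ", filter_by_rdn(SAMPLE_DNS, include="ou=workstations"))
    print("substring match:", substring_match(SAMPLE_DNS, "ou=workstations"))
    print("not in Seattle: ", filter_by_rdn(SAMPLE_DNS, exclude="OU=Seattle"))
```

The substring version also returns OLD01 (under OU=Workstations-Retired), which is the kind of over-match a saved query on `*OU=Workstations*` would have produced had ADUC accepted it.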
[ActiveDir] Saved Query for Distinguished Name Contains
Hey, all! I am trying to create a saved query to pull out computers that exist within a WORKSTATIONS OU; and that OU may exist within several higher-level OUs, i.e. distinguishedName=*OU=Workstations*, but the Saved Queries interface in ADUC doesn't seem to like distinguishedName (I've also tried dn= and DN=). Any ideas, please?

Dan Holme
[ActiveDir] RIS WinPE Question
I hope some of you brainiacs can help me out here. I have a WinPE image loaded into a W2K3 RIS server. It launches as a standard image just fine, but creates a computer account in AD. I know that W2K3 SP1 is supposed to have the functionality where I can change the *.sif value ImageType=Flat to ImageType=WinPE and then WinPE is supposed to show up in my TOOLS menu, but it doesn't. It just disappears as an option altogether. I've tried various combinations of the Choice Options GPO, including disabling all options EXCEPT Tools, at which point the PXE client just says "Can't show you anything ha ha ha" (or something evil to that effect). After 2 hours of experimentation and googling, I'm at wits' end. Any help would be greatly appreciated.

Dan
RE: [ActiveDir] Display in ADUC
The Display Name is not what is showing in ADUC. ADUC in the Name column is showing the CN. The CN *must* be unique for a user in a specific OU, and therefore is the field that can be used to select and open the properties of a user object. Right-click and RENAME the user.

TIPS: You will also want to think about adding more useful columns to your ADUC view: View > Add/Remove Columns (helps you sort by last name, for example). One tip about that: when you add a column in a normal AD U&C node (e.g. add last name to a user OU) that column will appear in *every* node (even in a computers OU), which is stupid and you'll hate it. Saved Queries allow you to have unique columns visible per query, so you could create a query that shows *anything* (even a "show all users in this OU" query) and that will let you add the last name column to just that query.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Wednesday, October 12, 2005 5:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Display in ADUC

We have 2003 AD. I changed the display name of a user in their property sheet but it still shows the old display name when you look at it in Active Directory Users and Computers. You can look at the properties and it shows the new display name. What else do I need to do?
RE: [ActiveDir] dns suffix search list
Marcus: What scope option is that? Funny, I thought it was there too and couldn't find the option.

Tom: http://www.microsoft.com/technet/scriptcenter/scripts/network/client/modify/nwmovb21.mspx is the WMI script. Also, Group Policy allows configuring the DNS Suffix Search Order.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 8:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dns suffix search list

By lots of machines, are you referring to workstations? If so, are they in a scope that's managed by DHCP? You could manipulate the search suffix that way.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 22, 2005 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dns suffix search list

I'm only running win2k. I'd like to make the script query a text file of client names, so I can just execute it from my desktop rather than a script. How would I go about doing that?

Thanks

-Original Message-
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Thu 9/22/2005 2:31 PM
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] dns suffix search list
RE: [ActiveDir] Folder Redirection
Probably a permissions problem. Since you're just TESTING, start by setting perms on the folder so that the user has full control. This is not the ideal permission set, but it will tell you whether that's causing the problem. Once you know if that's the issue, we can chat about the exact permissions for future tests. Also check DNS, etc. Try connecting to a normal shared folder on the same server.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Paul
Sent: Tuesday, August 16, 2005 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Folder Redirection

I am a newbie studying for MCSE 2000. I do not claim to know much but could use your patience and help! I logged on to one of the PCs as the user that has the GPO (no override is checked) for folder redirection (it's the My Docs folder), saved something in it, but did not find the saved file in the redirected folder. Any advice is greatly appreciated.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, August 14, 2005 5:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Right click and goto properties

A subject would help your message greatly.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Paul
Sent: Sunday, August 14, 2005 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How do you setup folder redirection?

How does it work?
1. create shared folder
2. start, programs, administrative tools, AD Users & Computers
3. OU right click, properties, Group policy
4. new, any name, click name, edit, user config, windows settings
5. folder redirection, my docs
Where do you go from here?

Thanks all
RE: [ActiveDir] dhcp
Sorry--I wasn't even considering a scenario where you have a mix of stand-alone and domain member servers on the same subnet (the one 'exception to the rule' as the article you mention points out)... So what was the question then???

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 12, 2005 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] dhcp

This article from MS claims that a stand alone will send out a dhcp inform (among other things) packet to query the auth dhcp servers and if it gets an ack, it will stop giving out addys. Of course it has to be win2k or 2k3 and on the same subnet as the auth dhcp servers for them to hear the broadcast.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9a4157c4-3c2f-4871-9ffe-7d405781f2cf.mspx

On 8/12/05, Dan Holme [EMAIL PROTECTED] wrote:
No. The only DHCP server that WON'T give out addresses is a 2K or 2K3 *domain member*. Everyone else, every platform, every standalone, will give out IPs ... they care nothing about AD.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 12, 2005 5:26 PM
To: activedirectory
Subject: [ActiveDir] dhcp

Is it true that even a stand alone win2k dhcp server will not give out ip's if it contacts an AD dhcp server?
RE: [ActiveDir] csvde syntax
DUMPCOMPUTERS.BAT

@echo off
REM Usage: DUMPCOMPUTERS.BAT <search base DN> <output file>
REM Exports every computer object under the given DN (subtree search) with the listed attributes.
set OU=%1
set FileName=%2
ldifde -f "%FileName%" -d "%OU%" -p SubTree -r "(objectClass=computer)" -l objectClass,description,name,sAMAccountName
echo on

The ldifde line is ONE line (watch for word wrap in the email).

Call this file as in:

DUMPCOMPUTERS.BAT dc=windomain,dc=local computers.txt

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 11:18 AM
To: activedirectory
Subject: [ActiveDir] csvde syntax

What's the ldap filter to use with csvde to just export all computer objects in a domain to a file?

thanks
RE: [ActiveDir] csvde syntax
OOPS sorry I sent an LDIF version. I think the syntax is the same (don't have time to check) for CSVDE, though...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Thursday, August 11, 2005 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] csvde syntax

DUMPCOMPUTERS.BAT

@echo off
REM Usage: DUMPCOMPUTERS.BAT <search base DN> <output file>
REM Exports every computer object under the given DN (subtree search) with the listed attributes.
set OU=%1
set FileName=%2
ldifde -f "%FileName%" -d "%OU%" -p SubTree -r "(objectClass=computer)" -l objectClass,description,name,sAMAccountName
echo on

The ldifde line is ONE line (watch for word wrap in the email).

Call this file as in:

DUMPCOMPUTERS.BAT dc=windomain,dc=local computers.txt

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 11:18 AM
To: activedirectory
Subject: [ActiveDir] csvde syntax

What's the ldap filter to use with csvde to just export all computer objects in a domain to a file?

thanks
RE: [ActiveDir] large profiles
Don't forget about using My Documents and Desktop folder redirection in addition to your roaming profile as a very viable option for this kind of situation...

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III
Sent: Wednesday, August 10, 2005 7:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] large profiles

That's exactly what I was looking for, don't know how I overlooked it before, thanks!

fred

I think this might help if you are using Roaming Profiles:
Using Group Policy to Delete Cached Copies of Roaming Profiles
http://support.microsoft.com/kb/274152/EN-US/

If not, you can clean up the machine(s) using delprof:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=901A9B95-6063-4462-8150-360394E98E1E

john

When several users share the same machine, it doesn't take long for the Docs & Settings directory to eat up too much space on the drive. Is there a setting that will allow their profiles to be removed from the local machine at logoff (other than mandatory profiles)? I don't want Deep Freeze or anything similar, just a setting in Active Directory.
RE: [ActiveDir] user profiles
Do you want them each to get their 'own' profile (that they can change and those changes would be there the next time they log on) or is it a 'standard' profile that needs to be the same for every user, every time they log on?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III
Sent: Monday, August 08, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] user profiles

What would be the easiest way to setup a default profile for a few thousand users and make sure that their profile is deleted from their local machines at logoff?
RE: [ActiveDir] Virtual Domain Controllers
My experience (and you'll want to listen to others as well, of course) is that you'll be in pretty good shape. Don't even give yourself the CHANCE of using snapshots: rolling back is the main issue (as it will hose replication and new objects) and is the primary issue discussed related to running DCs in VMs, so set the DC with persistent disks that can't even BE snapshotted.

Dan Holme
Intelliem

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

Hi All,

I have a question about running DCs on GSX server. I understand that MS does not support this configuration, but I've heard that many people are running DCs in this fashion. Can anyone give some advice in this arena? The idea here is to do a VM for file/print, and another one for a DC in our remote sites. Currently, we've got different hardware for each box, but we're trying to consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277
[EMAIL PROTECTED]

*CONFIDENTIALITY NOTICE* This e-mail may contain information that is privileged, confidential, or otherwise exempt from disclosure under applicable law. If you are not the addressee or it appears from the context or otherwise that you have received this e-mail in error, please advise me immediately by reply e-mail, keep the contents confidential, and immediately delete the message and any attachments from your system.
RE: [ActiveDir] OT WEB Hosting
I've used Intermedia.net and interland.net for web hosting, and have recently gone the route of a dedicated SERVER at godaddy.com b/c the rate was unbelievable. Very happy with all 3.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, August 04, 2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT WEB Hosting

ServerIntellect has been nothing but the best for me.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Thursday, August 04, 2005 5:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT WEB Hosting

Completely OT. I would be grateful if anyone could recommend WEB hosting services.

Regards
Peter Jessop
RE: [ActiveDir] DCPromo Answer file....no DNS.
No. DCPromo looks ONLY at the DCPromo section. Run Sysoc.inf against the answer file. For a fresh DC, run SYSOC.INF followed by DCPROMO as your two commands in the [GUIRunOnce] section.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Wednesday, August 03, 2005 6:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

The bit that threw me is that my DCPromo process ignored the section

[NetOptionalComponents]
DNS = 1

Hence first invoking:

C:\WINNT\SYSTEM32\SYSOCMGR /I:C:\WINNT\SYSTEM32\SYSOC.INF /u:C:\my_answer_file.txt

Also FYI - This is not the first DC on the network, and is not the first AD based DNS server either (obviously). This is being run after the machine has been sitting on the network, in the domain as a member server for a couple of days (to allow for patching and prove the h/w isn't immediately faulty). This is all W2K3. Should DCPromo be actioning the [NetOptionalComponents] section?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Tuesday, August 02, 2005 8:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

To clarify what Brian meant, you run

dcpromo /answer:answer_file

and it will use those [DCPromo] settings. It does NOT run automatically as part of setup, unless you ALSO put that command in your GUIRunOnce section, i.e.

[GUIRunOnce]
dcpromo /answer:answer_file

and set up Auto Logon, perhaps. BUT in [DCPromo] there is the DNSOnNetwork = No setting, which installs DNS on the server. That only works for the FIRST DC in the forest. After that, you need to use other means to get DNS on the server. Off the top of my head, that would be

[NetOptionalComponents]
DNS = 1

You would need to point the second DC to the FIRST DC as its DNS server, until the second DC has been DCPromo'd.

HTH
Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, August 02, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

What do you mean? That's exactly what the thing does. Just call dcpromo and point it to the file.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Tuesday, August 02, 2005 3:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

Cheers, that has worked nicely. I was a bit surprised still that you can't drive the DCPromo wizard by using settings in the [DCPromo] section of the answer file.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, July 30, 2005 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

You have DNS installed? You need to use the sysoc stuff (look it up in the ref.chm in deploy.cab) to install DNS first.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, July 29, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DCPromo Answer file....no DNS.

Hi All,

I have set up a Win2K domain (single DC, SP3) and have joined a Win2K3 member server. I have promoted the W2K3 member server using a dcpromo answer file, but cannot seem to force it to install DNS. Any ideas??

Brad

PS: Answer file below.

;This file is an answer file for the DCPromo process. The answers held within this file will automatically be applied to
;all DC's that are created with the DCPromo /answer:filename where this file is used.
;More information about these and additional settings are available at the link below, or in the Deployment assistance
;guide that is stored in the Windows Server 2003 install source\SUPPORT\TOOLS\DEPLOY.CAB\REF.CHM
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/b7a68c24-fe69-407a-b220-0005ad1f884d.mspx

[DCInstall]
;Specifies whether any pre-Windows 2000 server authenticates users from this domain or any trusted domain.
AllowAnonymousAccess = Yes
;Specifies whether the DCPROMO wizard configures DNS for the new domain if it detects that the DNS dynamic update protocol is not available.
AutoConfigDNS = Yes
;Specifies whether the replica is also a global catalog.
ConfirmGc = Yes
;Specifies whether the promotion operation performs only critical replication and then continues, skipping the noncritical (and potentially lengthy) portion of replication.
CriticalReplicationOnly = No
;Specifies the fully qu
RE: [ActiveDir] Domain DFS Roots hosted on DC
There's one much bigger issue that may or may not impact you, but is usually missed by folks. That is the delegation of MAINTENANCE OF THE DFS ROOT. DFS Roots are really, technically and practically, a scope for delegation of administration, as well as a root of a namespace. One should have separate DFS roots whenever separate teams/people will be supporting those roots (i.e. adding/removing/maintaining links). To maintain a DFS root, you must be delegated permissions to the appropriate object in AD (under the SYSTEM node in ADUC) *and* you **MUST BE AN ADMINISTRATOR OF THE MACHINE ON WHICH THE DFS ROOT TARGET IS HOSTED**. This is a SUPER BIGGIE GOTCHA in your situation, perhaps, because as soon as you host a DFS root target on a DC, you must have Administrators credentials on the DC, which means you 1) have to log on with domain administrator equivalence just to maintain your root (nasty!) and 2) you can only delegate maintenance of the root to folks who are trusted as domain administrators. Therefore, I always recommend that DFS root targets be hosted on member servers!!

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Wednesday, August 03, 2005 4:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain DFS Roots hosted on DC

Correct Neil, I don't want to host data on the DCs, just use them to refer to the actual data hosted on fileservers.

Thanks,
Todd

From: Ruston, Neil [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 03, 2005 7:31 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Domain DFS Roots hosted on DC

I agree with your sentiments in principle, but would state that the number of links rather than users is of importance. Domain and stand alone DFS each have their own limitations so you should ascertain whether domain DFS will meet your requirements, whatever they may be. I assume DCs would not host links and therefore, as you say, would simply refer clients to the correct server. As such, the overhead will be minimal as you say.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: 03 August 2005 12:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain DFS Roots hosted on DC

Hey all,

Have a quick question about Domain DFS roots. If you have about 3000 users, do you recommend hosting the DFS root on DC's or having dedicated boxes to host the Domain DFS roots? Since the root is mainly just doing referrals, my thought is that as long as you have sufficient memory on the DC's it should work. My concern is that since my strategy is to locate all the domain resources through DFS, it might be a lot of overhead to put on the DC's. The other part of my brain thinks since it is basically just referral traffic, it can't be any more overhead than running DDNS.

Thanks,
Todd

==
Please access the attached hyperlink for an important electronic communications disclaimer: http://www.csfb.com/legal_terms/disclaimer_external_email.shtml
==
RE: [ActiveDir] Set UserAccountControl
Title: Set UserAccountControl I may be talking out of my butt here, but I think that you may be running into an issue of the version of AD youre using. I have a vague recollection that I ran into this problem and needed to set the pwdLastSet attribute, rather than the User Account Control, to force pw to change at next logon Im leaning towards the thought that you CANT set that attribute that way perhaps youve tried doing it separately and it worked? In which case, forget what I just said. Otherwise, look into it Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson Sent: Wednesday, August 03, 2005 6:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Set UserAccountControl Im just curious to know why, if you dont mind, you need to set both at the same time. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fernandez Rego, Ramon Sent: 03 August 2005 14:44 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Set UserAccountControl Thanks, i know but i need it. Your suggestion is good andi will do what you say if i don't have another possibility -Mensaje original- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]En nombre de Peter Johnson Enviado el: miércoles, 03 de agosto de 2005 14:30 Para: ActiveDir@mail.activedir.org Asunto: RE: [ActiveDir] Set UserAccountControl AFAIK these are mutually exclusive. Why would you need both? If you want to force at least one password change and then have it never expire you could create the account with the User Must Change password at next logon property to on and then have your script check the state of the Change password property and if its clear then set the Password never sets flag. You certainly cant , IIRC, create or set both at the same time. 
Regards
Peter Johnson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fernandez Rego, Ramon
Sent: 03 August 2005 14:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Set UserAccountControl

Hi,

Is there any possibility of setting both properties? "Password never expires" and "User must change password at next logon". I tried with this script, but I can't:

--
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
m = 0
strOU = "cn=test,ou=usuarios,ou=XXX"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.Properties("Size Limit") = 1001
objCommand.Properties("Cache Results") = False
objCommand.Properties("Page Size") = 1001
objCommand.CommandText = _
    "<LDAP://" & strOU & ",dc=asp,dc=mundo-r,dc=com>;(objectCategory=user)" & _
    ";distinguishedName,name,mail,ADsPath;subtree"
Set objRecordSet = objCommand.Execute
While Not objRecordSet.EOF
    strADsPath = objRecordSet.Fields("ADsPath")
    Set objUser = GetObject(strADsPath)
    ' Put replaces the whole userAccountControl value, not just the bits named here.
    ' Note: 524288 is 0x80000, which is not the 0x8 + 0x10200 (= 0x10208) described in the comment.
    objUser.Put "UserAccountControl", 524288   ' 0x8 + 0x10200 = pass never exp + user must change
    objUser.SetInfo
    WScript.Echo strADsPath & ";" & objUser.UserAccountControl
    m = m + 1
    objRecordSet.MoveNext
Wend
objConnection.Close
WScript.Echo "Numero objetos afectados: " & m
--

Thanks,
Moncho
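The flag arithmetic in this thread is easy to get wrong, so here is an added audit helper (example code, not from any of the posts above) that decodes userAccountControl values, shows what a whole-value Put like the one in the script would actually write, and calls out the bits a reviewer cares about. Flag bits are the documented UF_* constants; the sample export lines are constructed and name no real account.

```python
"""Decode and audit userAccountControl values.

Added example for this thread, not code from the original posts.
Flag bits are the documented UF_* constants; the sample export below
is constructed and names no real account.
"""

# userAccountControl bit flags (UF_* constants).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
ALL_KNOWN = sum(UAC_FLAGS)  # the keys are distinct bits, so sum == OR

# Bits that weaken authentication or enable delegation; a bulk script that
# sets any of these deserves a second look before it runs.
RISKY = {
    "PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED", "TRUSTED_FOR_DELEGATION",
    "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH", "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# "User must change password at next logon" is not a userAccountControl bit:
# it is pwdLastSet = 0, which is why no combination of UF_* bits expresses it.
PWDLASTSET_MUST_CHANGE = 0


def decode_uac(value):
    """Return the flag names set in value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~ALL_KNOWN
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names


def audit_uac(value):
    """Return the risky flag names present in value, sorted."""
    return sorted(n for n in decode_uac(value) if n in RISKY)


def diff_uac(current, proposed):
    """Flags (added, removed) if 'proposed' replaces 'current' outright.

    ADSI Put/SetInfo on userAccountControl writes the whole integer, so
    every bit not carried over from 'current' is silently cleared.
    """
    added = [n for b, n in sorted(UAC_FLAGS.items()) if proposed & b and not current & b]
    removed = [n for b, n in sorted(UAC_FLAGS.items()) if current & b and not proposed & b]
    return added, removed


def audit_export(lines):
    """Parse 'ADsPath;userAccountControl' lines (the shape the thread's
    script echoes) and return {path: risky flags} for flagged entries."""
    findings = {}
    for line in lines:
        path, _, raw = line.strip().rpartition(";")
        risky = audit_uac(int(raw))
        if risky:
            findings[path] = risky
    return findings


# Constructed sample output in the script's echo format (not real accounts).
SAMPLE_EXPORT = [
    "LDAP://cn=alice,ou=usuarios,dc=example,dc=test;66048",
    "LDAP://cn=bob,ou=usuarios,dc=example,dc=test;524288",
    "LDAP://cn=svc1,ou=usuarios,dc=example,dc=test;4260384",
]

if __name__ == "__main__":
    # The comment in the posted script names 0x8 + 0x10200, but the literal
    # it writes is 524288 == 0x80000: a different bit entirely.
    print("0x8 + 0x10200 =", hex(0x8 + 0x10200), decode_uac(0x8 + 0x10200))
    print("524288 =", hex(524288), decode_uac(524288))
    print("replace 0x200 with 524288:", diff_uac(0x200, 524288))
    for path, risky in audit_export(SAMPLE_EXPORT).items():
        print(path, "->", ", ".join(risky))
```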
RE: [ActiveDir] Distribute a template delegation.
I'm attaching a script I used for a scripted delegation demonstration. There is a lot of code (applying a lot of templates), but the guts can be seen in one section and the RunDSACLS routine at the end. I'm sorry I don't have time to document this fully for you, but I'm heading out of town. Hopefully you can make heads and tails out of it.

' Sub calls use Call so that the parenthesised argument lists are legal in VBScript.
Set objShell = WScript.CreateObject("WScript.Shell")

' ===EUROPE HELP DESK===
strGroup = "WINDOMAIN\ZEUR_HelpDesk"
strOU = "OU=Users,OU=EUR,DC=windomain,DC=local"
Call Level1UserTasks(strGroup, strOU)
strOU = "OU=Groups,OU=EUR,DC=windomain,DC=local"
Call Level1GroupTasks(strGroup, strOU)

' ===EUROPE ENGINEERS===
strGroup = "WINDOMAIN\ZEUR_Engineers"
strOU = "OU=Users,OU=EUR,DC=windomain,DC=local"
Call Level2UserTasks(strGroup, strOU)
strOU = "OU=Groups,OU=EUR,DC=windomain,DC=local"
Call Level2GroupTasks(strGroup, strOU)
strOU = "OU=Clients,OU=EUR,DC=windomain,DC=local"
Call Level2ComputerTasks(strGroup, strOU)
strOU = "OU=Servers,OU=EUR,DC=windomain,DC=local"
Call Level2ComputerTasks(strGroup, strOU)
strOU = "OU=Admins,OU=EUR,DC=windomain,DC=local"
Call Level1UserTasks(strGroup, strOU)

' ===USA HELP DESK===
strGroup = "WINDOMAIN\ZUSA_HelpDesk1"
strOU = "OU=Users,OU=USA,DC=windomain,DC=local"
Call Level1UserTasks(strGroup, strOU)
strOU = "OU=Travelers,OU=Users,OU=EUR,DC=windomain,DC=local"
Call Level1UserTasks(strGroup, strOU)

' ===USA LEVEL 2===
strGroup = "WINDOMAIN\ZUSA_HelpDesk2"
strOU = "OU=Users,OU=USA,DC=windomain,DC=local"
Call Level2UserTasks(strGroup, strOU)
strOU = "OU=Groups,OU=USA,DC=windomain,DC=local"
Call Level2GroupTasks(strGroup, strOU)
strOU = "OU=Clients,OU=USA,DC=windomain,DC=local"
Call Level2ComputerTasks(strGroup, strOU)

' ===USA ENGINEERS===
strGroup = "WINDOMAIN\ZUSA_Engineers"
strOU = "OU=Servers,OU=USA,DC=windomain,DC=local"
Call Level2ComputerTasks(strGroup, strOU)
strOU = "OU=Admins,OU=USA,DC=windomain,DC=local"
Call Level1UserTasks(strGroup, strOU)

' ===USA CORE AD TEAM===
strGroup = "WINDOMAIN\ZUSA_CoreADTeam"
strOU = "OU=Admins,OU=USA,DC=windomain,DC=local"
Call Level2UserTasks(strGroup, strOU)
strOU = "OU=Groups,OU=USA,DC=windomain,DC=local"
Call Level2UserTasks(strGroup, strOU)

' Level 1: reset passwords, force change at next logon, unlock accounts.
Sub Level1UserTasks(strGroup, strOU)
    strPerms = "CA;" & Quote("Reset Password") & ";user"
    strInher = "/I:S"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
    strPerms = "RPWP;" & Quote("pwdLastSet") & ";user"
    strInher = "/I:S"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
    strPerms = "RPWP;" & Quote("lockoutTime") & ";user"
    strInher = "/I:S"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
End Sub

' Level 1: manage group membership only.
Sub Level1GroupTasks(strGroup, strOU)
    strPerms = "RPWP;" & Quote("member") & ";group"
    strInher = "/I:S"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
End Sub

' Level 2: create user objects in the OU, full control over existing users.
Sub Level2UserTasks(strGroup, strOU)
    strPerms = "CC;user"
    strInher = "/I:T"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
    strPerms = "GA;;user"
    strInher = "/I:S"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
End Sub

Sub Level2GroupTasks(strGroup, strOU)
    strPerms = "CCDC;group"
    strInher = "/I:T"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
    strPerms = "GA;;group"
    strInher = "/I:S"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
End Sub

Sub Level2ComputerTasks(strGroup, strOU)
    strPerms = "CCDC;computer"
    strInher = "/I:T"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
    strPerms = "GA;;computer"
    strInher = "/I:S"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
End Sub

' Link and unlink GPOs on the OU itself (no inheritance flag).
Sub GPOLinkTasks(strGroup, strOU)
    strPerms = "RPWP;" & Quote("gPLink")
    strInher = ""
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
    strPerms = "RPWP;" & Quote("gPOptions")
    strInher = ""
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
End Sub

Sub DeleteUserTask(strGroup, strOU)
    strPerms = "DC;user"
    strInher = "/I:S"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
End Sub

' Build the DSACLS command line and run it, collecting the last line of output.
Sub RunDSACLS(strGroup, strOU, strInher, strPerms)
    strCommand = "DSACLS " & strOU & " " & strInher & " /G " & strGroup & ":" & strPerms
    strMsg = strCommand & vbCrLf
    'objShell.Run "%comspec% /c " & strCommand, 1, True
    Set objExec = objShell.Exec(strCommand)
    Set objOut = objExec.StdOut
    While Not objOut.AtEndOfStream
        strLastLine = objOut.ReadLine
    Wend
    strMsg = strMsg & strLastLine
End Sub

Function Quote(strText)
    Quote = Chr(34) & strText & Chr(34)
End Function

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 03, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Distribute a template delegation.

Yep, best to script this. Last place I was an ops guy for, we wrote an entire create-OU script. You told it what domain and the building number and it did the rest: built all of the OU structures needed, created all of the groups, put into place all of the delegations, linked the proper group policy objects, etc. We then wrapped that script in another script, and when a batch request came in for, say, 20 new buildings being added to AD, we fired off one command (something like buildous domain filename) and off it would run, building them all. A
RE: [ActiveDir] Account lockout
Go to the command prompt and do a "net use"; see if there are any connections (mapped drives or otherwise) that look out of place. Perhaps do a NET USE * /D (to delete all network connections) and see if the problem stops.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jake Stabl
Sent: Tuesday, August 02, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account lockout

Good day everyone. Here is a crazy problem I am having today. I am logged on to my laptop writing emails and administering my domain, and then all of a sudden my account will get locked out. Just about every 5 minutes this is happening and I don't really know why. Where can I start looking to fix this? I am lost.

Jake
RE: [ActiveDir] Replicating AD
Boy, THAT is the golden question from MY clients!! One option I've seen used (and would be interested in other members' opinions about) is to yank a DC out of production (cleaning out its metadata, of course), putting that DC in a (disconnected) lab, and wiping ITS metadata of the other (production) DCs. Sounds like a lot of effort to me. A big issue is what you are testing and how perfect your testing must be. My largest clients have found labs pretty lacking, since it is virtually impossible to test all appropriate variables (incl. link speeds, specific app servers, storage devices, etc.). Assuming all you want to do is test an AD change, then sure, you could have a lab with your AD structure mimicked. I've been slowly building scripts to help me do this. I'd be happy to give them to you (email me at dan dot holme at intelliem dot com) as long as you promise to help me test and improve them. Once they're solid I plan on releasing them publicly for anyone.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, August 02, 2005 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replicating AD

I'm trying to set up a test AD that's identical to the production AD, with the same OU structure and user accounts. I'd like to avoid having to manually create them by hopefully finding a tool that would import all those objects. Does anyone know of such a tool?

Antonio
RE: [ActiveDir] DCPromo Answer file....no DNS.
To clarify what Brian meant, you run dcpromo /answer:answer_file and it will use those [DCPromo] settings. It does NOT run automatically as part of setup, unless you ALSO put that command in your GUIRunOnce section, i.e.

[GUIRunOnce]
dcpromo /answer:answer_file

and set up Auto Logon, perhaps. BUT in [DCPromo] there is the DNSOnNetwork = No setting, which installs DNS on the server. That only works for the FIRST DC in the forest. After that, you need to use other means to get DNS on the server. Off the top of my head, that would be

[NetOptionalComponents]
DNS = 1

You would need to point the second DC to the FIRST DC as its DNS server, until the second DC has been DCPromo'd.

HTH
Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, August 02, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

What do you mean? That's exactly what the thing does. Just call dcpromo and point it to the file.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Tuesday, August 02, 2005 3:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

Cheers, that has worked nicely. I was a bit surprised still that you can't drive the DCPromo wizard by using settings in the [DCPromo] section of the answer file.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, July 30, 2005 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

You have DNS installed? You need to use the sysoc stuff (look it up in the ref.chm in deploy.cab) to install DNS first.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, July 29, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DCPromo Answer file....no DNS.

Hi All,

I have set up a Win2K domain (single DC, SP3) and have joined a Win2K3 member server. I have promoted the W2K3 member server using a dcpromo answer file, but cannot seem to force it to install DNS. Any ideas?

Brad

PS: Answer file below.

;This file is an answer file for the DCPromo process. The answers held within this file will automatically be applied to
;all DCs that are created with the DCPromo /answer:filename where this file is used.
;More information about these and additional settings are available at the link below, or in the Deployment assistance
;guide that is stored in the Windows Server 2003 install source\SUPPORT\TOOLS\DEPLOY.CAB\REF.CHM
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/b7a68c24-fe69-407a-b220-0005ad1f884d.mspx
[DCInstall]
;Specifies whether any pre-Windows 2000 server authenticates users from this domain or any trusted domain.
AllowAnonymousAccess = Yes
;Specifies whether the DCPROMO wizard configures DNS for the new domain if it detects that the DNS dynamic update protocol is not available.
AutoConfigDNS = Yes
;Specifies whether the replica is also a global catalog.
ConfirmGc = Yes
;Specifies whether the promotion operation performs only critical replication and then continues, skipping the noncritical (and potentially lengthy) portion of replication.
CriticalReplicationOnly = No
;Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain database.
DatabasePath = %SYSTEMROOT%\Data
;Specifies whether to disable the Cancel button during a DNS installation.
DisableCancelForDnsInstall = Yes
;Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain log files.
LogPath = %SYSTEMROOT%\Logs
;Specifies whether to restart the computer upon successful completion.
RebootOnSuccess = Yes
;Specifies the DNS domain name of the domain to replicate.
ReplicaDomainDNSName = 1234testdomain.com
;Specifies whether to install a new domain controller as the first domain controller in a new directory service domain or to install it as a replica directory service domain controller.
ReplicaOrNewDomain = Replica
;Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer.
SysVolPath = %SYSTEMDRIVE%\Sysvol
;Specifies the domain name for the user name (account credentials) used for promoting the member server to a domain controller.
UserDomain = 1234testdomain.com
;Specifies the user name (account credentials) used for promoting the member server to a domain controller.
UserName = administrator
RE: [ActiveDir] Replicating AD
OK, I took some time to gather my scripts. I was concerned that all the advice to use LDIFDE would leave you lacking, since the command takes some tweaking to make it useful. You don't want to export all properties from a production AD, as importing them can be painful. So please go to http://intelliem.editme.com/scripting and click the last link. You'll find scripts that will export OUs, COMPUTERS, USERS and GROUPS using LDIFDE, and SITES, SUBNETS, SITE LINKS and SERVERS using VBScript. Enjoy, and please provide feedback to dan dot holme at intelliem dot com.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, August 02, 2005 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replicating AD

I'm trying to set up a test AD that's identical to the production AD, with the same OU structure and user accounts. I'd like to avoid having to manually create them by hopefully finding a tool that would import all those objects. Does anyone know of such a tool?

Antonio
RE: [ActiveDir] copy or migrating local to domain accounts
And for #4, use SUBINACL from MS. Note, though, that this tool has been revised since its ResKit release, so get the newest version.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, August 02, 2005 1:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] copy or migrating local to domain accounts

How good are your scripting skills?

1) Dump the passwords from the local server using pwdump3e
2) Crack all the passwords using rainbow crack or l0phtcrack or whatever
3) Script the creation of the users in the domain, setting those passwords you cracked

Pretty easy. (And if you already know all the passwords, you can skip items 1 and 2 -- "net users" will list your local users and you can use dsadd to add them to the domain!)

For extra credit:

4) Scan the filesystem finding all files with ACLs including the above users, write the filenames and ACLs to a file, and after you've promoted the users and joined the domain, go back and re-ACL the files.

That's a little harder. :-)

I've promoted web servers to a domain this way several times. The real question is why does a local user no longer meet the needs on the local server?

M

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, August 02, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] copy or migrating local to domain accounts

I think that I already know the answer to the question, but I will ask anyway. I have a test box (server) that is a stand-alone. I need to add it to a domain, but I have a lot of local users on this box. Is there any way to move, copy, or migrate the user accounts to the domain level?

Thanks
Lazy.. J
RE: [ActiveDir] OT and silly
Wait until the person who is in charge of the MS Word numbered list feature is walking beneath your window, please.

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, August 01, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT and silly

Ok, I'm trying to install Office 2K on a WinXP SP2 box and I keep getting the Windows File Protection warning to insert the WinXP SP2 CD. This drives me nuts because
A. I only have a WinXP SP1 CD, which I installed the OS with, and later downloaded SP2.
B. It doesn't let you browse to a share or local folder; it only wants a CD.
Is there any way to get around this? I don't have a CD burner right now, so I can't extract SP2 and burn it. Also, I may throw this PC out the window if I can't find a solution to this issue.

Thanks a lot!

--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT and silly
Actually, as a serious answer, I just created an 'image' for a client with O2K on an XP machine and I did NOT get this problem. What you might try is installing from a patched admin share of O2K. I suggest this only b/c that's what we did and did not encounter the problem. I'd be happy to cut your time in creating this share (I have one ready to go), but we'd need to make sure it's the edition you want, and obviously would need to use your product key. Email or call me directly if you'd like to go this route.

Dan Holme
602.943.8346
Dan dot holme at Intelliem dot com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, August 01, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT and silly

Ok, I'm trying to install Office 2K on a WinXP SP2 box and I keep getting the Windows File Protection warning to insert the WinXP SP2 CD. This drives me nuts because
A. I only have a WinXP SP1 CD, which I installed the OS with, and later downloaded SP2.
B. It doesn't let you browse to a share or local folder; it only wants a CD.
Is there any way to get around this? I don't have a CD burner right now, so I can't extract SP2 and burn it. Also, I may throw this PC out the window if I can't find a solution to this issue.

Thanks a lot!

--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
RE: [ActiveDir] Add domain user to local group?
I put a script on my WIKI that may be a big help for you: http://intelliem.editme.com/vbsadmingroupstartup

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, July 27, 2005 12:07 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add domain user to local group?

A better option exists: use the Restricted Groups feature of a GPO, where you can dictate who the MEMBERS of a group are, or where you can define which group a user or a group is a MEMBER OF. Works great!

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Wed 7/27/2005 9:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Add domain user to local group?

Is there a VB script out there that I can run in a GPO to add a domain user to the 'Administrators' group on every local PC in a domain? Sorta like this: http://www.microsoft.com/technet/scriptcenter/scripts/ad/groups/adgpvb03.mspx

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
RE: [ActiveDir] generating signatures and remote desktop
This may not be authoritative (I'm not at my system right now), but:

1) Computer Configuration / Admin Templates / Windows Components / Terminal Services / Allow users to connect remotely using Terminal Services
   a. My recollection is that this will enable RD on clients; 90% sure.
2) My recollection is that this is one of the many core features of MS Office that isn't as easy as it should be, 10 years into the product suite. Check the O2K3 Resource Kit on MS's web site. It's possible that you can use an Office Profile Settings (OPS) file to distribute the signature, or an .oft. But I'm not sure.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jakobsson
Sent: Thursday, July 21, 2005 6:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] generating signatures and remote desktop

hi all!

2 questions for you
1. is there a way to generate and distribute signatures for Outlook 2003?
2. how do I enable Remote Desktop at my clients? I can't seem to find that specific GPO.

regards
jake
RE: [ActiveDir] Redirecting PC's into the proper OU
There are two additional options for you:

1) If you are sysprepping your machines (or using an unattended answer file), XP supports a new parameter, MachineObjectOU, which you can put into the script.
2) *** I HAVE POSTED A CUSTOM TOOL *** that you can use. It's raw but quite functional and easy to tweak to your needs: http://intelliem.editme.com/depjoindomain

Enjoy
Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, July 22, 2005 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Redirecting PC's into the proper OU

You can change the default location (with redircomp), but it's a default, not something that can be unique per computer. If you want to be able to create computer accounts in varying OUs then it's something you'll either have to script (such as with netdom /join /ou) or you could pre-create the accounts in the proper OUs. Or you can be stuck doing it manually. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of P West
Sent: Friday, July 22, 2005 1:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Redirecting PC's into the proper OU

I know you can redirect computer accounts to a specified OU using redircomp. But what if you have multiple OUs and want the PC to be added to the proper OU with some sort of logic? Does this not exist, or is this something that would need to be scripted? Am I stuck doing this manually?

Thanks
P West
RE: [ActiveDir] Logon script with Admin rights **Work Around**
I would check your assumption that users won't be able to see the batch file just because it's running as part of a GPO. Have you ever dug through a SYSVOL share? You can see a lot more than you would think.

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, July 21, 2005 7:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights **Work Around**

Joe, you're absolutely correct. I'm going to look for a VBScript course as soon as possible. If anyone has any recommendation, lemme know.

As for the admin rights script, I worked around it by first putting it in GPO, then used the 'runas' command along with a freeware program called 'sanur' which piped the password back into the runas command. And since this is being run through GPO, the batch file was not visible to the end user. The end result was this:

runas /u:domain\admin \\SERVER1\SDLIB$\INSTALL.EXE | \\SERVER1\SDLIB$\sanur password

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, July 20, 2005 10:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights

This is the kind of thing why you hire in admins with scripting capabilities, or encourage your admins to learn how to script, or set up a tool group to write scripts for everyone.

A long time ago in a galaxy far far away I worked at a very large company on NT4 stuff. We used SMS but found it to be so crappy (it was like SMS 1.2 or something like that) that it could barely properly deliver a menu pick, so we sat down for a month and wrote a software delivery system for NT from Perl. It wasn't completely original; the client integration group had done something similar with, I think, C for Win9x. We just took the idea and expanded it to NT.

Basically the Perl script would read a null-share read-only file share to find out what needed to be delivered to a specific machine and then went to another share with a copy of the software package to install and ran the install batch file (this could easily be keyed by AD/AM or AD attributes now to keep the info together; didn't have that option with NT4). You could compile this and make it into a service or you could use srvany to make it run as a Perl script directly as a service. The package was a simple batch file that had all the commands that needed to be run, and it logged everything to another share on the server so it was all recorded. There was a simple web interface to queue up jobs; it simply listed what could be deployed and listed which machines to deploy to. You could also manually type in the machine. In the end I believe we could specify it by user as well if we wanted. The packages themselves were usually broken out of their native install packets and broken into reg updates and file updates; however, we had several that were native InstallShield packages and we had made a few InstallShield packages as well. When the request went into the web system, it would record that it was queued and would warn the software inventory system so we could track it later that way too. It ran in whatever context the service ran in, or it could be fired as a logon script as well to run as users.

If you don't want to pay for something because it sucks or because it just doesn't do things in a way that suits your model, writing a simple scripted tool to do this stuff usually isn't rocket science. It is much easier to build a simple system for yourself than it is to build a generic system that would work for anyone. So people who look at, say, an SMS and say "we couldn't build something like that" are right. You can't. But you could build something you can use that will be tailored to you and probably more to your liking. You just have to continue to support it.

That support part scares people too. However, I have written many scripts back in the 90's that are still used daily today. I just chatted with some friends about some scripts I wrote back in 2001 or so that were supposed to be short-term scripts until a better solution came along, and they have run so well they became the solution.

If you aren't a scripter, become one. It can really help. I recommend Perl; it hasn't done me wrong. The difficult it makes easy; the impossible it simply makes difficult.

Oh, another thing to look at is CPAU on www.joeware.net. It is like runas but will let you encode (and I mean encode, not encrypt) a JOB file with a userid and password so that you can run it in a logon script and get enhanced rights. Make sure you read up on the use of the -profile switch when using it that way. It was designed to give you network credentials by default; I always hated typing /NETONLY in runas when I wrote it, and that was one of the big reasons I wrote it. I got pinged by Novell some time ago because they wanted to list this tool in their useful tools for admins section of some
RE: [ActiveDir] Default Domain
REG ADD has a disadvantage b/c it runs every time (thus adding to startup delay) but of course has one big advantage... it runs every time. Unless you configure the registry client side extension otherwise, it doesn't refresh (b/c the GPO itself hasn't changed)... so you could still have a user from another domain change the domain, then the next user is logging on to the wrong domain... A startup script is useful to enforce that setting. However, I agree that educating users to log on with the upn is a much more viable answer for multidomain environments I would try to aim for that. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, July 19, 2005 3:37 PM To: ActiveDir@mail.activedir.org Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED] Subject: RE: [ActiveDir] Default Domain We are using a startup script that has two reg add commands reg add HKLM\software\microsoft\windows nt\currentversion\winlogon /v altdefaultdomainname /t REG_SZ /d DOMAINAME /f reg add HKLM\software\microsoft\windows nt\currentversion\winlogon /v defaultdomainname /t REG_SZ /d DOMAINAME /f This has worked very well for us during and post migration. Most of our users came from small NT domains and we only finished the 1000 NT domains to 9 AD domains over the last 6 months. Where this does not work is if I choose to logon, then hit escape - for some reason when I hit ctrl alt del the second time the last domain I logged into shows up instead of the specified DOMAINAME above. This might have been specific to one machine or may be a problem with one of the entries - I only saw it the once and have not had time to go back and investigate. Regards; James R. 
Day Active Directory Core Team Office of the Chief Information Officer National Park Service [EMAIL PROTECTED] Grillenmeier, Guido [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org com cc: (bcc: James Day/Contractor/NPS) Sent by: Subject: RE: [ActiveDir] Default Domain [EMAIL PROTECTED] tivedir.org 07/19/2005 11:59 PM ZE2 Please respond to ActiveDir got ya - makes sense in this case. however, you could also edjucate users to logon via UPN thus not requiring the selection of a domain at all, regardless of the domain-affiliation of the PC used during logon... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Dienstag, 19. Juli 2005 23:54 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Default Domain I am actually thinking of using it since I have 7 domains in one forest, if someone from a different domain uses someones computer, on reboot the domain that is selected in the drop down list is the proper domain for that computer. Similar to when my helpdesk people login to the local machine, the user doesn't try to then login to the local machine using their domain username, hence reducing phone calls to the helpdesk. Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Tuesday, July 19, 2005 5:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Default Domain should work just like setting any other registry key on the client. The question is, if you really need it/want it. Most computer migration tools can set that value during the migration of the PC from source to target. But you might very well not want to change this value at the time of the computer-migration = you'll typically want to change it during migration/activation of the user accounts. 
This is often not done at the same time, so changing the value via GPO with the computer migration could actually be counter-productive. Further, it's not enough if you're implementing a new naming convention for user-accounts or simply need to change logon-names due to duplicates during a domain-migration that consolidates multiple source domains to one AD domain. In this case you'll not only want to generically update the DefaultDomainName value to help your users, but at the same time you might want to update the DefaultUserName value with the new accountname for the target domain. Hardly doable with a GPO - I typically do this with custom scripts triggered centrally during account activation (quite independently from the computer migration). But nothing goes over educating your users about the changes in the infrastructure and specifically those related to their domain logon - otherwise
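The startup-script approach from the thread above, as an added example that is not code from any of the posters: a PowerShell equivalent of James's two REG ADD lines that runs as a computer startup script (so under LocalSystem, with write access to HKLM) and only writes when a value has actually drifted, which is what Dan describes a startup script being for. The NetBIOS domain name CONTOSO is a placeholder for DOMAINAME; pass your own. DefaultDomainName only pre-selects the domain in the logon dialog, so it does nothing for users who already type a UPN.

```powershell
# Added example (not from the thread): enforce the Winlogon default logon domain at startup.
# Assumptions: runs as SYSTEM via a GPO computer startup script; CONTOSO is a placeholder.
param(
    [string]$DomainName = 'CONTOSO'   # placeholder NetBIOS domain name
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Set-DefaultLogonDomain {
    param([string]$Path, [string]$Domain)
    $changed = @()
    foreach ($name in 'DefaultDomainName', 'AltDefaultDomainName') {
        $current = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $Domain) {
            # Write only when a user from another domain (or a migration tool) moved the value,
            # so the script stays cheap on the boots where nothing changed.
            Set-ItemProperty -Path $Path -Name $name -Value $Domain -Type String
            $changed += "$name : '$current' -> '$Domain'"
        }
    }
    return $changed
}

$result = @(Set-DefaultLogonDomain -Path $winlogon -Domain $DomainName)
if ($result.Count -eq 0) {
    Write-Output "Default logon domain already '$DomainName'; nothing to do."
} else {
    $result | ForEach-Object { Write-Output "Reset $_" }
}
```

Run it once interactively from an elevated prompt to see the "Reset" lines, then assign it under Computer Configuration > Windows Settings > Scripts > Startup; as Dan notes, a startup script re-applies on every boot, unlike a registry setting delivered by an unchanged GPO.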
RE: [ActiveDir] OT: Roaming profiles and XP themes
I'm not clear... do you want the 'classic' look or the 'xp' look for all users?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Stanford Sent: Wednesday, July 20, 2005 12:51 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Roaming profiles and XP themes

We are just about to migrate over to Server 2003 from 2000, and in our test set up, when newly created users with roaming profiles log into an XP station, they get a modified desktop theme, instead of the default XP teletubbies one - it has the classic task bar and start menu. This doesn't happen if I create a user with a local profile. I know this is going to fox some users - does anyone know how to stop it? TIA, Dan

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] converting .exe to .msi
See the current thread, Logon Script with Admin Rights, as it is very relevant to your issue. WinInstall LE is a great, free tool. www.ondemandsoftware.com Well, I take that back. Just checked my URL and now it's $50, still far from steep: http://www.ondemandsoftware.com/PurchaseLE.asp

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Senthil Kumar Sent: Wednesday, July 20, 2005 7:39 AM To: Active directory group Subject: [ActiveDir] converting .exe to .msi

Dear all, I have an installation program which is based on setup.exe. I want to convert it to an msi based program so that I can implement it through group policy. I want to know through which program I can convert an .exe based program to a .msi based program. Thanks in advance. Regards, K.SENTHIL KUMAR

Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
RE: [ActiveDir] Delegation of privilege
This may be a rotten answer or a perfect answer. Check out TWEAKUI for Windows XP. Its ACCESS CONTROL section gives you UI ability to change very specific activities' permissions, e.g. creating a share, etc. You might try it (in a lab, first of course) as far as how it works on 2003 for the specific things you are trying to accomplish. Because the Access Control will be server (in your case, DC) specific, it might just work. I've NOT tried it but I think it'd be worth a shot.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti Sent: Monday, July 18, 2005 3:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Delegation of privilege

Hi Yann, You could grant your user those privileges that are listed as User Rights, by applying a corresponding Group Policy Object to only one DC. However, this is probably not enough for you. For example, you cannot grant a privilege to format hard drives or share folders this way. Yours, Sakari

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Monday, July 18, 2005 8:39 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Delegation of privilege

Hello AD Gurus :) I would like to give to one of my users server operator privilege on only one DC, and not the whole DCs of my AD 2003. I know that DCs do not have SAM locally, and the only way to give this privilege is to use the Built-in Groups in the Built-in Container. But doing this allows my user to be server op for all DCs in my domain. The purpose of my question is: to give one user the privilege to fully manage *only one* DC with server operator privilege, without having the right to use MMCs such as ADUC, Schema, dssite, replmon, repadmin commands. Is this possible? Thanks for input. Cheers, Yann
RE: [ActiveDir] User with LDAP userPassword permissions
I didn't see any responses to this; don't know if I missed an answer, but you should be able to ACL the Write permission to the userPassword property to any account you want, and you're right to do it to a limited account, although I'd be concerned about ANY code that could be accessed and leveraged to change passwords, but that's a security discussion, not a delegation discussion. What's the actual PROBLEM? Is it the delegation or how to do it? I've not dealt with that attribute recently, but I might have the piece (that most people miss) for you. Hopefully this is the answer:

You need to expose the permissions for that property in order to delegate them. There are LOTS of properties of a user (and other objects) that are hidden to keep the ACL Editor clean. On the machine FROM WHICH YOU ADMINISTER, open Notepad and open %windir%\system32\dssec.dat. Find the section [user]. Find the line userPassword=7. Delete it. (The =7 hides the permissions for this property in the ACL editor.) Restart AD Users & Computers. In ADUC: View > Advanced Features. Right-click the OU that contains the users for whom you want this PHP app to set the passwords. Security > Advanced > Add. Specify the account (or a group containing the account) used by the PHP app. In the dialog box, click the PROPERTIES tab. In the drop down list, choose USER OBJECTS. Scroll down and you'll find Write userPassword.

If this doesn't work, or wasn't quite the problem you were having, please reply. In such case, please let us know what domain and forest functional level you're running and if you have SP1 on your W2K3 DCs. It makes a difference, as you might know.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Monday, July 18, 2005 1:49 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] User with LDAP userPassword permissions

Hi, I'm trying to give an account permission to update the userPassword field via LDAP protocol in PHP. I have it working perfect using my Admin account.
But since that has to be stored in the PHP file I would really like to have an account with much tighter security able to make the modification. Any ideas? Thanks, -- Matt Brown [EMAIL PROTECTED] Consultant for Student Technology Fee website: http://techfee.ewu.edu/ +--+ | 509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004 +--+
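The same delegation Dan walks through in the ACL editor, as an added example that is not code from the thread, done from PowerShell. The dssec.dat edit only changes what the ACL editor displays; the ACE itself can be written directly. This assumes the RSAT ActiveDirectory module, a placeholder OU (OU=Students,DC=example,DC=edu) and a placeholder service account (EXAMPLE\svc-php), and grants exactly one thing: Write on userPassword for user objects under that OU, which is what the PHP app needs and nothing more. Whether a DC treats a write to userPassword as a real password change rather than an ordinary attribute write depends on the DC version and the dSHeuristics fUserPwdSupport setting, which is why Dan asks about functional level and SP1.

```powershell
# Added example (not from the thread): delegate Write on userPassword, user objects only,
# under one OU, to a low-privilege account so the PHP app needs no admin credentials.
# Placeholders: OU=Students,DC=example,DC=edu and EXAMPLE\svc-php.
Import-Module ActiveDirectory

function Grant-UserPasswordWrite {
    param(
        [string]$OuDn,      # OU whose user objects the app may update
        [string]$Trustee    # DOMAIN\account or DOMAIN\group used by the app
    )
    $rootDse = Get-ADRootDSE
    # Look up the attribute's schemaIDGUID instead of hard-coding it.
    $attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=userPassword)' -Properties schemaIDGUID
    $attrGuid = [guid]$attr.schemaIDGUID
    # schemaIDGUID of the 'user' class, so the ACE never applies to groups, computers, etc.
    $userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

    $sid = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate([System.Security.Principal.SecurityIdentifier])
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)

    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
    return $ace
}

$granted = Grant-UserPasswordWrite -OuDn 'OU=Students,DC=example,DC=edu' -Trustee 'EXAMPLE\svc-php'
"{0}: {1} on attribute {2} for objects of class {3}" -f $granted.IdentityReference,
    $granted.ActiveDirectoryRights, $granted.ObjectType, $granted.InheritedObjectType
```

Verify afterwards with `dsacls "OU=Students,DC=example,DC=edu"` and confirm the only new line for svc-php is the userPassword WRITE PROPERTY entry inherited to user objects; if you see Full Control or GenericWrite, the delegation is wider than the app needs.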
RE: [ActiveDir] Logon script with Admin rights
I don't know what your budget might be, but a couple of my clients use TQCRunAs by Quimeras (www.quimeras.com) for this kind of thing... this tool lets you encapsulate a secondary logon, the credentials for that logon, and a command in an encrypted .exe, which you could then use in a logon script. It's not free, but it's not expensive either, and it's a great way to push things to users that require higher credentials, without exposing any accounts.

Dan

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Tuesday, July 19, 2005 8:27 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Logon script with Admin rights

Al, One of the problems with the .ZAP format - it only executes the underlying program for install - but cannot be executed with elevated privileges as it is run under the user's context. .MSI is much better, but is not easy to create them correctly and effectively without some experience and practice. However, they can be written to install at an elevated context. Rick

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Garrett Sent: Tuesday, July 19, 2005 10:02 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Logon script with Admin rights

Use the ZAP format. See KB 231747 below http://support.microsoft.com/default.aspx?scid=kb;en-us;231747

-Original Message- From: Harding, Devon [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 19, 2005 7:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Logon script with Admin rights

Unfortunately, this software is not a .msi format. Can this still be installed via GPO?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue Sent: Tuesday, July 19, 2005 10:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Logon script with Admin rights

Software installation from GPO works like a charm. Z.V.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Tuesday, July 19, 2005 9:10 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Logon script with Admin rights

How can I run a batch file logon script to map a drive and install an application on a user's PC as an Administrator? I don't want to expose the password using 'run as'.

Devon Harding Windows Systems Engineer Southern Wine & Spirits - BSG 954-602-2469

This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] DC Backups
I'm sure you've figured this out on your own, but just in case, you're right... AD is part of the system state and even if you CAN back up NTDS.DIT 'separately' as a file, you shouldn't. You need the system state to do any kind of restore operation in Dir Svcs Restore Mode. So b/c you can't do anything with it, you're wasting time, tape, and who knows what else. Don't get too caught up in why you can or can't see it or can or can't (de)select it... Instead (something COOL and not publicized enough) -- test your DC restore process on a 2K3 SP1 machine and check out the LDIF file that Auth Restore creates for you to help make restoring group memberships MUCH easier. COOL! grin and off the subject, but cool...

Dan Holme Intelliem
RE: [ActiveDir] OT: File properties
That could be it but also CHECK YOUR *SHARE* PERMISSIONS!! That could absolutely and easily be causing this problem. Share Perms must be *FULL CONTROL*; a *MODIFY* (or read, obviously) Share Perm will override NTFS Write Permissions.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Thursday, July 14, 2005 9:52 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: File properties

I take that back. The files in the share are inherited. Nothing above that level in the tree is inheriting permissions though.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Thursday, July 14, 2005 12:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: File properties

It only seems like inheritance. Nothing is actually set to inherit permissions.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, July 14, 2005 12:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: File properties

you have to go up the tree and set the perms on the source of the inheritance or uncheck inheritance.

-Original Message- From: Douglas M. Long [mailto:[EMAIL PROTECTED] Sent: Thursday, July 14, 2005 12:01 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: File properties

I feel pretty stupid asking this question because I know it is something very simple that I am overlooking. I have full control to a file or folder, am the owner, but still can't edit permissions. The buttons are all greyed out. It seems like this just happened, although I could have overlooked it in the past. It seems like everything is explicitly inheriting permissions. Any ideas?
RE: [ActiveDir] Remote Desktop vs. Remote assistance
RA is helping a user... by definition, shadowing... You have the option of allowing control (i.e. move the user's mouse for them)... Can be controlled by user or set through policy. RD is getting to my desk while away, to put it simply. They use many identical underlying technologies... Just two different uses for the technology formerly known as terminal services client. As a support person, you can drop in on a user and propose to help them, without them having to email/im/transfer. This IS done through GPO. Look under Computer Configuration \ Administrative Templates. http://support.microsoft.com/default.aspx?scid=kb;en-us;306496 has local gpo steps but same in AD GPO. You CANNOT drop in uninvited AND unaccepted to spy on a user using RA. The user will always be notified that you are RA'ing in and allowed to accept/refuse, to my experience.

Dan

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, July 14, 2005 10:30 AM To: ActiveDir (E-mail) Subject: [ActiveDir] Remote Desktop vs. Remote assistance

What is the actual diff between RD and RA? If I RD to a winxp desktop, that allows 1 connection. Can someone Shadow it or no? Is there any reason to use one over the other for support? Or is RA just easier/better because you can share the session and you can see what a user is doing and interact? Also, is there a gpo or reg hack that allows me as a Domain Admin to RA to a user w/o her asking for RA via an email or im or file transfer or allowing me to log on? Thanks
RE: [ActiveDir] Remote Desktop vs. Remote assistance
http://support.microsoft.com/default.aspx?scid=kb;en-us;301527 Even better.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, July 14, 2005 10:30 AM To: ActiveDir (E-mail) Subject: [ActiveDir] Remote Desktop vs. Remote assistance

What is the actual diff between RD and RA? If I RD to a winxp desktop, that allows 1 connection. Can someone Shadow it or no? Is there any reason to use one over the other for support? Or is RA just easier/better because you can share the session and you can see what a user is doing and interact? Also, is there a gpo or reg hack that allows me as a Domain Admin to RA to a user w/o her asking for RA via an email or im or file transfer or allowing me to log on? Thanks
RE: [ActiveDir] Remote Desktop vs. Remote assistance
BOTTOM LINE

I think I know what you're saying and RA *is* the answer. Set up RA using GPOs. In group policy, you add your Help Desk group as the HELPERS group that is allowed to OFFER remote assistance: Computer config\admin templates\system\remote assistance. And specify that they are allowed to remotely control the system. That's all you need to do. Now, when a user calls, the help desk says hold on, launches an RA session to the user's desktop. The ONLY potential difference from VNC is that the user will get a little notice that says "Dan is wanting to offer remote assistance" and will have to click OK. At that point the helper can view, no problem. There is a second confirmation box IF the helper actually launches control. But believe me, the messages are clear enough and the help desk is on the phone anyway, right? So it's not tough to figure out! It beats having a third party app doing the same thing! One less thing to manage (and RA, as part of XP and GPO infrastructure, is EASIER to manage), and one less thing to have to keep up with patches on.

DETAILS

You cannot shadow a TS connection to XP. Remember how it works on a server... the user is TS'd to the server; the support person has a SEPARATE TS to the server and jumps in to the user's TS. It requires multiple TS connections and XP doesn't support that. The ONLY 'shadow' to a THICK client is RA. If XP is TS'd into a TS, then you can shadow that TS connection (as described above). I am working with a high profile client right now and we just 'banished' VNC on XP systems. We found its admin logon encryption lacking, in the version we were using, and, more importantly, it just wasn't necessary.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, July 14, 2005 11:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance

thanks a lot, rick and dan. can you shadow a ts connection to xp like on server?
as to the user giving me control, i thought that was just a policy that could be configured, NOT hardwired into the os somehow. I thought if i was a DA and by default then a local admin on the box, when i RA in, i could over rule that setting somehow since i am in actuality an admin of the box. I only ask because we use VNC here for some help desk stuff and i wanted to replace it with RA since we are mostly xp on the client but i'm afraid with this asking for help stuff and allowing access, my users would get confused awfully quick. they don't adapt well to change. usually, someone here calls them and then says ok, i'm gonna connect to your machine or they might be away and a help desk admin connects to their box. RA doesn't seem to make this as simple as vnc does, i guess. I still wonder how as an admin you can be denied RA access to a box or need permission. is it a local system thing? thanks for all your help and sorry to bore you with my issues.

-Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Thursday, July 14, 2005 1:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance

With Remote Desktop, you are going to take over the machine (in the case of XP) kicking off any logged on person in the act of taking over the machine. Your access is the same as the credentials in which you login as. With Remote Access, you need to receive an invitation and the user is not kicked off. Both of you will see what is on the screen, and initially you have view only access. The user has to GIVE you control, and can take it back, in the event that you go nuts and attempt to format the drive, delete files, etc. Not that it would ever happen to you, Tom... ;-) Does that help? Rick

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, July 14, 2005 12:30 PM To: ActiveDir (E-mail) Subject: [ActiveDir] Remote Desktop vs.
Remote assistance

What is the actual diff between RD and RA? If I RD to a winxp desktop, that allows 1 connection. Can someone Shadow it or no? Is there any reason to use one over the other for support? Or is RA just easier/better because you can share the session and you can see what a user is doing and interact? Also, is there a gpo or reg hack that allows me as a Domain Admin to RA to a user w/o her asking for RA via an email or im or file transfer or allowing me to log on? Thanks
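The "Offer Remote Assistance" policy Dan describes ends up as a handful of registry values under the Terminal Services policy key; the Helpers list is what decides who can connect to a desktop with only a click-OK from the user. As an added example (not code from anyone in the thread), this reads those values on the local machine and reports who may offer RA and whether they get control. The value and key names are the ones the Computer Configuration > Administrative Templates > System > Remote Assistance policies write; there are no placeholders to adjust, and the script is read-only.

```powershell
# Added example (not from the thread): audit who is allowed to OFFER Remote Assistance
# on this machine and whether helpers get remote control, straight from the policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RemoteAssistanceOfferPolicy {
    param([string]$Key = $policyKey)
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $helpers = @()
    $helperKey = Join-Path $Key 'RAUnsolicit'
    if (Test-Path $helperKey) {
        $raw = Get-ItemProperty -Path $helperKey
        # Each helper is one REG_SZ value (name and data both carry DOMAIN\account);
        # skip the PS* provider properties Get-ItemProperty adds.
        $helpers = $raw.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { if ($_.Value) { $_.Value } else { $_.Name } }
    }
    [pscustomobject]@{
        OfferEnabled     = ($p.fAllowUnsolicited -eq 1)             # "Offer Remote Assistance"
        FullControl      = ($p.fAllowUnsolicitedFullControl -eq 1)  # helpers may take control
        SolicitedAllowed = ($p.fAllowToGetHelp -eq 1)               # "Solicited Remote Assistance"
        Helpers          = @($helpers)
    }
}

$state = Get-RemoteAssistanceOfferPolicy
if (-not $state.OfferEnabled) {
    'Offer Remote Assistance is not enabled by policy; nobody can connect uninvited.'
} else {
    "Offer RA enabled; helpers get {0}:" -f $(if ($state.FullControl) { 'remote control' } else { 'view only' })
    $state.Helpers | ForEach-Object { "  $_" }
    # Anything in that list that is not your help-desk group (e.g. Domain Users) is a finding.
}
```

Run it on a representative XP or 2003 client after a `gpupdate /force`; if the Helpers list is empty while OfferEnabled is true, the policy was enabled without populating the list and nobody can actually offer, which is a common reason RA "doesn't work" after the GPO is set.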
RE: [ActiveDir] Keep existing attributes from users restored.
I'm curious, Al, as to what you mean about .NET not handling group memberships well; do you mind elaborating on that (can be a separate thread)? Thanks!

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, July 12, 2005 8:03 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Keep existing attributes from users restored.

As Al indicated, interesting thread, my comments:

1. I don't see the reason not to do this. I like it and think it is a good idea. The point I would start to reconsider is if you do a lot of deleting and creating, say in a test lab, this may make your DIT grow out of control. Also if you have an excessively long TSL it may not be optimum as well. Otherwise, I think this is extremely useful and MUCH easier than following the auth restore processes which are, frankly IMO, rather involved for what it is. That is why people are willing to shell out so much money for third party products. I agree this should be a very rare thing to do, but if you would be willing to do an auth restore to get something back, I think being willing to do this first makes more sense.

2. As Guido mentioned, this doesn't work for everything. Be aware of what it does and doesn't work for PRIOR to hoping it saves your butt on something. For the things that it doesn't work for, it shouldn't be too terribly hard to set up an AD/AM instance or a DB to maintain the info you want repopulated. The really hard things are like objectSID, objectGUID, sIDHistory, etc. as you can't easily put those back into place.

3. I am with ~Eric and I don't see where password is being kept. I have also been over that section of the source and don't recall anything with passwords. It also doesn't appear the password attributes are marked in the schema either. Are we sure passwords are being kept? I admit to not trying it.
I really haven't done much with SP1 yet due to the Virtual Server guest bits blunder. The docs I have seen mention sIDHistory but not the password attributes (there are several password attributes that would need to be saved).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Tuesday, July 12, 2005 9:08 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Keep existing attributes from users restored.

Interesting thread. I've always been a fan of keeping the information separate for this situation. I need the sid in order to allow the user to access the resources he had prior to accidental deletion (that's another thread :) but otherwise, I wouldn't want password for a user I restored. That would be very dangerous in my mind as it could allow a rogue admin (yet another thread right?) access to resources that purposefully deleted users had and they'd be able to do so in a relatively covert manner. They'd be hard to track for sure. Additionally, restoring the user to groups could be a nightmare. I'd prefer to keep that information in a separate off-line format (text file? db?) where I can report against it and use it to breathe life into a reanimated user should the need absolutely arise. I'm a huge fan of setting up process to do as much as possible to prevent the accidental deletion of users at every turn. My thoughts are that those shops with the wherewithal to set the schema mods aren't the ones that need an undelete in most cases, but good processes are always a good idea. Still, the odd accident can occur. I realize that. Now I'm just not sure that taking the time to practice against such a thing is worth the effort of practicing this on a regular basis to make sure you don't mess it up. Besides, you'll have to restore the other information anyway, so you may as well get what's absolutely needed (sidHistory should be in that list IMHO) but plan to get other information (fax #?
Phone#, group information, nickname, petname, etc) separately. To try and hold it in deleted items would be more of a PITA due to replication than it would be to store it out of band for other uses. My $0.04 (USD) anyway. Al

P.S. if you use .NET to write an app to suck the data out to an off-line storage medium, be aware that it doesn't natively handle group membership very well. Trust me, that's important ;)

From: [EMAIL PROTECTED] on behalf of Dean Wells Sent: Mon 7/11/2005 5:36 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Keep existing attributes from users restored.

No. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Monday, July 11, 2005 5:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Keep existing attributes from users restored.

thanks for the useful information, Eric. You've
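Joe's point 2 (know what the tombstone keeps before you rely on reanimation) and Al's concern about passwords surviving deletion both come down to one schema bit: searchFlags 0x8 (preserve on delete) on an attributeSchema object is what makes that attribute survive on the tombstone. As an added example (not code from the thread), this lists every attribute carrying that bit and flags the password-material attributes if anyone has set it on them. It needs the RSAT ActiveDirectory module and is read-only.

```powershell
# Added example (not from the thread): which attributes survive on a tombstone
# (searchFlags bit 0x8) and therefore come back on reanimation, with password material flagged.
Import-Module ActiveDirectory

$PreserveOnDelete   = 0x8
$PasswordAttributes = 'unicodePwd', 'dBCSPwd', 'ntPwdHistory', 'lmPwdHistory', 'supplementalCredentials'

function Get-TombstonePreservedAttributes {
    $schema = (Get-ADRootDSE).schemaNamingContext
    # LDAP_MATCHING_RULE_BIT_AND lets the DC do the bit test instead of pulling every attribute.
    $filter = "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=$PreserveOnDelete))"
    Get-ADObject -SearchBase $schema -LDAPFilter $filter -Properties lDAPDisplayName, searchFlags |
        ForEach-Object {
            [pscustomobject]@{
                Attribute   = $_.lDAPDisplayName
                SearchFlags = $_.searchFlags
                IsPassword  = $PasswordAttributes -contains $_.lDAPDisplayName
            }
        }
}

$preserved = @(Get-TombstonePreservedAttributes | Sort-Object Attribute)
$preserved | Format-Table -AutoSize
$leaks = @($preserved | Where-Object IsPassword)
if ($leaks.Count -gt 0) {
    Write-Warning ("Password attributes marked preserve-on-delete: " + ($leaks.Attribute -join ', '))
} else {
    'No password attributes are preserved on tombstones.'
}
```

Run it before and after any schema change that adds the preserve-on-delete flag, and keep the "after" list with your restore runbook: anything not on it (group memberships in particular, since member is on the groups, not the user) has to come from the out-of-band store Al describes.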
[ActiveDir] DSQUERY DSGET provide inconsistent results - help
A client is using DSQUERY to dump a list of the Domain Admins group every 15 minutes or so. They're finding that it misses some members; they'll be there in one query, gone the next, then reappear. Has anyone seen this behavior with this command?

    dsquery group -name %GRP% | dsget group -members

We're going to look at ADFind or just VBS to solve the problem too!! Thanks! Dan
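As an added example (not from Dan's post or his client's script): a monitor that snapshots Domain Admins against one named DC every run and reports only the delta. Pinning the query to a single DC is an assumption about the cause, not something the post establishes, but dsquery and dsget bind to whichever DC they locate when no -s is given, so successive runs can read membership from different DCs that have not converged, and that would look exactly like members vanishing and reappearing. The DC name DC01 and the state-file path are placeholders; the ActiveDirectory module is required.

```powershell
# Added example (not from the thread): track Domain Admins membership changes from ONE DC.
# Placeholders: DC01 and the snapshot file path.
Import-Module ActiveDirectory

function Get-GroupMemberSnapshot {
    param([string]$Group = 'Domain Admins', [string]$Server = 'DC01')
    # -Recursive expands nested groups; DNs are stable across display-name changes.
    Get-ADGroupMember -Identity $Group -Server $Server -Recursive |
        Select-Object -ExpandProperty distinguishedName | Sort-Object
}

function Compare-GroupSnapshot {
    param([string[]]$Previous, [string[]]$Current)
    $diff = Compare-Object -ReferenceObject @($Previous) -DifferenceObject @($Current)
    [pscustomobject]@{
        Added   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
        Removed = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
    }
}

$stateFile = Join-Path $env:ProgramData 'DomainAdmins.snapshot'
$current   = @(Get-GroupMemberSnapshot)
$previous  = if (Test-Path $stateFile) { @(Get-Content $stateFile) } else { @() }
$change    = Compare-GroupSnapshot -Previous $previous -Current $current

$change.Added   | ForEach-Object { Write-Warning "ADDED to Domain Admins:     $_" }
$change.Removed | ForEach-Object { Write-Warning "REMOVED from Domain Admins: $_" }
$current | Set-Content $stateFile
```

Schedule it every 15 minutes as Dan's client does; because every run reads the same DC, a member that is genuinely added and then removed shows up as one ADDED and one REMOVED line, while replication lag produces nothing. If you still see flapping, compare the same query against two DCs side by side and check `repadmin /showrepl` before suspecting the tooling.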
RE: [ActiveDir] Replication Delegating
Yes. The AD Best Practices doc appendix details this. http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en Start on Page 193; I think it will get you where you want to go. You might also look at the entire whitepaper. Go to MS Downloads and search for keywords: Best Practices Active Directory

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Thursday, June 30, 2005 9:39 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Replication Delegating

Any way to delegate the ability to click Replicate Now in AD sites/services short of being in domain admins? --brian
RE: [ActiveDir] Compare GPO RSOPs
Even more scientific: MS Word Compare Docs grin. But it works!

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Wednesday, June 29, 2005 1:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Compare GPO RSOPs

There are no in-the-box tools for this but what I've done in the past to skin it is to use GPMC or gpresult to export GP settings (or RSOP) to an XML or HTML file. Then you can use your favorite diff tool (e.g. Windiff) to compare the differences. That's about the most scientific method I've seen. Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, June 29, 2005 12:53 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Compare GPO RSOPs

Anyone got a good method to compare two GPOs and determine the delta between the two GPOs being compared? Thank You! And have a nice day!

Mark Lunsford KAISER PERMANENTE Security Operations Email: [EMAIL PROTECTED] Outside Phone: 925-926-5898 Tie Line Phone: 8-473-5898 Cell: 925-200-4077 Remedy Group: NOPS SECURITY EDOS SYS
RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)
$username$ is the right token... which is why it's a tricky question grin and as you know, MS likes tricky questions grin again.. http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/8d37ecb0-ac28-4e05-aa05-da82dc36b54b.mspx has the scoop on the syntax. Good luck on the exam and getting through the book :-)

Dan Holme

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, June 27, 2005 3:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)

Last I looked, dsmod uses $username$ but it doesn't create anything on the filesystem, it only updates AD attributes. Specifying a homedir in the user object doesn't make it appear except when you use ADUC which actually goes off and does it separately. joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Monday, June 27, 2005 8:57 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)

Ladies and Gentlemen; In reading Dan Holme's and Orin Thomas' fine MCSE Self Paced Training Kit training manual, I have come upon a question in the Chapter 3 lesson review on page 3-55: What variable can be used with the DSMOD and DSADD commands to create user-specific home folders and profile folders? a. %Username% b. $Username$ c. CN=Username d. Username. The correct answer is b. Is this true? Thanks in advance.

Rocky Habeeb Microsoft Systems Administrator James W. Sewall Company Old Town, Maine Voice: 207.827.4456 Ext.
387 Email: [EMAIL PROTECTED] www.jws.com
RE: [ActiveDir] Scripts
Of course the big problem is the security. User must be a local admin (to successfully change the Administrator password) and how to encrypt the new password. There are several options out there. I would suggest that doing it via a login script is probably NOT the best way. Scripting (I know you use the command line...) really is... by remoting the change, the concerns about exposing the pw diminish greatly.

BUT if you gotta GUI: Check out both Desktop Standard (www.desktopstandard.com) and FullArmor (www.fullarmor.com). Both companies offer extensions to group policy that support changing the local admin password. You'll be paying for the privilege to use the GUI.

Check out TQCRunAs (www.quimeras.com). This is a super cool tool, IMHO. It allows you to wrap up any command or script (OK, you'll actually use the NET USER command, but you get to wrap it up using a GUI *grin*) within an encrypted package that executes a RunAs... solving many of the issues in your task.

Just some thoughts... I'm sure you'll get many others.

Actually, now that I think about your suggestion, I'd actually like to build a sample that allows you to do exactly what you suggest using the Active Directory Users & Computers snap-in. Email me directly late next week (dan dot holme at Intelliem dot com) and I'll hash out an example for you, and make it available to everyone else on the list. I'm just swamped now and I know I'll forget.

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Haaker, Chris
Sent: Monday, June 20, 2005 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripts

I guess I should have (*) that I always use the GUI. I know there are a lot of WMI hooks in the software though. I just open the computer container, select all, right-click and choose "specify local account password". As long as the accounts you want to change the password for on the local machines are all the same name you can do it in one fell swoop.

Chris Haaker
ITS Infrastructure
x7841

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, June 20, 2005 2:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripts

Could we get some more detail on that? I've used Hyena, but I'm not sure how to use that in a scripted fashion.

Thanks!

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Haaker, Chris
Sent: Monday, June 20, 2005 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripts

I know of a piece of software that will; Hyena.

Chris Haaker
ITS Infrastructure
x7841

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Sunday, June 19, 2005 5:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripts

Does anyone know of a script I can include in the login scripts to change the local admin passwords on the computers in my environment?

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Missing Offline Files
You're not going to be able to get to them there, at least not by 'mere mortal' means. You need to go thru the GUI. Log on as an administrator (or as the user, if her account is in the Administrators group). Open My Computer. Choose Tools - Folder Options. Click Offline Files. Click VIEW FILES. This UI exposes what is 'stuffed' in the CSC. If you don't see 'em there, you're more than likely out of luck.

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Friday, June 17, 2005 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Missing Offline Files

They're stored by default in %systemroot%\CSC... Here's a bit more info...
http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=20373&DisplayTab=Article

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Friday, June 17, 2005 10:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Missing Offline Files

I have a user who has lost all of their data from the past four months because they were using offline file sync with their My Documents folder but didn't have the default to sync the files in subfolders. As she has lost all of her data, she would like it back but I don't know where to look for it. I can't seem to find where the system saves the offline synced files. Does anyone know where this is? Does anyone have any good solution to working around this type of issue? My only guess at this time is to throw a document recovery program at that machine and see if the data is in a deleted state on the hard drive. I'm not too confident in this scenario.

Thanks,
Charlie
RE: [ActiveDir] DFS and Access Based Enumeration
You could test it in a lab, but since ABE works on ACLs on shared folders, and since the actual folders in the DFS target folder are not ACLed, I think you'd be making a big mistake. I agree wholeheartedly with Jorge.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Friday, June 10, 2005 1:04 PM
To: 'Nathan Casey'; '[EMAIL PROTECTED]'; 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] DFS and Access Based Enumeration

In my opinion I would only enable ABE on the actual shares that are used for the DFS links

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/10/2005 7:01 PM
Subject: [ActiveDir] DFS and Access Based Enumeration

Does anyone have any experience yet enabling ABE on a DFS root share? If I enable ABE on the DFS root share, DFS links from the root to other shares only show up when accessed by an admin. ABE is not enabled on the linked shares. Any ideas?

Thanks
Nathan
RE: [ActiveDir] OT: Cloned machine domain membership
No... straight GHOST image.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, June 07, 2005 7:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Cloned machine domain membership

Dan, are you using a ghost boot partition in your images?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Monday, June 06, 2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Cloned machine domain membership

If you have already figured out a way to come up with a unique computer name, you're in great shape. To join the domain, you can do one of the following:

OPTION #1: SYSPREP SCRIPT

In your SYSPREP.INF file (if you're not familiar with what this file is, ask and I'll elaborate), include the following section:

    [Identification]
    DomainAdmin = PatC
    DomainAdminPassword = abcdef123
    JoinDomain = MYDOMAIN
    JoinWorkgroup = MYUSERGROUP
    MachineObjectOU = OU=myou,OU=myparentou,DC=mydom,DC=mycompany,DC=com

If you do this, there are issues with the password, obviously. The script should be placed in the C:\SYSPREP folder (PRIOR to imaging) and that folder is deleted during mini-setup. But there is still a possible exposure. Suggestions to overcome this:

1) Have a domain account that ONLY can add computers to the OU where you want these machines, and has no other access to resources in the domain

2) (Best): PRESTAGE the computer accounts: create the computer accounts IN ADVANCE in AD, and set DOMAIN USERS as the account that can join the workstation to that account. Then there's far less of an issue. There are scripts that will let you do this: http://support.microsoft.com/default.aspx?scid=kb;en-us;q315273 for starters

OPTION #2: POST-IMAGE (FIRST LOGON) SCRIPT

Depending on your imaging procedure, if a LOCAL administrator will log on to the computer for the first time post-imaging, you can have a script that runs at that time, either pointed to in the [RunOnce] key of the registry or in the Startup program group or a Startup/Logon script in Group Policy. The URL above shows the syntax for NETDOM which is one script you can use. http://www.microsoft.com/technet/scriptcenter/scripts/ad/computer/cptrvb06.mspx shows another example that works well on XP.

Again, consider the security implications of the domain accounts that are used and any possible password exposure.

LMK if you need more detail, but this should get you going.

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, June 06, 2005 8:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Cloned machine domain membership

I am trying to figure out the best way to re-image our labs (XP only) without any interaction. Currently we are using Ghost 7.5, and it will add the machine account to the domain, but doesn't actually join the machine to the domain. This would be fine if the machines only needed re-imaged twice a year, but at times they need re-imaged weekly. Any suggestions on a way to do this with what we have? Other suggestions?
RE: [ActiveDir] Modifying behaviour of Users and Computers snap-in
I have a page that has a script to make this process significantly easier... you can hook ANY script, web page, etc., into a new context menu command in AD U&C. http://intelliem.editme.com/admindispspec

BTW, the article referenced below does a similar thing -- just more 'manually' -- your question about adding items to an existing PROPERTY PAGE requires significantly more development, but is possible. I'd suggest starting with MSDN for that. Until you figure that out, use this method -- it gets the job done.

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Tuesday, June 07, 2005 5:26 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Modifying behaviour of Users and Computers snap-in

The object cn=user-display,cn=409,cn=displayspecifiers,cn=configuration,dc=xxx,dc=yyy, attribute adminpropertypages may be altered. [409 refers to the English language, others may be in use in your org.]

Additional entries may be provided - one per additional attribute to be exposed in the UI.

An example is found here http://www.windowsitpro.com/Article/ArticleID/21588/21588.html

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: 07 June 2005 12:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Modifying behaviour of Users and Computers snap-in

Good day to you all.

How can the Users and Computers snap-in be modified to display additional properties? For example I might wish to see the employeeID property of a user in the Organization tab.

Regards
Peter Jessop
RE: [ActiveDir] OT: Cloned machine domain membership
If you have already figured out a way to come up with a unique computer name, you're in great shape. To join the domain, you can do one of the following:

OPTION #1: SYSPREP SCRIPT

In your SYSPREP.INF file (if you're not familiar with what this file is, ask and I'll elaborate), include the following section:

    [Identification]
    DomainAdmin = PatC
    DomainAdminPassword = abcdef123
    JoinDomain = MYDOMAIN
    JoinWorkgroup = MYUSERGROUP
    MachineObjectOU = OU=myou,OU=myparentou,DC=mydom,DC=mycompany,DC=com

If you do this, there are issues with the password, obviously. The script should be placed in the C:\SYSPREP folder (PRIOR to imaging) and that folder is deleted during mini-setup. But there is still a possible exposure. Suggestions to overcome this:

1) Have a domain account that ONLY can add computers to the OU where you want these machines, and has no other access to resources in the domain

2) (Best): PRESTAGE the computer accounts: create the computer accounts IN ADVANCE in AD, and set DOMAIN USERS as the account that can join the workstation to that account. Then there's far less of an issue. There are scripts that will let you do this: http://support.microsoft.com/default.aspx?scid=kb;en-us;q315273 for starters

OPTION #2: POST-IMAGE (FIRST LOGON) SCRIPT

Depending on your imaging procedure, if a LOCAL administrator will log on to the computer for the first time post-imaging, you can have a script that runs at that time, either pointed to in the [RunOnce] key of the registry or in the Startup program group or a Startup/Logon script in Group Policy. The URL above shows the syntax for NETDOM which is one script you can use. http://www.microsoft.com/technet/scriptcenter/scripts/ad/computer/cptrvb06.mspx shows another example that works well on XP.

Again, consider the security implications of the domain accounts that are used and any possible password exposure.

LMK if you need more detail, but this should get you going.

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, June 06, 2005 8:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Cloned machine domain membership

I am trying to figure out the best way to re-image our labs (XP only) without any interaction. Currently we are using Ghost 7.5, and it will add the machine account to the domain, but doesn't actually join the machine to the domain. This would be fine if the machines only needed re-imaged twice a year, but at times they need re-imaged weekly. Any suggestions on a way to do this with what we have? Other suggestions?
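A small checker for the two credential exposures discussed in this thread and in the earlier "Scripts" thread: a cleartext DomainAdminPassword in a SYSPREP.INF [Identification] section, and a password passed on a NET USER line in a logon script. This is an added example, not code from the list or from any poster; the file names and sample contents are constructed here.

```python
"""Scan deployment artifacts for embedded credentials.

Added example (not from the ActiveDir list): flags a cleartext
DomainAdminPassword in a SYSPREP.INF [Identification] section and a
NET USER <account> <password> line in a logon script.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# INI keys in SYSPREP.INF / unattend files whose value is a secret.
SECRET_INI_KEYS = {"domainadminpassword", "adminpassword"}

# NET USER <account> <password>: the second argument is a password unless
# it is "*" (prompt interactively) or a /switch such as /add or /delete.
NET_USER_RE = re.compile(r"^\s*net\s+user\s+(\S+)\s+(\S+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    kind: str
    detail: str


def scan_ini(name: str, text: str) -> List[Finding]:
    """Flag secret-bearing keys in an INI-style answer file."""
    findings: List[Finding] = []
    section = ""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # remember the current section
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip().strip('"')
        if key in SECRET_INI_KEYS and value:
            findings.append(Finding(name, no, "ini-password",
                                    f"[{section}] {key} holds a cleartext password"))
    return findings


def scan_script(name: str, text: str) -> List[Finding]:
    """Flag NET USER lines that pass a password on the command line."""
    findings: List[Finding] = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = NET_USER_RE.match(raw)
        if not m:
            continue
        account, second = m.group(1), m.group(2)
        if second == "*" or second.startswith("/"):
            continue                      # prompted, or no password given
        findings.append(Finding(name, no, "net-user-password",
                                f"password for {account} given on the command line"))
    return findings


# Scanner to use for each file extension (hypothetical mapping).
SCANNERS = {".inf": scan_ini, ".bat": scan_script, ".cmd": scan_script}


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Dispatch each (name -> contents) pair to the scanner for its extension."""
    findings: List[Finding] = []
    for name, text in files.items():
        ext = name[name.rfind("."):].lower() if "." in name else ""
        scanner = SCANNERS.get(ext)
        if scanner:
            findings.extend(scanner(name, text))
    return findings


# Constructed sample: the [Identification] section from the thread, which
# stores the join account's password in cleartext (finding on line 6).
SAMPLE_SYSPREP_INF = """[Unattended]
OemSkipEula = Yes

[Identification]
DomainAdmin = PatC
DomainAdminPassword = abcdef123
JoinDomain = MYDOMAIN
MachineObjectOU = OU=myou,OU=myparentou,DC=mydom,DC=mycompany,DC=com
"""

# Constructed sample: no credential in the answer file at all.
SAMPLE_WORKGROUP_INF = """[Identification]
JoinWorkgroup = MYUSERGROUP
"""

# Constructed sample logon script: line 2 exposes the password, line 3
# prompts for it, line 4 carries no password.
SAMPLE_LOGON_BAT = """@echo off
net user Administrator abcdef123
net user Administrator *
net user tempacct /delete
"""

if __name__ == "__main__":
    for f in scan_files({"sysprep.inf": SAMPLE_SYSPREP_INF,
                         "sysprep-wg.inf": SAMPLE_WORKGROUP_INF,
                         "logon.bat": SAMPLE_LOGON_BAT}):
        print(f"{f.source}:{f.line_no}: {f.kind}: {f.detail}")
```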
RE: [ActiveDir] Alternate install Directory for W2K3 load
Rick's right... has to be done in an ANSWERFILE. HOWEVER, you can create an answer file with ONLY the parameters you need, and leave all others blank. Launch the installation with an answerfile (winnt /u or winnt32 /unattend) and it will PROMPT you for all non-answered parameters... i.e. it's still an interactive installation, but the 'hidden' parameter you want has been tackled.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, June 06, 2005 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Alternate install Directory for W2K3 load

No, sorry to say that there isn't. The installer is designed to take this type of input from an answer file, and stipulated by the /u:file name parameter.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V Contr NASIC/SCNA
Sent: Monday, June 06, 2005 7:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Alternate install Directory for W2K3 load

Ok, but I am trying to do it from an install that I am doing interactively. Isn't there some kind of command line switch or something like that for WINNT.EXE? I looked through the switches again, but none of them say they are to change the install directory.

Nate

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, June 06, 2005 6:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Alternate install Directory for W2K3 load

I believe you can do this using an answer/transform file for the unattended install process.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V Contr NASIC/SCNA
Sent: 06 June 2005 12:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Alternate install Directory for W2K3 load

Hey all, I am trying to create an image for Windows 2003 member servers for our domain and the SMS/Tivoli folks want to keep the default directory for the OS load at C:\WINNT. I have gone through the setup many times booting from the CD and walking through the menus, but there is no option for where I want to install the OS besides selecting the drive and partition. It defaults to C:\WINDOWS. I can specify which directory I want if I am upgrading from a previous OS in the GUI setup mode, but this is to be made for a fresh install, not an upgrade. Any ideas on how to load W2K3 into c:\winnt from the start?

Thanks,
Nate

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, June 05, 2005 10:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Error

Good point, David. Thanks for enhancing the suggestion.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Sunday, June 05, 2005 7:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Error

The /e switch for dcdiag will run the test against every DC in the Forest. Might be good to make sure every DC is seeing the same thing as all others.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, June 05, 2005 19:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Error

I've seen exactly the same when an Infrastructure Master was missing. Check all FSMO owners to be sure that they really DO exist.

To do this, it's best to run

    DCDIAG /v /test:KnowsOfRoleHolders

You will need to run this in each domain for the domain FSMO roles, but it will query the domain controllers directly for who they know of and can they be contacted (have you heard from this DC lately). This is superior to NETDOM QUERY FSMO which seems to just blindly return the information without any verification.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Sunday, June 05, 2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Error

When I had a similar error it was because the domain naming master was not available (server had failed and been rebuilt but the FSMO role had not been seized)

Steve

From: [EMAIL PROTECTED] on behalf of Za
Sent: Sat 04/06/2005 05:13
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Error

Good evening all. A W2K DC was upgraded to W3K and it is also a DNS server. No problem at all with prepping and upgrading from W2K-W3K. I am getting the error below every few minutes. Anyone have a solution?

    Event Type: Error
    Event Source: DNS
    Event Category: None
    Event ID: 4015
    Date: 5/15/2004
    Time: 8:49:51 AM
    User: N/A
    Computer: PC Name
    Description: The DNS
RE: [ActiveDir] User account and home directory management
I've had good luck finding solutions like this using Google. A hint is to use vbscript as a keyword, e.g. "vbscript users (home directories OR home folders)". Last I looked I found a lot of samples of this kind of thing. Unfortunately I didn't capture the one I thought was best, sorry.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Stanford
Sent: Monday, June 06, 2005 6:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User account and home directory management

Hi to all on the list. Forgive me if this subject has been covered, as I am new to the list. I manage a school network, and one of the issues I face is that an AD user account, the user profile and the user's home directory share are inextricably linked. I need to be able to create users and shares in one go, so that the account is set up, the share and profile created, and permissions set, and the details entered into the AD object. Does anyone know of any software or scripts that would accomplish this? I would ideally like to be able to do it for individual users or in bulk.

Thanks in advance,
Dan Stanford.
RE: [ActiveDir] Seeking AD monitoring software recommendations
You asked about MOM vs. NetPro, and the feedback I've been getting from clients is that while both tools are great, they serve slightly different purposes. One client described well what several have said: that MOM is, like many MS tools, a fantastic *platform* (extensible, a basis for future solutions, etc.) but thus was more complex than they desired for the level of functionality they require right now. NetPro was more out-of-box, ready-to-go.

I agree with what was said earlier: your ramp-up time and expectation for hands free may be a little lofty. But if that is the case, my guess is that NetPro may serve you well. HPOV has advantages in very heterogeneous environments, of course, and can serve spaces that NetPro and MS don't touch yet.

On a *personal* note, I've never met someone from NetPro I didn't *like* -- they seem to be very adept at hiring super smart, personable folks. That actually can make a difference in the long run.

But you're looking at the right tools. You might be BEST served by having each vendor spend 1/2 to 1 day pitching you, and hit them up with the excellent feedback you've been getting in this thread. I have one client who just did that exact thing, and I'd be happy to hook you up with him -- he may have some very fresh opinions for you.

Dan Holme
Intelliem

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Sunday, June 05, 2005 5:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seeking AD monitoring software recommendations

If you're determined to put as little time as needed into whatever tool you choose, then I don't have a lot of faith in you deploying something like MOM, HPOV, NetIQ, etc. Time after time I've seen customers deploy such a tool and expect it to just work out of the box with little to no configuration or attention. Since that's not how these things work, the customers just end up not really using it and it sits mostly dormant and ignored.

There's typically a lot of up-front cost in time and learning to get things configured to where it becomes useful. If you really want to do things right, then you're going to have to commit to the time and effort. Otherwise you may as well put the money into something else. You probably want to also refine your requirements and do some good research and testing of the various candidates before biting the bullet and signing the purchase order.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark
Sent: Sunday, June 05, 2005 18:47
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seeking AD monitoring software recommendations

I work for a large enterprise company running w2k3 in 2003 mode with the expectation the main user domain will hold 150K users. Currently has about 80 DCs. We finally have funding to buy some AD specific monitoring tools.

* I am looking for an application(s) that will tell us when AD is not functioning as it should in a simple screen and email us.
* Would like to be able to benchmark systems.
* Will tell us when someone changed a piece of the infrastructure (Auditing)
* Would like to have the install done in about a week and be proficient in about a month.

I need a system I do not have to spend a lot of time with, and will tell me when something is wrong/changed. Anyone have any good suggestions?

Thanks, You guys are great!
M. Lunsford
RE: [ActiveDir] DFS
Your workgroup servers can be targets of links. No problem. You can also 'point' to UNIX/LINUX (SAMBA) and NetWare resources - anything that can be referred to with a UNC (\\server\share) can be a link in DFS... definitely doesn't have to be a domain member.

HOWEVER

You cannot have a workgroup server host a ROOT TARGET, i.e. the DFS Server itself needs to be a server in the domain - and in a distributed env like CHW you'll be best served by hosting the root targets on MEMBER SERVERS in the domain where the DFS root is, rather than on DCs. There are administrative and delegation issues that make hosting a root target on a DC in a distributed, decentralized enterprise a very bad idea.

ALSO

Replication will be challenging, but not just b/c you're in a multiple domain environment. The real issue is that FRS sucks, particularly if you have a situation where changes will be made to multiple copies of a replica. In other words, if you have FOLDER A replicated to SERVER1 and SERVER2, and people are making changes to FOLDER A on both servers, FRS tends to have issues. Many of these will be solved in Windows 2003 R2, with its new replication technology. Until then, my general guidance to clients is

1) Use FRS only where there is a 'master - replica' topology, where changes are made only to one server and replicated to all copies. This can be 'managed' by setting share permissions (NOT NTFS permissions, which are replicated) on the master to allow modify/full and share permissions on the replicas to allow only read. Don't use FRS across servers in different domains/workgroups.

2) Use another tool for replication in all other scenarios. RoboCopy and DoubleTake are popular among my clients.

THIS DOCUMENT IS AWESOME: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/20ffb860-f802-455c-9ca2-5194f79a9eb4.mspx

Dan Holme
Director of Training & Consulting
Intelliem, Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, June 03, 2005 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DFS

Can a DFS Root be created in a Root Domain and contain servers from child domains in the DFS Share? Is there any good information on how to deal with permissions with this kind of setup?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] OT Assign Icon in script
I've done that sort of thing simply by creating the shortcut then *copying* it via a script.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, June 01, 2005 2:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT Assign Icon in script

Is it possible to assign an icon to a shortcut, to all the computers in the domain via GPO Logon Scripts? What I have got is this:

    ' Create a URL shortcut on the current user's desktop
    Set ws = WScript.CreateObject("WScript.Shell")
    dsktop = ws.SpecialFolders("Desktop")
    Set scut = ws.CreateShortcut(dsktop & "\shortcut name.lnk")
    scut.TargetPath = "http://enter url here"
    scut.Save

Now this is all great and works (creating the Shortcut on the desktop) but I would also like to assign a custom icon. Is this at all possible?

Thanks,
Aaron Visser
RE: [ActiveDir] Home Directories
Modify permission on an NTFS ACL *does* include DELETE.

Anyway, what Steve suggests is simply not possible to achieve without workarounds such as 'resetting the acl' regularly. Here's why, and a suggestion.

1) The CREATOR/OWNER of a file or folder ALWAYS can change permission on that file or folder. There's no way to prevent that. In other words, if you let a user save a file, they CAN change permission.

2) The only workaround I've heard for this (and I've not tested it myself but it is on good authority) is to set a SHARE permission of MODIFY (not Full Control). The lack of full control on a share apparently prohibits anyone (including the owner) from changing an ACL... cool assuming it's true, though managing share permissions is a whole other can of worms, and PLEASE don't go there with this thread. It's a solution, not a perfect one (and there isn't a perfect solution given Steve's requirements).

3) You can *always* provision anything in windows. Go bananas with a script or process that creates the folder for the user with the right permissions on that user's folder, and then of course you can restrict the root more. The permissions I listed are the minimum required permissions for out-of-box Windows functionality.

Hope this helps.

D

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 31, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

Are you sure about that?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dryden, Karen
Sent: Tuesday, May 31, 2005 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

Modify rights doesn't give them the ability to delete files/folders. You have to go to the Advanced tab on permissions and edit their rights and check the box to enable them to delete their own home drive files/folders

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Tuesday, May 31, 2005 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

The trouble is that Microsoft's idea of locked down and my idea of locked down don't match... I work in a college (and I think Debbie works in a similar environment) and there's no way I'd give users full control over even their own folders - the most they get is modify on everything in their user area. (Giving full allows them to change permissions - most will do this accidentally and manage to remove themselves from the list or they will give access to other users. In a work environment this may be a good thing - it allows users to share work on an ad-hoc basis. For students, it's typically a way to move pirate material around...)

There's also a problem in that if users can create folders in the root share then they will - again, some will do this accidentally and lose work in that way; others will do it maliciously. Whichever, when you have 14,000 folders to worry about you don't want odd ones sneaking in :-)

The downside of this is that you can't then have the folder created by the redirection process as the user logs on; no big deal - we script the user creation so we also create the home folder with the permissions we want (admins, system - full; user - modify). On a regular basis we also force the permissions and ownership back to what they should be - I've found setacl (http://setacl.sourceforge.net) to be easier to use for this than subinacl.

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: 27 May 2005 16:14
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

The best practice permissions for the ROOT SHARE (for home directories, roaming profiles & folder redirection) are listed below. There is a lot of confusion about these perms, b/c there are inconsistencies in MS doc. I've tested these to make sure they work and (as you'll see) they're pretty well locked down.

The root share
==============

ACL:

- Users*: Allow: List Folder, Create Folders. Inheritance: This folder only (THIS IS TRICKY AND IS NOT THE DEFAULT. Set "Apply onto" to THIS FOLDER ONLY)
  *Or another group that includes users who will have folders under this root
- Creator Owner: Allow: Full. Inheritance: Subfolders and files only
- System: Allow: Full. Inheritance: This folder, subfolders and files
- Administrators: depends. Set based on Enterprise information security policy

Share:

- Hidden share name (sharename$)
- Share permissions: Everyone: Allow: Full

** Do not create individual user folders **

How folders are created
=======================

- Home folders: created & perm'd automatically
- Redirected folders: created, perm'd, user owner
- SUBINACL on Res Kit to change ownership if you must create folder in advance. (Be sure to download newest
RE: [ActiveDir] Enhancement Question
Charlie: This is a question I'm getting from a LOT of my clients these days. I'd be happy to chat through some ideas with you, but it's too much to type out. Give me a shout and I'll spend a bit of time talking you through some ooh-ahh-wow things you can do with AD. 888.381.6956.

Dan Holme
Intelliem

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, May 31, 2005 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enhancement Question

You could look at pre-populating the location field for printer searches. This is quite a nice feature that uses the IP subnet of the workstation the user is logged on to to locate the nearest printer. There are a few tasks you need to do to enable this, but it can be worth the effort, especially in distributed organisations. See the following whitepaper for more information on this:
http://www.microsoft.com/windows2000/technologies/fileandprint/print/addeploy.asp

As you suggest, there are not a huge number of benefits that are directly visible to the end user.

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, 1 June 2005 3:05 a.m.
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Enhancement Question

This is an odd question. We have just about finished rolling out AD 2003 (from an NT domain) and I have been charged with finding several ways to utilize Active Directory to optimize the management of our applications and infrastructure. At least one of the solutions should enhance functionality directly for the user community. I'm having problems finding ways to enhance functionality for the end-users. Besides tying AD into one of our outsourced web-based applications to reduce their password count, I'm stretching.

I know of a number of management and infrastructure enhancements that could be made, but none enhance the functionality of our end-users to a point where they will notice it and say "Wow, now that's cool." Does anyone know of a location where I can get ideas on this topic? Increased security, stability, management: these core things are not seen by the end-user even though they directly affect them. I need to find something that the end-users will like to see and something that benefits them. I'm just coming up blank on this. In the past, I have always been instructed to use AD in ways that the end-user doesn't notice but increase the functionality.

Thanks,
Charlie

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Selective moving/migration of users
Take a look at the documentation of the ADMT. You can use a SELECTION FILE to specify the users and groups you wish to modify, so that you don't have to manually select them in the user interface. There are also a number of options to *script* the ADMT, which means you could utilize any language (e.g. VBScript, .bat) to create the 'logic' to select your users and groups.

To expand on what Jorge mentioned, there are lots of ways to migrate, but by far the *easiest* with the ADMT is to migrate the global groups you want *first*, then, as a second 'pass' through the ADMT, migrate the users you want.

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, May 30, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Selective moving/migration of users

As Jorge mentioned earlier, Quest DMW has an option to find out the groups that the user is a member of and migrate those as well (nice checkbox)... not sure about ADMT though.

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, May 30, 2005 7:56 PM
To: '[EMAIL PROTECTED]'; 'Lucia Washaya'; 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Selective moving/migration of users

Almost forgot: think about closed sets (meaning: if I migrate these objects, what other objects should be migrated also). What about the groups the NT users you want to migrate are members of? Don't you need to migrate those as well?

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: 'Lucia Washaya'; '[EMAIL PROTECTED]'; 'ActiveDir@mail.activedir.org'
Sent: 5/30/2005 1:42 PM
Subject: RE: [ActiveDir] Selective moving/migration of users

Hi,

You can always select the users and/or groups you want to migrate. It all depends on the requirements and situations, but it is not necessary to migrate the domain at once. There are a lot of tools available that help you with your object migration (users, groups, computers) and resource updating (re-ACL, etc.). One of the free tools available is ADMTv2 (ADMTv3 is in beta at the moment), which can migrate objects and do standard Windows resource updating (incl. Exchange). If you however need to update resources on SQL or SMS you will likely need to use a third party tool like Quest DMW.

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; 'ActiveDir@mail.activedir.org'
Sent: 5/30/2005 12:52 PM
Subject: [ActiveDir] Selective moving/migration of users

Colleagues,

Is there a way to selectively move or migrate users between NT and Windows 2000 domains? I have two domains, one on NT and another on Windows 2000. I want to move some of the users from NT to 2000. Is there a way to do it?

Thank you in advance for your assistance.

Regards,
Lucia Washaya
UNAMSIL
Tel Ext.: 5497 or Local Tel.: 022-295-526
Int'l Tel.: Via Italy +(39) 083123-5497
Via USA +1(212) 963-9915 (after audio response dial 174-5497)
==
The cobra will bite whether you call it Cobra or Dear Mr. Cobra.
===

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Home Directories
The best practice permissions for the ROOT SHARE (for home directories, roaming profiles, folder redirection) are listed below. There is a lot of confusion about these perms, b/c there are inconsistencies in MS doc. I've tested these to make sure they work and (as you'll see) they're pretty well locked down.

The root share
==============
ACL:
  Users*: Allow: List Folder, Create Folders
    Inheritance: This folder only (THIS IS TRICKY AND IS NOT THE DEFAULT. Set "Apply onto" to THIS FOLDER ONLY)
    *Or another group that includes users who will have folders under this root
  Creator Owner: Allow: Full
    Inheritance: Subfolders and files only
  System: Allow: Full
    Inheritance: This folder, subfolders and files
  Administrators: depends. Set based on Enterprise information security policy
Share:
  Hidden share name (sharename$)
  Share permissions: Everyone: Allow: Full
** Do not create individual user folders **

How folders are created
=======================
Home folders: created and perm'd automatically
Redirected folders: created, perm'd, user owner. SUBINACL on Res Kit to change ownership if you must create folder in advance. (Be sure to download newest patched version of SubInACL from MS web site)
Profiles: created and perm'd automatically

Hope this helps

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 8:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

Yes, make sure that the top level home folder that your share is pointing to does not have rights for those users to make changes. They should only have rights at their individual folder. For instance:

Share Level Perms
\\server\home1 is your home folder share which has the following perms:
  Administrators - FC
  Domain Users - C

NTFS Perms
That folder maps to h:\home1 on your server. Home1 should have the following:
  Administrators - FC

There's a user folder under home1 that maps to JohnDoe, such as h:\home1\johndoe. At the johndoe folder, you want to make sure the following permissions are set:
  Administrators - FC
  JohnDoe - Modify

So now you can map the user's H: drive or whatever to \\server\home1\johndoe. Hope that helps...

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Friday, May 27, 2005 10:50 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Home Directories

But it also allows them to create new folders under the top level Home share. Is there a way around that?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

Now that your share-level permissions are correct, you need to add the individual user to their respective home folder and grant modify permissions (NTFS). That should give them change access to their files.

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Friday, May 27, 2005 9:04 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Home Directories

I appreciate all the feedback. I had to end up giving domain users change access on the top level Home share folder (on both file and share). I removed domain users from the individual home directories/folders. The problem I have with the solution is that won't users be able to create folders in the Home Folder? Is there a solution to this?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 8:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

Sorry. Please don't perceive my earlier post as disrespecting your opinion. Simply typing in brevity. :) At any rate, I read it as a user end permission error, not as a copy process failure.

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, May 26, 2005 6:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

No problem in disagreeing, as long as we can respect each other's opinions. Granted Debbie did not give us a lot of details, but based on what Debbie wrote, it sounds like she is having trouble copying the files from the server, and if her users had full control enabled on the original NT 4 home directory, then in the middle of the move process she would probably have an access denied even though she is the admin. By taking ownership of the files prior to her move this issue would be resolved. She also stated that the permissions are change (Change for end users is better than Full control in my opinion) and Debbie stated that she
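The provisioning approach Steve and Dan describe (admins and SYSTEM full, user Modify, ownership kept away from the user, permissions forced back on a schedule), as an added PowerShell example that is not code from this thread. It assumes the root is D:\Home on the file server and the domain NetBIOS name is CONTOSO; both are placeholders.

```powershell
# Added example, not code from the thread. Provisions a home folder with the locked-down ACL from the
# thread (Administrators and SYSTEM: Full; the user: Modify; owner stays Administrators) and then
# detects and re-applies that baseline, which is the "force the permissions back" step.
# Assumed: root D:\Home, domain NetBIOS name CONTOSO.
Set-StrictMode -Version Latest

function New-HomeFolderAcl {
    # Builds the baseline DirectorySecurity for one user's folder.
    param([Parameter(Mandatory)] [string] $SamAccountName, [string] $Domain = 'CONTOSO')
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    # Block inheritance so the root's "Users: Create Folders" entry never reaches the user folder.
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $entries = @(
        @{ Id = 'BUILTIN\Administrators';  Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';     Rights = 'FullControl' },
        @{ Id = "$Domain\$SamAccountName"; Rights = 'Modify' }      # Modify: no Change Permissions / Take Ownership
    )
    foreach ($entry in $entries) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry.Id, [System.Security.AccessControl.FileSystemRights] $entry.Rights, $inherit, $prop, $allow)))
    }
    # Owner stays Administrators: an owner can always rewrite the DACL (Dan's point 1), so leaving the
    # user as owner would hand back exactly what Modify withholds.
    $acl.SetOwner([System.Security.Principal.NTAccount] 'BUILTIN\Administrators')
    return $acl
}

function New-HomeFolder {
    param([Parameter(Mandatory)] [string] $Root, [Parameter(Mandatory)] [string] $SamAccountName,
          [string] $Domain = 'CONTOSO')
    $path = Join-Path $Root $SamAccountName
    if (Test-Path -LiteralPath $path) { throw "Home folder already exists: $path" }
    $null = New-Item -ItemType Directory -Path $path
    Set-Acl -LiteralPath $path -AclObject (New-HomeFolderAcl -SamAccountName $SamAccountName -Domain $Domain)
    return $path
}

function Get-HomeFolderDrift {
    # Lists folders under $Root whose DACL or owner no longer matches the baseline: an identity other than
    # Administrators/SYSTEM/the folder's user, an inherited entry, the user holding Change Permissions or
    # Take Ownership (someone granted Full), or a different owner.
    param([Parameter(Mandatory)] [string] $Root, [string] $Domain = 'CONTOSO')
    $widen = [int]([System.Security.AccessControl.FileSystemRights] 'ChangePermissions, TakeOwnership')
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        $acl      = Get-Acl -LiteralPath $dir.FullName
        $userId   = "$Domain\$($dir.Name)"
        $expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $userId)
        $reasons  = @(foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($expected -notcontains $who)  { "unexpected ACE for $who" }
            elseif ($ace.IsInherited)         { "inherited ACE for $who" }
            elseif ($who -eq $userId -and (([int]$ace.FileSystemRights -band $widen) -ne 0)) {
                "$who can change permissions or take ownership"
            }
        })
        if ($acl.Owner -ne 'BUILTIN\Administrators') { $reasons += "owner is $($acl.Owner)" }
        if ($reasons.Count -gt 0) { [pscustomobject]@{ Path = $dir.FullName; Reasons = $reasons } }
    }
}

function Reset-HomeFolderAcl {
    # The scheduled "force permissions and ownership back" step: re-applies the baseline to every drifted
    # folder and returns what was fixed so the run can be logged.
    param([Parameter(Mandatory)] [string] $Root, [string] $Domain = 'CONTOSO')
    foreach ($d in Get-HomeFolderDrift -Root $Root -Domain $Domain) {
        $user = Split-Path -Path $d.Path -Leaf
        Set-Acl -LiteralPath $d.Path -AclObject (New-HomeFolderAcl -SamAccountName $user -Domain $Domain)
        $d
    }
}

# Example run (assumed values):
# New-HomeFolder -Root 'D:\Home' -SamAccountName 'jdoe'
# Get-HomeFolderDrift -Root 'D:\Home'     # empty right after provisioning
# Reset-HomeFolderAcl -Root 'D:\Home'     # run from a scheduled task
```

Run it from an account that is a member of the local Administrators group on the file server; resetting ownership needs that.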
RE: [ActiveDir] Delivering MSI packages effectively
If your domain is in Windows 2000 native mode (or Windows 2000 domain functional level) or higher, you can effectively nest global groups into global groups. With a dispersed OU structure (I echo Jorge's question, why), I would suggest:

1) A global group containing the computers of each classroom
2) A global group representing the software package
3) Nest the classroom groups into the software group
4) Filter the GPO to apply only to the software group. Remove (don't deny - remove) Authenticated Users' ability to Apply Group Policy and allow the Software group Read and Apply Group Policy. If you're using the GPMC (which you should be), it's even easier: remove Auth Users and add the software group.

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Tuesday, May 24, 2005 7:08 AM
To: 'Steven Wood'; '[EMAIL PROTECTED]'; 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Delivering MSI packages effectively

You have two possibilities. For both, create a GPO with the APP assigned.
(1) Link the GPO to each classroom and you're done.
(2) Link the GPO to the workstations OU and use group filtering by giving a group (that represents the classroom) read and apply permissions to the GPO. Each workstation must be a member of its corresponding group.

Question: why do you have such a deep structure? Delegations? GPOs? Something else?

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 3:48 PM
Subject: [ActiveDir] Delivering MSI packages effectively

I'm hoping someone can explain to me the most effective way to deliver an MSI package in the following scenario. My AD structure looks something like this:

Workstations
  Building One
    Classroom 1
    Classroom 2
    etc. to Classroom 99
  Building Two
    Classroom 1
    etc. to Classroom 99
  Building Three
    Classroom 1
    etc. to Classroom 99

I have a GPO connected to most rooms. If I have an MSI package that I need to deliver to, say, 25 rooms, what would be the most effective way to assign it to the required classrooms? Currently I have to assign the app 25 times, once to each room.

Regards
Steven

---
This email is from Oldham Sixth Form College, but expresses the views of the sender and not necessarily the views of the college. The email and any files transmitted with it are confidential to the intended recipient at the e-mail address to which it has been addressed. It may not be disclosed or used by any other than that addressee, nor may it be copied in any way. If received in error, please notify [EMAIL PROTECTED] quoting the name of the sender. This message has been scanned for viruses by F-Secure Anti-Virus. Please note that we cannot accept any responsibility for any transmitted viruses. It is, therefore, your responsibility to scan attachments (if any).
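Dan's four steps (classroom computer groups, a package group, nesting, GPO security filtering), as an added PowerShell example that is not code from this thread. It assumes the ActiveDirectory and GroupPolicy modules (RSAT) and placeholder names: a GPO "Deploy-AppX", a group container "OU=Groups,DC=example,DC=com" and classroom OUs under "OU=Workstations,DC=example,DC=com".

```powershell
# Added example, not code from the thread: Dan's four steps scripted against the ActiveDirectory and
# GroupPolicy modules. Names used in the example run are assumed placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function New-ClassroomComputerGroup {
    # Step 1: a global group holding the computer accounts of one classroom OU.
    param([Parameter(Mandatory)] [string] $ClassroomOU, [Parameter(Mandatory)] [string] $GroupName,
          [Parameter(Mandatory)] [string] $GroupOU)
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -SamAccountName $GroupName -GroupScope Global `
                    -GroupCategory Security -Path $GroupOU
    }
    $computers = Get-ADComputer -Filter * -SearchBase $ClassroomOU -SearchScope OneLevel
    if ($computers) { Add-ADGroupMember -Identity $GroupName -Members $computers }
    return $GroupName
}

function Set-SoftwareGroupFilter {
    # Steps 2-4: the package group, nesting the classroom groups into it, and the GPO security filter.
    param([Parameter(Mandatory)] [string] $GpoName, [Parameter(Mandatory)] [string] $SoftwareGroup,
          [Parameter(Mandatory)] [string[]] $ClassroomGroups, [Parameter(Mandatory)] [string] $GroupOU)
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$SoftwareGroup'")) {
        New-ADGroup -Name $SoftwareGroup -SamAccountName $SoftwareGroup -GroupScope Global `
                    -GroupCategory Security -Path $GroupOU
    }
    # Global-in-global nesting needs Windows 2000 native mode or higher, as Dan notes.
    Add-ADGroupMember -Identity $SoftwareGroup -Members $ClassroomGroups
    # Remove, don't deny: Authenticated Users keep Read only (-Replace overwrites their Read+Apply entry;
    # computers still need Read to process the GPO), and the software group gets Read + Apply.
    $null = Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                             -PermissionLevel GpoRead -Replace
    $null = Set-GPPermission -Name $GpoName -TargetName $SoftwareGroup -TargetType Group `
                             -PermissionLevel GpoApply
}

function Test-SoftwareGroupFilter {
    # $true when the software group is the only trustee allowed to apply the GPO.
    param([Parameter(Mandatory)] [string] $GpoName, [Parameter(Mandatory)] [string] $SoftwareGroup)
    $appliers = @(Get-GPPermission -Name $GpoName -All |
                  Where-Object { $_.Permission -eq 'GpoApply' } |
                  ForEach-Object { ($_.Trustee.Name -split '\\')[-1] })
    return ($appliers.Count -eq 1 -and $appliers[0] -eq $SoftwareGroup)
}

# Example run (assumed names): two classrooms get AppX through one GPO and one package group.
# $rooms = @(
#     New-ClassroomComputerGroup -ClassroomOU 'OU=Classroom 1,OU=Building One,OU=Workstations,DC=example,DC=com' `
#                                -GroupName 'CR-B1-Room01' -GroupOU 'OU=Groups,DC=example,DC=com',
#     New-ClassroomComputerGroup -ClassroomOU 'OU=Classroom 2,OU=Building One,OU=Workstations,DC=example,DC=com' `
#                                -GroupName 'CR-B1-Room02' -GroupOU 'OU=Groups,DC=example,DC=com')
# Set-SoftwareGroupFilter -GpoName 'Deploy-AppX' -SoftwareGroup 'SW-AppX' -ClassroomGroups $rooms `
#                         -GroupOU 'OU=Groups,DC=example,DC=com'
# Test-SoftwareGroupFilter -GpoName 'Deploy-AppX' -SoftwareGroup 'SW-AppX'   # expected: True
```

Computer group membership is evaluated at logon, so a freshly added machine picks up the package after its next restart.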
RE: [ActiveDir] AD DR - replication lag site----Why?
will have Brett snickering at you.

As I mentioned in an earlier post, if you are afraid of deleted objects, I would recommend judicious use of searchFlags 0x08 and admod with the -undel option. Couple that with a simple AD/AM directory that you don't let your loose cannon admins have access to and you can pretty easily get things back.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, May 20, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Using my non-scientific personal observations, of the last 50 or so customers I've been to I believe only 3 had lag sites. Of those 3, none had done what I'd call a good job of setting it up (they had basically just created a separate site with a longer replication interval). Of the other ~47, perhaps half knew of lag sites and were either interested in the concept or had plans to implement them. How many actually will I can't say. These are all Premier customers. So, based on my personal experience, I'm more inclined to agree with Todd. I think, however, that over the next couple of years lag sites will become the norm as virtualization becomes commonplace and best practices are better documented and understood.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, May 20, 2005 15:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Todd,

With all due respect, I think there are more people doing this than you think. You aren't using a Lag Site, so it's 'whacky'. Your opinion, so you're entitled to it. PSS blessed our implementation, BTW. If you'd like, I'll be happy to provide you with contacts for the ROSS tech (out of Los Colinas) that did our recent AD Health check in advance of our Win2k3/E2k3 upgrade. He stated that this was becoming a cheap, scalable solution to providing DR - and a few large organizations were using them at warm/hot sites because they also meet criteria for DR as addressed and required for Sarbanes.

And, I don't question the fact that a poor site design can cause problems. But, humbly, I submit that I know what I'm doing. Learn from what I do - or learn not. That's up to you.

I know that you have a liking for Quest - which is fine. I use some of their tools - just not Recovery Manager. However, in a DR situation when your DCs are being rebuilt from scratch - Recovery Manager is not a very valuable tool when there are no objects to 'undelete'.

As for Guido - I hope he chimes in as well. He seems to be one of the few that you trust - regardless of those that have supported you in the past. Hopefully then - we can put this behind us.

Me, I'll keep doing what has been successful for me for two years, thank you.

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Friday, May 20, 2005 11:59 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

I disagree that Lag sites are popular, maybe with you and at AD conferences as a session. I tend to avoid those sessions. To all those considering this as a viable solution, why not run it by MSC or PSS and see what they say. We get something called a supportability review before we implement anything too whacky at my organization. There are so many things that can go wrong with an improper site design and object reanimation that I just say avoid doing it. I am waiting for Guido to chime in on this.

Todd

From: Dan Holme [mailto:[EMAIL PROTECTED]
Sent: Thu 5/19/2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Two more notes on this issue:

1) THIRD PARTY AD RESTORE TOOLS. Sounds like it's clear, now, WHY lag sites are so popular. Yes, there are third party products (particularly Quest Recovery Manager) that work quite well if you have a budget for that. Here's my take as to why my IT budget shouldn't be spent on those tools (and *should* be spent on OTHER tools by some of those same companies).

a) Deleted objects can be avoided with proper delegation. It's so important that you properly delegate and properly use accounts with administrative logon (i.e. with 'secondary logon' only) that this trumps just about everything. At most of my clients, NOBODY (from a practical perspective) can delete users or groups. We have a process we call graveyarding, whereby an account is tagged (using a variety of methods) and, with a SCRIPT, moved to an OU where they stay for 90 days before being deleted (again, only by the SCRIPT). The only other accounts that can delete users
RE: [ActiveDir] Scripting Delegation Question
Thanks! I'll definitely look at your tools book, Alain!

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, May 20, 2005 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting Delegation Question

Deleting an ACE is obviously supported. Supporting removal of ACEs in a granular way requires extensive regression testing, which is way more complex than removing all ACEs using the same trustee. Therefore, it is more than just implementing the feature in the tool. That's why it is not supported even though technically this should work fine. I've been doing some testing with the script below and it works great so far.

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 20, 2005 10:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting Delegation Question

"Microsoft doesn't support this and this is why no tool doing this exists."

I am confused, what specifically isn't supported? Deleting a single ACE is obviously supported; the reason DSACLS doesn't do it I would bet is programmer laziness versus anything being unsupported. You would have to add additional switches to specify the specific ACE to remove versus simply yanking all of the ACEs with a specific secprin. The latter is much much easier to implement. DSACLS has lots of shortcuts like that; look at the case sensitivity for more examples there.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, May 20, 2005 7:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting Delegation Question

Check out the script at http://users.skynet.be/alain.lissoir/conferences/WMIManageSD.zip I wrote for my books. This script is fully documented in my WMI books at http://www.lissware.net (Vol 2). It supports the management of security descriptors for files, folders, file shares, registry, WMI namespaces, AD, Exchange 2000/2003 mailboxes. It requires the registration of some resource DLLs where it is started in order to work.

For instance, if you want to delegate "Modify the membership of a group" (as the delegation wizard displays), the command line for WMIManageSD.Wsf is:

Set OU=OU=Department,DC=LissWare,DC=NET
Set TRUSTEE=VMLissWareNET\Alain.Lissoir
Cscript.Exe //Nologo WMIManageSD.Wsf /ADObject:%OU% ^
  /Trustee:%TRUSTEE% ^
  /ACEType:ADS_ACETYPE_ACCESS_ALLOWED_OBJECT ^
  /ACEMask:ADS_RIGHT_DS_READ_PROP,ADS_RIGHT_DS_WRITE_PROP ^
  /ACEFlags:ADS_ACEFLAG_CONTAINER_INHERIT_ACE,ADS_ACEFLAG_INHERIT_ONLY_ACE ^
  /ObjectType:{BF9679C0-0DE6-11D0-A285-00AA003049E2} ^
  /InheritedObjectType:{BF967A9C-0DE6-11D0-A285-00AA003049E2} ^
  /AddAce+ /ADSI+

Then to undelegate one ACE, you specify the exact same command line, but you use the /DelAce+ and /Granular+ switches instead. If you don't specify the /Granular+ switch, then it removes all ACEs for the trustee. If you do, it removes only the ACE specified for the trustee.

Set OU=OU=Department,DC=LissWare,DC=NET
Set TRUSTEE=VMLissWareNET\Alain.Lissoir
Cscript.Exe //Nologo WMIManageSD.Wsf /ADObject:%OU% ^
  /Trustee:%TRUSTEE% ^
  /ACEType:ADS_ACETYPE_ACCESS_ALLOWED_OBJECT ^
  /ACEMask:ADS_RIGHT_DS_READ_PROP,ADS_RIGHT_DS_WRITE_PROP ^
  /ACEFlags:ADS_ACEFLAG_CONTAINER_INHERIT_ACE,ADS_ACEFLAG_INHERIT_ONLY_ACE ^
  /ObjectType:{BF9679C0-0DE6-11D0-A285-00AA003049E2} ^
  /InheritedObjectType:{BF967A9C-0DE6-11D0-A285-00AA003049E2} ^
  /DelAce+ /ADSI+ /Granular+

Note that even though this may work in most cases, Microsoft doesn't support this and this is why no tool doing this exists.

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Friday, May 20, 2005 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripting Delegation Question

I am at the latter stages of a script to pump out delegation from a business administrative model description. I've had great luck automating DSACLS to drive delegation. Now I've hit a wall though and maybe someone can help. DSACLS won't let you remove a single permission. It will let you remove all permissions for a security principal; it will let you deny; but it won't remove an allowed permission.

My goal is to be able to drive a delegation of almost full control of users and groups, whereby an admin group can do everything except delete, because we want to provision the deletion process to avoid accidental deletions. I'd like to delegate this as I would in the UI: click Full Control then UNCHECK Delete and Delete Subtree.

Does anyone have any ideas how to script this? I'd prefer not to have to dive into the security descriptor using VBScript, but if that's what it takes I'll do that, if someone has a sample.

THANKS!
Dan

(BTW: Yes, I'll be posting this tool for everyone once it's finished)
RE: [ActiveDir] delegwiz.inf file replaced with w2k3/sp1 upgrade
I've done a lot of Delegwiz.inf customization and in my experience do not believe there's a way to avoid what you experienced. The only workaround is a cheesy one. I have a workflow for post-SP repairs -- a share where I keep anything that needs to be 'replaced' after an SP.

BTW, I assume you've seen the Appendices to the Active Directory Best Practices? The Delegwiz.inf file in there rocks as a starting point. http://tinyurl.com/e3n2u

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Friday, May 20, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] delegwiz.inf file replaced with w2k3/sp1 upgrade

I think not... What I would do:
* Rename the default DELEGWIZ.INF to DELEGWIZ-SPx.ORG (where x is the service pack number)
* Create my own DELEGWIZ.INF (or customize the default) and create a copy called DELEGWIZ.INF.CUSTOM

Implement the custom DELEGWIZ.INF on all DCs that are used to configure delegation, and do the above only on one DC (like the PDC FSMO for example).

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 20, 2005 17:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] delegwiz.inf file replaced with w2k3/sp1 upgrade

We discovered today that our custom delegwiz.inf (the input file for the delegation GUI) was replaced during the upgrade from w2k3/sp0 to w2k3/sp1. 8-( Luckily, we do have backups. 8-) Anybody ever caught up in this issue? Files likely to be customized by MS customers should be handled with kid gloves by MS during standard upgrades. Is there some way to designate another location so we don't get surprised again?

Thanks!
Mike Thommes
RE: [ActiveDir] Prevent certain users being added to a group
TMK there's no way to prevent a particular account from being added to the group in this scenario. The permission you're leveraging is obviously Allow:WriteProperty:Member on the group object. Once you have that permission, you can add any member. What you'll want to do, therefore, is have some LOGIC IN THE CODE TO SOLVE THE PROBLEM, where the logic evaluates the security principal that is being requested to add to the group and decides whether or not that's kosher.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
Sent: Friday, May 20, 2005 8:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Prevent certain users being added to a group

Sorry this is short, I'm about to leave work and go on holiday for a week. This is a bit of ASP code that adds the user to the group DeniedNetAccess. There is another page that removes them and one that lists all members of the group. Use Windows Authentication in IIS to restrict access to the page and a form in which the staff can then add a student's account name (read in here as usr). If I remember after my break I'll post more.

Steven

<%
' Account name posted by the staff member's form (field "usr2").
Dim usr
usr = Request.Form("usr2")
remUserfromGroup "domainNameHere", usr, "DeniedNetAccess"
Response.Write("Internet access for " & UCase(usr) & " has been enabled")

' Removes strUsername from strGroupname through the WinNT ADSI provider.
Sub remUserfromGroup(strDomain, strUsername, strGroupname)
    Dim User
    Dim Group
    Set User = GetObject("WinNT://" & strDomain & "/" & strUsername & ",user")
    Set Group = GetObject("WinNT://" & strDomain & "/" & strGroupname & ",group")
    On Error Resume Next   ' any failure of Remove/SetInfo is swallowed; the page still reports success
    Group.Remove(User.ADsPath)
    Group.SetInfo
    Set User = Nothing
End Sub
%>

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: 20 May 2005 15:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Prevent certain users being added to a group

Steven-

I can't help with your question, but would love to hear more about your web page that allows staff to add students to an Active Directory group to deny web access.

Thanks,
Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
Sent: Friday, May 20, 2005 3:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Prevent certain users being added to a group

Hi,

Using ADSI I have a web page that allows staff to add students to an Active Directory group called DeniedNetAccess. Members of this group, as the name implies, are of course denied access to the web. How can I prevent staff from adding other members of staff to this group? Is this possible using AD permissions?

Thanks
Steven
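The "logic in the code" Dan recommends, as an added PowerShell example that is not code from this thread: the web page (or whatever front end the staff use) calls a function that checks the requested account before any write to the group. It assumes the ActiveDirectory module, that students live under "OU=Students,DC=example,DC=com" and that every staff member belongs to a group named "Staff"; all three are placeholders.

```powershell
# Added example, not code from the thread. Gatekeeps additions to DeniedNetAccess so that only accounts
# under the Students OU, and never staff, can be added, regardless of what the form submits.
# Assumed: ActiveDirectory module; placeholder OU and group names below.
Import-Module ActiveDirectory

function Add-StudentToDeniedNetAccess {
    param(
        # Only plain account names: a value taken from a web form must not reach an LDAP filter unchecked.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9._-]{1,64}$')] [string] $SamAccountName,
        [string] $GroupName  = 'DeniedNetAccess',                 # group from the thread
        [string] $StudentsOU = 'OU=Students,DC=example,DC=com',    # assumed
        [string] $StaffGroup = 'Staff'                             # assumed
    )
    $user = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'"
    if (-not $user) { throw "No such account: $SamAccountName" }

    # Check 1: the account must live under the Students OU. A staff account (or a privileged one)
    # typed into the form is rejected here, before any write happens.
    if ($user.DistinguishedName -notlike "*,$StudentsOU") {
        throw "Refusing: $SamAccountName is not under $StudentsOU"
    }
    # Check 2: belt and braces, the account must not be a (nested) member of the Staff group either.
    $staff = @(Get-ADGroupMember -Identity $StaffGroup -Recursive | ForEach-Object { $_.SamAccountName })
    if ($staff -contains $user.SamAccountName) {
        throw "Refusing: $SamAccountName is a member of $StaffGroup"
    }

    Add-ADGroupMember -Identity $GroupName -Members $user
    # Audit record for the caller to log together with the requesting staff member's identity.
    return [pscustomobject]@{
        Account = $user.SamAccountName
        Group   = $GroupName
        When    = (Get-Date).ToString('o')
    }
}

# Example call from the page's handler (assumed value):
# Add-StudentToDeniedNetAccess -SamAccountName 'jsmith'
```

Because the check runs in code rather than in the DACL, the service account behind the page still holds WriteProperty:Member on the group; keep that account's credentials out of the page itself and give it no other rights.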
[ActiveDir] Scripting Delegation Question
I am at the latter stages of a script to pump out delegation from a business administrative model description. I've had great luck automating DSACLS to drive delegation. Now I've hit a wall though and maybe someone can help. DSACLS won't let you remove a single permission. It will let you remove all permissions for a security principal; it will let you deny; but it won't remove an allowed permission. My goal is to be able to drive a delegation of almost full control of users and groups, whereby an admin group can do everything except delete, because we want to provision the deletion process to avoid accidental deletions. I'd like to delegate this as I would in the UI: click Full Control then UNCHECK Delete and Delete Subtree. Does anyone have any ideas how to script this? I'd prefer not to have to dive into the security descriptor using VBScript, but if that's what it takes I'll do that, if someone has a sample. THANKS! Dan (BTW: Yes, I'll be posting this tool for everyone once it's finished)
RE: [ActiveDir] AD DR - replication lag site
The major issue is the SPEED of recovery. With a lag site, you ONLY have to do an authoritative restore (NTDSUTIL). Without a lag site, you must first restore the AD from backup tape ('normal' restore), which can take quite some time. Then, and only then, can you do the auth restore.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, May 18, 2005 11:46 PM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello, Thanks for these interesting tips, but I didn't really understand the technology behind a lag site in the case of just a deletion of an entire OU with many objects. For example, if I have an AD 2003 domain with 2 sites: Site A has 2 DCs; Site B has one DC and is the lag site. Between the 2 sites, I scheduled replication to occur every week. In the situation of an OU deletion, I go to the DC where I made the deletion, do an authoritative restore in DS restore mode and, after reboot, wait for replication to take place in order to repopulate my whole domain with my restored OU. So how will the lag site help me in this situation? I can understand that a lag site will help me if all my DCs in site A crashed. Then I would take all information from the lag site to be restored in site A, such as copying my domain from the lag site by doing a dcpromo /adv, going to my freshly installed DCs in site A, and restoring my whole domain. However, I think I would have more up-to-date information by restoring from yesterday's backup than from the lag site... So, could you help me better understand the technology behind a lag site? I think I am misunderstanding something important ;-( Thank you for your feedback. Have a nice day :-)

Regards, Yann

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD DR - replication lag site----Why?
If the deletion occurs on DC1, then a DC (DC2) in the lag site will not receive the deletion immediately. You therefore have a window of opportunity in which the deletion may be 'undone'. The deleted object may be auth restored on DC2 and thus replicated / reanimated on DC1 (and any other DC which has received the deletion). [My terminology may not be acceptable to some - I have deliberately explained this in simplistic terms :)]

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 19 May 2005 08:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello, I must apologize, but I'm a little bit confused. You said "With a lag site, you ONLY have to do an authoritative restore (NTDSUTIL)". Do you mean that if I delete my OU on a DC in site A, all I have to do is an authoritative restore, not in site A, BUT on the DC in the lag site, reboot, and force replication to site A? And the non-authoritative restore will in fact be the data on the lag site; that explains your previous sentence? Wow! That's very clever!! Am I right?

Regards, Yann

-Message d'origine-
De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Dan Holme
Envoyé : jeudi 19 mai 2005 08:51
À : ActiveDir@mail.activedir.org
Objet : RE: [ActiveDir] AD DR - replication lag site

The major issue is the SPEED of recovery. With a lag site, you ONLY have to do an authoritative restore (NTDSUTIL). Without a lag site, you must first restore the AD from backup tape ('normal' restore), which can take quite some time. Then, and only then, can you do the auth restore.

== This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, Credit Suisse, its subsidiaries and affiliates (CS) do not waive any confidentiality or privilege. CS retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CS until they are confirmed by us. Message transmission is not guaranteed to be secure. ==
RE: [ActiveDir] AD DR - replication lag site
Changing SRV weight is NOT ENOUGH because there is still a chance that they will be used for authentication (e.g. if higher weighted records don't respond to the LDAP bind by the client fast enough). You must either prevent the SRV records from registering (per the originally-cited article, which I have not tried) or stop NetLogon, or both. All of these have minimal TCO impact because ALL can be done through GPOs (e.g. Services policy to set NetLogon to disabled).

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Killing off the rules stops those particular DCs from running the latency rules... but how do you overcome the latency rules from any DC not in a lag site with connection objects to DCs in the lag site?

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, May 19, 2005 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Marcus, I kill off the specific rules on those servers. If I'm not interested in a particular message, it's gone.

-rtk

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

For those of you that are in a MOM environment and have created a lag site, how are you overcoming the replication latency messages?

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, May 19, 2005 4:09 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD DR - replication lag site

If the deletion occurs on DC1, then a DC (DC2) in the lag site will not receive the deletion immediately. You therefore have a window of opportunity in which the deletion may be 'undone'. The deleted object may be auth restored on DC2 and thus replicated / reanimated on DC1 (and any other DC which has received the deletion). [My terminology may not be acceptable to some - I have deliberately explained this in simplistic terms :)]

neil
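Dan's point above is that the lag-site DC must not be usable for authentication at all, and that lowering its SRV weight does not achieve that. The following is an added example, not code from the thread or the cited article, that checks a lag-site DC for the three properties the discussion settles on: absent from the DC locator SRV records, Netlogon disabled, and a long replication interval on the site link. It assumes Windows PowerShell 5.1 with the DnsClient and ActiveDirectory modules; the domain name, DC name and site-link name in the usage line are hypothetical.

```powershell
# Added example (not from the thread). Verifies a lag-site DC against the discussion above.
# Assumptions: Windows PowerShell 5.1 with the DnsClient and ActiveDirectory modules;
# the domain, DC and site-link names passed in are hypothetical.
Import-Module ActiveDirectory

function Test-LagSiteDc {
    param(
        [Parameter(Mandatory)][string]$DomainDns,     # e.g. example.local (hypothetical)
        [Parameter(Mandatory)][string]$LagDc,         # host name of the lag-site DC
        [Parameter(Mandatory)][string]$LagSiteLink,   # site link that feeds the lag site
        [int]$MinIntervalMinutes = 10080              # 168 h, the interval the cited article uses
    )
    $result = [ordered]@{}

    # 1. Domain-wide locator records. A low weight is not enough (clients fall back to other
    #    records when the preferred DC is slow), so the lag DC must be absent entirely.
    $srvNames = @("_ldap._tcp.dc._msdcs.$DomainDns",
                  "_kerberos._tcp.dc._msdcs.$DomainDns",
                  "_ldap._tcp.$DomainDns")
    $advertised = foreach ($name in $srvNames) {
        Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.NameTarget -like "$LagDc.*" } |
            ForEach-Object { $name }
    }
    $result.AdvertisedIn = @($advertised)

    # 2. Netlogon on the lag DC. A GPO Services policy can set it to Disabled, as suggested
    #    above. Get-Service -ComputerName exists in Windows PowerShell 5.1 only.
    $svc = Get-Service -Name Netlogon -ComputerName $LagDc
    $result.NetlogonStatus    = [string]$svc.Status
    $result.NetlogonStartType = [string]$svc.StartType

    # 3. Replication interval on the site link into the lag site.
    $link = Get-ADReplicationSiteLink -Identity $LagSiteLink
    $result.ReplicationMinutes = $link.ReplicationFrequencyInMinutes

    $result.Ok = ($result.AdvertisedIn.Count -eq 0) -and
                 ($svc.Status -ne 'Running') -and
                 ($svc.StartType -eq 'Disabled') -and
                 ($link.ReplicationFrequencyInMinutes -ge $MinIntervalMinutes)
    return [pscustomobject]$result
}

# Usage (hypothetical names):
Test-LagSiteDc -DomainDns 'example.local' -LagDc 'LAGDC01' -LagSiteLink 'SiteA-LagSite'
```

Two things the check deliberately does not cover: the lag DC also registers site-specific records under `_sites` for its own site, which matter if any client computers are placed in that site; and a site link can be throttled by its schedule as well as its interval, so a link that passes the interval test may still replicate more often than intended if the schedule window is wide.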
RE: [ActiveDir] AD DR - replication lag site
I have several large clients who are going this direction and are in testing right now. Things look quite good. I had read somewhere that an alternative approach to preventing authentication to the 'lag' DCs was to stop the Netlogon service. The approach of removing DNS records seems more elegant, and I'll be interested to hear people's thoughts on these alternatives.

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Wednesday, May 18, 2005 6:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DR - replication lag site

I am interested in your thoughts regarding this suggestion for DR: http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html (You may need to register) Basically it states that you should create another AD site and set the replication for 168 hours.

Thank you, ...D
RE: [ActiveDir] delegation not working on Win2k AD
Title: Re: [ActiveDir] delegation not working on Win2k AD

I wonder if something is just broken (and missed) as you've been making changes. It sounds like everything is in place correctly. You might try this, as it will serve you well in many ways:

Background
It is a best practice not to be adding computers willy-nilly to the Computers container, since it is unmanaged. You'll probably want to be adding computers to an actual OU, to which you've linked appropriate GPOs. It is also a best practice to create the computer account in advance of joining the computer to the domain, or to use NETDOM or WMI to join computers to the domain, so that one way or another they end up in the correct (end state) OU, rather than in a generic container. If you have W2K3 domain functional level, you can also redirect the default Computers container into a custom OU. See http://support.microsoft.com/default.aspx?scid=kb;en-us;324949 .

Suggestion
Start over with your task, since you've tried everything and have done things well. Start with a fresh OU, delegate your techs group the CC (Create Child) and GA (Full Control) of computer objects in the OU. Test by logging on as a tech and using ADUC to create a computer object; then join a workstation (same name) to the domain. See what breaks, if anything. If anything breaks, create a NEW tech user account, put it in the same group that has been delegated permissions, and try again. If the new tech can add computers (using ADUC) to the new OU and join computers to the new accounts, try one last round of the new tech doing the same thing back in your old container.

NEXT STEPS
I'd be happy to *try* to help you directly if you'd like. LMK where exactly things are breaking. I'd just need to look at the ACL on the Computers container and your new OU and an RSoP of a Technician.

1) Use the following command to dump the permissions on the container:
   dsacls CN=Computers,DC=windomain,DC=local > desktop\dsaclsdump.txt
   Replacing the domain name and/or Container/OU as appropriate.
2) Please run two RSoP reports using the Group Policy Management Console:
   a. A Technician on a technician's computer
   b. A Technician on a domain controller
   Save the reports (they come out as HTML).

Send me the three files (I probably don't need all three, but they'll be helpful). I don't have *tons* of time today, but I'll be happy to take a quick look. My email is dan-dot-holme-at-intelliem-dot-com.

Dan Holme

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Wednesday, May 18, 2005 6:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] delegation not working on Win2k AD

Hi Rick, Thanks for the answer. I double checked and I already have the technicians' full control on computer objects set on the Computers container. Any other ideas?

De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Rick Kingslan
Envoyé: Tuesday, May 17, 2005 6:09 PM
À: ActiveDir@mail.activedir.org
Objet: RE: [ActiveDir] delegation not working on Win2k AD

I agree with many of the other posts here: the domain level is likely the correct area to do this, simply because the usual location for a joined computer is the Computers container, not an OU. If they don't have access to the container, then they aren't going to be able to join them. What is the scope of the delegated permissions? Is it "This object and all child objects"? Also, I think that I'd create a new delegation in the Advanced properties of the AD Security tab (it might exist; if you aren't used to using the Advanced view of Security in AD, you won't see it) for the techs. This time, however, you are going to want to select Computer Objects from the dropdown, then select Full Control for the techs. Save this. If you don't have a clear idea on how to proceed, reply back. I'll send or post detailed instructions with pictures, if necessary, on how to do exactly what you want.

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Tuesday, May 17, 2005 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] delegation not working on Win2k AD

Hi, Thanks for the hint, but I did it too. Here are the settings I have. In the user rights the group technicians is allowed to add computers to the domain. I also have the following perms on the Computers OU:
List content
Read all properties
Write all properties
Read permissions
Create computer objects
Delete computer objects
Read Container info
Write container info
Read heuristics
Write heuristics
I used the delegation wizard on the domain, not on the OU. Is there anything else I'm missing? Thanks

De: TIROA YANN [mailto:[EMAIL PROTECTED] De la part de TIROA YANN
Envoyé: Tuesday, May 17, 2005 2:23 PM
À: ActiveDir@mail.activedir.org; Bruyere, Michel
Objet: RE: [ActiveDir] delegation not working on Win2k AD

Hello ;-) If You
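Two delegation problems on this page come down to writing a specific ACE that the wizard or DSACLS does not express directly: Dan Holme's "Full Control minus Delete and Delete Subtree" in the Scripting Delegation Question above, and the "CC and GA of computer objects" he suggests for Michel's technicians here. The following added example, which is not Dan's tool and not the steps Rick or Michel posted, writes both straight into an OU's security descriptor through System.DirectoryServices and reads the result back. The OU DNs and group names are hypothetical; the two schemaIDGUIDs are the fixed, well-known values for the user and computer classes.

```powershell
# Added example (not Dan's tool): write delegation ACEs that DSACLS cannot express as an
# allow (Full Control minus Delete/Delete Subtree) and the technicians' CC + GA on computers.
# OU DNs and group names below are hypothetical; the class GUIDs are the real schemaIDGUIDs.
Add-Type -AssemblyName System.DirectoryServices

$UserClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of 'user'
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of 'computer'

function Grant-ObjectRights {
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$Identity,   # DOMAIN\Group
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [Guid]$ObjectType = [Guid]::Empty,           # child class (for CreateChild) or property
        [Guid]$InheritedObjectType = [Guid]::Empty   # descendant class the ACE applies to
    )
    $ou  = [ADSI]"LDAP://$OuDn"
    $acl = $ou.psbase.ObjectSecurity
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate(
               [System.Security.Principal.SecurityIdentifier])
    # Overload: (identity, rights, type, objectType, inheritanceType, inheritedObjectType)
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, $Rights, ([System.Security.AccessControl.AccessControlType]::Allow),
        $ObjectType, $Inheritance, $InheritedObjectType
    $acl.AddAccessRule($rule)      # merges with the existing DACL; nothing is removed
    $ou.psbase.CommitChanges()
}

function Get-ObjectRights {
    # Read back what was written (the scripted counterpart of the dsacls dump above).
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][string]$Identity)
    $ou = [ADSI]"LDAP://$OuDn"
    $ou.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                      InheritedObjectType, InheritanceType
}

# 1) Full Control minus Delete and Delete Subtree on user objects under the OU: GenericAll
#    with the DELETE and DELETE_TREE bits cleared, which is what the UI produces when you
#    tick Full Control and untick those two.
$R    = [System.DirectoryServices.ActiveDirectoryRights]
$mask = [int]($R::GenericAll) -band (-bnot ([int]($R::Delete) -bor [int]($R::DeleteTree)))
Grant-ObjectRights -OuDn 'OU=Users,DC=example,DC=local' -Identity 'EXAMPLE\UserAdmins' `
    -Rights ([System.DirectoryServices.ActiveDirectoryRights]$mask) `
    -Inheritance Descendents -InheritedObjectType $UserClass

# 2) Technicians: create computer objects in the OU (and sub-OUs), and full control of the
#    computer objects beneath it. DSACLS equivalents of the same two ACEs:
#      dsacls "OU=Workstations,DC=example,DC=local" /I:T /G "EXAMPLE\Technicians:CC;computer"
#      dsacls "OU=Workstations,DC=example,DC=local" /I:S /G "EXAMPLE\Technicians:GA;;computer"
Grant-ObjectRights -OuDn 'OU=Workstations,DC=example,DC=local' -Identity 'EXAMPLE\Technicians' `
    -Rights CreateChild -Inheritance All -ObjectType $ComputerClass
Grant-ObjectRights -OuDn 'OU=Workstations,DC=example,DC=local' -Identity 'EXAMPLE\Technicians' `
    -Rights GenericAll -Inheritance Descendents -InheritedObjectType $ComputerClass

Get-ObjectRights -OuDn 'OU=Workstations,DC=example,DC=local' -Identity 'EXAMPLE\Technicians'
```

One caveat on the first case: GenericAll expands to the standard rights as well, so "Full Control minus Delete" still carries WRITE_DAC on the user objects, and a member of the delegated group can grant Delete back to themselves. If the point of withholding Delete is to force deletions through a provisioning process rather than to guard against a careless click, clear WriteDacl and WriteOwner from the mask in the same way.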
RE: [ActiveDir] Windows / AD Conferences
Windows Connections is a pretty unique event, in that you have access to the best 'gurus' around (many of us also present at TechEd, DEC, and TechMentor) but it's generally a MUCH more sane environment with fewer attendees, so you'll get MUCH more 'face time' with the experts than you would elsewhere. Imagine yourself with a question you want answered in a room of 500-1000+ versus 80-150. You get the picture. We've also instituted some really cool ways for you to get the answers you need (i.e. free consulting) in our Ask the Experts booth (manned by the gurus during all breaks and meals) and a new "brain share" format where selected sessions (e.g. my AD session in October) are open format, specifically to address attendee issues. OK, it's a shameless plug, but it's good for you to know about since you're asking.

Dan Holme

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, May 18, 2005 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows / AD Conferences

I would go to the one where John Craddock was presenting.

Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 18 May 2005 22:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows / AD Conferences

Be nice to get to go to more than one. :-) DEC

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jorge de Almeida Pinto
Sent: Tuesday, May 17, 2005 5:11 AM
To: 'Charlie Saliba '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Windows / AD Conferences

DEC, IT Forum, TechEd

#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/17/2005 4:35 AM
Subject: [ActiveDir] Windows / AD Conferences

If you had to go to three conferences a year on Microsoft Windows / Active Directory / Security, which would you attend?

Thanks, Charlie

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Sites and Folder Redirection | more
I have not seen a reply to this thread so I thought I might pitch in my thoughts. In my geographically distributed clients, we face the same problem. We address it using global groups to represent the geographic location of users. If a user is transferred to another site (location) we change their global group membership. The global group is used either to filter a GPO redirecting folders to a specific server (or via a site-related DFS link), or the groups are used in a single GPO to create advanced folder redirection, whereby you can point groups to different servers. That way, traveling users, dial-in users, etc. were accessing their folder-redirected folders on their home server; we didn't want to replicate tons of user data in those environments just for the few. So to make a long story short, we just didn't use site-linked GPOs for anything to do with user data. It also made it much easier on the help desk issues, since the help desk could change the membership of these location-related global groups easily.

Dan Holme
Intelliem

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, May 12, 2005 3:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sites and Folder Redirection | more

Hello: I am working with redirecting My Documents in various sites. I have some follow-up questions to the thread I started a few months ago. Some sites have poor connectivity. There is no replication of data between sites (for home directories). Laptop users use Offline Files. Single domain, W2k. All redirection is handled via User GPOs. The root Home directory resides on a file server at each site; users at that site point there based on the GPO. Security is defined as per MSKB 274443.

Where to apply the GPO? As Aric pointed out, applied at the Site level it will cause users to redirect to the local Home share when they just drop by with their laptops. What happens to Offline Files in this case? It seems better to create OUs for users at each Site and apply the GPO there. Under this scenario, would Slow Link Detection prevent the redirection from trying to find Home over the slow WAN link? Would it then just resort to Offline Files?

Finally, if we use DFS to create a unified namespace, all user home directories would be created under a single Home directory. Without folder replication, how would we control the Site and file server where the folder actually gets created?

Many TIA.
-- nme
RE: [ActiveDir] Strange problem
To add to what Joe just said, you might run

   DSACLS "DN of OU" /S /T

This command will reset the permissions on the OU *and* all objects beneath it to the default set by the schema. This might help prevent any junk other than the perms you're trying to set from causing problems... This is what it sounds like -- a RESET TO DEFAULT -- so don't use it if you have other delegation attached to the OU that you want to preserve. However, the default DOES include inherit, so any perms attached explicitly to OUs (or the domain) above this OU will be inherited.

Dan