RE: [ActiveDir] Domain Local Groups vs Global Groups

2006-07-26 Thread Dan Holme

Local groups are so 1990s <grin>. Because they exist on individual systems, they are virtually unmanageable (save via Restricted Groups policies). Fugghedaboutem.



DOMAIN LOCAL groups are what you probably mean, or should mean. They exist as a single instance in Active Directory, instead of the multiple-local-groups-one-each-server model of NT4.

The best practice in a SINGLE DOMAIN (or a single active domain with an empty forest root domain) is:

    Users -> Global Groups -> Domain Local Groups -> ACL

Users go into global groups (which in Windows Server 2000 or greater domain functional level can be further nested into other global groups if necessary).

Global groups nest into domain local groups.

ACLs are assigned to domain local groups.

In a multidomain forest, best practice is the above *OR*

    Users -> Global Groups -> Universal Groups -> Domain Local Groups -> ACL

    Or

    Users -> Global Groups | Universal Groups -> ACL

Universal groups are really useful in multidomain forests for defining things like "My Company Executives", where each domain has a (global) Executives role defined, and those nest into a super group.

WHY this complexity? It yields optimal replication (though that's more of a technicality these days, in a single domain, since many/most organizations are making every DC a global catalog server). More importantly, it sets you up for effective role-based management in a dynamic enterprise. Domain Local Groups as the access group enable cross-domain access, which may not seem important to you today ("we have just one domain") but will become important the day there's a joint venture, acquisition, merger, etc. If it seems too complex to figure out the why, then stop asking and just do it ;-)



There is no *technical* better or worse about ACLing resources to global groups. For that matter, you could ACL resources to each and every user. Why don't you do that? Because it's obviously unmanageable. Doing it to global groups is equally, if not as obviously, unmanageable, particularly in the long term. That said, there's a very minor technical difference that deals with the size of your PAC in your Kerberos ticket, so please don't take me to the mat for not detailing that; it's technical more than practical. What should be driving your design is the need for ROLE BASED MANAGEMENT of your enterprise.



Role based management, as far as resources go, should be discussed in terms of Roles (people / groups of people) and Management (in this case, managing access to a resource). Roles define who someone is; you could describe them by their roles (job, function, department, business unit, geographical location, seniority, etc.). Just so happens that roles should be defined using global security groups and, yes, roles nest within roles (global -> global), so your departmental management role groups might very well nest into a corporate managers role group. Say, for example, that you define your brokers as to whether they are just brokers (global group: ROLE_Brokers) or supervisors (ROLE_Broker_Sups). Let's say you also have a team of auditors (ROLE_Auditors).



Management groups (for dealing with resource access, in this case) are typically domain local groups. But don't think of them as their technical scope (domain local); think of them as their purpose: to manage access to a resource. So, for example, if you have a share for your broker data, you might have the following resource access management groups that parallel specific access levels to that share:

- ACL_BrokerData_Editors (ACL = a group for access control; Editors = MODIFY permission)

- ACL_BrokerData_Contributors (Contributors = permissions to create new files/folders and to modify own creations; but read-only to other people's stuff)

- ACL_BrokerData_Readers (Read access)



With those three resource access groups, you can manage access to that resource by defining which roles get what access. Nest your role groups into your management groups (global -> domain local, technically). So your business might lead you to say "brokers can add things to this share and read but not modify other people's stuff." That would be nesting Role_Brokers into ACL_BrokerData_Contributors. Role_Broker_Sups might be given modify permission by nesting them into ACL_BrokerData_Editors. And your auditors might be nested into the ACL_BrokerData_Readers group.



You are now headed towards ROLE BASED MANAGEMENT. When an employee is promoted from broker to supervisor, you change their role membership (out of Role_Brokers, into Role_BrokerEditors) and voila, they now have access to this (and other) data store(s) based on the new role's access. Ideally, you tie your role groups to your HR system so that any change to roles of an employee are

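The ROLE_ / ACL_ model in Dan's message, expressed as PowerShell with the ActiveDirectory module. This is an added example, not code from the thread: it creates the global role groups and domain local access groups, nests global into domain local, and places only the ACL_ groups on the NTFS share. The OU, the share path and the domain prefix are placeholders; the "Contributors" semantics (create and modify your own, read everyone else's) are implemented with a CREATOR OWNER inherit-only entry, a standard NTFS idiom that the message itself does not spell out.

```powershell
# Added example (not from the original thread). Requires the ActiveDirectory module
# (RSAT) plus rights to create groups in $GroupOu and to edit the share's ACL.
Import-Module ActiveDirectory

$GroupOu   = 'OU=Groups,DC=example,DC=com'   # placeholder OU for the new groups
$SharePath = 'D:\Shares\BrokerData'           # placeholder path of the broker data share
$Domain    = $env:USERDOMAIN                  # NetBIOS domain used in NTFS identities

# Roles (who people are): GLOBAL security groups.
$RoleGroups = 'ROLE_Brokers', 'ROLE_Broker_Sups', 'ROLE_Auditors'

# Resource access management groups (what they may do to one resource): DOMAIN LOCAL.
# Keys are the ACL_ groups, values the role groups nested into them (global -> domain local).
$AccessGroups = @{
    'ACL_BrokerData_Editors'      = @('ROLE_Broker_Sups')   # MODIFY
    'ACL_BrokerData_Contributors' = @('ROLE_Brokers')       # create + modify own, read the rest
    'ACL_BrokerData_Readers'      = @('ROLE_Auditors')      # read only
}

# NTFS entries giving each ACL_ group its access level. Contributors get read everywhere
# plus create rights on folders only; CREATOR OWNER (inherit-only) is what turns
# "create" into "modify what you created yourself".
$NtfsRules = @(
    @{ Identity = "$Domain\ACL_BrokerData_Editors";      Rights = 'Modify';                         Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'None' }
    @{ Identity = "$Domain\ACL_BrokerData_Readers";      Rights = 'ReadAndExecute';                 Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'None' }
    @{ Identity = "$Domain\ACL_BrokerData_Contributors"; Rights = 'ReadAndExecute';                 Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'None' }
    @{ Identity = "$Domain\ACL_BrokerData_Contributors"; Rights = 'CreateFiles, CreateDirectories'; Inherit = 'ContainerInherit';                Propagate = 'None' }
    @{ Identity = 'CREATOR OWNER';                       Rights = 'Modify';                         Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'InheritOnly' }
)

function New-GroupIfMissing {
    param([string]$Name, [string]$Scope)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $GroupOu)) {
        New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope -GroupCategory Security -Path $GroupOu
    }
}

# 1. Create the role (global) and access (domain local) groups.
foreach ($r in $RoleGroups)        { New-GroupIfMissing -Name $r -Scope Global }
foreach ($a in $AccessGroups.Keys) { New-GroupIfMissing -Name $a -Scope DomainLocal }

# 2. Nest roles into access groups. Changing a person's role later is a membership
#    change on a ROLE_ group only; the ACL on the share is never touched again.
foreach ($a in $AccessGroups.Keys) {
    Add-ADGroupMember -Identity $a -Members $AccessGroups[$a]
}

# 3. Put the ACL_ groups (never users, never ROLE_ groups) on the resource.
$acl = Get-Acl -Path $SharePath
foreach ($rule in $NtfsRules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $rule.Identity,
        [System.Security.AccessControl.FileSystemRights]$rule.Rights,
        [System.Security.AccessControl.InheritanceFlags]$rule.Inherit,
        [System.Security.AccessControl.PropagationFlags]$rule.Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $SharePath -AclObject $acl

# The promotion from the message (placeholder user): move the person between ROLE_ groups only.
# Remove-ADGroupMember -Identity ROLE_Brokers     -Members jdoe -Confirm:$false
# Add-ADGroupMember    -Identity ROLE_Broker_Sups -Members jdoe
```

Run it once as an administrator to build the structure; afterwards the only day-to-day operation is ROLE_ group membership, which is also the only thing an HR feed needs to drive.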
RE: [ActiveDir] Domain Local Groups vs Global Groups

2006-07-26 Thread Dan Holme

That's what I get for reading my inbox up. David: do read my treatise in my earlier email.

But Matt Hargraves' response did raise the one technical issue I only alluded to: token size. He's right to raise a flag about Exchange.

Depending on the complexity of your role-based design and whether you use Exchange (2003 or 2000; 2007 seems to be exempt from this issue) and your Exchange architecture, you do have to watch for the number of total groups a user belongs to. A large number of group memberships will reduce the effective maximum users per Exchange server level somewhat, but whether that "somewhat" would be salient depends on several factors.

To tie together what Matt discussed and what I proposed, my discussion lays out a design that integrates both RBS and ABS. You definitely want role-based management. Whether you also go to the level I outlined of managing ACLs depends on your environment: more resources, more complex security, and more spread out resources, and you'll be better served by the design I described. In a simpler environment (e.g. "we have a departmental share with each department having a subfolder" on the extreme side), you don't necessarily need the ABS layer.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Wednesday, July 26, 2006 8:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Local Groups vs Global Groups

I'd be interested to hear people's strategy for permissioning Windows-based file servers when the server is in a Windows 2003 domain. I have read the best practices about putting users into global groups, then put the global groups into local groups, then permission the resource with the local group. But:

1. Is it better practice to put the domain local group into a local group on the file server and then use this local group to permission the share/folder? Is this excessive? I have read something about performance or avoiding limits by using the server local group when the access token is created.

2. What shortcomings would there be in putting users into global groups then simply permissioning the global group onto the resource? We only have a single forest/domain.

I am also aware of Universal groups but let's put these to one side for the moment ;-)

Thanks

David


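The token-size concern that Dan and Matt raise can be measured instead of guessed at. As an added example (not from the thread), the PowerShell below estimates a user's Kerberos token size from the flattened tokenGroups attribute using the sizing rule Microsoft published in KB 327825 (TokenSize is about 1200 + 40d + 8s bytes, where d counts domain local groups, universal groups from other domains and SID history entries, and s counts global groups and universal groups from the user's own domain). The 12,000-byte default MaxTokenSize of that era, the OU path, and the single-domain assumption (group SIDs are resolved against the current domain only, matching David's environment) are mine, not the thread's.

```powershell
# Added example (not from the original thread). Needs the ActiveDirectory module and an
# account allowed to read the users' tokenGroups attribute (an admin account is simplest).
Import-Module ActiveDirectory

function Get-TokenSizeEstimate {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [int]$MaxTokenSize = 12000)   # default MaxTokenSize documented in KB 327825 for that era
    $user = Get-ADUser -Identity $SamAccountName -Properties SIDHistory
    $userDomainSid = $user.SID.AccountDomainSid

    # tokenGroups is a constructed attribute: the DC expands all nesting and returns the
    # flat list of group SIDs that would be placed in the user's token (PAC).
    $entry = [ADSI]"LDAP://$($user.DistinguishedName)"
    $entry.RefreshCache(@('tokenGroups'))
    $sids = foreach ($bytes in $entry.Properties['tokenGroups']) {
        New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    }

    $counts = @{ DomainLocal = 0; Global = 0; Universal = 0; Unresolved = 0 }
    $d = @($user.SIDHistory).Count   # SID history entries count like domain local groups
    $s = 0
    foreach ($sid in $sids) {
        # Single-domain assumption: SIDs from other domains will land in "Unresolved".
        $group = Get-ADGroup -Identity $sid.Value -Properties GroupScope -ErrorAction SilentlyContinue
        if (-not $group) { $counts.Unresolved++; continue }
        $scope = [string]$group.GroupScope
        $counts[$scope]++
        switch ($scope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($sid.AccountDomainSid -eq $userDomainSid) { $s++ } else { $d++ } }
        }
    }
    $estimate = 1200 + 40 * $d + 8 * $s   # KB 327825 sizing rule
    [pscustomobject]@{
        User           = $user.SamAccountName
        TokenGroups    = @($sids).Count
        DomainLocal    = $counts.DomainLocal
        Global         = $counts.Global
        Universal      = $counts.Universal
        Unresolved     = $counts.Unresolved
        SIDHistory     = @($user.SIDHistory).Count
        EstimatedBytes = $estimate
        OverLimit      = ($estimate -gt $MaxTokenSize)
    }
}

# Report every enabled user in an OU (placeholder DN), worst offenders first.
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Brokers,DC=example,DC=com' |
    ForEach-Object { Get-TokenSizeEstimate -SamAccountName $_.SamAccountName } |
    Sort-Object EstimatedBytes -Descending |
    Format-Table User, TokenGroups, DomainLocal, Global, Universal, EstimatedBytes, OverLimit -AutoSize
```

The point of the per-scope breakdown is the one Dan only alludes to: under this rule a domain local group costs five times as much token space as a global group, so the ACL_ layer, not the ROLE_ layer, is what drives token growth when it is applied to many resources.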
RE: [ActiveDir] Folder redirection exceptions?

2006-03-28 Thread Dan Holme

I don't know why my reply was invisible, but I *am* going to tackle this. I am being tasked with a similar task for a client so I'm guessing I'll be doing it within the next 1-2 weeks. Sorry for the delay.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Arnold Arce
Sent: Wednesday, March 22, 2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Folder redirection exceptions?

Is it me, or are Dan Holme's replies invisible?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Friday, March 17, 2006 5:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Folder redirection exceptions?

RE: [ActiveDir] View Delegated Tasks?

2006-03-28 Thread Dan Holme

<teaser>

For anyone who's going to Windows Connections in Orlando, come to my Advanced Delegation session. I'll show you an option that is so simple and powerful for delegating and then being able to pull reports on your delegation that it will blow your mind. Believe me, I'm not tooting my own horn; I'm no brainiac; the key word was SIMPLE.

</teaser>

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, March 23, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] View Delegated Tasks?

You can however use something like DSRevoke to build a report: http://www.microsoft.com/downloads/details.aspx?FamilyID=77744807-c403-4bda-b0e4-c2093b8d6383&DisplayLang=en.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, March 23, 2006 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] View Delegated Tasks?

You can't. The delegate wizard is write only. You have to look at the security descriptor on the OU and figure out what changes were made.

Wook Lee

AD Architect - HP IT

From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Fri 3/17/2006 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] View Delegated Tasks?

When I delegate permissions to a group in ADUC to a specific OU (using the Delegate Wizard), how can I go back and see who was delegated and the permissions?

Devon Harding

Windows Systems Engineer

Southern Wine & Spirits - BSG

954-602-2469

RE: [ActiveDir] ou delegation - change password at next logon

2006-03-28 Thread Dan Holme
If you're an IT Pro mag subscriber, check this out:
http://www.windowsitpro.com/Article/ArticleID/41105/41105.html

If not, here's a QUICK summary...

1) At the BOTTOM of this message, copy everything.
ON THE MACHINE *FROM* WHICH YOU DO YOUR DELEGATION (i.e. your machine):
2) BACK UP %windir%\inf\delegwiz.inf
3) REPLACE it with the text you copied below.
4) ALSO back up the 'new' file, since a service pack could theoretically stomp back on the old lame file.
5) Re-launch ADUC and you'll now see exactly the task you need to delegate in the delegation of control wizard.

You need reset password (a 'control right') and specify user must
change password at next logon (a permission to change the pwdLastSet
attribute of the user account -- setting it to 0 forces change at next
logon; and when you check the box in the UI, you're setting it to 0).

If by some chance you're coming to Windows Connections in Orlando, I'll
be doing this at my delegation session as an example.

Dan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Tuesday, March 28, 2006 7:45 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] ou delegation - change password at next logon

Dear all, was wondering if someone could give us a view on the delegation of the 'user must change password at next logon'.

It seems that having applied the delegation (using Windows 2000 delegation wizard on a Windows 2000 domain) that allows 'reset password on user objects', the delegate can check the box from ADUC, but this does not in fact set the above attribute.

It would seem that we are going to need to apply a custom delegation, from which it is not immediately obvious how to delegate the setting of this attribute.

Would anyone be able to offer a 'walkthrough' using the Windows 2000 delegate control wizard??

Thanks

GT


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


=START COPYING BELOW

[Version]
signature=$CHICAGO$

[DelegationTemplates]

Templates = template1, template2, template3, template4, template5,
template6, template7, template8, template9, template10, template11,
template12, template13, template14, template15, template16, template17,
template18, template19, template20, template21, template22,
template23,template24, template25, template26, template27, template28,
template29, template30, template31, template32, template33,template34,
template35, template36, template37, template38, template39, template40,
template41, template42, template43,template44, template45, template46,
template47, template48, template49, template50, template51, template52,
template53,template54, template55, template56, template57, template58,
template59, template60, template61, template62, template63,template64,
template65, template66, template67, template68, template69, template70
;-
[template1]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = Create, delete, and manage user accounts

ObjectTypes = SCOPE, user

[template1.SCOPE]
user=CC,DC

[template1.user]
@=GA
;-

;-
[template2]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = Reset user passwords and force password change at next
logon

ObjectTypes = user

[template2.user]
CONTROLRIGHT= Reset Password
pwdLastSet=RP,WP
;--


;--
[template3]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = Read all user information

ObjectTypes = user

[template3.user]
@=RP

;--
[template4]
AppliesToClasses = organizationalUnit,container

Description = Create, delete and manage groups

ObjectTypes = SCOPE, group

[template4.SCOPE]
group=CC,DC

[template4.group]
@=GA

;--


;--
[template5]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = Modify the membership of a group

ObjectTypes = group

[template5.group]
member=RP,WP
;--


;--
[template6]
AppliesToClasses = domainDNS

Description = Join a computer to the domain

ObjectTypes = SCOPE

[template6.SCOPE]
computer=CC
;--



;--
[template7]
AppliesToClasses = domainDNS,organizationalUnit,site

Description = Manage Group Policy links

ObjectTypes = SCOPE

[template7.SCOPE]
gPLink=RP,WP
gPOptions=RP,WP
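What template2 above declares (the "Reset Password" control right plus RP,WP on pwdLastSet, scoped to user objects) can also be written directly as two ACEs on the OU, and Wook Lee's remark in the "View Delegated Tasks?" thread (the wizard is write-only; read the security descriptor on the OU) can be turned into a report of the same descriptor. The following is an added example, not code from the thread or from delegwiz.inf; it uses the ActiveDirectory module's AD: drive, the well-known schema and extended-right GUIDs for the user class, pwdLastSet and Reset Password, and placeholder OU and group names.

```powershell
# Added example (not from the original thread). Requires the ActiveDirectory module
# (RSAT) and the right to modify the OU's security descriptor.
Import-Module ActiveDirectory

# Well-known schema / extended-right GUIDs referenced by the ACEs.
$UserClassGuid     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # objectClass: user
$PwdLastSetGuid    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # attribute: pwdLastSet
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # control right: Reset Password

function Grant-PasswordResetDelegation {
    param([Parameter(Mandatory)][string]$OuDn,       # e.g. 'OU=Staff,DC=example,DC=com' (placeholder)
          [Parameter(Mandatory)][string]$GroupName)  # e.g. 'HelpDesk_PwdReset' (placeholder)
    $sid     = (Get-ADGroup -Identity $GroupName).SID
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $acl     = Get-Acl -Path "AD:\$OuDn"

    # CONTROLRIGHT = Reset Password, on descendant user objects only.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        $ResetPasswordGuid, $inherit, $UserClassGuid)))

    # pwdLastSet = RP,WP on descendant user objects only; writing 0 to it is what the
    # "User must change password at next logon" checkbox does.
    $rpwp = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rpwp, $allow, $PwdLastSetGuid, $inherit, $UserClassGuid)))

    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-OuDelegationReport {
    param([Parameter(Mandatory)][string]$OuDn)
    $rootDse = Get-ADRootDSE
    # Map GUIDs back to names: schema classes/attributes and extended (control) rights.
    $names = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
        ForEach-Object { $names[[guid]$_.schemaIDGUID] = $_.name }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
        ForEach-Object { $names[[guid]$_.rightsGuid] = $_.displayName }
    function Resolve-Name([guid]$g) {
        if ($g -eq [guid]::Empty) { '(all)' } elseif ($names.ContainsKey($g)) { $names[$g] } else { $g.ToString() }
    }
    # The Delegation of Control wizard writes ACEs directly on the OU, so the
    # non-inherited entries are the record of what was delegated there.
    (Get-Acl -Path "AD:\$OuDn").Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        [pscustomobject]@{
            Trustee    = $_.IdentityReference.Value
            Type       = $_.AccessControlType
            Rights     = $_.ActiveDirectoryRights
            ObjectType = Resolve-Name $_.ObjectType            # attribute / control right, or (all)
            AppliesTo  = Resolve-Name $_.InheritedObjectType   # object class the ACE is scoped to
            Inherit    = $_.InheritanceType
        }
    }
}

# Usage (placeholder names):
# Grant-PasswordResetDelegation -OuDn 'OU=Staff,DC=example,DC=com' -GroupName 'HelpDesk_PwdReset'
# Get-OuDelegationReport -OuDn 'OU=Staff,DC=example,DC=com' | Format-Table -AutoSize
```

After the grant, the report should show two Allow entries for the group: ExtendedRight with ObjectType "Reset Password" and ReadProperty, WriteProperty with ObjectType "pwdLastSet", both with AppliesTo "user" and InheritanceType Descendents. Anything else that is non-inherited on the OU is a delegation someone made earlier and worth reviewing.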

RE: [ActiveDir] When and how often are EA rights needed?

2006-03-14 Thread Dan Holme

EA rights, once a forest is deployed and delegated, are needed only for "in case of emergency, break glass", i.e. pretty much never. When you're talking EA, you're pretty much talking the Administrator account of the forest root domain (first domain installed), so think of them one and the same: you will be locking down that Administrator account to lock down EA. Either it's the ONLY account in the EA group (default) or any other account in EA should be locked down pretty much equivalently.

The "break glass" scenario is, particularly in a multi-domain forest, someone does some nasty delegation (ACL modification) that effectively locks out an OU. Just like you could, theoretically, lock yourself out of an NTFS folder. Just like an NTFS folder, the owner of the folder ALWAYS can change the ACL and open it back up again. In AD the owner is EA; it owns the forest. So, one container at a time, EA will be able to dig down and unblock.

Case study: One client of mine (100k employees) has only three accounts in the EA group, which in their case is in a dedicated forest root. I don't believe they've used the accounts in over a year. Another client (global financial services company) has ONLY the default Administrator account in EA, and that account has had a three-way password created: three admins each entered PART of a password, the password pieces were put into an envelope in a physically secure location in Europe and another in N. America. AFAIK they haven't used it since they locked the account down.

Read the MS doc "Best practices for AD Delegation" to effectively delegate your forest, PARTICULARLY if you have more than one domain in your forest. The things that tend to get missed that impact day-to-day or even occasional operations are things like delegating the creation of sites, subnets, and site links; the ability to kick off replication (not recommended, but...); and authorizing new DHCP servers. I'm sure that others on the list will have other tips as well.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 14, 2006 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] When and how often are EA rights needed?

We're trying to understand when EA rights are needed within a multi domain forest, where each domain represents a fairly autonomous region.

Mgmt have suggested that the following is true:
- EA not needed on daily basis
- EA rights rarely needed after initial deployment

Can anyone please throw a few reasons at me why you would need EA rights on a daily basis? Troubleshooting? Diagnosis?

How would you be impacted if you had to request access to an EA account each time it was required?

I'd like to build a case whereby we have permanent EAs and would like some additional ammo from you guys :)

***Feel free to argue against my views and explain to me how/why you *could* manage a forest such as the above, without access to an EA account on a daily basis.

Thanks,

neil

RE: [ActiveDir] When and how often are EA rights needed?

2006-03-14 Thread Dan Holme

That's an ENTIRELY different question, but here's MY two cents' worth. In 90-98% of enterprises, if you were to begin designing an AD forest today knowing everything that has been learned in real world implementations of AD over the past 7 years, you would NOT end up with a dedicated forest root domain. So the answer to your question is, "It depends, but there probably AREN'T three reasons."

There's a LOT of background to that abrupt statement. Read the Best Practices documents on AD security & delegation & design and you'll begin to see. It's just too big of a topic to tackle in this forum. Unfortunately, I really don't have bandwidth right now to support the likely responses that this might generate in the group but, Rocky (or anyone), if you want to contact me directly we can chat about it; I just can't monitor the group regularly right now. You can email me directly at dan dot holme at intelliem dot com.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, March 14, 2006 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] When and how often are EA rights needed?

Dan,

Thanks for posting this. Now ... could you spend just a minute giving us the top three reasons (if there are any at all) on why one would have a Dedicated Forest Root domain versus just a single domain.

I personally, would appreciate it ...

Thank you again.

RH

RE: [ActiveDir] When and how often are EA rights needed?

2006-03-14 Thread Dan Holme

Check out the Delegation paper I mentioned. EA has a lot of delegations; the few I mentioned there are the most important DAY-TO-DAY. There are tons of detailed, techy/geeky things that are critical to AD internals & security; you want to keep those things tightly secured and delegate OUT the day-to-day stuff.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 14, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] When and how often are EA rights needed?

Case study: One client of mine (100k employees) has only three accounts in the EA group, which in their case is in a dedicated forest root. I don't believe they've used the accounts in over a year. Another client (global financial services company) has ONLY the default Administrator account in EA, and that account has had a three-way password created: three admins each entered PART of a password, the password pieces were put into an envelope in a physically secure location in Europe and another in N. America. AFAIK they haven't used it since they locked the account down.

So how do they manage and t.shoot their AD?

Read the MS doc "Best practices for AD Delegation" to effectively delegate your forest, PARTICULARLY if you have more than one domain in your forest. The things that tend to get missed that impact day-to-day or even occasional operations are things like delegating the creation of sites, subnets, and site links; the ability to kick off replication (not recommended, but...); and authorize new DHCP Servers. I'm sure that others on the list will have other tips as well.

IMHO, if you have rights to do all the above, you are an EA equivalent any way :)

Thanks for the comments.

neil

RE: [ActiveDir] Folder redirection exceptions?

2006-03-14 Thread Dan Holme
Ken: I am 99% certain I solved this for a client... I will dig back through my 
notes and find out what we did.  I know the requirement for local My Music 
(and videos, pictures and PSTs) while redirecting the rest of My Docs was met.  
Can't remember how elegant it was. 

Please ping me in about a week at dan dot holme at intelliem dot com and I hope 
to have had time to find the answer to that again.

Dan

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Tuesday, March 14, 2006 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Folder redirection exceptions?

Hi,

For My Documents redirection, if you look at the second tab, there is an
option to not redirect the My Pictures folder

I know that doesn't help with My Music

Cheers
Ken


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Arnold Arce
Sent: Wednesday, 15 March 2006 12:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Folder redirection exceptions?

Hi everyone.   Long time reader, first time poster ☺

I have a simple question which I’m hoping has a simple answer.  I’ve set up a
group policy that redirects everyone’s ‘My Documents’ directory to their home
directory on the server.  Works great, except people’s Music and Pictures are
being stored on the server too.  Is there a way to exclude the My Music and
My Pictures directories from being redirected and left on the local
workstation?

Arnold

RE: [ActiveDir] Folder redirection exceptions?

2006-03-14 Thread Dan Holme
(see my previous reply also!)

Actually, Ken, I'll talk off the top of my head for a second so that you have 
SOMETHING to go for and test while I dig up my notes.

As I mentioned in prev reply, I'm not completely certain HOW I solved it (but 
will find out) but I *think* the answer was a simple registry poke to TWO parts 
of the HKCU registry key, which obviously can be done in your 'image', using a 
vbscript, with a custom GPO template, or using a GPO extension tool.  My 
recollection is that by redirecting My Music in the registry it worked just 
fine even when folder redirection was set up.  It may be that we had to 
deselect the My Pictures option in the GPO -- it might have been that by 
telling Windows not to auto-redirect My Pictures it also skipped 
auto-redirecting My Music.  You can test those out while I find and test out my 
notes again.

BTW, we created a folder in the user profile, %userprofile%\My Personal Data\ 
under which we put My Music, etc.  We excluded My Personal Data from roaming 
profiles.  We put a SHORTCUT in My Documents called My Music that pointed to My 
Personal Data\My Music so that users who were accustomed to seeing My Music 
there would still see it, but when they clicked it they'd end up in the 
non-redirected folder.  Applications, which are (should be) coded to look for 
the *variable* (shell folder) My Music, went to the non-redirected folder 
automatically.

Hope this helps you chew on something until we chat.

Dan



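Added example (editor's, not from Dan's reply or anything else in the thread): a PowerShell script for the "registry poke to two parts of HKCU" described above. It assumes the two locations are the User Shell Folders and Shell Folders values under Software\Microsoft\Windows\CurrentVersion\Explorer, that the non-redirected folder is %USERPROFILE%\My Personal Data\My Music as in the reply, and that it runs in the user's own session (for example as a logon script).

```powershell
# Added example, not from the original thread. Assumes the "two parts of HKCU"
# are the User Shell Folders (REG_EXPAND_SZ, unexpanded path) and Shell Folders
# (REG_SZ, expanded path) values under Explorer; run in the user's own context.
$explorer  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
$valueName = 'My Music'        # value name Windows uses for the My Music shell folder

# Unexpanded form (what User Shell Folders stores) and expanded form (Shell Folders cache)
$unexpanded = '%USERPROFILE%\My Personal Data\My Music'
$expanded   = [Environment]::ExpandEnvironmentVariables($unexpanded)

# 1. Make sure the local, non-redirected folder exists.
New-Item -ItemType Directory -Path $expanded -Force | Out-Null

# 2. Point the shell folder at it. User Shell Folders must stay REG_EXPAND_SZ;
#    New-ItemProperty -Force overwrites the value whatever type it had before.
New-ItemProperty -Path "$explorer\User Shell Folders" -Name $valueName `
    -Value $unexpanded -PropertyType ExpandString -Force | Out-Null
New-ItemProperty -Path "$explorer\Shell Folders" -Name $valueName `
    -Value $expanded -PropertyType String -Force | Out-Null

# 3. Leave a "My Music" shortcut in the (redirected) My Documents so users who
#    look for it there still find it, as the reply describes.
$myDocs = [Environment]::GetFolderPath('MyDocuments')   # follows the GPO redirection
$wsh    = New-Object -ComObject WScript.Shell
$lnk    = $wsh.CreateShortcut((Join-Path $myDocs 'My Music.lnk'))
$lnk.TargetPath  = $expanded
$lnk.Description = 'Music kept on this workstation (not redirected)'
$lnk.Save()

# 4. Report what the shell resolves for My Music after the change.
"My Music now resolves to: {0}" -f [Environment]::GetFolderPath('MyMusic')
```

Explorer caches shell folder locations, so a logoff/logon (or restarting explorer.exe) may be needed before already-open windows see the change, and the My Personal Data folder still has to be excluded from the roaming profile separately, as the reply says.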

RE: [ActiveDir] Merging Multiple AD Groups

2006-02-09 Thread Dan Holme

Did you add -c to the second command (continue despite errors)?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Thursday, February 09, 2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Merging Multiple AD Groups

I have two existing groups:

1. USAT_HR_RO (24 members)
2. USNY_HR_RO (45 members)

I created a new group to merge members of both groups above into the new group.

3. USHR_PROJSAP_RO (0 members)

Some users are members of groups 1 & 2.

I want to copy the users from groups 1 & 2 into the new group 3 so this would contain 69 members.

I tried the following command 1st

dsget group CN=USAT_HR_RO,OU=GGroups,dc=Intara,dc=com -members | dsmod group CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com -addmbr

then I tried the following command

dsget group CN=USNY_HR_RO,OU=GGroups,dc=Intara,dc=com -members | dsmod group CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com -addmbr

but this does not work...does this make sense?

Al Mulnick [EMAIL PROTECTED] wrote:

complains? Can you give more detail?

On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:

I have two global groups which I need to merge the users in both into one new group. What is the best way to do this, I have used DSGET & DSMOD but it complains about existing users

any ideas?
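Added example, not part of the thread: a PowerShell function that does the merge Frank describes without tripping over users who are already members, which is what makes the second dsmod -addmbr run fail (Dan's -c switch tells dsmod to keep going past those errors; this version avoids them by computing the missing members first). It assumes the RSAT ActiveDirectory module and uses Frank's group names.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory
# module (RSAT); the group names in the usage line are the ones Frank posted.
Import-Module ActiveDirectory

function Merge-ADGroupMembers {
    <#
      Adds every direct member of the source groups to the target group,
      skipping accounts that are already members so AD never raises the
      "already a member" error. Returns the DNs that were actually added.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string[]] $SourceGroup,
        [Parameter(Mandatory)] [string]   $TargetGroup
    )

    # Union of the source memberships, keyed by DN so an overlap counts once.
    $wanted = @{}
    foreach ($g in $SourceGroup) {
        Get-ADGroupMember -Identity $g | ForEach-Object { $wanted[$_.DistinguishedName] = $true }
    }

    # What the target already holds.
    $have = @{}
    Get-ADGroupMember -Identity $TargetGroup | ForEach-Object { $have[$_.DistinguishedName] = $true }

    # Only the delta is written, so no member is added twice.
    $toAdd = @($wanted.Keys | Where-Object { -not $have.ContainsKey($_) })
    if ($toAdd.Count -eq 0) { Write-Verbose 'Nothing to add'; return @() }

    if ($PSCmdlet.ShouldProcess($TargetGroup, "add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $TargetGroup -Members $toAdd
    }
    return $toAdd
}

# Usage with Frank's groups; add -WhatIf to preview without writing to AD.
$added = Merge-ADGroupMembers -SourceGroup 'USAT_HR_RO','USNY_HR_RO' -TargetGroup 'USHR_PROJSAP_RO' -Verbose
"{0} member(s) added; target now has {1} direct members." -f $added.Count,
    @(Get-ADGroupMember -Identity 'USHR_PROJSAP_RO').Count
```

Get-ADGroupMember returns direct members only, matching what dsget -members does; add -Recursive if nested groups should be flattened into the target rather than nested in it.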




































RE: [ActiveDir] Going Native in root domain

2005-12-13 Thread Dan Holme
Make sure you know your environment, particularly anything that uses AD
to AUTHENTICATE.  For example, a while back there was a VERY popular NAS
device that broke when you went Native in AD: it had issues with
Kerberos authentication.  (BTW: no, I'm not going to mention it by name
b/c I haven't had coffee yet and don't remember AND I would hope they
fixed it by now)  Just make sure that anything that authenticates is
going to be OK with your new functional level.  Check non-MS OS's and
hardware and apps.

That caution aside, you shouldn't run into too many problems, and
assuming your root is basically empty the odds of you running into
problems are low.  Just research and test first, as any consultant is
bound to say!

Dan 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Tuesday, December 13, 2005 8:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Going Native in root domain

We have a flat, multi-domain 2000 AD.

Does anyone see any issue if the root domain goes domain native but
stays mixed mode forest?

Thanks, jb

--
Jason Benway
[EMAIL PROTECTED]
GHSP
1250 S.Beechtree
Grand Haven, MI 49417
616-847-8474
Fax: 616-850-1208

Required space inevitably expands to exceed available space...
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Home directories issue

2005-12-13 Thread Dan Holme

%USERNAME% won't help, as it is translated on the fly to the user's name the moment you use it, so it ends up joe.user anyway.

Are your users having the problem using W2K or later, I assume? (If not, there's your answer.) And you ARE using a real share, not a DFS root share, right?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Arnold Arce
Sent: Monday, December 12, 2005 9:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home directories issue

I have experienced this same problem. Usually logging off and logging on fixes it. I need to find a better answer. I'll try the %USERNAME% variable like someone else suggested.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
Sent: Monday, December 12, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Home directories issue

Hoping someone has seen this problem before.

Users are mapping home folders using the AD profile tab, which maps X: to \\servername\home\joe.user. Occasionally, upon logon, users will map to \\servername\home and not all the way to their own home directory. I've seen several blogs and the same problem posted elsewhere but no cause or solution.

Thanks

Jerry








RE: [ActiveDir] Saved Query for Distinguished Name Contains

2005-12-05 Thread Dan Holme

Thanks for the scoop, Joe!!!

And yes, I LOVE ADFIND, but it doesn't provide a result set within the MMC. I'm trying to do an MMC (AD UC snap-in) Saved Query as the basis for a custom Taskpad. Sorry I wasn't clear about that. Guess I'm out of luck.

Thanks again, though! At least I know not to keep beating my head against the wall!

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 05, 2005 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Saved Query for Distinguished Name Contains

It seems I have been answering a lot of questions like this lately...

You can not put parts of the DN into the LDAP query. The only way to control what branches a query looks at are

1. Permissions
2. Search base
3. Search scope.

You need to be the most specific you need to be to either include or exclude various branches of the tree.

That being said, someone who wanted to have those specific branches filtered out or filtered in to the outputted return set but didn't mind actually returning a lot more data could look to see if they can find a tool that was written by someone bright enough to add options to let you do that.

Hey there is one... It is called adfind and has excldn and incldn switches to allow you to specify portions of a DN of objects you would like outputted.

FYI, there is a bug in the objects returned counter when using incldn, I have to go in and fish it out of there. It is because I cut and pasted the excldn code to produce the incldn section. ;o)

Anyway, your query would look something like

adfind -default -f objectcategory=computer -incldn ou=workstations

Keep in mind though that every computer in your org will be passed back to your client, so if you have 100k computers and only 10 are in the ou=workstations OUs it will seem AWFULLY SLOW. There is no way for me to get around that.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Sunday, December 04, 2005 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Saved Query for Distinguished Name Contains

Hey, all!

I am trying to create a saved query to pull out computers that exist within a WORKSTATIONS OU; and that OU may exist within several higher-level OUs, i.e.

distinguishedName=*OU=Workstations*

but the Saved Queries interface in ADUC doesn't seem to like distinguishedName (I've also tried dn= and DN=). Any ideas, please?

Dan Holme
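Added example, not from joe's reply and not adfind's own code: PowerShell showing both routes joe lays out. Way 1 is what -incldn does (pull every computer back, then filter on DN parts on the client); Way 2 uses the search base instead, by first finding every OU whose own name is Workstations with an ordinary LDAP filter and then searching beneath each one, so only the matching computers cross the wire. It assumes the RSAT ActiveDirectory module; the OU name is the one Dan asked about.

```powershell
# Added example, not from the original thread and not adfind's code.
# Requires the RSAT ActiveDirectory module; the OU name is an assumption.
Import-Module ActiveDirectory

function Test-DnContainsRdn {
    # True when the DN has an RDN equal to $Rdn (case-insensitive), e.g. 'OU=Workstations'.
    # Comparing whole RDNs avoids matching 'OU=Workstations-Old' by accident.
    param([string] $DistinguishedName, [string] $Rdn)
    $parts = $DistinguishedName -split '(?<!\\),'     # split on commas that are not escaped
    foreach ($p in $parts) { if ($p.Trim() -ieq $Rdn) { return $true } }
    return $false
}

# Way 1 (what adfind -incldn does): fetch everything the LDAP filter matches,
# then filter by DN locally. Every computer in the domain comes back, as joe warns.
function Get-ComputersByDnPartClientSide {
    param([string] $Rdn = 'OU=Workstations')
    Get-ADComputer -Filter * |
        Where-Object { Test-DnContainsRdn -DistinguishedName $_.DistinguishedName -Rdn $Rdn }
}

# Way 2 (narrow the search base): an LDAP filter CAN match an OU object's own
# name, so find every OU called Workstations first, then search beneath each.
# Sorting unique guards against a Workstations OU nested inside another one.
function Get-ComputersByDnPartServerSide {
    param([string] $OuName = 'Workstations')
    Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" | ForEach-Object {
        Get-ADComputer -Filter * -SearchBase $_.DistinguishedName -SearchScope Subtree
    } | Sort-Object DistinguishedName -Unique
}

# Usage
Get-ComputersByDnPartServerSide -OuName 'Workstations' | Select-Object Name, DistinguishedName
```

Neither route helps inside an ADUC Saved Query, which is Dan's actual constraint: a Saved Query is a single LDAP filter with one search base, exactly the limitation joe describes.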








[ActiveDir] Saved Query for Distinguished Name Contains

2005-12-04 Thread Dan Holme

Hey, all!

I am trying to create a saved query to pull out computers that exist within a WORKSTATIONS OU; and that OU may exist within several higher-level OUs, i.e.

distinguishedName=*OU=Workstations*

but the Saved Queries interface in ADUC doesn't seem to like distinguishedName (I've also tried dn= and DN=). Any ideas, please?

Dan Holme








[ActiveDir] RIS WinPE Question

2005-10-16 Thread Dan Holme

I hope some of you brainiacs can help me out here. I have a WinPE image loaded into a W2K3 RIS server. It launches as a standard image just fine, but creates a computer account in AD. I know that W2K3 SP1 is supposed to have the functionality where I can change the *.sif value ImageType=Flat to ImageType=WinPE and then WinPE is supposed to show up in my TOOLS menu, but it doesn't. It just disappears as an option altogether.

I've tried various combinations of the Choice Options GPO, including disabling all options EXCEPT Tools, at which point the PXE client just says "Can't show you anything ha ha ha" (or something evil to that effect).

After 2 hours of experimentation and googling, I'm at wit's end. Any help would be greatly appreciated.

Dan












RE: [ActiveDir] Display in ADUC

2005-10-12 Thread Dan Holme

The Display Name is not what is showing in ADUC. ADUC in the Name column is showing the CN. The CN *must* be unique for a user in a specific OU, and therefore is the field that can be used to select and open the properties of a user object.

Right-click and RENAME the user.

TIPS

You will also want to think about adding more useful columns to your ADUC view: View > Add/Remove Columns. (Helps you sort by last name, for example.)

One tip about that: when you add a column in a normal AD UC node (e.g. add last name to a user OU) that column will appear in *every* node (even in a computers OU), which is stupid and you'll hate it. Saved Queries allow you to have unique columns visible per query, so you could create a query that shows *anything* (even a "show all users in this OU" query) and that will let you add the last name column to just that query.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Wednesday, October 12, 2005 5:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Display in ADUC

We have 2003 AD. I changed the display name of a user in their property sheet but it still shows the old display name when you look at it in Active Directory Users and Computers. You can look at the properties and it shows the new display name. What else do I need to do?
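Added example (not from the thread): a PowerShell function for Dan's "right-click and RENAME" done in bulk. It renames each user whose CN (the ADUC Name column) differs from its displayName, and skips any rename that would collide with an existing name in the same OU, since the CN must be unique there. It assumes the RSAT ActiveDirectory module; the OU path in the usage line is an assumption.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory
# module; the OU path in the usage line is an assumption.
Import-Module ActiveDirectory

function Sync-ADUserNameToDisplayName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] [string] $SearchBase)

    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties displayName
    foreach ($u in $users) {
        $newName = $u.DisplayName
        if (-not $newName -or $u.Name -ceq $newName) { continue }   # nothing to do

        # CN must be unique within the parent container (Dan's point above), so
        # look for any OTHER object there that already carries the new name.
        $parent = ($u.DistinguishedName -split '(?<!\\),', 2)[1]
        $clash  = Get-ADObject -Filter { Name -eq $newName } -SearchBase $parent -SearchScope OneLevel |
                  Where-Object { $_.DistinguishedName -ne $u.DistinguishedName }
        if ($clash) {
            Write-Warning "Skipping $($u.SamAccountName): '$newName' already exists in $parent"
            continue
        }

        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "rename to '$newName'")) {
            Rename-ADObject -Identity $u.DistinguishedName -NewName $newName   # changes CN/DN only
        }
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; OldName = $u.Name; NewName = $newName }
    }
}

# Preview with -WhatIf first, then run for real by dropping it.
Sync-ADUserNameToDisplayName -SearchBase 'OU=Users,DC=example,DC=com' -WhatIf | Format-Table -AutoSize
```

Renaming changes only the CN and therefore the DN; sAMAccountName and UPN are untouched, so logons are unaffected, but anything that stored the old DN (hard-coded LDAP paths in scripts, for instance) will need updating.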












RE: [ActiveDir] dns suffix search list

2005-09-22 Thread Dan Holme

Marcus: What scope option is that? Funny, I thot it was there too and couldn't find the option.

Tom:

http://www.microsoft.com/technet/scriptcenter/scripts/network/client/modify/nwmovb21.mspx is the WMI script

also

Group Policy allows configuring the DNS Suffix Search Order.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 8:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dns suffix search list

By lots of machines, are you referring to workstations? If so, are they in a scope that's managed by DHCP? You could manipulate the search suffix that way.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 22, 2005 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dns suffix search list

I'm only running win2k

I'd like to make the script query a text file of client names, so I can just execute it from my desktop rather than a script.

how would I go about doing that?

Thanks

-Original Message-
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Thu 9/22/2005 2:31 PM
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] dns suffix search list
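Added example, not the TechNet script Dan links and not from the thread: PowerShell that reads client names from a text file, as Tom asked, and sets the DNS suffix search list on each machine through WMI. The file path and suffixes are assumptions; it needs administrative rights on every target.

```powershell
# Added example, not from the original thread. Reads one host name per line
# from a text file and sets the machine-wide DNS suffix search list over WMI.
# File path and suffix list in the usage line are assumptions.
function Set-RemoteDnsSuffixSearchOrder {
    param(
        [Parameter(Mandatory)] [string]   $ComputerListPath,
        [Parameter(Mandatory)] [string[]] $SuffixSearchOrder
    )
    # Blank lines and '#' comments in the list are ignored.
    $names = Get-Content $ComputerListPath | ForEach-Object { $_.Trim() } |
             Where-Object { $_ -and -not $_.StartsWith('#') }

    foreach ($name in $names) {
        try {
            # SetDNSSuffixSearchOrder is a static (class-level) method: it replaces
            # the machine-wide list, not a per-adapter one, so call it on the class.
            $class  = [wmiclass] "\\$name\root\cimv2:Win32_NetworkAdapterConfiguration"
            $result = $class.SetDNSSuffixSearchOrder($SuffixSearchOrder)
            $status = switch ($result.ReturnValue) {
                0       { 'OK' }
                1       { 'OK (reboot required)' }
                default { "WMI error $_" }
            }
        } catch {
            $status = "unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Computer = $name; Status = $status }
    }
}

# Usage: clients.txt holds one host name per line.
Set-RemoteDnsSuffixSearchOrder -ComputerListPath 'C:\clients.txt' `
    -SuffixSearchOrder 'corp.example.com','example.com' | Format-Table -AutoSize
```

The call replaces the whole list on each machine, so pass every suffix you want, in order. For machines that Group Policy already reaches, the DNS Suffix Search List policy Dan mentions is the durable setting; the WMI route is for one-off fixes and hosts outside the GPO's scope.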


















RE: [ActiveDir] Folder Redirection

2005-08-16 Thread Dan Holme

Probably a permissions problem. Since you're just TESTING, start by setting perms on the folder so that the user has full control. This is not the ideal permission set, but it will tell you whether that's causing the problem. Once you know if that's the issue, we can chat about the exact permissions for future tests.

Also check DNS, etc. Try connecting to a normal shared folder on the same server.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Paul
Sent: Tuesday, August 16, 2005 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Folder Redirection

I am a newbie & studying for MCSE 2000. I do not claim to know much but could use your patience and help!

I logged on to one of the PCs as the user that has the GPO (no override is checked) for folder redirection (it's my docs folder), saved something in it, but did not find the saved file in the redirected folder.

Any advice is greatly appreciated.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, August 14, 2005 5:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]

Right click and goto properties

A subject would help your message greatly.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Paul
Sent: Sunday, August 14, 2005 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]

How do you setup folder redirection? How does it work?

1. create shared folder
2. start, programs, administrative tools, AD Users & Computers
3. OU right click, properties, Group policy
4. new, any name, click name, edit, user config, windows settings
5. folder redirection, my docs

Where do you go from here?

Thanks all










RE: [ActiveDir] dhcp

2005-08-13 Thread Dan Holme
Sorry--I wasn't even considering a scenario where you have a mix of
stand-alone and domain member servers on the same subnet (the one
'exception to the rule' as the article you mention points out)... So
what was the question then???


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 12, 2005 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] dhcp

this article from MS claims that a stand alone will send out a dhcp
inform(among other things) packet to query the auth dhcp servers and
if it gets an ack, it will stop giving out addys.
of course it has to be win2k or 2k3 and on the same subnet as the auth
dhcp servers for them to hear the broadcast.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/S
erverHelp/9a4157c4-3c2f-4871-9ffe-7d405781f2cf.mspx



On 8/12/05, Dan Holme [EMAIL PROTECTED] wrote:
 No.  The only DHCP server that WON'T give out addresses is a 2K or 2K3
 *domain member*.  Everyone else, every platform, every standalone,
will
 give out IPs ... they care nothing about AD.
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Friday, August 12, 2005 5:26 PM
 To: activedirectory
 Subject: [ActiveDir] dhcp
 
 is it true that even a stand alone win2k dhcp server will not give out
 ip's if it contacts a AD dhcp server?


RE: [ActiveDir] csvde syntax

2005-08-11 Thread Dan Holme
DUMPCOMPUTERS.BAT
@echo off
REM Usage: DUMPCOMPUTERS.BAT <search-base DN> <output file>
REM %~1 is used as the complete search base. The earlier version appended a
REM fixed ",dc=us,dc=ray,dc=com" to it and ".ldf" to the file name, which did
REM not match the usage example below.
set SearchBase=%~1
set FileName=%~2

ldifde -f "%FileName%" -d "%SearchBase%" -p SubTree -r "(objectClass=computer)" -l "objectClass,description,name,sAMAccountName"

echo on


the ldifde line is ONE line (watch for word wrap in the email)

Call this file as in:
DUMPCOMPUTERS.BAT dc=windomain,dc=local computers.ldf


Dan




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 11:18 AM
To: activedirectory
Subject: [ActiveDir] csvde syntax

what's the ldap filter to use with csvde to just export all computer
objects in a domain to a file?
thanks


RE: [ActiveDir] csvde syntax

2005-08-11 Thread Dan Holme
OOPS sorry I sent an LDIF version.  I think the syntax is the same
(don't have time to check) for CSVDE, though...





RE: [ActiveDir] large profiles

2005-08-10 Thread Dan Holme
Don't forget about using My Documents and Desktop folder redirection in
addition to your roaming profile as a very viable option for this kind
of situation...

Dan 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman
III
Sent: Wednesday, August 10, 2005 7:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] large profiles

that's exactly what I was looking for, don't know how I overlooked it
before, thanks!

fred



 I think this might help if you are using Roaming Profiles:

 Using Group Policy to Delete Cached Copies of Roaming Profiles
 http://support.microsoft.com/kb/274152/EN-US/

 If not, you can clean up the machine(s) using delprof:

http://www.microsoft.com/downloads/details.aspx?displaylang=enfamilyid=
901A9B95-6063-4462-8150-360394E98E1E

 john



 When several users share the same machine, it doesn't take long for
the
 Docs  Settings directory to eat up too much space on the drive.  Is
 there
 a setting that will allow their profiles to be removed from the local
 machine at logoff (other than mandatory profiles)?  I don't want Deep
 Freeze or anything similiar, just a setting in Active Directory.




RE: [ActiveDir] user profiles

2005-08-08 Thread Dan Holme
Do you want them each to get their 'own' profile (that they can change
and those changes would be there the next time they log on) or is it a
'standard' profile that needs to be the same for every user, every time
they log on?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman
III
Sent: Monday, August 08, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] user profiles


What would be the easiest way to setup a default profile for a few
thousand users and make sure that their profile is deleted from their
local machines at logoff.




RE: [ActiveDir] Virtual Domain Controllers

2005-08-05 Thread Dan Holme

My experience (and you'll want to listen to others as well, of course) is that you'll be in pretty good shape. Don't even give yourself the CHANCE of using snapshots; rolling back is the main issue (as it will hose replication and new objects) and is the primary issue discussed related to running DCs in VMs, so set the DC with persistent disks that can't even BE snapshotted.

Dan Holme
Intelliem

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

Hi All,

I have a question about running DCs on GSX server. I understand that MS does not support this configuration, but I've heard that many people are running DCs in this fashion. Can anyone give some advice in this arena? The idea here is to do VM for a file/print, and another one for a DC in our remote sites. Currently, we've got different hardware for each box, but we're trying to consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277
[EMAIL PROTECTED]

*CONFIDENTIALITY NOTICE*

This e-mail may contain information that is privileged, confidential, or otherwise exempt from disclosure under applicable law. If you are not the addressee or it appears from the context or otherwise that you have received this e-mail in error, please advise me immediately by reply e-mail, keep the contents confidential, and immediately delete the message and any attachments from your system.
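Added example, not from the thread: a PowerShell check for the rollback damage Dan warns about. When a DC detects that it has been restored from a snapshot (a USN rollback), NTDS disables inbound and outbound replication, writes the value "Dsa Not Writable" = 4 under its Parameters key, and logs event 2095 in the Directory Service log; the function reads both on each DC you name. DC names are assumptions; it needs remote registry and event-log access (domain admin rights, typically).

```powershell
# Added example, not from the original thread. Looks for the two markers NTDS
# leaves after detecting a USN rollback: "Dsa Not Writable" = 4 in the NTDS
# Parameters key, and event 2095 in the Directory Service log. DC names in the
# usage lines are assumptions.
function Test-DcUsnRollback {
    param([Parameter(Mandatory)] [string[]] $DomainController,
          [int] $LookBackDays = 30)

    foreach ($dc in $DomainController) {
        $notWritable = $null; $ev2095 = $null; $err = $null
        try {
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
            $key  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
            # Absent on a healthy DC; 4 means NTDS has quarantined itself after a
            # rollback (replication disabled, netlogon paused until an admin acts).
            $notWritable = $key.GetValue('Dsa Not Writable')

            # No matching events makes Get-WinEvent throw, hence SilentlyContinue.
            $ev2095 = Get-WinEvent -ComputerName $dc -FilterHashtable @{
                LogName = 'Directory Service'; Id = 2095
                StartTime = (Get-Date).AddDays(-$LookBackDays) } -ErrorAction SilentlyContinue
        } catch { $err = $_.Exception.Message }

        [pscustomobject]@{
            DomainController  = $dc
            DsaNotWritable    = $notWritable
            Event2095Count    = @($ev2095).Count
            RollbackSuspected = ($notWritable -eq 4) -or (@($ev2095).Count -gt 0)
            Error             = $err
        }
    }
}

# Usage: every DC in the domain (needs the ActiveDirectory module), then repadmin
# for the replication side of the picture.
$dcs = (Get-ADDomainController -Filter *).HostName
Test-DcUsnRollback -DomainController $dcs | Format-Table -AutoSize
# repadmin /showrepl * /csv | ConvertFrom-Csv    # shows which partners stopped replicating
```

A DC that reports DsaNotWritable = 4 has to be demoted and re-promoted (or restored from a supported backup), not just rebooted. Since Windows Server 2012, DCs on hypervisors that expose a VM Generation ID detect a snapshot restore and recover by resetting their invocation ID; that is a safety net rather than a licence to snapshot, and it does nothing for the GSX-era hosts in the question.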














RE: [ActiveDir] OT WEB Hosting

2005-08-04 Thread Dan Holme

I've used Intermedia.net and interland.net for web hosting; and have recently gone the route of a dedicated SERVER at godaddy.com b/c the rate was unbelievable. Very happy with all 3.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, August 04, 2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT WEB Hosting

ServerIntellect has been nothing but the best for me

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Thursday, August 04, 2005 5:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT WEB Hosting

Completely OT

I would be grateful if anyone could recommend WEB hosting services.

Regards

Peter Jessop








RE: [ActiveDir] DCPromo Answer file....no DNS.

2005-08-03 Thread Dan Holme

No. DCPromo looks ONLY at the DCPromo section.

Run Sysoc.inf against the answer file.

For a fresh DC, run SYSOC.INF followed by DCPROMO as your two commands in the [GUIRunOnce] section.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Wednesday, August 03, 2005 6:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

The bit that threw me is that my DCPromo process ignored the section

[NetOptionalComponents]
DNS = 1

Hence first invoking.

C:\WINNT\SYSTEM32\SYSOCMGR /I:C:\WINNT\SYSTEM32\SYSOC.INF /u:C:\my_answer_file.txt

Also FYI - This is not the first DC on the network, and is not the first AD based DNS server either (obviously). This is being run after the machine has been sitting on the network, in the domain as a member server for a couple of days (to allow for patching and prove the h/w isn't immediately faulty). This is all W2K3.

Should DCPromo be actioning the [NetOptionalComponents] section?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Tuesday, August 02, 2005 8:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

To clarify what Brian meant, you run

dcpromo /answer:answer_file

and it will use those [DCPromo] settings. It does NOT run automatically as part of setup, unless you ALSO put that command in your GUIRunOnce section, i.e.

[GUIRunOnce]
dcpromo /answer:answer_file

and set up Auto Logon, perhaps.

BUT

In [DCPromo] there is the

DNSOnNetwork = No

setting, which installs DNS on the server. That only works for the FIRST DC in the forest.

After that, you need to use other means to get DNS on the server. Off the top of my head, that would be

[NetOptionalComponents]
DNS = 1

You would need to point the second DC to the FIRST DC as its DNS server, until the second DC has been DCPromo'd.

HTH

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, August 02, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

What do you mean? That's exactly what the thing does. Just call dcpromo and point it to the file.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Tuesday, August 02, 2005 3:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

Cheers, that has worked nicely. I was a bit surprised still that you can't drive the DCPromo wizard by using settings in the [DCPromo] section of the answer file.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, July 30, 2005 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

You have DNS installed? You need to use the sysoc stuff (look it up in the ref.chm in deploy.cab) to install DNS first

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, July 29, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DCPromo Answer file....no DNS.

Hi All,

I have set up a Win2K domain (single DC, SP3) and have joined a Win2K3 member server. I have promoted the W2K3 member server using a dcpromo answer file, but cannot seem to force it to install DNS.

Any ideas??

Brad

PS: Answer file below.

;This file is an answer file for the DCPromo process. The answers held within this file will automatically be applied to
;all DC's that are created with the DCPromo /answer:filename where this file is used.
;More information about these and additional settings are available at the link below, or in the Deployment assistance
;guide that is stored in the Windows Server 2003 install source\SUPPORT\TOOLS\DEPLOY.CAB\REF.CHM
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/b7a68c24-fe69-407a-b220-0005ad1f884d.mspx

[DCInstall]

;Specifies whether any pre-Windows 2000 server authenticates users from this domain or any trusted domain.
AllowAnonymousAccess = Yes

;Specifies whether the DCPROMO wizard configures DNS for the new domain if it detects that the DNS dynamic update protocol is not available.
AutoConfigDNS = Yes

;Specifies whether the replica is also a global catalog.
ConfirmGc = Yes

;Specifies whether the promotion operation performs only critical replication and then continues, skipping the noncritical (and potentially lengthy) portion of replication.
CriticalReplicationOnly = No

;Specifies the fully qu

RE: [ActiveDir] Domain DFS Roots hosted on DC

2005-08-03 Thread Dan Holme

There's one much bigger issue that may or may not impact you, but is usually missed by folks. That is the delegation of MAINTENANCE OF THE DFS ROOT.

DFS Roots are really, technically and practically, a scope for delegation of administration, as well as a root of a namespace. One should have separate DFS roots whenever separate teams/people will be supporting those roots (i.e. adding/removing/maintaining links).

To maintain a DFS root, you must be delegated permissions to the appropriate object in AD (under the SYSTEM node in ADUC) *and* you **MUST BE AN ADMINISTRATOR OF THE MACHINE ON WHICH THE DFS ROOT TARGET IS HOSTED**. This is a SUPER BIGGIE GOTCHA in your situation, perhaps, because as soon as you host a DFS root target on a DC, you must have Administrators credentials on the DC, which means you 1) have to log on with domain administrator equivalence just to maintain your root (nasty!) and 2) you can only delegate maintenance of the root to folks who are trusted as domain administrators.

Therefore, I always recommend that DFS root targets be hosted on member servers!!

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Wednesday, August 03, 2005 4:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain DFS Roots hosted on DC

Correct Neil,

I don't want to host data on the DCs, just use them to refer to the actual data hosted on fileservers.

Thanks,

Todd

From: Ruston, Neil [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 03, 2005 7:31 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Domain DFS Roots hosted on DC

I agree with your sentiments in principle, but would state that the number of links rather than users is of importance. Domain and stand alone DFS each have their own limitations so you should ascertain whether domain DFS will meet your requirements, whatever they may be.

I assume DCs would not host links and therefore, as you say, would simply refer clients to the correct server. As such, the overhead will be minimal as you say.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: 03 August 2005 12:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain DFS Roots hosted on DC

Hey all,

Have a quick question about Domain DFS roots. If you have about 3000 users, do you recommend hosting the DFS root on DC's or having dedicated boxes to host the Domain DFS roots? Since the root is mainly just doing referrals, my thought is that as long as you have sufficient memory on the DC's it should work. My concern is that since my strategy is to locate all the domain resources through DFS, it might be a lot of overhead to put on the DC's. The other part of my brain thinks since it is basically just referral traffic, it can't be any more overhead than running DDNS.

Thanks,

Todd

==
Please access the attached hyperlink for an important electronic communications disclaimer:

http://www.csfb.com/legal_terms/disclaimer_external_email.shtml

==


RE: [ActiveDir] Set UserAccountControl

2005-08-03 Thread Dan Holme

I may be talking out of my butt here, but I think that you may be running into an issue of the version of AD you're using. I have a vague recollection that I ran into this problem and needed to set the pwdLastSet attribute, rather than the User Account Control, to force pw to change at next logon. I'm leaning towards the thought that you CAN'T set that attribute that way. Perhaps you've tried doing it separately and it worked? In which case, forget what I just said. Otherwise, look into it.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Wednesday, August 03, 2005 6:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Set UserAccountControl

I'm just curious to know why, if you don't mind, you need to set both at the same time.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fernandez Rego, Ramon
Sent: 03 August 2005 14:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Set UserAccountControl

Thanks, I know but I need it.

Your suggestion is good and I will do what you say if I don't have another possibility.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Wednesday, 03 August 2005 14:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Set UserAccountControl

AFAIK these are mutually exclusive. Why would you need both? If you want to force at least one password change and then have it never expire you could create the account with the "User Must Change password at next logon" property to on and then have your script check the state of the "Change password" property and if it's clear then set the "Password never sets" flag.

You certainly can't, IIRC, create or set both at the same time.

Regards

Peter Johnson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fernandez Rego, Ramon
Sent: 03 August 2005 14:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Set UserAccountControl

Hi,

Is there any possibility of setting both properties?

"Password never expires" and "User must change password at next logon"

I tried with this script, but I can't:

--
' Bind with the ADSI OLE DB provider and search the OU for user objects.
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
m = 0

strOU = "cn=test,ou=usuarios,ou=XXX"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.Properties("Size Limit") = 1001
objCommand.Properties("Cache Results") = False
objCommand.Properties("Page Size") = 1001
' <base>;<filter>;<attributes>;<scope>
objCommand.CommandText = _
    "<LDAP://" & strOU & ",dc=asp,dc=mundo-r,dc=com>;(objectCategory=user)" & _
    ";distinguishedName,name,mail,ADsPath;subtree"
Set objRecordSet = objCommand.Execute

While Not objRecordSet.EOF
    strADsPath = objRecordSet.Fields("ADsPath")
    Set objUser = GetObject(strADsPath)
    ' Put replaces the whole userAccountControl value with the literal below.
    objUser.Put "UserAccountControl", 524288 ' 0x8 + 0x10200 = pass never exp + user must change
    objUser.SetInfo
    WScript.Echo strADsPath & " ; " & objUser.UserAccountControl
    m = m + 1
    objRecordSet.MoveNext
Wend

objConnection.Close
WScript.Echo "Numero objetos afectados: " & m
--




Thanks,

Moncho

**
This message is addressed exclusively to its recipient. It may contain privileged, confidential or legally protected information.
If you have received this message in error, please delete it immediately, together with all copies, and notify the sender.
Under current legislation, its use, disclosure, copying or printing without authorisation is prohibited.
No waiver of confidentiality or privilege arises from an erroneous transmission.
**
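As an added illustration for this thread (not code from any of the posters), here is the flag arithmetic behind the question in Python. Two facts drive it: the value the script writes, 524288, is 0x80000, which is the ADS_UF_TRUSTED_FOR_DELEGATION bit and nothing to do with passwords, and since Put replaces the whole attribute it also drops NORMAL_ACCOUNT (0x200) from every user it touches. "Password never expires" is 0x10000; "user must change password at next logon" is not a userAccountControl bit at all but the pwdLastSet = 0 convention Dan recalls. The flag table is the documented ADS_USER_FLAG_ENUM; the RISKY_FLAGS selection and the sample account states are my own.

```python
# Added example (not from the thread): decode userAccountControl bit flags and
# model the "must change password at next logon" convention, which lives in
# pwdLastSet, not in userAccountControl.  Flag values are the documented
# ADS_USER_FLAG_ENUM constants; the account states are constructed samples.

UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
NAME_TO_FLAG = {name: bit for bit, name in UAC_FLAGS.items()}

# My selection of flags that weaken an account when set; worth a second look in
# any script that writes userAccountControl wholesale, as the one above does.
RISKY_FLAGS = {"PASSWD_NOTREQD", "TRUSTED_FOR_DELEGATION", "DONT_REQ_PREAUTH",
               "USE_DES_KEY_ONLY", "ENCRYPTED_TEXT_PWD_ALLOWED"}


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def set_flags(value, *names):
    """OR the named flags into an existing value instead of replacing the whole integer."""
    for name in names:
        value |= NAME_TO_FLAG[name]
    return value


def clear_flags(value, *names):
    """Clear the named flags, leaving every other bit as it was."""
    for name in names:
        value &= ~NAME_TO_FLAG[name]
    return value


def account_state(uac, pwd_last_set):
    """Summarise the password settings an admin tool would show for an account.

    pwd_last_set is the raw pwdLastSet value; 0 is the convention that forces a
    password change at next logon, which is why no UAC bit exists for it.
    """
    names = set(decode_uac(uac))
    return {
        "password_never_expires": "DONT_EXPIRE_PASSWD" in names,
        "must_change_at_next_logon": pwd_last_set == 0,
        "normal_account": "NORMAL_ACCOUNT" in names,
        "risky_flags": sorted(names & RISKY_FLAGS),
    }


# What the thread's script actually writes: objUser.Put "UserAccountControl", 524288
THREAD_VALUE = 524288

# What was meant: keep the existing flags and add "password never expires";
# "must change at next logon" is then pwdLastSet = 0 on the same object.
NORMAL_USER = NAME_TO_FLAG["NORMAL_ACCOUNT"]  # 512, the default for a new user
INTENDED_VALUE = set_flags(NORMAL_USER, "DONT_EXPIRE_PASSWD")  # 66048

if __name__ == "__main__":
    print("524288 decodes to:", decode_uac(THREAD_VALUE))
    print("intended value:", INTENDED_VALUE, decode_uac(INTENDED_VALUE))
    print(account_state(INTENDED_VALUE, pwd_last_set=0))
```

The block only models the stored values; it makes no claim about whether the directory honours both settings at once, which is the point Peter raises. The practical lesson for a script is to read the current value, OR in the one flag you need, and write pwdLastSet separately, rather than writing a literal.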








RE: [ActiveDir] Distribute a template delegation.

2005-08-03 Thread Dan Holme

I'm attaching a script I used for a scripted delegation demonstration. There is a lot of code (applying a lot of templates) but the guts can be seen in one section and the RunDSACLS routine at the end. I'm sorry I don't have time to document this fully for you, but I'm heading out of town. Hopefully you can make heads and tails out of it.

set objShell = WScript.CreateObject("WScript.Shell")

' ===EUROPE HELP DESK===
strGroup = "WINDOMAIN\ZEUR_HelpDesk"
strOU = "OU=Users,OU=EUR,DC=windomain,DC=local"
Call Level1UserTasks(strGroup, strOU)

strOU = "OU=Groups,OU=EUR,DC=windomain,DC=local"
Call Level1GroupTasks(strGroup, strOU)

' ===EUROPE ENGINEERS===
strGroup = "WINDOMAIN\ZEUR_Engineers"
strOU = "OU=Users,OU=EUR,DC=windomain,DC=local"
Call Level2UserTasks(strGroup, strOU)

strOU = "OU=Groups,OU=EUR,DC=windomain,DC=local"
Call Level2GroupTasks(strGroup, strOU)

strOU = "OU=Clients,OU=EUR,DC=windomain,DC=local"
Call Level2ComputerTasks(strGroup, strOU)

strOU = "OU=Servers,OU=EUR,DC=windomain,DC=local"
Call Level2ComputerTasks(strGroup, strOU)

strOU = "OU=Admins,OU=EUR,DC=windomain,DC=local"
Call Level1UserTasks(strGroup, strOU)

' ===USA HELP DESK===
strGroup = "WINDOMAIN\ZUSA_HelpDesk1"
strOU = "OU=Users,OU=USA,DC=windomain,DC=local"
Call Level1UserTasks(strGroup, strOU)

strOU = "OU=Travelers,OU=Users,OU=EUR,DC=windomain,DC=local"
Call Level1UserTasks(strGroup, strOU)

' ===USA LEVEL 2===
strGroup = "WINDOMAIN\ZUSA_HelpDesk2"
strOU = "OU=Users,OU=USA,DC=windomain,DC=local"
Call Level2UserTasks(strGroup, strOU)

strOU = "OU=Groups,OU=USA,DC=windomain,DC=local"
Call Level2GroupTasks(strGroup, strOU)

strOU = "OU=Clients,OU=USA,DC=windomain,DC=local"
Call Level2ComputerTasks(strGroup, strOU)

' ===USA ENGINEERS===
strGroup = "WINDOMAIN\ZUSA_Engineers"
strOU = "OU=Servers,OU=USA,DC=windomain,DC=local"
Call Level2ComputerTasks(strGroup, strOU)

strOU = "OU=Admins,OU=USA,DC=windomain,DC=local"
Call Level1UserTasks(strGroup, strOU)

' ===USA CORE AD TEAM===
strGroup = "WINDOMAIN\ZUSA_CoreADTeam"
strOU = "OU=Admins,OU=USA,DC=windomain,DC=local"
Call Level2UserTasks(strGroup, strOU)

strOU = "OU=Groups,OU=USA,DC=windomain,DC=local"
Call Level2UserTasks(strGroup, strOU)


' Level 1 on users: reset passwords, force a change at next logon, unlock accounts.
' Permission strings are in dsacls form: <rights>;<object type>;<inherited object type>
Sub Level1UserTasks(strGroup, strOU)
    strPerms = "CA;" & Quote("Reset Password") & ";user"
    strInher = "/I:S"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)

    strPerms = "rpwp;" & Quote("pwdLastSet") & ";user"
    strInher = "/I:S"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)

    strPerms = "rpwp;" & Quote("lockoutTime") & ";user"
    strInher = "/I:S"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
End Sub

' Level 1 on groups: manage membership only.
Sub Level1GroupTasks(strGroup, strOU)
    strPerms = "rpwp;" & Quote("member") & ";group"
    strInher = "/I:S"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
End Sub

' Level 2 on users: create user objects in the OU and full control over them.
Sub Level2UserTasks(strGroup, strOU)
    strPerms = "CC;user"
    strInher = "/I:T"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)

    strPerms = "GA;;user"
    strInher = "/I:S"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
End Sub

' Level 2 on groups: create and delete group objects, full control over them.
Sub Level2GroupTasks(strGroup, strOU)
    strPerms = "CCDC;group"
    strInher = "/I:T"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)

    strPerms = "GA;;group"
    strInher = "/I:S"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
End Sub

' Level 2 on computers: create and delete computer objects, full control over them.
Sub Level2ComputerTasks(strGroup, strOU)
    strPerms = "CCDC;computer"
    strInher = "/I:T"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)

    strPerms = "GA;;computer"
    strInher = "/I:S"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
End Sub

' Manage GPO links on the OU itself (no inheritance flag).
Sub GPOLinkTasks(strGroup, strOU)
    strPerms = "rpwp;" & Quote("gPLink")
    strInher = ""
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)

    strPerms = "rpwp;" & Quote("gPOptions")
    strInher = ""
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
End Sub

Sub DeleteUserTask(strGroup, strOU)
    strPerms = "DC;user"
    strInher = "/I:S"
    Call RunDSACLS(strGroup, strOU, strInher, strPerms)
End Sub

' Build and run: DSACLS "<OU DN>" [/I:x] /G "<group>":<perms>
Sub RunDSACLS(strGroup, strOU, strInher, strPerms)
    strCommand = "DSACLS " & Quote(strOU) & " " & strInher & " /G " & Quote(strGroup) & ":" & strPerms
    strMsg = strCommand & vbCRLF

    'objShell.Run "%comspec% /c " & strCommand, 1, True

    set objExec = objShell.Exec(strCommand)
    set objOut = objExec.StdOut
    While Not objOut.AtEndOfStream
        strLastLine = objOut.ReadLine
    Wend
    strMsg = strMsg & strLastLine
    WScript.Echo strMsg   ' the command and the last line dsacls printed (normally its status)
End Sub

Function Quote(strText)
    Quote = Chr(34) & strText & Chr(34)
End Function











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 03, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Distribute a template delegation.

Yep best to script this.

Last place I was an ops guy for, we wrote an entire create ou script. You told it what domain and the building number and it did the rest, built all of the OUs structures needed, created all of the groups, put into place all of the delegations, linked the proper group policy objects, etc. We then wrapped that script in another script and when a batch request came in for say 20 new buildings being added to AD we fired off one command (something like buildous domain filename) and off it would run building them all. A
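The shape of Dan's script (a role is a list of permission templates, each rendered into one dsacls call) is worth seeing in a form you can test before anything touches the directory. The Python below is an added example, not Dan's script and not a tool from the thread: it models the Level 1 and Level 2 user templates as data, renders them into dsacls command lines with the quoting the command line needs, and flags grants that hand a role full control (GA) or write-DACL style rights, which is where least-privilege delegation usually slips. The OU and group names are the ones from the script above; the BROAD_RIGHTS set is my own choice of rights to review.

```python
# Added example (not Dan's script or any project code): render role-based
# delegation templates into dsacls command lines with proper quoting, and flag
# grants that hand out more than the role needs.  Role contents mirror the
# Level1/Level2 user subs above; group and OU names come from the same script.
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    rights: str                # dsacls rights token: CA, RPWP, CC, DC, GA, ...
    object_type: str = ""      # attribute, extended right or class the rights apply to
    inherited_type: str = ""   # class of child objects the ACE is inherited by
    inheritance: str = "/I:S"  # /I:S = sub-objects only, /I:T = this object and sub-objects, "" = this object only


# Help desk: reset passwords, force a change at next logon, unlock accounts.
LEVEL1_USER = [
    Grant("CA", "Reset Password", "user"),
    Grant("RPWP", "pwdLastSet", "user"),
    Grant("RPWP", "lockoutTime", "user"),
]
# Engineers: create user objects and full control over them.
LEVEL2_USER = [
    Grant("CC", "user", inheritance="/I:T"),
    Grant("GA", "", "user"),
]

# Rights that are rarely what a role actually needs; review before applying.
BROAD_RIGHTS = {"GA", "GW", "WD", "WO"}


def _quote(text):
    """Quote a token for the Windows command line if it contains whitespace."""
    return f'"{text}"' if any(ch.isspace() for ch in text) else text


def permission_token(grant):
    """Build the <rights>;<object type>;<inherited object type> part of /G."""
    parts = [grant.rights, _quote(grant.object_type), grant.inherited_type]
    while parts and parts[-1] == "":      # dsacls accepts trailing fields omitted
        parts.pop()
    return ";".join(parts)


def dsacls_command(ou_dn, group, grant):
    """One dsacls invocation: dsacls "<OU>" [/I:x] /G "<group>":<permission>."""
    words = ["dsacls", f'"{ou_dn}"']
    if grant.inheritance:
        words.append(grant.inheritance)
    words.append("/G")
    words.append(f'"{group}":{permission_token(grant)}')
    return " ".join(words)


def render_role(ou_dn, group, grants):
    """All command lines needed to apply one role to one OU."""
    return [dsacls_command(ou_dn, group, g) for g in grants]


def review(grants):
    """Return a note for each grant that is broader than a narrowly scoped task."""
    notes = []
    for g in grants:
        if g.rights.upper() in BROAD_RIGHTS:
            target = g.inherited_type or g.object_type or "the OU itself"
            notes.append(f"{g.rights} on {target}: full/write control; "
                         "prefer specific attributes or control access rights")
    return notes


if __name__ == "__main__":
    for line in render_role("OU=Users,OU=EUR,DC=windomain,DC=local",
                            r"WINDOMAIN\ZEUR_HelpDesk", LEVEL1_USER):
        print(line)
    for note in review(LEVEL2_USER):
        print("REVIEW:", note)
```

Rendering to text first also gives you something to diff against what `dsacls <OU>` reports after the fact, which is the cheapest way to catch a template that was applied to the wrong OU.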

RE: [ActiveDir] Account lockout

2005-08-02 Thread Dan Holme

Go to the command prompt and do a net use, see if there are any connections (mapped drives or otherwise) that look out of place. Perhaps do a NET USE * /D (to delete all network connections) and see if the problem stops.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jake Stabl
Sent: Tuesday, August 02, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account lockout

Good day everyone. Here is a crazy problem I am having today. I am logged on to my laptop writing emails and administering my domain and then all of a sudden my account will get locked out. Just about every 5 minutes this is happening and I don't really know why? Where can I start looking to fix this?? I am lost.

Jake


RE: [ActiveDir] Replicating AD

2005-08-02 Thread Dan Holme

Boy THAT is the golden question from MY clients!!

One option I've seen used (and would be interested in other members' opinions about) is to yank a DC out of production (cleaning out its meta data of course), putting that DC in a (disconnected) lab, and wiping ITS metadata of the other (production) DCs. Sounds like a lot of effort to me.

A big issue is what you are testing and how perfect your testing must be. My largest clients have found labs pretty lacking, since it is virtually impossible to test all appropriate variables (incl link speeds, specific app servers & storage devices, etc.). Assuming all you want to do is test an AD change, then sure, you could have a lab with your AD structure mimicked.

I've been slowly building scripts to help me do this. I'd be happy to give them to you (email me at dan dot holme at intelliem dot com) as long as you promise to help me test and improve them. Once they're solid I plan on releasing them publicly for anyone.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, August 02, 2005 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replicating AD

I'm trying to setup a test AD that's identical to the production AD with the same OU structure and user accounts. I'd like to avoid having to manually create them by hopefully finding a tool that would import all those objects. Does any one know of such a tool?

Antonio


RE: [ActiveDir] DCPromo Answer file....no DNS.

2005-08-02 Thread Dan Holme

To clarify what Brian meant, you run

dcpromo /answer:answer_file

and it will use those [DCPromo] settings. It does NOT run automatically as part of setup, unless you ALSO put that command in your GUIRunOnce section, i.e.

[GUIRunOnce]
dcpromo /answer:answer_file

and set up Auto Logon, perhaps.

BUT

In [DCPromo] there is the

DNSOnNetwork = No

setting, which installs DNS on the server. That only works for the FIRST dc in the forest.

After that, you need to use other means to get DNS on the server. Off the top of my head, that would be

[NetOptionalComponents]
DNS = 1

You would need to point the second DC to the FIRST DC as its DNS server, until the second DC has been DCPromo'd.

HTH

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, August 02, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

What do you mean? That's exactly what the thing does. Just call dcpromo and point it to the file.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Tuesday, August 02, 2005 3:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

Cheers, that has worked nicely. I was a bit surprised still that you can't drive the DCPromo wizard by using settings in the [DCPromo] section of the answer file.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, July 30, 2005 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

You have DNS installed? You need to use the sysoc stuff (look it up in the ref.chm in deploy.cab) to install DNS first.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, July 29, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DCPromo Answer file....no DNS.

Hi All,

I have set up a Win2K domain (single DC, SP3) and have joined a Win2K3 member server. I have promoted the W2K3 Member server using a dcpromo answer file, but cannot seem to force it to install DNS.

Any ideas ??

Brad

PS: Answer file below.

;This file is an answer file for the DCPromo process. The answers held within this file will automatically be applied to
;all DC's that are created with the DCPromo /answer:filename where this file is used.
;More information about these and additional settings are available at the link below, or in the Deployment assistance
;guide that is stored in the windows server 2003 install source\SUPPORT\TOOLS\DEPLOY.CAB\REF.CHM
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/b7a68c24-fe69-407a-b220-0005ad1f884d.mspx

[DCInstall]

;Specifies whether any pre-Windows 2000 server authenticates users from this domain or any trusted domain.
AllowAnonymousAccess = Yes

;Specifies whether the DCPROMO wizard configures DNS for the new domain if it detects that the DNS dynamic update protocol is not available.
AutoConfigDNS = Yes

;Specifies whether the replica is also a global catalog.
ConfirmGc = Yes

;Specifies whether the promotion operation performs only critical replication and then continues, skipping the noncritical (and potentially lengthy) portion of replication.
CriticalReplicationOnly = No

;Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain database.
DatabasePath = %SYSTEMROOT%\Data

;Specifies whether to disable the Cancel button during a DNS installation.
DisableCancelForDnsInstall = Yes

;Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain log files.
LogPath = %SYSTEMROOT%\Logs

;Specifies whether to restart the computer upon successful completion.
RebootOnSuccess = Yes

;Specifies the DNS domain name of the domain to replicate.
ReplicaDomainDNSName = 1234testdomain.com

;Specifies whether to install a new domain controller as the first domain controller in a new directory service domain or to install it as a replica directory service domain controller.
ReplicaOrNewDomain = Replica

;Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer.
SysVolPath = %SYSTEMDRIVE%\Sysvol

;Specifies the domain name for the user name (account credentials) used for promoting the member server to a domain controller.
UserDomain = 1234testdomain.com

;Specifies the user name (account credentials) used for promoting the member server to a domain controller.
UserName = administrator

This email and any attached files are confidential and copyright protected. If you
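An answer file like the one Brad posted is handed to dcpromo /answer and applied without a wizard to catch mistakes, so it pays to lint it first. The Python below is an added example (not from the thread and not a Microsoft tool): it parses the INI-style [DCInstall] section the file itself uses, flags a mistyped environment reference in a path (the sample deliberately carries `$SYSTEMROOT%\Logs` in place of `%SYSTEMROOT%\Logs`, the kind of slip that ends up as a literal directory name), warns when a plaintext Password or SafeModeAdminPassword is stored in the file, checks that a Replica promotion names its domain and credentials, and points out AllowAnonymousAccess = Yes, which the file's own comment describes as pre-Windows 2000 server compatibility. The sample is constructed from the settings posted above; the key names are the real [DCInstall] keys, and the asterisk convention for Password follows the dcpromo reference in ref.chm.

```python
# Added example (not from the thread): a small checker for dcpromo answer files.
# It parses the [DCInstall] section and reports settings worth a second look
# before the file is handed to dcpromo /answer.  The sample file is constructed
# from the settings posted in the thread, with one mistyped path on purpose.
import re

ENV_REF = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")
# Real [DCInstall] keys that hold secrets; an asterisk makes dcpromo prompt instead.
CREDENTIAL_KEYS = {"password", "safemodeadminpassword"}


def parse_answer_file(text):
    """Parse the INI-style file into {section: {key: value}}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current][key.strip()] = value.strip()
    return sections


def lint_answer_file(text):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    sections = parse_answer_file(text)
    if "DCInstall" not in sections:
        return ["no [DCInstall] section: dcpromo /answer will ignore this file"]
    settings = sections["DCInstall"]
    lower = {k.lower(): (k, v) for k, v in settings.items()}

    # A malformed %VAR% reference is not expanded; it survives into the path literally.
    for key, value in settings.items():
        leftover = ENV_REF.sub("", value)
        if "%" in leftover or "$" in leftover:
            findings.append(f"{key}: malformed environment reference in '{value}'")

    # Plaintext credentials in an unattend file travel with the install media.
    for name, (key, value) in lower.items():
        if name in CREDENTIAL_KEYS and value and value != "*":
            findings.append(f"{key}: plaintext credential present; use '*' to be prompted instead")

    # A replica needs the domain to join and the account allowed to promote.
    if lower.get("replicaornewdomain", ("", ""))[1].lower() == "replica":
        for needed in ("replicadomaindnsname", "userdomain", "username"):
            if needed not in lower:
                findings.append(f"{needed}: required for ReplicaOrNewDomain = Replica")

    if lower.get("allowanonymousaccess", ("", ""))[1].lower() == "yes":
        findings.append("AllowAnonymousAccess = Yes: permissions compatible with pre-Windows 2000 "
                        "servers; keep only if legacy servers still need it")
    return findings


POSTED_FILE = r"""
;Constructed from the answer file in the thread (comments trimmed, one path mistyped).
[DCInstall]
AllowAnonymousAccess = Yes
AutoConfigDNS = Yes
ConfirmGc = Yes
CriticalReplicationOnly = No
DatabasePath = %SYSTEMROOT%\Data
DisableCancelForDnsInstall = Yes
LogPath = $SYSTEMROOT%\Logs
RebootOnSuccess = Yes
ReplicaDomainDNSName = 1234testdomain.com
ReplicaOrNewDomain = Replica
SysVolPath = %SYSTEMDRIVE%\Sysvol
UserDomain = 1234testdomain.com
UserName = administrator
"""

if __name__ == "__main__":
    for finding in lint_answer_file(POSTED_FILE):
        print("FINDING:", finding)
```

Note that the checker does nothing about the DNS question itself; as Brian says, the DNS service has to be installed through the optional-components mechanism before dcpromo can configure it, and no [DCInstall] key changes that for a replica.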

RE: [ActiveDir] Replicating AD

2005-08-02 Thread Dan Holme

OK I took some time to gather my scripts. I was concerned that all the advice to use LDIFDE would leave you lacking, since the command takes some tweaking to make it useful. You don't want to export all properties from a production AD, as importing them can be painful.

So please go to http://intelliem.editme.com/scripting and click the last link. You'll find scripts that will export

OUS
COMPUTERS
USERS
GROUPS

Using LDIFDE

And

SITES
SUBNETS
SITE LINKS
SERVERS

Using VBScript

Enjoy and please provide feedback to dan dot holme at intelliem dot com.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, August 02, 2005 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replicating AD

I'm trying to setup a test AD that's identical to the production AD with the same OU structure and user accounts. I'd like to avoid having to manually create them by hopefully finding a tool that would import all those objects. Does any one know of such a tool?

Antonio
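Dan's point that a raw LDIFDE export "takes some tweaking" before it imports is worth making concrete. The Python below is an added example (not the scripts from Dan's wiki link): it parses an LDIF export, unfolding continuation lines and keeping base64 (`::`) values intact, drops the attributes a DC generates itself and would reject or recompute on import (objectGUID, objectSid, uSN*, when*, memberOf and friends), and rewrites the domain suffix in every DN-valued attribute so a production export can be imported into a lab domain with a different name. The sample LDIF, the drop list and the list of DN-valued attributes are constructed; extend both lists for your schema.

```python
# Added example (not the scripts from the thread's wiki link): trim an ldifde
# export so that it imports cleanly into a lab forest.  It drops the attributes a
# DC generates itself and rewrites the domain suffix of every DN so that a
# production export can land in a differently named test domain.  The sample
# LDIF and the attribute lists are constructed; extend them for your schema.
import base64

# Operational / back-link attributes that an import either rejects or recomputes.
DROP_ATTRIBUTES = {
    "objectguid", "objectsid", "usncreated", "usnchanged", "whencreated",
    "whenchanged", "dscorepropagationdata", "instancetype", "distinguishedname",
    "name", "memberof", "primarygroupid", "samaccounttype", "lastlogon",
    "lastlogontimestamp", "logoncount", "badpwdcount", "badpasswordtime",
    "pwdlastset", "objectcategory",
}
# Attributes whose values are DNs and therefore need the suffix rewrite.
DN_ATTRIBUTES = {"dn", "member", "manager", "managedby"}


def parse_ldif(text):
    """Split LDIF into records of (attribute, value, is_base64), unfolding continuation lines."""
    records, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current:          # folded continuation of the previous line
            name, value, b64 = current[-1]
            current[-1] = (name, value + raw[1:], b64)
            continue
        if raw.strip() == "":                        # blank line ends a record
            if current:
                records.append(current)
                current = []
            continue
        name, _, rest = raw.partition(":")
        b64 = rest.startswith(":")                   # "attr:: <base64>"
        current.append((name, (rest[1:] if b64 else rest).strip(), b64))
    return records


def rewrite_dn(dn, old_suffix, new_suffix):
    """Replace the trailing domain components of a DN, case-insensitively."""
    if dn.lower().endswith(old_suffix.lower()):
        return dn[: len(dn) - len(old_suffix)] + new_suffix
    return dn


def sanitize_ldif(text, old_suffix, new_suffix, drop=DROP_ATTRIBUTES):
    """Return importable LDIF: system attributes removed, DN suffixes rewritten."""
    out = []
    for record in parse_ldif(text):
        lines = []
        for name, value, b64 in record:
            key = name.lower()
            if key in drop:
                continue
            if key in DN_ATTRIBUTES:
                if b64:                              # DNs with non-ASCII characters are base64 in LDIF
                    value = base64.b64decode(value).decode("utf-8")
                value = rewrite_dn(value, old_suffix, new_suffix)
                b64 = not value.isascii()
                if b64:
                    value = base64.b64encode(value.encode("utf-8")).decode("ascii")
            lines.append(f"{name}:: {value}" if b64 else f"{name}: {value}")
        out.append("\n".join(lines))
    return "\n\n".join(out) + "\n"


# Constructed sample of what ldifde -f export.ldf produces for a user and a group.
SAMPLE_EXPORT = """\
dn: CN=Jane Doe,OU=Users,OU=EUR,DC=windomain,DC=local
changetype: add
objectClass: user
cn: Jane Doe
sAMAccountName: jdoe
displayName: Jane Doe
objectGUID:: 3kbnKxYjS0aGLSfcfJzEUA==
uSNCreated: 12345
whenCreated: 20050802094800.0Z
memberOf: CN=Engineers,OU=Groups,OU=EUR,DC=windomain,DC=local
description: Long description that the export
  folded onto a second line
userAccountControl: 512

dn: CN=Engineers,OU=Groups,OU=EUR,DC=windomain,DC=local
changetype: add
objectClass: group
cn: Engineers
sAMAccountName: Engineers
member: CN=Jane Doe,OU=Users,OU=EUR,DC=windomain,DC=local
objectSid:: AQUAAAAAAAUVAAAAZ3h0SjRBZXRrZnVIUQQCAA==
"""

if __name__ == "__main__":
    print(sanitize_ldif(SAMPLE_EXPORT, "DC=windomain,DC=local", "DC=lab,DC=local"))
```

ldifde's own `-o` switch can omit attributes at export time; the post-processing above is for an export you already have, and the DN rewrite is something `-o` cannot do. Passwords are never in the export, so imported users arrive without one, which is the right outcome for a lab built from production data.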










RE: [ActiveDir] copy or migrating local to domain accounts

2005-08-02 Thread Dan Holme

And for #4, use SUBINACL from MS. Note, though, that this tool has been revised since its ResKit release, so get the newest version.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL P
ROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, August 02, 2005 1:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] copy or migrating local to domain accounts

How good are your scripting skills?

1) Dump the passwords from the local server using pwdump3e

2) Crack all the passwords using rainbow crack or l0phtcrack or whatever

3) Script the creation of the users in the domain setting those passwords you cracked

Pretty easy. (And if you already know all the passwords, you can skip items 1 and 2 -- "net users" will list your local users and you can use dsadd to add them to the domain!)

For extra credit:

4) Scan the filesystem finding all files with ACLs including the above users, write the filenames and ACLs to a file and after you've promoted the users and joined the domain, go back and re-ACL the files.

That's a little harder.

:-)

I've promoted web servers to a domain this way several times.

The real question is why does a local user no longer meet the needs on the local server?

M

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, August 02, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] copy or migrating local to domain accounts

I think that I already know the answer to the question, but I will ask anyways. I have a test box (server) that is a stand-alone. I need to add it to a domain, but I have a lot of local users on this box. Is there any way to move, copy, or migrate the user accounts to the domain level?

Thanks

Lazy.. J


RE: [ActiveDir] OT and silly

2005-08-01 Thread Dan Holme
Wait until the person who is in charge of the MS Word numbered list
feature is walking beneath your window, please.

Dan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, August 01, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT and silly

Ok, I'm trying to install office 2k on a winxp sp2 box and I keep
getting the windows file protection warning to insert the winxp sp 2 cd.
This drives me nuts because
A. I only have a winxp sp1 cd which I installed the os with and later
downloaded sp2.

B. It doesn't let you browse to a share or local folder, it only wants a
cd.

Is there anyway to get around this?
I don't have a cd burner right now, so I can't extract sp2 and burn it.

Also, I may throw this pc out the window if I can't find a solution to
this issue.

Thanks a lot!
--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT and silly

2005-08-01 Thread Dan Holme
Actually, as a serious answer, I just created an 'image' for a client
with O2K on an XP machine and I did NOT get this problem.

What you might try is installing from a patched admin share of O2K.  I
suggest this only b/c that's what we did and did not encounter the
problem.

I'd be happy to cut your time in creating this share (I have one ready
to go) but we'd need to make sure it's the edition you want, and
obviously would need to use your product key.

Email or call me directly if you'd like to go this route.

Dan Holme
602.943.8346
Dan dot holme at Intelliem dot com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, August 01, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT and silly

Ok, I'm trying to install office 2k on a winxp sp2 box and I keep
getting the windows file protection warning to insert the winxp sp 2 cd.
This drives me nuts because
A. I only have a winxp sp1 cd which I installed the os with and later
downloaded sp2.

B. It doesn't let you browse to a share or local folder, it only wants a
cd.

Is there anyway to get around this?
I don't have a cd burner right now, so I can't extract sp2 and burn it.

Also, I may throw this pc out the window if I can't find a solution to
this issue.

Thanks a lot!
--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)



RE: [ActiveDir] Add domain user to local group?

2005-07-27 Thread Dan Holme
I put a script on my WIKI that may be a big help for you
http://intelliem.editme.com/vbsadmingroupstartup



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, July 27, 2005 12:07 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add domain user to local group?

better exists use the restricted groups feature of a GPO where you
can dictate who the MEMBERS are of a group or where you can define to
which group a user or a group is a MEMBER OF
 
Works great!
 
Cheers
#JORGE#



From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Wed 7/27/2005 9:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Add domain user to local group?



Is there a vb script out there that I can run in a GPO to add a domain
user to the 'Administrators' group on every local PC's in a domain?

 

Sorta like this:

http://www.microsoft.com/technet/scriptcenter/scripts/ad/groups/adgpvb03
.mspx 

 

Devon Harding

Windows Systems Engineer

Southern Wine  Spirits - BSG

954-602-2469

 



__
This message and any attachments are solely for the intended recipient
and may contain confidential or privileged information. If you are not
the intended recipient, any disclosure, copying, use or distribution of
the information included in the message and any attachments is
prohibited. If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this
message and any attachments. Thank You. 



This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.


RE: [ActiveDir] generating signatures and remote desktop

2005-07-26 Thread Dan Holme

This may not be authoritative, I'm not at my system right now, but

1) Computer Configuration / Admin Templates / Windows Components / Terminal Services / Allow users to connect remotely using Terminal Services

a. My recollection is that this will enable RD on clients. 90% sure.

2) My recollection is that this is one of the many core features of MS Office that isn't as easy as it should be, 10 years into the product suite. Check the O2K3 Resource Kit on MS's web site. It's possible that you can use an Office Profile Settings (OPS) file to distribute the signature, or an .oft. But I'm not sure.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jakobsson
Sent: Thursday, July 21, 2005 6:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] generating signatures and remote desktop

hi all!

2 questions for you

1. is there a way to generate and distribute signatures for outlook 2003?

2. how do i enable remote desktop at my clients, i can't seem to find that specific gpo?

regards jake


RE: [ActiveDir] Redirecting PC's into the proper OU

2005-07-26 Thread Dan Holme

There are two additional options for you:

1) If you are sysprepping your machines (or using an unattended answer file) XP supports a new parameter, MachineObjectOU, which you can put into the script.

2) *** I HAVE POSTED A CUSTOM TOOL *** that you can use. It's raw but quite functional and easy to tweak to your needs: http://intelliem.editme.com/depjoindomain

Enjoy

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, July 22, 2005 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Redirecting PC's into the proper OU

You can change the default location (with redircomp), but it's a default, not something that can be unique per computer. If you want to be able to create computer accounts in varying OU's then it's something you'll either have to script (such as with netdom /join /ou) or you could pre-create the accounts in the proper OU's. Or you can be stuck doing it manually. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of P West
Sent: Friday, July 22, 2005 1:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Redirecting PC's into the proper OU

I know you can redirect computer account to a specified OU, using redircomp. But what if you have multiple Ou's and want the pc to be added to the proper OU with some sort of logic.

Does this not exist or is this something that would need to be scripted? Am I stuck doing this manually?

Thanks

P west


RE: [ActiveDir] Logon script with Admin rights **Work Around**

2005-07-26 Thread Dan Holme
I would check your assumption that users won't be able to see the batch
file just because it's running as part of a GPO  Have you
ever dug through a SYSVOL share?  You can see a lot more than you would
think.

Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, July 21, 2005 7:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights **Work Around**

Joe, you're absolutely correct.  I'm going to look for a vbscript course
as soon as possible.  If anyone has any recommendation, lemme know.

As for the admin rights script, I worked around it by first putting it
in GPO, then used the 'runas' command along with a freeware program
called 'sanur' which piped the password back into the runas command.
And since this is being run through GPO, the batch file was not visible
to the end user.  The end result was this:

runas /u:domain\admin \\SERVER1\SDLIB$\INSTALL.EXE |
\\SERVER1\SDLIB$\sanur password

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, July 20, 2005 10:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights

This is the kind of thing why you hire in admins with scripting capabilities or encourage your admins to learn how to script or set up a tool group to write scripts for everyone.

A long time ago in a galaxy far far away I worked at a very large company on NT4 stuff. We used SMS but found it to be so crappy (It was like SMS 1.2 or something like that) that it could barely properly deliver a menu pick so we sat down for a month and wrote a software delivery system for NT from perl. It wasn't completely original, the client integration group had done something similar with I think C for Win9x. We just took the idea and expanded it to NT. Basically the perl script would read a null share read only file share to find out what needed to be delivered to a specific machine and then went to another share with a copy of the software package to install and ran the install batch file (this could easily be keyed by AD/AM or AD attributes now to keep the info together, didn't have that option with NT4).

You could compile this and make it into a service or you could use srvany to make it run as a perl script directly as a service. The package was a simple batch file that had all the commands that needed to be run and it logged everything to another share on the server so it was all recorded. There was a simple web interface to queue up jobs, it simply listed what could be deployed and listed which machines to deploy to, you could also manually type in the machine. In the end I believe we could specify it by user as well if we wanted. The packages themselves were usually broken out of their native install packets and broken into reg updates and file updates, however we had several that were native installshield packages and we had made a few installshield packages as well. When the request went into the web system, it would record that it was queued and would warn the software inventory system so we could track it later that way too. It ran in whatever context the service ran in or it could be fired as a logon script as well to run as users.

If you don't want to pay for something because it sucks or because it just doesn't do things in a way that suits your model, writing a simple scripted tool to do this stuff usually isn't rocket science. It is much easier to build a simple system for yourself than it is to build a generic system that would work for anyone. So people who look at say an SMS and say, we couldn't build something like that are right. You can't. But you could build something you can use that will be tailored to you and probably more to your liking. You just have to continue to support it.

That support part scares people too. However I have written many scripts back in the 90's that are still used daily today. I just chatted with some friends about some scripts I wrote back in 2001 or so that were supposed to be short term scripts until a better solution came along and they have run so well, they became the solution.

If you aren't a scripter, become one. It can really help. I recommend perl, it hasn't done me wrong. The difficult it makes easy, the impossible it simply makes difficult.

Oh, another thing to look at is CPAU on www.joeware.net. It is like runas but will let you encode (and I mean encode, not encrypt) a JOB file with a userid and password so that you can run it in a logon script and get enhanced rights. Make sure you read up on the use of the -profile switch when using it that way. It was designed to give you network credentials by default, I always hated typing /NETONLY in runas when I wrote it and one of the big reasons I wrote it. I got pinged by Novell some time ago because they wanted to list this tool in their useful tools for admins section of some 
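Dan's point about SYSVOL is the one worth checking for yourself: every domain member can read the scripts folder, so a password piped into runas or encoded into a CPAU job file is readable by every user. The following is an added example, not code from the thread, of a read-only audit that walks the SYSVOL scripts folder and reports scripts that carry credentials in the way the workaround above does. The share path and the regular expressions are assumptions to tune for your own environment.

```powershell
# Added example, not from the thread: a read-only audit that walks the SYSVOL scripts
# folder and flags logon/startup scripts carrying credentials, such as the
# "runas ... | sanur password" construction above, net use with an inline password,
# or CPAU/psexec -p switches. Path and patterns are assumptions to tune locally.
param(
    [string]$ScriptsRoot = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\scripts"
)

# Finding name -> regex. -match is case-insensitive in PowerShell, so no (?i) needed.
$Patterns = [ordered]@{
    'password piped into runas'      = 'runas\b.*\|.*\bsanur\b\s+\S+'
    'net use with inline password'   = '\bnet\s+use\b.*/user:\S+\s+(?![*/])\S+'
    'cpau or psexec -p password'     = '\b(cpau|psexec)(\.exe)?\b.*\s-p\s+\S+'
    'hard-coded password assignment' = '\b(pass(word)?|pwd)\s*=\s*\S+'
}

function Find-ScriptCredentials {
    param([string]$Root = $ScriptsRoot)
    $files = Get-ChildItem -Path $Root -Recurse -File -Include *.bat, *.cmd, *.vbs, *.ps1, *.job
    $hits = foreach ($file in $files) {
        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $file.FullName) {
            $lineNo++
            foreach ($finding in $Patterns.Keys) {
                if ($line -match $Patterns[$finding]) {
                    [pscustomobject]@{
                        File    = $file.FullName
                        Line    = $lineNo
                        Finding = $finding
                        # The report must not leak the secret: blank the token that follows
                        # the credential switch, the sanur helper, or the assignment.
                        Snippet = ($line -replace '(?<=(/user:\S+|\bsanur|\s-p)\s+|(pass(word)?|pwd)\s*=\s*)\S+', '<REDACTED>')
                    }
                }
            }
        }
    }
    return $hits
}

Find-ScriptCredentials | Sort-Object File, Line | Format-Table -AutoSize
```

The report redacts the token after the credential switch on purpose, so that the audit output does not become a second copy of the password. A hit is the cue to replace the script with a mechanism that does not need a readable secret, such as the MSI-based software installation and elevated-context options discussed later in this thread.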

RE: [ActiveDir] Default Domain

2005-07-20 Thread Dan Holme
REG ADD has a disadvantage b/c it runs every time (thus adding to
startup delay) but of course has one big advantage... it runs every
time.  Unless you configure the registry client side extension
otherwise, it doesn't refresh (b/c the GPO itself hasn't changed)... so
you could still have a user from another domain change the domain, then
the next user is logging on to the wrong domain... A startup script is
useful to enforce that setting.

However, I agree that educating users to log on with the upn is a much
more viable answer for multidomain environments... I would try to aim
for that.

Dan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, July 19, 2005 3:37 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Default Domain

We are using a startup script that has two reg add commands

reg add HKLM\software\microsoft\windows nt\currentversion\winlogon /v
altdefaultdomainname /t REG_SZ  /d DOMAINAME /f

reg add HKLM\software\microsoft\windows nt\currentversion\winlogon /v
defaultdomainname /t REG_SZ  /d DOMAINAME /f

This has worked very well for us during and post migration.  Most of our users came from small NT domains and we only finished the 1000 NT domains to 9 AD domains over the last 6 months.  Where this does not work is if I choose to logon, then hit escape - for some reason when I hit ctrl alt del the second time the last domain I logged into shows up instead of the specified DOMAINAME above.  This might have been specific to one machine or may be a problem with one of the entries - I only saw it the once and have not had time to go back and investigate.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
[EMAIL PROTECTED]

From: Grillenmeier, Guido [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 07/19/2005 11:59 PM ZE2
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Default Domain
Please respond to ActiveDir

got ya - makes sense in this case.

however, you could also educate users to logon via UPN thus not
requiring the selection of a domain at all, regardless of the
domain-affiliation of the PC used during logon...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Dienstag, 19. Juli 2005 23:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain

I am actually thinking of using it since I have 7 domains in one forest,
if someone from a different domain uses someones computer, on reboot the
domain that is selected in the drop down list is the proper domain for
that computer.  Similar to when my helpdesk people login to the local
machine, the user doesn't try to then login to the local machine using
their domain username, hence reducing phone calls to the helpdesk.

Justin A. Salandra
MCSE Windows 2000  2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Tuesday, July 19, 2005 5:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain

should work just like setting any other registry key on the client.

The question is, if you really need it/want it. Most computer migration
tools can set that value during the migration of the PC from source to
target.  But you might very well not want to change this value at the
time of the computer-migration = you'll typically want to change it
during migration/activation of the user accounts.  This is often not
done at the same time, so changing the value via GPO with the computer
migration could actually be counter-productive.

Further, it's not enough if you're implementing a new naming convention for user-accounts or simply need to change logon-names due to duplicates during a domain-migration that consolidates multiple source domains to one AD domain.  In this case you'll not only want to generically update the DefaultDomainName value to help your users, but at the same time you might want to update the DefaultUserName value with the new accountname for the target domain. Hardly doable with a GPO - I typically do this with custom scripts triggered centrally during account activation (quite independently from the computer migration).

But nothing goes over educating your users about the changes in the infrastructure and specifically those related to their domain logon - otherwise 
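The two reg add commands in James's startup script, as an added example rather than code from the thread, rewritten so that the script still runs at every boot (Dan's reason for preferring a startup script over the registry client side extension) but only writes when a value is actually wrong. The key path and value names are the ones from the original post; DOMAINAME is the post's placeholder, and the log file location is an assumption.

```powershell
# Added example, not from the thread. Startup-script form of the two reg add commands
# above that writes only when a value is wrong, so the "runs every time" cost is a
# registry read rather than a write, while a value changed by a user from another
# domain is still put back at next boot. DOMAINAME is the placeholder used in the
# original post; substitute your NetBIOS domain name. Runs as SYSTEM under a
# computer startup script, which is what gives it write access to HKLM.
$WinlogonKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$WantedDomain = 'DOMAINAME'

function Set-DefaultLogonDomain {
    param([string]$Domain = $WantedDomain)
    $changes = @()
    foreach ($name in 'DefaultDomainName', 'AltDefaultDomainName') {
        # A missing value comes back as $null, which also counts as "needs setting".
        $current = (Get-ItemProperty -Path $WinlogonKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $Domain) {       # string -ne is case-insensitive in PowerShell
            Set-ItemProperty -Path $WinlogonKey -Name $name -Value $Domain -Type String
            $changes += "$name changed from '$current' to '$Domain'"
        }
    }
    return $changes
}

$changed = Set-DefaultLogonDomain
if ($changed) {
    # Leave a trace for troubleshooting the "wrong domain shows up" case James describes.
    $changed | Out-File -FilePath "$env:windir\Temp\DefaultDomain.log" -Append
}
```

Assign it as a computer startup script in the GPO that covers the migrated workstations. The log line written only on change makes it easy to see which machines keep drifting, which is usually a user from another domain logging on, the case both Dan and Guido mention; teaching those users to log on with their UPN removes the drift altogether.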

RE: [ActiveDir] OT: Roaming profiles and XP themes

2005-07-20 Thread Dan Holme
I'm not clear... do you want the 'classic' look or the 'xp' look for all
users?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Stanford
Sent: Wednesday, July 20, 2005 12:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Roaming profiles and XP themes


We are just about to migrate over to Server 2003 from 2000, and in our
test set up, when newly created users with roaming profiles log into an
XP station, they get a modified desktop theme, instead of the default XP
teletubbies one - it has the classic task bar and start menu.  This
doesn't happen if I create a user with a local profile.  I know this is
going to fox some users - does anyone know how to stop it?

TIA,
Dan
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] converting .exe to .msi

2005-07-20 Thread Dan Holme

See the CURRENT thread, "Logon Script with Admin Rights", as it is very relevant to your issue.

WinInstall LE is a great, free tool. www.ondemandsoftware.com



Well, I take that back... Just checked my URL and now it's $50... still far from steep.

http://www.ondemandsoftware.com/PurchaseLE.asp



Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Senthil Kumar
Sent: Wednesday, July 20, 2005 7:39 AM
To: Active directory group
Subject: [ActiveDir] converting .exe to .msi

Dear all,

I have an installation program which is based on setup.exe. I want to convert it to an .msi-based program so that I can implement it through group policy. I want to know through which program I can convert an .exe-based program to an .msi-based program.

Thanks in advance.

Regards,

K.SENTHIL KUMAR

__
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

RE: [ActiveDir] Delegation of privilege

2005-07-19 Thread Dan Holme

This may be a rotten answer or a perfect answer... Check out TWEAKUI for Windows XP. Its ACCESS CONTROL section gives you UI ability to change very specific activities' permissions, e.g. creating a share, etc. You might try it (in a lab first, of course) as far as how it works on 2003 for the specific things you are trying to accomplish. Because the Access Control will be server (in your case, DC) specific, it might just work. I've NOT tried it but I think it'd be worth a shot.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Monday, July 18, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation of privilege

Hi Yann,

You could grant your user those privileges that are listed as User Rights, by applying a corresponding Group Policy Object to only one DC. However, this is probably not enough for you. For example, you cannot grant a privilege to format hard drives or share folders this way.

Yours, Sakari

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, July 18, 2005 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegation of privilege

Hello AD Gurus :)

I would like to give to one of my users server operator privilege on only one DC, and not the whole DCs of my AD 2003.

I know that DCs do not have SAM locally, and the only way to give this privilege is to use the Built-in Groups in the Built-in Container. But doing this allows my user to be server op for all DCs in my domain.

The purpose of my question is:

= to give one user the privilege to fully manage *only one* DC with server operator privilege, without having the right to use MMCs such as ADUC, Schema, dssite, replmon, repadmin commands.

Is this possible?

Thanks for input.

Cheers,

Yann

RE: [ActiveDir] User with LDAP userPassword permissions

2005-07-19 Thread Dan Holme

I didn't see any responses to this... don't know if I missed an answer, but you should be able to ACL the Write permission to the userPassword property to any account you want, and you're right to do it to a limited account, although I'd be concerned about ANY code that could be accessed and leveraged to change passwords... but that's a security discussion, not a delegation discussion.

What's the actual PROBLEM? Is it the delegation or how to do it? I've not dealt with that attribute recently, but I might have the piece (that most people miss) for you. Hopefully this is the answer:

You need to expose the permissions for that property in order to delegate them. There are LOTS of properties of a user (and other objects) that are hidden to keep the ACL Editor clean.

On the machine FROM WHICH YOU ADMINISTER, open Notepad and open %windir%\system32\dssec.dat
Find the section [user].
Find the line userPassword=7. Delete it. (The =7 hides the permissions for this property in the ACL editor.)
Restart AD Users & Computers.

In ADUC, View > Advanced Features.
Right-click the OU that contains the users for whom you want this PHP app to set the passwords.
Security > Advanced > Add
Specify the account (or a group containing the account) used by the PHP app.
In the dialog box, click the PROPERTIES tab.
In the drop down list, choose USER OBJECTS.
Scroll down and you'll find Write userPassword.

If this doesn't work, or wasn't quite the problem you were having, please reply. In such case, please let us know what domain and forest functional level you're running and if you have SP1 on your W2K3 DCs. It makes a difference, as you might know.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Monday, July 18, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User with LDAP userPassword permissions

Hi,

I'm trying to give an account permission to update the userPassword field via LDAP protocol in PHP. I have it working perfectly using my Admin account. But since that has to be stored in the PHP file I would really like to have an account with much tighter security able to make the modification.

Any ideas?

Thanks,

--

Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+

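Dan's two steps in script form, as an added example that is not code from the thread: one function checks whether dssec.dat on the admin workstation still hides userPassword from the ACL editor, the other grants the PHP app's service account Write-Property on that one attribute for user objects under one OU, which is the least-privilege answer to Matt's problem of an administrative password sitting in the PHP file. The ActiveDirectory module, the OU and the account name are assumptions.

```powershell
# Added example, not from the thread: Dan's procedure in script form. Assumes the
# ActiveDirectory module; the OU and account names are hypothetical.
# Part 1 checks whether dssec.dat on the admin workstation still hides userPassword
# (the "userPassword=7" line). Part 2 grants ONLY Write-Property on userPassword for
# user objects under one OU to the account the PHP app runs as, so the PHP file no
# longer has to hold an administrative password.
Import-Module ActiveDirectory

function Test-DssecHidesAttribute {
    param([string]$Attribute = 'userPassword', [string]$Class = 'user',
          [string]$Path = "$env:windir\system32\dssec.dat")
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq $Class); continue }
        # "<attr>=7" hides that property from the ACL editor; the ACE itself is unaffected.
        if ($inSection -and $line -match "^\s*$Attribute\s*=\s*7\s*$") { return $true }
    }
    return $false
}

function Grant-WriteUserPassword {
    param([Parameter(Mandatory)][string]$OuDn,     # e.g. OU=Students,DC=example,DC=com (hypothetical)
          [Parameter(Mandatory)][string]$Account)  # e.g. EXAMPLE\svc-php-pwreset (hypothetical)
    $schemaDn = (Get-ADRootDSE).schemaNamingContext
    # Resolve GUIDs from the schema rather than hard-coding them; schemaIDGUID is stored as bytes.
    $attrGuid  = [guid](Get-ADObject -SearchBase $schemaDn -Properties schemaIDGUID `
                     -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=userPassword))').schemaIDGUID
    $classGuid = [guid](Get-ADObject -SearchBase $schemaDn -Properties schemaIDGUID `
                     -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))').schemaIDGUID

    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
    # Write-Property on exactly one attribute, inherited by user objects below the OU only.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl

    # Read it back: the ACE should show WriteProperty scoped to the userPassword GUID.
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and $_.ObjectType -eq $attrGuid } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritedObjectType
}

if (Test-DssecHidesAttribute) {
    Write-Warning 'userPassword is hidden in dssec.dat; the ACL editor will not show it, but this script does not need the editor.'
}
Grant-WriteUserPassword -OuDn 'OU=Students,DC=example,DC=com' -Account 'EXAMPLE\svc-php-pwreset'
```

The dssec.dat entry only hides the property in the GUI; the permission is a normal ACE and can be granted and audited without the editor, which is why the read-back at the end looks at the ACL directly. Whether a write to userPassword is then honoured as a password change depends on the forest's dSHeuristics setting (the fUserPwdSupport character) on Windows Server 2003 SP1 and later, which is the functional-level and SP1 detail Dan asks about.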
RE: [ActiveDir] Logon script with Admin rights

2005-07-19 Thread Dan Holme
I don't know what your budget might be, but a couple of my clients use
TQCRunAs by Quimeras (www.quimeras.com) for this kind of thing... this
tool lets you encapsulate a secondary logon, the credentials for that
logon, and a command in an encrypted .exe, which you could then use in a
logon script.  It's not free, but it's not expensive either, and it's a
great way to push things to users that require higher credentials,
without exposing any accounts.

Dan 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, July 19, 2005 8:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights

Al,

One of the problems with the .ZAP format - it only executes the underlying program for install - but cannot be executed with elevated privileges as it is run under the user's context.

.MSI is much better, but is not easy to create them correctly and effectively without some experience and practice.  However, they can be written to install at an elevated context.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Garrett
Sent: Tuesday, July 19, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights

Use the ZAP format.

See KB 231747 below

http://support.microsoft.com/default.aspx?scid=kb;en-us;231747



-Original Message-
From: Harding, Devon [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 19, 2005 7:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights


Unfortunately, this software is not a .msi format.  Can this still be
installed via GPO?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Tuesday, July 19, 2005 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights

 Software installation from GPO works like a charm.

Z.V.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, July 19, 2005 9:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logon script with Admin rights

How can I run a batch file logon script to map a drive and install an
application on a user's PC as an Administrator?  I don't want to expose
the password using 'run as'

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469


-
__
This message and any attachments are solely for the intended recipient
and may contain confidential or privileged information.  If you are not
the intended recipient, any disclosure, copying, use or distribution of
the information included in the message and any attachments is
prohibited. If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this
message and any attachments.  Thank You.



RE: [ActiveDir] DC Backups

2005-07-18 Thread Dan Holme
I'm sure you've figured this out on your own, but just in case, you're
right... AD is part of the system state and even if you CAN back up
NTDS.DIT 'separately' as a file, you shouldn't.  You need the system
state to do any kind of restore operation in Dir Svcs Restore Mode.  

So b/c you can't do anything with it, so you're wasting time, tape, and
who knows what else.  Don't get too caught up in why you can or can't
see it or can or can't (de)select it... 

Instead (something COOL and not publicized enough) -- test your DC
restore process on a 2K3 SP1 machine and check out the LDIF file that
Auth Restore creates for you to help make restoring group memberships
MUCH easier & COOL! <grin> and off the subject, but cool...

Dan Holme
Intelliem


RE: [ActiveDir] OT: File properties

2005-07-14 Thread Dan Holme

That could be it but also CHECK YOUR *SHARE* PERMISSIONS!! That could absolutely and easily be causing this problem. Share Perms must be *FULL CONTROL*... a *MODIFY* (or read, obviously) Share Perm will override NTFS Write Permissions.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, July 14, 2005 9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: File properties

I take that back. The files in the share are inherited. Nothing above that level in the tree is inheriting permissions though.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, July 14, 2005 12:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: File properties

It only seems like inheritance. Nothing is actually set to inherit permissions.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, July 14, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: File properties

you have to go up the tree and set the perms on the source of the inheritance or uncheck inheritance.

-Original Message-
From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: File properties

I feel pretty stupid asking this question because I know it is something very simple that I am overlooking.

I have full control to a file or folder, am the owner, but still can't edit permissions. The buttons are all greyed out. It seems like this just happened, although I could have overlooked it in the past. It seems like everything is explicitly inheriting permissions. Any ideas?

RE: [ActiveDir] Remote Desktop vs. Remote assistance

2005-07-14 Thread Dan Holme
RA is helping a user... by definition, shadowing... You have the
option of allowing control (i.e. move the user's mouse for them)...
Can be controlled by user or set through policy.

RD is getting to my desk while away to put it simply.

They use many identical underlying technologies... Just two different
uses for the technology formerly known as terminal services client.

As a support person, you can drop in on a user and propose to help
them, without them having to email/im/transfer.  This IS done through
GPO.  Look under Computer Configuration \ Administrative Templates.

http://support.microsoft.com/default.aspx?scid=kb;en-us;306496
has local gpo steps but same in AD GPO.

You CANNOT drop in uninvited AND unaccepted to spy on a user using
RA.  The user will always be notified that you are RA'ing in and allowed
to accept/refuse, to my experience.


Dan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, July 14, 2005 10:30 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Remote Desktop vs. Remote assistance

What is the actual diff between RD and RA?

If i RD to a winxp desktop, that allows 1 connection. Can someone Shadow
it or no?

Is there any reason to use one over the other for support? or is RA just
easier/better  because you can share the session and you can see what a
user is doing and interact?



Also, is there a gpo or reg hack that allows me as a Domain Admin to RA
to a user w/o her asking for RA via and email or im or file transfer or
allowing me to log on?

Thanks







RE: [ActiveDir] Remote Desktop vs. Remote assistance

2005-07-14 Thread Dan Holme
http://support.microsoft.com/default.aspx?scid=kb;en-us;301527
Even better.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, July 14, 2005 10:30 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Remote Desktop vs. Remote assistance

What is the actual diff between RD and RA?

If i RD to a winxp desktop, that allows 1 connection. Can someone Shadow
it or no?

Is there any reason to use one over the other for support? or is RA just
easier/better  because you can share the session and you can see what a
user is doing and interact?



Also, is there a gpo or reg hack that allows me as a Domain Admin to RA
to a user w/o her asking for RA via and email or im or file transfer or
allowing me to log on?

Thanks







RE: [ActiveDir] Remote Desktop vs. Remote assistance

2005-07-14 Thread Dan Holme
BOTTOM LINE

I think I know what you're saying and RA *is* the answer.  Set up RA
using GPOs.  IN group policy, you add your Help Desk group as the
HELPERS group that is allowed to OFFER remote assistance:
Computer config\admin templates\system\remote assistance
And specify that they are allowed to remotely control the system.

That's all you need to do.

Now, when a user calls, the help desk says hold on, launches an RA
session to the user's desktop.

The ONLY potential difference from VNC is that the user will get a
little notice that says Dan is wanting to offer remote assistance and
will have to click OK.  At that point the helper can view, no problem.

There is a second confirmation box IF the helper actually launches
control.  But believe me, the messages are clear enough and the help
desk is on the phone anyway, right? So it's not tough to figure out!

It beats having a third party app doing the same thing!  One less
thing to manage (and RA, as part of XP and GPO infrastructure is EASIER
to manage), and one less thing to have to keep up with patches on.


DETAILS

You cannot shadow a ts connection to xp.  Remember how it works on a
server... the user is ts'd to the server; the support person has a
SEPARATE ts to the server and jumps in to the user's ts.  It requires
multiple TS connections and XP doesn't support that.

The ONLY 'shadow' to a THICK client is RA.

If XP is TS'd into a TS, then you can shadow that TS connection (as
described above).

I am working with a high profile client right now and we just 'banished'
VNC on XP systems.  We found its admin logon encryption lacking, in the
version we were using, and, more importantly, it just wasn't necessary.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, July 14, 2005 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance

thanks a lot, rick and dan.

can you shadow a ts connection to xp like on server?

as to the user giving me control, i thought that was just a policy that could be configured, NOT hardwired into the os somehow.
I thought if i was a DA and by default then a local admin on the box, when i RA in, i could overrule that setting somehow since i am in actuality an admin of the box.
I only ask because we use VNC here for some help desk stuff and i wanted to replace it with RA since we are mostly xp on the client but i'm afraid with this asking for help stuff and allowing access, my users would get confused awfully quick.
they don't adapt well to change.

usually, someone here calls them and then says ok, i'm gonna connect to your machine or they might be away and a help desk admin connects to their box.
RA doesn't seem to make this as simple as vnc does, i guess.

I still wonder how as an admin you can be denied RA access to a box or need permission. is it a local system thing?

thanks for all your help and sorry to bore you with my issues.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 14, 2005 1:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance


With Remote Desktop, you are going to take over the machine (in the case of XP) kicking off any logged on person in the act of taking over the machine.  Your access is the same as the credentials in which you login as.

With Remote Access, you need to receive an invitation and the user is not kicked off.  Both of you will see what is on the screen, and initially you have view only access.  The user has to GIVE you control, and can take it back, in the event that you go nuts and attempt to format the drive, delete files, etc.  Not that it would ever happen to you, Tom...  ;-)

Does that help?

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, July 14, 2005 12:30 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Remote Desktop vs. Remote assistance

What is the actual diff between RD and RA?

If i RD to a winxp desktop, that allows 1 connection. Can someone Shadow it or no?

Is there any reason to use one over the other for support? or is RA just easier/better because you can share the session and you can see what a user is doing and interact?

Also, is there a gpo or reg hack that allows me as a Domain Admin to RA to a user w/o her asking for RA via an email or im or file transfer or allowing me to log on?

Thanks
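Before retiring a third-party tool in favour of RA, as Dan describes doing, it pays to verify what the Offer Remote Assistance policy actually delivered to each client: which helper group can drop in, and whether it gets view-only or control. The following is an added example, not code from the thread, that reads those settings back from the policy area of the registry. The value names are the ones the Remote Assistance administrative template writes under the path Dan gives; the computer names are constructed placeholders, and remote reads need the Remote Registry service reachable on the target.

```powershell
# Added example, not from the thread: read back what the Offer Remote Assistance
# policy described above actually landed on a client, so you can verify who may drop
# in and whether they get view-only or full control before retiring a tool like VNC.
# The registry values are the ones the Remote Assistance ADM template writes under
# Computer Configuration\Administrative Templates\System\Remote Assistance; the helper
# group names in any output are whatever your policy holds.
$RaPolicyPath = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RemoteAssistancePolicy {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hive.OpenSubKey($RaPolicyPath)
    if (-not $key) {
        # No policy key at all: RA is governed by the local System Properties settings.
        return [pscustomobject]@{ Computer = $ComputerName; PolicyApplied = $false }
    }
    # The helpers list lives in the RAUnsolicit subkey, one value per group or user.
    $helpers = @()
    $helperKey = $key.OpenSubKey('RAUnsolicit')
    if ($helperKey) { $helpers = @($helperKey.GetValueNames() | ForEach-Object { $helperKey.GetValue($_) }) }

    [pscustomobject]@{
        Computer         = $ComputerName
        PolicyApplied    = $true
        OfferAllowed     = ($key.GetValue('fAllowUnsolicited') -eq 1)            # helpers may offer RA
        OfferFullControl = ($key.GetValue('fAllowUnsolicitedFullControl') -eq 1) # ... and request control
        SolicitAllowed   = ($key.GetValue('fAllowToGetHelp') -eq 1)              # users may send invitations
        Helpers          = ($helpers -join '; ')
    }
}

# Audit a list of machines; the names here are constructed placeholders.
'WKS-001', 'WKS-002' | ForEach-Object {
    $name = $_
    try { Get-RemoteAssistancePolicy -ComputerName $name }
    catch { [pscustomobject]@{ Computer = $name; PolicyApplied = $null; Error = $_.Exception.Message } }
} | Format-Table -AutoSize
```

A machine showing OfferAllowed true with a Helpers list wider than the help desk group is the finding to act on: the user still gets the accept prompt Dan describes, but the set of people who can raise that prompt should be exactly the group the GPO was meant to name.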






RE: [ActiveDir] Keep existing attributes from users restored.

2005-07-12 Thread Dan Holme

I'm curious, Al, as to what you mean about .NET not handling group memberships well... do you mind elaborating on that (can be a separate thread)?

Thanks!

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 12, 2005 8:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.

As Al indicated... interesting thread, my comments...

1. I don't see the reason not to do this. I like it and think it is a good idea. The point I would start to reconsider is if you do a lot of deleting and creating, say in a test lab, this may make your DIT grow out of control. Also if you have an excessively long TSL it may not be optimum as well. Otherwise, I think this is extremely useful and MUCH easier than following the auth restore processes which are, frankly IMO, rather involved for what it is. That is why people are willing to shell out so much money for third party products. I agree this should be a very rare thing to do, but if you would be willing to do an auth restore to get something back, I think being willing to do this first makes more sense.

2. As Guido mentioned, this doesn't work for everything. Be aware of what it does and doesn't work for PRIOR to hoping it saves your butt on something. For the things that it doesn't work for, it shouldn't be too terribly hard to set up an AD/AM instance or a DB to maintain the info you want repopulated. The really hard things are like objectSID, ObjectGUID, sIDHistory, etc as you can't easily put those back into place.

3. I am with ~Eric and I don't see where password is being kept. I have also been over that section of the source and don't recall anything with passwords. It also doesn't appear the password attributes are marked in the schema either. Are we sure passwords are being kept? I admit to not trying it. I really haven't done much with SP1 yet due to the Virtual Server guest bits blunder. The docs I have seen mention sIDHistory but not the password attributes (there are several password attributes that would need to be saved).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, July 12, 2005 9:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.

Interesting thread. I've always been a fan of keeping the information separate for this situation. I need the sid in order to allow the user to access the resources he had prior to accidental deletion (that's another thread :) but otherwise, I wouldn't want the password for a user I restored. That would be very dangerous in my mind as it could allow a rogue admin (yet another thread, right?) access to resources that purposefully deleted users had, and they'd be able to do so in a relatively covert manner. They'd be hard to track for sure.

Additionally, restoring the user to groups could be a nightmare. I'd prefer to keep that information in a separate off-line format (text file? db?) where I can report against it and use it to breathe life into a reanimated user should the need absolutely arise.

I'm a huge fan of setting up process to do as much as possible to prevent the accidental deletion of users at every turn. My thoughts are that those shops with the wherewithal to set the schema mods aren't the ones that need an undelete in most cases, but good processes are always a good idea.

Still, the odd accident can occur. I realize that. Now I'm just not sure that taking the time to practice against such a thing is worth the effort of practicing this on a regular basis to make sure you don't mess it up. Besides, you'll have to restore the other information anyway, so you may as well get what's absolutely needed (sidHistory should be in that list IMHO) but plan to get other information (fax #? Phone #, group information, nickname, petname, etc.) separately. To try and hold it in deleted items would be more of a PITA due to replication than it would be to store it out of band for other uses.

My $0.04 (USD) anyway.

Al

P.S. If you use .NET to write an app to suck the data out to an off-line storage medium, be aware that it doesn't natively handle group membership very well. Trust me, that's important ;)

From: [EMAIL PROTECTED] on behalf of Dean Wells
Sent: Mon 7/11/2005 5:36 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Keep existing attributes from users restored.

No.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 11, 2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.

thanks for the useful information, Eric. You've

[ActiveDir] DSQUERY DSGET provide inconsistent results - help

2005-07-11 Thread Dan Holme

A client is using DSQUERY to dump a list of the Domain Admins group every 15 minutes or so. They're finding that it misses some members; they'll be there in one query, gone the next, then reappear. Has anyone seen this behavior with this command?

dsquery group -name %GRP% | dsget group -members

We're going to look at ADFind or just VBS to solve the problem too!!

Thanks!

Dan

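The polling the client describes, written up as an added example in Python (not from the post): it parses constructed dsget output and diffs successive polls of a privileged group, reporting an unapproved member the moment it appears but counting a member that disappears and returns within a couple of polls as query flapping rather than a removal. The DNs, the approved list and the confirmation window are assumptions for the demo.

```python
"""Snapshot-and-diff monitoring of a privileged group's membership.

Added example (not from the list post). Input is the text that
    dsquery group -name "Domain Admins" | dsget group -members
prints: one quoted DN per line plus a trailing status line. The group,
DNs and approved list below are constructed for the example.
"""
from collections import Counter, defaultdict

# Constructed sample of dsget output (not a real directory).
DSGET_SAMPLE = '''"CN=Administrator,CN=Users,DC=corp,DC=example"
"CN=Pat C,OU=Admins,DC=corp,DC=example"
dsget succeeded
'''


def parse_dsget_members(text):
    """DNs from dsget output as a lower-cased set.

    DNs compare case-insensitively, so they are normalised; the surrounding
    quotes and the 'dsget succeeded' status line are dropped.
    """
    members = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("dsget"):
            continue
        members.add(line.strip('"').lower())
    return members


class PrivilegedGroupMonitor:
    """Compare each poll with the last confirmed membership.

    * A DN not on the approved list is reported the moment it appears; an
      unexpected privileged addition should never wait for confirmation.
    * A DN that goes missing is reported as removed only after
      ``confirm_absences`` consecutive polls without it. If it comes back
      sooner it is counted as a flap: the poll, not the group, changed
      (e.g. different DCs answering), which is the symptom in the thread.
    """

    def __init__(self, approved, confirm_absences=2):
        self.approved = {dn.lower() for dn in approved}
        self.confirm_absences = confirm_absences
        self.current = None                 # last confirmed membership
        self.missing_streak = defaultdict(int)
        self.flaps = Counter()

    def observe(self, snapshot):
        """Feed one poll (iterable of DNs); return a list of (event, dn)."""
        snap = {dn.lower() for dn in snapshot}
        alerts = []
        if self.current is None:            # first poll is the baseline
            self.current = set(snap)
            alerts.extend(("unapproved", dn) for dn in sorted(snap - self.approved))
            return alerts
        for dn in sorted(snap - self.current):          # newly seen DNs
            self.current.add(dn)
            alerts.append(("added" if dn in self.approved else "added_unapproved", dn))
        for dn in sorted(self.current & snap):          # present; was it missing before?
            if self.missing_streak.pop(dn, 0):
                self.flaps[dn] += 1
                alerts.append(("flapping", dn))
        for dn in sorted(self.current - snap):          # missing in this poll
            self.missing_streak[dn] += 1
            if self.missing_streak[dn] >= self.confirm_absences:
                del self.missing_streak[dn]
                self.current.discard(dn)
                alerts.append(("removed", dn))
        return alerts

    def unstable_members(self, min_flaps=1):
        """DNs that have vanished and reappeared at least min_flaps times."""
        return sorted(dn for dn, n in self.flaps.items() if n >= min_flaps)


def run_demo():
    """Replay the symptom from the thread; returns the alerts of each poll."""
    admin = "CN=Administrator,CN=Users,DC=corp,DC=example"
    pat = "CN=Pat C,OU=Admins,DC=corp,DC=example"
    temp = "CN=Temp Svc,CN=Users,DC=corp,DC=example"   # constructed, not approved
    mon = PrivilegedGroupMonitor(approved=[admin, pat])
    polls = [
        parse_dsget_members(DSGET_SAMPLE),   # 1: baseline, both approved
        {admin},                             # 2: Pat missing
        {admin, pat},                        # 3: Pat back -> flapping, not removed
        {admin, pat, temp},                  # 4: unapproved account added -> alert
        {admin, temp},                       # 5: Pat missing again
        {admin, temp},                       # 6: still missing -> confirmed removal
    ]
    return [mon.observe(p) for p in polls]


if __name__ == "__main__":
    for n, alerts in enumerate(run_demo(), 1):
        print(n, alerts or "-")
```

Members that show up in `unstable_members()` point at the query path (which DC answered, replication lag) rather than at a real membership change, which is the first thing to check before escalating.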
RE: [ActiveDir] Replication Delegating

2005-06-30 Thread Dan Holme

Yes. The AD Best Practices doc appendix details this.

http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

Start on Page 193; I think it will get you where you want to go.

You might also look at the entire whitepaper. Go to MS Downloads and search for keywords: Best Practices Active Directory

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, June 30, 2005 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Delegating

Any way to delegate the ability to click Replicate Now in AD Sites/Services short of being in Domain Admins?

--brian

RE: [ActiveDir] Compare GPO RSOPs

2005-06-30 Thread Dan Holme

Even more scientific: MS Word Compare Docs grin. But it works!

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, June 29, 2005 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compare GPO RSOPs

There are no in-the-box tools for this, but what I've done in the past to skin it is to use GPMC or gpresult to export GP settings (or RSOP) to an XML or HTML file. Then you can use your favorite diff tool (e.g. Windiff) to compare the differences. That's about the most scientific method I've seen.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, June 29, 2005 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Compare GPO RSOPs

Anyone got a good method to compare two GPOs and determine the delta between the two GPOs being compared?

Thank You! And have a nice day!

**
Mark Lunsford
KAISER PERMANENTE
Security Operations
Email: [EMAIL PROTECTED]
Outside Phone: 925-926-5898
Tie Line Phone: 8-473-5898
Cell: 925-200-4077
Remedy Group: NOPS SECURITY EDOS SYS
**

RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)

2005-06-30 Thread Dan Holme
$username$ is the right token... which is why it's a tricky question
grin and as you know, MS likes tricky questions grin again..

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/8d37ecb0-ac28-4e05-aa05-da82dc36b54b.mspx

has the scoop on the syntax.

Good luck on the exam and getting through the book :-)

Dan Holme


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)

Last I looked, dsmod uses $username$ but it doesn't create anything on the
filesystem, it only updates AD attributes. Specifying a homedir in the user
object doesn't make it appear except when you use ADUC, which actually goes
off and does it separately.

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, June 27, 2005 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)

Ladies and Gentlemen;

In reading Dan Holme's and Orin Thomas' fine MCSE Self Paced Training Kit
training manual, I have come upon a question in the Chapter 3 lesson review
on page 3-55:

What variable can be used with the DSMOD and DSADD commands to create
user-specific home folders and profile folders?
a.  %Username%
b.  $Username$
c.  CN=Username
d.  Username

The correct answer is b

Is this true?

Thanks in advance.

_

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
Voice: 207.827.4456  Ext. 387
Email: [EMAIL PROTECTED]
www.jws.com
_




RE: [ActiveDir] Scripts

2005-06-20 Thread Dan Holme
Of course the big problem is the security.  User must be a local admin (to 
successfully change the Administrator password) and how to encrypt the new 
password.

There are several options out there.  I would suggest that doing it via a login 
script is probably NOT the best way.  Scripting (I know you use the command 
line...) really is... by remoting the change, the concerns about exposing the 
pw diminish greatly.

BUT if you gotta gui:
Check out both Desktop Standard (www.desktopstandard.com) and FullArmour 
(www.fullarmor.com); both companies offer extensions to group policy that 
support changing the local admin password.  You'll be paying for the privilege 
to use the GUI.

Check out TQCRunAs (www.quimeras.com).  This is a super cool tool, IMHO.  It 
allows you to wrap up any command or script (OK, you'll actually use the NET 
USER command, but you get to wrap it up using a gui grin) within an encrypted 
package that executes a RunAs... solving many of the issues in your task.

Just some thoughts... I'm sure you'll get many others.

Actually, now that I think about your suggestion, I'd actually like to build a 
sample that allows you to do exactly what you suggest using the Active 
Directory Users & Computers snap-in.  Email me directly late next week (dan dot 
holme at Intelliem dot com) and I'll hash out an example for you, and make it 
available to everyone else on the list.  I'm just swamped now and I know I'll 
forget.  

Dan
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Haaker, Chris
Sent: Monday, June 20, 2005 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripts

I guess I should have (*) that I always use the GUI. I know there are a lot
of WMI hooks in the software though. I just open the computer container,
select all, right-click and choose specify local account password. As long
as the account you want to change the password for on the local machine are
all the same name you can do it in one fell swoop.

 
Chris Haaker
ITS Infrastructure
x7841
 
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, June 20, 2005 2:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripts

Could we get some more detail on that?  I've used Hyena, but I'm not sure
how to use that in a scripted fashion.

Thanks!

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Haaker, Chris
Sent: Monday, June 20, 2005 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripts

I know of a piece of software that will; Hyena.

 
Chris Haaker
ITS Infrastructure
x7841
 
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Sunday, June 19, 2005 5:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripts

Does anyone know of a script I can include in the login scripts to change
the local admin passwords on the computers in my environment?


RE: [ActiveDir] OT: Missing Offline Files

2005-06-20 Thread Dan Holme
You're not going to be able to get to them there, at least not by 'mere
mortal' means.  You need to go thru the GUI.

Log on as an administrator (or as the user, if her account is in the
Administrators group).  Open My Computer.  Choose Tools -> Folder
Options.  Click Offline Files.  Click VIEW FILES.  This UI exposes what
is 'stuffed' in the CSC.  If you don't see em there, you're more than
likely out of luck.

Dan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Friday, June 17, 2005 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Missing Offline Files

They're stored by default in %systemroot%\CSC...
Here's a bit more info...
http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=20373&DisplayTab=Article

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Friday, June 17, 2005 10:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Missing Offline Files

I have a user who has lost all of their data from the past four months
because they were using off line file sync with their My Documents folder
but didn't have the default to sync the files in subfolders.

As she has lost all of her data, she would like it back but I don't know
where to look for it.

I can't seem to find where the system saves the offline synced files.  Does
anyone know where this is?

Does anyone have any good solution to working around this type of issue?  My
only guess at this time is to throw a document recovery program at that
machine and see if the data is in a deleted state on the hard drive.  I'm
not too confident in this scenario.

Thanks,

Charlie



RE: [ActiveDir] DFS and Access Based Enumeration

2005-06-10 Thread Dan Holme
You could test it in a lab, but since ABE works on ACLs on shared
folders, and since the actual folders in the DFS target folder are not
ACLed, I think you'd be making a big mistake.

I agree wholeheartedly with Jorge.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Friday, June 10, 2005 1:04 PM
To: 'Nathan Casey '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] DFS and Access Based Enumeration

In my opinion I would only enable ABE on the actual shares that are used
for the DFS links

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/10/2005 7:01 PM
Subject: [ActiveDir] DFS and Access Based Enumeration

Does anyone have any experience yet enabling ABE on a DFS root share? If
I enable ABE on the DFS root share, DFS links from the root to other
shares only show up when accessed by an admin. ABE is not enabled on the
linked shares. Any ideas?
Thanks
Nathan




RE: [ActiveDir] OT: Cloned machine domain membership

2005-06-07 Thread Dan Holme
No... straight GHOST image.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, June 07, 2005 7:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Cloned machine domain membership

Dan, are you using a ghost boot partition in your images?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Monday, June 06, 2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Cloned machine domain membership

If you have already figured out a way to come up with a unique computer
name, you're in great shape.

To join the domain, you can do one of the following:


OPTION #1: SYSPREP SCRIPT

In your SYSPREP.INF file (if you're not familiar with what this file is,
ask and I'll elaborate), include the following section:

[Identification]
DomainAdmin = PatC
DomainAdminPassword = abcdef123
JoinDomain = MYDOMAIN
JoinWorkgroup = MYUSERGROUP
MachineObjectOU = OU = myou,OU = myparentou,DC = mydom,DC = mycompany,DC = com

If you do this, there are issues with the password, obviously.  The
script should be placed in the C:\SYSPREP folder (PRIOR to imaging) and
that folder is deleted during mini-setup.  But there is still a possible
exposure.  Suggestions to overcome this:

1) Have a domain account that ONLY can add computers to the OU where you
want these machines, and has no other access to resources in the domain

2) (Best): PRESTAGE the computer accounts: create the computer accounts
IN ADVANCE in AD, and set DOMAIN USERS as the account that can join the
workstation to that account.  Then there's far less of an issue.  There
are scripts that will let you do this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;q315273 for
starters


OPTION #2: POST-IMAGE (FIRST LOGON) SCRIPT

Depending on your imaging procedure, if a LOCAL administrator will log
on to the computer for the first time post-imaging, you can have a
script that runs at that time, either pointed to in the [RunOnce] key of
the registry or in the Startup program group or a Startup/Logon script
in Group Policy.  The URL above shows the syntax for NETDOM which is one
script you can use.
http://www.microsoft.com/technet/scriptcenter/scripts/ad/computer/cptrvb06.mspx
shows another example that works well on XP.  Again, consider
the security implications of the domain accounts that are used and any
possible password exposure.

LMK if you need more detail, but this should get you going.

Dan 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, June 06, 2005 8:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Cloned machine domain membership

I am trying to figure out the best way to re-image our labs (XP only)
without any interaction. Currently we are using Ghost 7.5, and it will
add the machine account to the domain, but doesn't actually join the
machine to the domain. This would be fine if the machines only needed
re-imaged twice a year, but at times they need re-imaged weekly. Any
suggestions on a way to do this with what we have? Other suggestions? 



RE: [ActiveDir] Modifying behaviour of Users and Computers snap-i n

2005-06-07 Thread Dan Holme
I have a page that has a script to make this process significantly
easier... you can hook ANY script, web page, etc., into a new context
menu command in AD UC.

http://intelliem.editme.com/admindispspec

BTW, the article referenced below does a similar thing -- just more
'manually' -- your question about adding items to an existing PROPERTY
PAGE requires significantly more development, but is possible.  I'd
suggest starting with MSDN for that.

Until you figure that out, use this method--it gets the job done.

Dan



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Tuesday, June 07, 2005 5:26 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Modifying behaviour of Users and Computers
snap-i n

The object
cn=user-display,cn=409,cn=displayspecifiers,cn=configuration,dc=xxx,dc=yyy,
attribute adminPropertyPages may be altered. [409 refers to the
English language; others may be in use in your org.]

Additional entries may be provided - one per additional attribute to be
exposed in the UI.

An example is found here
http://www.windowsitpro.com/Article/ArticleID/21588/21588.html

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: 07 June 2005 12:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Modifying behaviour of Users and Computers snap-in


Good day to you all.

How can the Users and Computers snap-in be modified to display
additional properties? For example I might wish to see the employeeID
property of a user in the Organization tab.


Regards

Peter Jessop


RE: [ActiveDir] OT: Cloned machine domain membership

2005-06-06 Thread Dan Holme
If you have already figured out a way to come up with a unique computer
name, you're in great shape.

To join the domain, you can do one of the following:


OPTION #1: SYSPREP SCRIPT

In your SYSPREP.INF file (if you're not familiar with what this file is,
ask and I'll elaborate), include the following section:

[Identification]
DomainAdmin = PatC
DomainAdminPassword = abcdef123
JoinDomain = MYDOMAIN
JoinWorkgroup = MYUSERGROUP
MachineObjectOU = OU = myou,OU = myparentou,DC = mydom,DC = mycompany,DC = com

If you do this, there are issues with the password, obviously.  The
script should be placed in the C:\SYSPREP folder (PRIOR to imaging) and
that folder is deleted during mini-setup.  But there is still a possible
exposure.  Suggestions to overcome this:

1) Have a domain account that ONLY can add computers to the OU where you
want these machines, and has no other access to resources in the domain

2) (Best): PRESTAGE the computer accounts: create the computer accounts
IN ADVANCE in AD, and set DOMAIN USERS as the account that can join the
workstation to that account.  Then there's far less of an issue.  There
are scripts that will let you do this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;q315273 for
starters


OPTION #2: POST-IMAGE (FIRST LOGON) SCRIPT

Depending on your imaging procedure, if a LOCAL administrator will log
on to the computer for the first time post-imaging, you can have a
script that runs at that time, either pointed to in the [RunOnce] key of
the registry or in the Startup program group or a Startup/Logon script
in Group Policy.  The URL above shows the syntax for NETDOM which is one
script you can use.
http://www.microsoft.com/technet/scriptcenter/scripts/ad/computer/cptrvb06.mspx
shows another example that works well on XP.  Again, consider
the security implications of the domain accounts that are used and any
possible password exposure.

LMK if you need more detail, but this should get you going.

Dan 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, June 06, 2005 8:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Cloned machine domain membership

I am trying to figure out the best way to re-image our labs (XP only)
without any interaction. Currently we are using Ghost 7.5, and it will
add the machine account to the domain, but doesn't actually join the
machine to the domain. This would be fine if the machines only needed
re-imaged twice a year, but at times they need re-imaged weekly. Any
suggestions on a way to do this with what we have? Other suggestions? 



RE: [ActiveDir] Alternate install Directory for W2K3 load

2005-06-06 Thread Dan Holme
Rick's right... has to be done in an ANSWERFILE.  HOWEVER, you can
create an answer file with ONLY the parameters you need, and leave all
others blank. Launch the installation with an answerfile (winnt /u or
winnt32 /unattend) and it will PROMPT you for all non-answered
parameters... i.e. it's still an interactive installation, but the
'hidden' parameter you want has been tackled.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, June 06, 2005 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Alternate install Directory for W2K3 load

No, sorry to say that there isn't.  The installer is designed to take this
type of input from an answer file, and stipulated by the /u:file name
parameter.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V Contr NASIC/SCNA
Sent: Monday, June 06, 2005 7:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Alternate install Directory for W2K3 load

Ok, but I am trying to do it from an install that I am doing interactively.
Isn't there some kind of command line switch or something like that for
WINNT.EXE?  I looked through the switches again, but none of them say they
are to change the install directory.

Nate 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, June 06, 2005 6:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Alternate install Directory for W2K3 load

I believe you can do this using an answer/transform file for the unattended
install process.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V Contr NASIC/SCNA
Sent: 06 June 2005 12:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Alternate install Directory for W2K3 load

Hey all,

I am trying to create an image for Windows 2003 member servers for our
domain and the SMS/Tivoli folks want to keep the default directory for the
OS load at C:\WINNT.  I have gone through the setup many times booting from
the CD and walking through the menus, but there is no option for where I
want to install the OS besides selecting the drive and partition.  It
defaults to C:\WINDOWS.  I can specify which directory I want if I am
upgrading from a previous OS in the GUI setup mode, but this is to be made
for a fresh install, not an upgrade.  Any ideas on how to load W2K3 into
c:\winnt from the start?

Thanks,
Nate 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, June 05, 2005 10:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Error

Good point, David.  Thanks for enhancing the suggestion.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Sunday, June 05, 2005 7:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Error

The /e switch for dcdiag will run the test against every DC in the Forest.
Might be good to make sure every DC is seeing the same thing as all others.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, June 05, 2005 19:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Error

I've seen exactly the same when an Infrastructure Master was missing.

Check all FSMO owners to be sure that they really DO exist.  To do
this, it's best to run

DCDIAG /v /test:KnowsOfRoleHolders

You will need to run this in each domain for the domain FSMO roles,
but it will query the domain controllers directly for who they know of
and can they be contacted (have you heard from this DC lately).

This is superior to NETDOM QUERY FSMO which seems to just blindly
return the information without any verification.

Rick

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Sunday, June 05, 2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Error

When I had a similar error it was because the domain naming master
was not available (server had failed and been rebuilt but the FSMO
role had not been seized)

Steve

From: [EMAIL PROTECTED] on behalf of Za
Sent: Sat 04/06/2005 05:13
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Error

Good evening all. A W2K DC was upgraded to W3K and it is also a DNS
server.
No problem at all with prepping and upgrading from W2K -> W3K.
I am getting the error below every few minutes. Anyone have a
solution?

Event Type: Error
Event Source:   DNS
Event Category: None
Event ID:   4015
Date:   5/15/2004
Time:   8:49:51 AM
User:   N/A
Computer:   PC Name
Description:
The DNS

RE: [ActiveDir] User account and home directory management

2005-06-06 Thread Dan Holme

I've had good luck finding solutions like this using Google; a hint is to use vbscript as a keyword, e.g. vbscript users (home directories OR home folders). Last I looked I found a lot of samples of this kind of thing. Unfortunately I didn't capture the one I thought was best; sorry.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Stanford
Sent: Monday, June 06, 2005 6:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User account and home directory management

Hi to all on the list.

Forgive me if this subject has been covered, as I am new to the list. I manage a school network, and one of the issues I face is that an AD user account, the user profile and the user's home directory share are inextricably linked. I need to be able to create users and shares in one go, so that the account is set up, the share and profile created, and permissions set, and the details entered into the AD object. Does anyone know of any software or scripts that would accomplish this? I would ideally like to be able to do it for individual users or in bulk.

Thanks in advance,

Dan Stanford.

RE: [ActiveDir] Seeking AD monitoring software recommendations

2005-06-05 Thread Dan Holme
You asked about MOM vs. NetPro, and the feedback I've been getting from
clients is that while both tools are great, they serve slightly
different purposes.  One client described well what several have said:
that MOM is, like many MS tools, a fantastic *platform* (extensible, a
basis for future solutions, etc.) but thus was more complex than they
desired for the level of functionality they require right now.  

NetPro was more out-of-box, ready-to-go.  I agree with what was said
earlier: your ramp-up time and expectation for hands-free may be a
little lofty.  But if that is the case, my guess is that NetPro may
serve you well.  HPOV has advantages in very heterogeneous environments,
of course, and can serve spaces that NetPro and MS don't touch yet.

On a *personal* note, I've never met someone from NetPro I didn't
*like*--they seem to be very adept at hiring super smart, personable
folks.  That actually can make a difference in the long run.

But you're looking at the right tools.  You might be BEST served by
having each vendor spend 1/2 to 1 day pitching you, and hit them up with
the excellent feedback you've been getting in this thread.  I have one
client who just did that exact thing, and I'd be happy to hook you up
with him--he may have some very fresh opinions for you.

Dan Holme
Intelliem




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Sunday, June 05, 2005 5:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seeking AD monitoring software recommendations

If you're determined to put as little time as needed into whatever tool
you choose, then I don't have a lot of faith in you deploying something
like MOM, HPOV, NetIQ, etc.  Time after time I've seen customers deploy
such a tool and expect it to just work out of the box with little to no
configuration or attention.  Since that's not how these things work, the
customers just end up not really using it and it sits mostly dormant and
ignored.  There's typically a lot of up-front cost in time and learning
to get things configured to where it becomes useful.

If you really want to do things right, then you're going to have to
commit to the time and effort.  Otherwise you may as well put the money
into something else.

You probably want to also refine your requirements and do some good
research and testing of the various candidates before biting the bullet
and signing the purchase order.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark
 Sent: Sunday, June 05, 2005 18:47
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Seeking AD monitoring software recommendations
 
 I work for a large enterprise company running w2k3 in 2003 mode with
 the expectation the main user domain will hold 150K users. It currently
 has about 80 DCs.
 
 We finally have funding to buy some AD specific monitoring tools.
 
 * I am looking for an application(s) that will tell us when AD is not
   functioning as it should in a simple screen and email us.
 * Would like to be able to benchmark systems.
 * Will tell us when someone changed a piece of the infrastructure
   (Auditing).
 * Would like to have the install done in about a week and be proficient
   in about a month.
 
 I need a system I do not have to spend a lot of time with, and that will
 tell me when something is wrong/changed.
 
 Anyone have any good suggestions?
 
 Thanks, you guys are great!
 M. Lunsford
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] DFS

2005-06-03 Thread Dan Holme
Your workgroup servers can be targets of links. No problem. You can also
'point' to UNIX/LINUX (SAMBA) and NetWare resources - anything that can
be referred to with a UNC (\\server\share) can be a link in DFS...
definitely doesn't have to be a domain member.

HOWEVER
You cannot have a workgroup server host a ROOT TARGET, i.e. the DFS
Server itself needs to be a server in the domain - and in a
distributed env like CHW you'll be best served by hosting the root
targets on MEMBER SERVERS in the domain where the DFS root is, rather
than on DCs.  There are administrative and delegation issues that make
hosting a root target on a DC in a distributed, decentralized enterprise
a very bad idea.

ALSO
Replication will be challenging, but not just b/c you're in a multiple
domain environment.  The real issue is that FRS sucks, particularly if
you have a situation where changes will be made to multiple copies of a
replica.  

In other words, if you have FOLDER A replicated to SERVER1 and SERVER2,
and people are making changes to FOLDER A on both servers, FRS tends to
have issues.  Many of these will be solved in Windows 2003 R2, with its
new replication technology.

Until then, my general guidance to clients is
1)  Use FRS only where there is a 'master - replica' topology, where
changes are made only to one server and replicated to all copies.  This
can be 'managed' by setting share permissions (NOT NTFS permissions,
which are replicated) on the master to allow modify/full and share
permissions on the replicas to allow only read. Don't use FRS across
servers in different domains/workgroups.

2)  Use another tool for replication in all other scenarios.
RoboCopy and DoubleTake are popular among my clients.

THIS DOCUMENT IS AWESOME:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/20ffb860-f802-455c-9ca2-5194f79a9eb4.mspx

Dan Holme
Director of Training & Consulting
Intelliem, Inc.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, June 03, 2005 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DFS

Can a DFS Root be created in a Root Domain and contain servers from
child domains in the DFS Share?  Is there any good information on how to
deal with permissions with this kind of setup?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] OT Assign Icon in script

2005-06-02 Thread Dan Holme

I've done that sort of thing simply by creating the shortcut then _copying_ it via a script.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, June 01, 2005 2:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT Assign Icon in script

Is it possible to assign an icon to a shortcut, to all the
computers in the domain via GPO Logon Scripts?

What I have got is this:

Set ws = WScript.CreateObject("WScript.Shell")
dsktop = ws.SpecialFolders("Desktop")

Set scut = ws.CreateShortcut(dsktop & "\shortcut name.lnk")
scut.TargetPath = "http://enter url here"
scut.Save

Now this is all great and works (creating the Shortcut on the desktop) but I
would also like to assign a custom icon. Is this at all possible?

Thanks,

Aaron Visser


RE: [ActiveDir] Home Directories

2005-06-01 Thread Dan Holme
Modify permission on an NTFS ACL *does* include DELETE.

Anyway, what Steve suggests is simply not possible to achieve without
workarounds such as 'resetting the acl' regularly.  Here's why, and a
suggestion.

1) The CREATOR/OWNER of a file or folder ALWAYS can change permission on
that file or folder.  There's no way to prevent that.  In other words,
if you let a user save a file, they CAN change permission.

2) The only workaround I've heard for this (and I've not tested it
myself but it is on good authority) is to set a SHARE permission of
MODIFY (not Full Control).  The lack of full control on a share
apparently prohibits anyone (including the owner) from changing an
ACL... cool assuming it's true, though managing share permissions is a
whole other can of worms, and PLEASE don't go there with this thread.
It's a solution, not a perfect one (and there isn't a perfect solution
given Steve's requirements).

3) You can *always* provision anything in Windows.  Go bananas with a
script or process that creates the folder for the user with the right
permissions on that user's folder, and then of course you can restrict
the root more.  The permissions I listed are the minimum required
permissions for out-of-box Windows functionality.

Hope this helps.

D



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 31, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

Are you sure about that? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dryden, Karen
Sent: Tuesday, May 31, 2005 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

Modify rights doesn't give them the ability to delete files/folders.
You have to go to the Advanced tab on permissions and edit their rights
and check the box to enable them to delete their own home drive
files/folders.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Tuesday, May 31, 2005 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories


The trouble is that Microsoft's idea of locked down and my idea of
locked down don't match...

I work in a college (and I think Debbie works in a similar environment)
and there's no way I'd give users full control over even their own
folders - the most they get is modify on everything in their user area.
(Giving full allows them to change permissions - most will do this
accidentally and manage to remove themselves from the list or they will
give access to other users. In a work environment this may be a good
thing - it allows users to share work on an ad-hoc basis. For students,
it's typically a way to move pirate material around...)

There's also a problem in that if users can create folders in the root
share then they will - again, some will do this accidentally and lose
work in that way; others will do it maliciously. Whichever, when you
have 14,000 folders to worry about you don't want odd ones sneaking in
:-)

The downside of this is that you can't then have the folder created by
the redirection process as the user logs on; no big deal - we script the
user creation so we also create the home folder with the permissions we
want (admins, system - full; user - modify)

On a regular basis we also force the permissions and ownership back to
what they should be - I've found setacl (http://setacl.sourceforge.net)
to be easier to use for this than subinacl.

Steve

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
 Sent: 27 May 2005 16:14
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Home Directories
 
 The best practice permissions for the ROOT SHARE (for home directories,
 roaming profiles & folder redirection) are listed below.
 There is a lot of confusion about these perms, b/c there are
 inconsistencies in MS doc.
 I've tested these to make sure they work and (as you'll see) they're
 pretty well locked down.
 
 The root share
 ==
 ACL
 Users*:Allow:List Folder & Create Folders
   Inheritance: This folder only (THIS IS TRICKY AND IS NOT THE
   DEFAULT: set "Apply onto" to THIS FOLDER ONLY)
 
   *Or another group that includes users who will have folders under
   this root
 
 Creator Owner:Allow:Full
   Inheritance: Subfolders & files only
 
 System:Allow:Full
   Inheritance: This folder, subfolders & files
 
 Administrators: depends
   Set based on Enterprise information security policy
 
 Share
   Hidden share name (sharename$)
   Share permissions: Everyone:Allow:Full
 
 ** Do not create individual user folders **
 
 How folders are created
 ===
 Home folders: created & perm'd automatically
 
 Redirected folders: created, perm'd, user owner
 
   SUBINACL on Res Kit to change ownership if you must create folder in
   advance. (Be sure to download newest

RE: [ActiveDir] Enhancement Question

2005-06-01 Thread Dan Holme
Charlie:

This is a question I'm getting from a LOT of my clients these days.  I'd
be happy to chat through some ideas with you, but it's too much to type
out.  Give me a shout and I'll spend a bit of time talking you through
some ooh-ahh-wow things you can do with AD.   888.381.6956.

Dan Holme
Intelliem


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, May 31, 2005 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enhancement Question

You could look at pre-populating the location field for printer
searches.  This is quite a nice feature that uses the IP subnet of the
workstation the user is logged on to to locate the nearest printer.
There are a few tasks you need to do to enable this, but it can be worth
the effort, especially in distributed organisations.  See the following
whitepaper for more information on this.

http://www.microsoft.com/windows2000/technologies/fileandprint/print/addeploy.asp

As you suggest, there are not a huge number of benefits that are
directly visible to the end user.

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, 1 June 2005 3:05 a.m.
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Enhancement Question

This is an odd question.

We have just about finished up rolling out AD 2003 (from an NT domain)
and I have been charged with finding several ways to utilize Active
Directory to optimize the management of our applications and
infrastructure.  At least one of the solutions should enhance
functionality directly for the user community.

I'm having problems finding ways to enhance functionality for the
end-users.  Besides tying the AD into one of our outsourced web based
applications to reduce their password count, I'm stretching.

I know of a number of management and infrastructure enhancements that
could be made but none enhance the functionality of our end-users to a
point where they will notice it and say "Wow, now that's cool."

Does anyone know of a location where I can get ideas on this topic?

Increased security, stability, management.  These core things are not
seen by the end-user even though they directly affect them. I need to
find something that the end-users will like to see and something that
benefits them.  I'm just coming up blank on this.  In the past, I have
always been instructed to use AD in ways that the end-user doesn't
notice but increases the functionality.

Thanks,

Charlie


RE: [ActiveDir] Selective moving/migration of users

2005-05-30 Thread Dan Holme
Take a look at the documentation of the ADMT.  You can use a SELECTION
FILE to specify the users & groups you wish to modify, so that you don't
have to manually select them in the user interface.  There are also a
number of options to *script* the ADMT, which means you could utilize
any language (e.g. vbscript, .bat) to create the 'logic' to select your
users and groups.

To expand on what Jorge mentioned, there are lots of ways to migrate,
but by far the *easiest* with the ADMT is to migrate the global groups
you want *first*, then, as a second 'pass' through the ADMT, migrate the
users you want.

Dan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, May 30, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Selective moving/migration of users

As Jorge mentioned earlier Quest DMW has an option to find out the
groups that user is a member of and migrate that as well (nice
checkbox)...not sure bout ADMT though..

Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, May 30, 2005 7:56 PM
To: '[EMAIL PROTECTED]'; 'Lucia Washaya'; 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Selective moving/migration of users

almost forgot:
think about closed sets (meaning: if I migrate these objects, what other
objects should be migrated also)

what about the groups the NT users you want to migrate are members of?
Don't you need to migrate those as well?

cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: 'Lucia Washaya'; '[EMAIL PROTECTED]'; 'ActiveDir@mail.activedir.org'
Sent: 5/30/2005 1:42 PM
Subject: RE: [ActiveDir] Selective moving/migration of users

Hi,

You can always select the user and/or groups you want to migrate. It all
depends on the requirements and situations but it is not needed to
migrate the domain at once.
There are a lot of tools available that help you with your object
migration (user, groups, computers) and resource updating (re-acl, etc.)
One of the free tools available is ADMTv2 (ADMTv3 is in beta at the
moment) which can migrate objects and standard windows resource updating
(incl exchange). If you however need to update resources on SQL or SMS
you will likely need to use a third party tool like Quest DMW
Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; 'ActiveDir@mail.activedir.org'
Sent: 5/30/2005 12:52 PM
Subject: [ActiveDir] Selective moving/migration of users


Colleagues,

Is there a way to selectively move or migrate users between NT and
Windows 2000 domains? I have two domains, one on NT and another on
Windows 2000. I want to move some of the users from NT to 2000. Is there
a way to do it?

Thank you in advance for your assistance

Regards,
Lucia Washaya
UNAMSIL
Tel Ext.: 5497 or Local Tel.: 022-295-526
Int'l Tel.: Via Italy +(39) 083123-5497
Via USA +1(212) 963-9915 (after audio response dial 174-5497)







RE: [ActiveDir] Home Directories

2005-05-27 Thread Dan Holme
The best practice permissions for the ROOT SHARE (for home directories,
roaming profiles & folder redirection) are listed below.  There is a lot
of confusion about these perms, b/c there are inconsistencies in MS doc.
I've tested these to make sure they work and (as you'll see) they're
pretty well locked down.

The root share
==
ACL
Users*:Allow:List Folder & Create Folders

Inheritance: This folder only (THIS IS TRICKY AND IS NOT THE DEFAULT:
set "Apply onto" to THIS FOLDER ONLY)

*Or another group that includes users who will have folders
under this root

Creator Owner:Allow:Full
Inheritance: Subfolders & files only

System:Allow:Full
Inheritance: This folder, subfolders & files

Administrators: depends
Set based on Enterprise information security policy

Share
Hidden share name (sharename$)
Share permissions: Everyone:Allow:Full

** Do not create individual user folders **
How folders are created
===
Home folders: created & perm'd automatically

Redirected folders: created, perm'd, user owner

SUBINACL on Res Kit to change ownership if you must create
folder in advance. (Be sure to download newest patched version of
SubInACL from MS web site)

Profiles: created & perm'd automatically


Hope this helps

Dan
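The root-share ACL above, as an added PowerShell example (not from Dan's post or from any Microsoft tool): it builds each entry with .NET access rules, so the "Apply onto" choices become explicit InheritanceFlags/PropagationFlags values. The path D:\Home, the share name Home$ and Full Control for Administrators are assumptions.

```powershell
# Added example, not from the original post: apply the ROOT SHARE ACL described
# above with .NET access rules. Assumptions: the root lives at D:\Home, the
# hidden share is Home$, and Administrators get Full Control (the post leaves
# that entry to local policy).
param(
    [string]$RootPath   = 'D:\Home',        # assumed folder backing the share
    [string]$ShareName  = 'Home$',          # hidden share name (sharename$)
    [string]$UsersGroup = 'BUILTIN\Users'   # or a group of the users who get home folders
)

# The three "Apply onto" choices from the ACL editor, spelled out as flags.
$ThisFolderOnly = @{
    Inheritance = [System.Security.AccessControl.InheritanceFlags]::None
    Propagation = [System.Security.AccessControl.PropagationFlags]::None
}
$SubfoldersAndFilesOnly = @{
    Inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    Propagation = [System.Security.AccessControl.PropagationFlags]::InheritOnly
}
$ThisFolderSubfoldersAndFiles = @{
    Inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    Propagation = [System.Security.AccessControl.PropagationFlags]::None
}

function New-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [hashtable]$Scope
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Scope.Inheritance, $Scope.Propagation,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

if (-not (Test-Path -LiteralPath $RootPath)) {
    New-Item -Path $RootPath -ItemType Directory | Out-Null
}

$acl = Get-Acl -LiteralPath $RootPath
# Stop inheriting from the drive root; $false drops the inherited entries when
# the ACL is written back, so only the explicit rules below remain.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($rule) | Out-Null
}

# Users: List Folder & Create Folders, This folder only. The post calls this
# tricky because the default scope would inherit the entry into every user's
# folder, letting any user list and create folders inside someone else's home.
$acl.AddAccessRule((New-Ace $UsersGroup 'ListDirectory, CreateDirectories' $ThisFolderOnly))
# CREATOR OWNER: Full, Subfolders & files only. Whoever creates a user folder
# (the admin tool, or the user at first logon) ends up with Full Control on it.
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' $SubfoldersAndFilesOnly))
# SYSTEM: Full, This folder, subfolders & files.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' $ThisFolderSubfoldersAndFiles))
# Administrators: "depends" in the post; Full Control is the assumption here.
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' $ThisFolderSubfoldersAndFiles))
Set-Acl -LiteralPath $RootPath -AclObject $acl

# Hidden share, Everyone:Allow:Full; the NTFS ACL does the actual gating.
# New-SmbShare needs Windows Server 2012 or later.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $RootPath -FullAccess 'Everyone' | Out-Null
}

# Read the DACL back in the editor's terms. .NET may display the Users entry
# with the alias names ReadData/AppendData (same bits as ListDirectory and
# CreateDirectories) plus Synchronize, which it adds to every Allow rule.
(Get-Acl -LiteralPath $RootPath).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
```

Run it once on the file server before pointing any user's home directory at \\server\Home$; the final table is what to compare against the list above.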


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, May 27, 2005 8:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

Yes, make sure that the top level home folder that your share is
pointing to does not have rights for those users to make changes.  They
should only have rights at their individual folder.

For instance:

Share Level Perms
\\server\home1 is your home folder share which has the following perms:
Administrators - FC
Domain Users - C

NTFS Perms
That folder maps to h:\home1 on your server.  Home1 should have the
following:
Administrators - FC

There's a user folder under home1 that exists under home1 that maps to
JohnDoe such as h:\home1\johndoe.

At the johndoe folder, you want to make sure the following permissions
are set:
Administrators - FC
JohnDoe - Modify


So now you can map the user's H: drive or whatever to
\\server\home1\johndoe.

Hope that helps...

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Friday, May 27, 2005 10:50 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Home Directories

But it also allows them to create new folders under the top level Home
share. Is there a way around that?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, May 27, 2005 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

Now that your share-level permissions are correct, you need to add the
individual user to their respective home folder and grant modify
permissions (ntfs).  That should give them change access to their files.

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Friday, May 27, 2005 9:04 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Home Directories


I appreciate all the feedback. I had to end up giving domain users
change access on the top level Home share folder.  (On both file and
share) I removed domain users from the individual home directory/folders.
The problem I have with the solution is that won't users be able to
create folders in the Home Folder? Is there a solution to this?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, May 27, 2005 8:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

Sorry.  Please don't perceive my earlier post as disrespecting your
opinion.  Simply typing in brevity.  :)

At any rate, I read it as a user end permission error, not as a copy
process failure.

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, May 26, 2005 6:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

No problem in disagreeing, as long as we can respect each other's
opinions.

Granted Debbie did not give us a lot of details, but based on what
Debbie wrote, it sounds like she is having trouble copying the files
from the server, and if her users had full control enabled on the
original NT 4 home directory, then in the middle of the move process she
would probably have an access denied even though she is the admin.

By taking ownership of the files prior to her move this issue would be
resolved. She also stated that the permissions are change (Change for
end users is better than Full control in my opinion) and Debbie stated
that she

RE: [ActiveDir] Delivering MSI packages effectively

2005-05-24 Thread Dan Holme
If your domain is in Windows 2000 native mode (or Windows 2000 domain
functional level) or higher, you can effectively nest global groups into
global groups.

With a dispersed OU structure (I echo Jorge's question, why), I would
suggest:

1) A global group containing the computers of each classroom
2) A global group representing the software package
3) Nest the classroom groups into the software group
4) Filter the GPO to apply only to the software group.  Remove (don't
deny - remove) Authenticated Users ability to Apply Group Policy and
allow the Software group Read and Apply Group Policy.  If you're using
the GPMC (which you should be), it's even easier: remove Auth Users and
add the software group.

Dan
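Steps 1-4 above as an added PowerShell example using the ActiveDirectory and GroupPolicy modules (not from the original post; these cmdlets postdate it). The OU names, the group names and the GPO name Deploy-MathLab are constructed for the example.

```powershell
# Added example, not from the original post: steps 1-4 above with the
# ActiveDirectory and GroupPolicy modules. Every name below is constructed:
# the classroom OUs, the group names, the OU that holds the groups and the
# GPO "Deploy-MathLab" that assigns the package.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$groupOU       = 'OU=Software Groups,DC=school,DC=example'   # assumed OU for the groups
$softwareGroup = 'Software-MathLab'                           # step 2: the package role
$gpoName       = 'Deploy-MathLab'                             # assumed GPO that assigns the MSI
$classrooms    = @{                                           # step 1: group -> classroom OU
    'Computers-B1-Classroom1' = 'OU=Classroom 1,OU=Building One,OU=Workstations,DC=school,DC=example'
    'Computers-B1-Classroom2' = 'OU=Classroom 2,OU=Building One,OU=Workstations,DC=school,DC=example'
    'Computers-B2-Classroom7' = 'OU=Classroom 7,OU=Building Two,OU=Workstations,DC=school,DC=example'
}

function Ensure-GlobalGroup([string]$Name) {
    # Create the global security group if it does not exist yet.
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $groupOU | Out-Null
    }
}

# 1) One global group per classroom, holding that classroom OU's computer objects.
foreach ($entry in $classrooms.GetEnumerator()) {
    Ensure-GlobalGroup $entry.Key
    $computers = Get-ADComputer -Filter * -SearchBase $entry.Value -SearchScope OneLevel
    if ($computers) { Add-ADGroupMember -Identity $entry.Key -Members $computers }
}

# 2) A global group that represents the software package...
Ensure-GlobalGroup $softwareGroup
# 3) ...with the classroom groups nested into it (global-in-global nesting
#    requires Windows 2000 native mode or higher, as the post says).
Add-ADGroupMember -Identity $softwareGroup -Members @($classrooms.Keys)

# 4) Security-filter the GPO: remove (do not deny) Authenticated Users, then
#    give the software group Read and Apply. PermissionLevel None deletes the
#    trustee's entry; GpoApply implies Read.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None
Set-GPPermission -Name $gpoName -TargetName $softwareGroup -TargetType Group -PermissionLevel GpoApply

# Caveat for patched domains: since MS16-072 the GPO is read in the computer's
# security context. This computer-filtered GPO still applies because the
# computers reach Read through the software group, but a GPO carrying user
# settings would additionally need Authenticated Users (or Domain Computers)
# granted GpoRead.

# Verify: only the software group should hold GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission
```

Link the GPO once at the Workstations OU; adding a room to the deployment is then a single Add-ADGroupMember rather than another GPO link.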

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Tuesday, May 24, 2005 7:08 AM
To: 'Steven Wood '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Delivering MSI packages effectively

You have two possibilities:
For both create a GPO with the APP assigned.
(1) link the GPO to each classroom and you're done
(2) link the GPO to the workstations OU and use group filtering by
giving a group (that represents the classroom) read and apply
permissions to the GPO. Each workstation must be a member of their
corresponding group

Question: why do you have such a deep structure? Delegations? GPOs?
something else

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 3:48 PM
Subject: [ActiveDir] Delivering MSI packages effectively

I'm hoping someone can explain to me the most effective way to deliver
an MSI package in the following scenario.

My AD structure looks something like this:

Workstations
  Building One
    Classroom 1
    Classroom 2
    etc to
    Classroom 99
  Building Two
    Classroom 1
    etc to
    Classroom 99
  Building Three
    Classroom 1
    etc to
    Classroom 99

I have a GPO connected to most rooms. If I have an MSI package that I
need to deliver to say 25 rooms what would be the most effective way to
assign to the required classrooms? Currently I have to assign the app 25
times, once to each room.

Regards

Steven



RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-22 Thread Dan Holme
 will have Brett snickering at you.

As I mentioned in an earlier post, if you are afraid of deleted objects,
I would recommend judicious use of searchflags0x08 and admod with the
-undel option. Couple that with a simple AD/AM directory that you don't
let your loose cannon admins have access to and you can pretty easily
get things back.

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, May 20, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Using my non-scientific personal observations, of the last 50 or so
customers I've been to I believe only 3 had lag sites.  Of those 3, none
had done what I'd call a good job of setting it up (they had basically
just created a separate site with a longer replication interval).  Of
the other ~47, perhaps half knew of lag sites and were either interested
in the concept or had plans to implement them.  How many actually will I
can't say.  These are all Premier customers.

So, based on my personal experience, I'm more inclined to agree with
Todd.  I think, however, that over the next couple years lag sites will
become the norm as virtualization becomes commonplace and best practices
are better documented and understood.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Friday, May 20, 2005 15:49
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

 Todd,

 With all due respect, I think there are more people doing this than 
 you think.  You aren't using a Lag Site, so it's 'whacky'.  Your 
 opinion, so you're entitled to it.

 PSS blessed our implementation, BTW.  If you'd like, I'll be happy to 
 provide you with contacts for the ROSS tech (out of Los Colinas) that 
 did our recent AD Health check in advance of our Win2k3/E2k3 upgrade.
 He stated that this was becoming a cheap, scalable solution to 
 providing DR - and a few large organizations were using them at 
 warm/hot sites because they also meet criteria for DR as addressed and

 required for Sarbanes.

 And, I don't question the fact that a poor site design can cause 
 problems.  But, humbly, I submit that I know what I'm doing.  Learn 
 from what I do - or learn not.  That's up to you.  I know that you 
 have a liking for Quest - which is fine.  I use some of their tools - 
 just not Recovery Manager.
  However, in a DR situation when your DCs are being rebuilt from 
 scratch - Recovery Manager is not a very valuable tool when there are 
 no objects to 'undelete'.

 As for Guido - I hope he chimes in as well.  He seems to be one of the
 few that you trust - regardless of those that have supported you in 
 the past.  Hopefully then - we can put this behind us.  Me, I'll keep 
 doing what has been successful for me for two years, thank you.

 -rtk

 

 

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
 (NIH/CC/DNA)
 Sent: Friday, May 20, 2005 11:59 AM
 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

 

 I disagree that Lag sites are popular, maybe with you and at AD 
 conferences as a session.  I tend to avoid those sessions.

 

 To all those considering this as a viable solution, why not run it by 
 MSC or PSS and see what they say.  We get something called a 
 supportability review before we implement anything to whacky at my 
 organization.

 

 There are so many things that can go wrong with a improper site design
 and object reanimation that I just say avoid doing it.

 

 I am waiting for Guido to chime in on this.

 

 Todd

 

 

 From: Dan Holme [mailto:[EMAIL PROTECTED]
 Sent: Thu 5/19/2005 10:16 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

 Two more notes on this issue:

 1) THIRD PARTY AD RESTORE TOOLS.  Sounds like it's clear, now, WHY lag
 sites are so popular.  Yes, there are third party products
 (particularly Quest Recovery Manager) that work quite well if you have
 a budget for that.  Here's my take as to why my IT budget shouldn't be
 spent on those tools (and *should* be spent on OTHER tools by some of
 those same companies).

 a) Deleted objects can be avoided with proper delegation.
 It's so important that you properly delegate and properly use accounts
 with administrative logon (i.e. with 'secondary logon' only) that this
 trumps just about everything.  At most of my clients, NOBODY (from a
 practical perspective) can delete users or groups.  We have a process we
 call graveyarding, whereby an account is tagged (using a variety of
 methods) and, with a SCRIPT, moved to an OU where they stay for 90
 days before being deleted (again, only by the SCRIPT).  The only other
 accounts that can delete users

RE: [ActiveDir] Scripting Delegation Question

2005-05-21 Thread Dan Holme

Thanks! I'll definitely look at your tools & book, Alain!

Dan


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, May 20, 2005 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting Delegation Question

Deleting an ACE is obviously supported.

Supporting removal of an ACE in a granular way requires extensive
regression testing, which is way more complex than removing all ACEs
using the same trustee. Therefore, it is more than just implementing the
feature in the tool. That's why it is not supported, even though technically
this should work fine. I've been doing some testing with the script below and
it works great so far.

HTH

/Alain


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 20, 2005 10:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting Delegation Question

 Microsoft doesn't support this and this is why no tool doing this
 exists.

I am confused, what specifically isn't supported?

Deleting a single ACE is obviously supported, the reason
DSACLS doesn't do it I would bet is programmer laziness versus anything being
unsupported. You would have to add additional switches to specify the specific
ACL to remove versus simply yanking all of the ACEs with a specific secprin.
The latter is much much easier to implement. DSACLS has lots of shortcuts like
that, look at the case sensitivity for more examples there.

  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, May 20, 2005 7:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting Delegation Question

Check out the script at
http://users.skynet.be/alain.lissoir/conferences/WMIManageSD.zip I
wrote for my books.

This script is fully documented in my WMI books at http://www.lissware.net
(Vol 2).

It supports the management of security descriptors for files, folders, file
shares, registry, WMI namespaces, AD, Exchange 2000/2003 mailboxes.

It requires the registration of some resource DLLs where it is started in
order to work.

For instance, if you want to delegate "Modify the membership of a group"
(as the delegation wizard displays).

The command line for WMIManageSD.Wsf is:



Set OU=OU=Department,DC=LissWare,DC=NET
Set TRUSTEE=VMLissWareNET\Alain.Lissoir

Cscript.Exe //Nologo WMIManageSD.Wsf /ADObject:%OU% ^
/Trustee:%TRUSTEE% ^
/ACEType:ADS_ACETYPE_ACCESS_ALLOWED_OBJECT ^
/ACEMask:ADS_RIGHT_DS_READ_PROP,ADS_RIGHT_DS_WRITE_PROP ^
/ACEFlags:ADS_ACEFLAG_CONTAINER_INHERIT_ACE,ADS_ACEFLAG_INHERIT_ONLY_ACE ^
/ObjectType:{BF9679C0-0DE6-11D0-A285-00AA003049E2} ^
/InheritedObjectType:{BF967A9C-0DE6-11D0-A285-00AA003049E2} ^
/AddAce+ /ADSI+



Then to undelegate one ACE, you specify the exact same command line, but you
use the /DelAce and /Granular+ switches instead.

If you don't specify the /Granular+ switch, then it removes all ACEs for the
trustee.

If you do, it removes the ACE specified for the trustee.



Set OU=OU=Department,DC=LissWare,DC=NET
Set TRUSTEE=VMLissWareNET\Alain.Lissoir

Cscript.Exe //Nologo WMIManageSD.Wsf /ADObject:%OU% ^
/Trustee:%TRUSTEE% ^
/ACEType:ADS_ACETYPE_ACCESS_ALLOWED_OBJECT ^
/ACEMask:ADS_RIGHT_DS_READ_PROP,ADS_RIGHT_DS_WRITE_PROP ^
/ACEFlags:ADS_ACEFLAG_CONTAINER_INHERIT_ACE,ADS_ACEFLAG_INHERIT_ONLY_ACE ^
/ObjectType:{BF9679C0-0DE6-11D0-A285-00AA003049E2} ^
/InheritedObjectType:{BF967A9C-0DE6-11D0-A285-00AA003049E2} ^
/DelAce+ /ADSI+ /Granular+



Note that even though this may work in most cases, Microsoft doesn't support
this and this is why no tool doing this exists.

HTH

/Alain


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Friday, May 20, 2005 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripting Delegation Question

I am at the latter stages of a script to pump out delegation from a
business administrative model description. I've had great luck automating
DSACLS to drive delegation. Now I've hit a wall though and maybe
someone can help.

DSACLS won't let you remove a single permission. It will let you remove all
permissions for a security principal; it will let you deny; but it won't
remove an allowed permission.

My goal is to be able to drive a delegation of almost full control
of users & groups, whereby an admin group can do everything except delete,
because we want to provision the deletion process to avoid accidental
deletions. I'd like to delegate this as I would in the UI: click Full Control
then UNCHECK Delete and Delete Subtree.

Does anyone have any ideas how to script this? I'd prefer not to have to
dive into the security descriptor using VBScript, but if that's what it
takes I'll do that, if someone has a sample.

THANKS!

Dan

(BTW: Yes, I'll be posting this tool for everyone once it's finished)


RE: [ActiveDir] delegwiz.inf file replaced with w2k3/sp1 upgrade

2005-05-20 Thread Dan Holme
I've done a lot of Delegwiz.inf customization and, in my experience, do
not believe there's a way to avoid what you experienced.  The only
workaround is a cheesy one.  I have a workflow for post-SP repairs --
a share where I keep anything that needs to be 'replaced' after an SP.

BTW, I assume you've seen the Appendices to the Active Directory Best
Practices?   The Delegwiz.inf file in there rocks as a starting point.

http://tinyurl.com/e3n2u



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Friday, May 20, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] delegwiz.inf file replaced with w2k3/sp1
upgrade

I think not...

What I would do:
* Rename the default DELEGWIZ.INF to DELEGWIZ-SPx.ORG (where x is the
service pack number)
* Create my own DELEGWIZ.INF (or customize the default) and create a
copy
called DELEGWIZ.INF.CUSTOM

Implement the custom DELEGWIZ.INF on all DCs that are used to configure
delegation, and do the above only on one DC (like the PDC FSMO for
example)

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Friday, May 20, 2005 17:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] delegwiz.inf file replaced with w2k3/sp1 upgrade

We discovered today that our custom delegwiz.inf (the input file for the
delegation GUI) was replaced during the upgrade from w2k3/sp0 to
w2k3/sp1.
8-(  Luckily, we do have backups.  8-)  Anybody ever caught up in this
issue?  Files likely to be customized by MS customers should be handled
with
kid gloves by MS during standard upgrades.  Is there some way to
designate
another location so we don't get surprised again?
Thanks!

Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.


RE: [ActiveDir] Prevent certain users being added to a group

2005-05-20 Thread Dan Holme

TMK there's no way to prevent a particular account from being added to the
group in this scenario. The permission you're leveraging is obviously
Allow:WriteProperty:Member on the group object. Once you have that
permission, you can add any member.

What you'll want to do, therefore, is have some LOGIC IN THE CODE TO SOLVE
THE PROBLEM, where the logic evaluates the security principal that is being
requested to add to the group and decides whether or not that's kosher.

Dan


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
Sent: Friday, May 20, 2005 8:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Prevent certain users being added to a group





Sorry this is short, I'm about to leave work and go on holiday for a week.
This is a bit of ASP code that adds the user to the group DeniedNetAccess.
There is another page that removes them and one that lists all members of
the group. Use Windows Authentication in IIS to restrict access to the page
and a form which the staff can then add a student's account name (read in
here as usr).

If I remember after my break I'll post more.

Steven


<%
    ' Account name submitted from the staff member's form (field "usr2").
    Dim usr
    usr = Request.Form("usr2")

    remUserfromGroup "domainNameHere", usr, "DeniedNetAccess"

    Response.Write("Internet access for " & UCase(usr) & " has been enabled")

    ' Remove a user from a group through the ADSI WinNT provider.
    Sub remUserfromGroup(strDomain, strUsername, strGroupname)
        Dim User
        Dim Group

        Set User = GetObject("WinNT://" & strDomain & "/" & strUsername & ",user")
        Set Group = GetObject("WinNT://" & strDomain & "/" & strGroupname & ",group")

        On Error Resume Next
        Group.Remove(User.ADsPath)
        Group.SetInfo

        Set User = Nothing
        Set Group = Nothing
    End Sub
%>

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: 20 May 2005 15:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Prevent certain users being added to a group

Steven-

I can't help with your question, but would love to hear more about your web
page that allows staff to add students to an Active Directory group to deny
web access.

Thanks,

Brenda


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
Sent: Friday, May 20, 2005 3:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Prevent certain users being added to a group

Hi,

Using ADSI I have a web page that allows staff to add
students to an Active Directory group called DeniedNetAccess.
Members of this group as the name implies are of course denied access to the
web. How can I prevent staff from adding other members of staff to this group?
Is this possible using AD permissions?

Thanks

Steven

---
This email is from Oldham Sixth Form College, but expresses the views
of the sender and not necessarily the views of the college. The email
and any files transmitted with it are confidential to the intended
recipient at the e-mail address to which it has been addressed. It may
not be disclosed or used by any other than that addressee, nor may it
be copied in any way. If received in error, please notify
[EMAIL PROTECTED] quoting the name of the sender.

This message has been scanned for viruses by F-Secure Anti-Virus.

Please note that we cannot accept any responsibility for any
transmitted viruses. It is, therefore, your responsibility to scan
attachments (if any).
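Dan's answer above is that the ACE (Allow WriteProperty:Member on the group) cannot express "students only", so the page code has to. The following Python is an added example, not Steven's ASP page or anything else from this thread: it is the decision logic such a page would run before calling the ADSI Add, with a constructed in-memory directory standing in for the LDAP lookup. Every DN, group name and account is made up. It also validates the submitted name before it is used, because the ASP above builds the WinNT ADsPath by concatenating the form field, and it records each decision so that use of the delegation is auditable.

```python
"""Policy check for an 'add this account to DeniedNetAccess' web page.

Added example, not Steven's ASP page. The permission on the group cannot
tell a student from a staff member, so this layer does; the directory
below is a constructed dictionary standing in for an LDAP/ADSI query and
all names in it are made up.
"""
import re
from dataclasses import dataclass

# sAMAccountName syntax: none of \ / [ ] : ; | = , + * ? < > " or whitespace, 1-20 chars
SAM_RE = re.compile(r"^[^\\/\[\]:;|=,+*?<>\"\s]{1,20}$")

STUDENTS_OU = "OU=Students,DC=college,DC=local"                       # constructed
DENIED_GROUP = "CN=DeniedNetAccess,OU=Groups,DC=college,DC=local"      # constructed
STAFF_GROUPS = frozenset({"CN=Staff,OU=Groups,DC=college,DC=local"})   # constructed


@dataclass(frozen=True)
class Account:
    sam: str
    dn: str
    member_of: frozenset = frozenset()


DIRECTORY = {   # constructed stand-in for the directory, keyed by lower-case sAMAccountName
    "jsmith": Account("jsmith", "CN=J Smith,OU=Students,DC=college,DC=local"),
    "swood": Account("swood", "CN=S Wood,OU=Staff,DC=college,DC=local", STAFF_GROUPS),
    "admin01": Account("admin01", "CN=admin01,OU=Admins,DC=college,DC=local",
                       frozenset({"CN=Domain Admins,CN=Users,DC=college,DC=local"})),
}

AUDIT = []   # (requester, submitted name, decision) so each use of the delegation is traceable


def lookup(sam):
    """Resolve an account by sAMAccountName, case-insensitively as AD does."""
    return DIRECTORY.get(sam.lower())


def is_under(dn, base):
    """True when dn sits somewhere below the container base."""
    return dn.lower().endswith("," + base.lower())


def authorize_add(requester_sam, target_sam):
    """Decide whether target_sam may be added to DeniedNetAccess.
    Returns (allowed, reason); all checks run before any ADSI call would be made."""
    if not SAM_RE.match(target_sam):
        decision = (False, "rejected: not a valid account name")
    else:
        target = lookup(target_sam)
        if target is None:
            decision = (False, "rejected: no such account")
        elif not is_under(target.dn, STUDENTS_OU):
            decision = (False, "rejected: %s is not in %s" % (target.dn, STUDENTS_OU))
        elif target.member_of & STAFF_GROUPS:
            decision = (False, "rejected: %s belongs to a staff group" % target.dn)
        else:
            decision = (True, "allowed: add %s to %s" % (target.dn, DENIED_GROUP))
    AUDIT.append((requester_sam, target_sam, decision[1]))
    return decision


def handle_form(requester_sam, form_value):
    """What the page does with the submitted field: only an 'allowed' decision
    would lead to the ADSI Add, and a refusal is reported rather than hidden
    behind On Error Resume Next."""
    name = form_value.strip()
    allowed, reason = authorize_add(requester_sam, name)
    if not allowed:
        return "Request refused (%s)" % reason
    return "Internet access for %s has been disabled" % name.upper()
```

The OU check is the one that answers Steven's question: a staff account lives outside OU=Students, so the page refuses it no matter what the group ACE allows. The name check matters for the same page because a value such as "jsmith,user" would otherwise change the ADsPath that the ASP builds.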








[ActiveDir] Scripting Delegation Question

2005-05-20 Thread Dan Holme

I am at the latter stages of a script to pump out delegation from a
business administrative model description. I've had great luck
automating DSACLS to drive delegation. Now I've hit a wall though and maybe
someone can help.

DSACLS won't let you remove a single permission. It will let you remove all
permissions for a security principal; it will let you deny; but it won't
remove an allowed permission.

My goal is to be able to drive a delegation of almost full control
of users & groups, whereby an admin group can do everything except delete,
because we want to provision the deletion process to avoid accidental
deletions. I'd like to delegate this as I would in the UI: click Full Control
then UNCHECK Delete and Delete Subtree.

Does anyone have any ideas how to script this? I'd prefer not to have to dive
into the security descriptor using VBScript, but if that's what it takes
I'll do that, if someone has a sample.

THANKS!

Dan

(BTW: Yes, I'll be posting this tool for everyone once it's finished)
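Both halves of this thread come down to how an ACE is matched: DSACLS removes every ACE naming a trustee, Alain's /Granular+ removes only the ACE that matches in every field, and the "Full Control minus Delete and Delete Subtree" delegation is an explicit rights mask, since there is no "Full Control minus two rights" bit to store. The following Python is an added example, not Alain's WMIManageSD.wsf, not DSACLS and not any code from this thread. It works on a DACL in SDDL string form, so it runs offline; the two GUIDs are the member attribute and group class from Alain's command line, the SIDs are constructed placeholders, and the rights bit values are the ADS_RIGHT_* constants from Iads.h.

```python
"""Granular ACE removal on an AD DACL written in SDDL (added example for this
thread; not Alain's WMIManageSD.wsf and not DSACLS)."""
import re

# SDDL two-letter codes for directory-service rights, in the order Windows
# emits them, mapped to the ADS_RIGHT_* bit values from Iads.h.
SDDL_RIGHTS = {
    "CC": 0x1,       # ADS_RIGHT_DS_CREATE_CHILD
    "DC": 0x2,       # ADS_RIGHT_DS_DELETE_CHILD
    "LC": 0x4,       # ADS_RIGHT_ACTRL_DS_LIST
    "SW": 0x8,       # ADS_RIGHT_DS_SELF
    "RP": 0x10,      # ADS_RIGHT_DS_READ_PROP
    "WP": 0x20,      # ADS_RIGHT_DS_WRITE_PROP
    "DT": 0x40,      # ADS_RIGHT_DS_DELETE_TREE
    "LO": 0x80,      # ADS_RIGHT_DS_LIST_OBJECT
    "CR": 0x100,     # ADS_RIGHT_DS_CONTROL_ACCESS
    "SD": 0x10000,   # ADS_RIGHT_DELETE
    "RC": 0x20000,   # ADS_RIGHT_READ_CONTROL
    "WD": 0x40000,   # ADS_RIGHT_WRITE_DAC
    "WO": 0x80000,   # ADS_RIGHT_WRITE_OWNER
}
ADS_RIGHT_DELETE = SDDL_RIGHTS["SD"]
ADS_RIGHT_DS_DELETE_TREE = SDDL_RIGHTS["DT"]
FULL_CONTROL = 0xF01FF   # "Full Control" on a directory object: all thirteen bits
ACE_FIELDS = ("ace_type", "ace_flags", "rights", "object_guid",
              "inherited_object_guid", "trustee")


def parse_rights(text):
    """'RPWP' -> 0x30; a hex mask such as '0xE01BF' is accepted too."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError("malformed rights string: %r" % text)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= SDDL_RIGHTS[text[i:i + 2]]
    return mask


def render_rights(mask):
    """Inverse of parse_rights; falls back to hex if a bit has no two-letter code."""
    out, rest = "", mask
    for code, bit in SDDL_RIGHTS.items():
        if rest & bit:
            out += code
            rest &= ~bit
    return out if rest == 0 else "0x%X" % mask


def make_ace(ace_type, ace_flags, rights, object_guid, inherited_object_guid, trustee):
    """Canonical ACE record (GUIDs lower-cased, rights as an int) for exact comparison."""
    return {"ace_type": ace_type, "ace_flags": ace_flags,
            "rights": parse_rights(rights) if isinstance(rights, str) else rights,
            "object_guid": object_guid.lower(),
            "inherited_object_guid": inherited_object_guid.lower(),
            "trustee": trustee}


def parse_dacl(sddl):
    """'D:AI(A;;...;;;sid)(OA;CIIO;...)' -> (dacl_flags, [ace, ...])."""
    m = re.match(r"^D:([A-Z]*)((?:\([^()]*\))*)$", sddl)
    if not m:
        raise ValueError("not a DACL string: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError("ACE needs 6 fields: %r" % body)
        aces.append(make_ace(*parts))
    return m.group(1), aces


def render_dacl(dacl_flags, aces):
    return "D:" + dacl_flags + "".join(
        "(%s;%s;%s;%s;%s;%s)" % (a["ace_type"], a["ace_flags"], render_rights(a["rights"]),
                                 a["object_guid"], a["inherited_object_guid"], a["trustee"])
        for a in aces)


def remove_trustee(aces, trustee):
    """DSACLS-style removal: every ACE naming the trustee goes."""
    return [a for a in aces if a["trustee"] != trustee]


def remove_exact(aces, wanted):
    """Granular removal: only an ACE equal in all six fields goes; a near match
    (same trustee and mask, different inheritance or object type) stays."""
    return [a for a in aces if a != wanted]


def full_control_except_delete():
    """The explicit mask for Full Control with Delete and Delete Subtree unchecked."""
    return FULL_CONTROL & ~(ADS_RIGHT_DELETE | ADS_RIGHT_DS_DELETE_TREE)


# Constructed sample DACL: a helpdesk group (placeholder SID) with full control plus
# the "modify group membership" ACE from Alain's command line, and Authenticated Users reading.
HELPDESK = "S-1-5-21-1111-2222-3333-1105"
MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"   # member attribute GUID, from the thread
GROUP_CLASS = "bf967a9c-0de6-11d0-a285-00aa003049e2"   # group class GUID, from the thread
SAMPLE_DACL = ("D:AI"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + HELPDESK + ")"
               "(OA;CIIO;RPWP;" + MEMBER_ATTR + ";" + GROUP_CLASS + ";" + HELPDESK + ")"
               "(A;CI;LCRPLORC;;;S-1-5-11)")


def demo():
    """Returns (granular result, wholesale result) as SDDL strings."""
    flags, aces = parse_dacl(SAMPLE_DACL)
    member_ace = make_ace("OA", "CIIO", "RPWP", MEMBER_ATTR, GROUP_CLASS, HELPDESK)
    granular = render_dacl(flags, remove_exact(aces, member_ace))
    wholesale = render_dacl(flags, remove_trustee(aces, HELPDESK))
    return granular, wholesale
```

The exact-match rule is why a granular removal has to repeat the whole original command line (same type, flags, mask and both GUIDs): change any field and it is a different ACE, and nothing is removed. The mask for Dan's delegation comes out as 0xE01BF, which SDDL renders as CCDCLCSWRPWPLOCRRCWDWO, in other words Full Control with the SD and DT codes gone; that is the shape of the ACE to add when the tool cannot subtract from an existing one.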








RE: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread Dan Holme
The major issue is the SPEED of recovery.  With a lag site, you ONLY
have to do an authoritative restore (NTDSUTIL).

Without a lag site, you must first restore the AD from backup tape
('normal' restore), which can take quite some time.  Then, and only
then, can you do the auth restore.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, May 18, 2005 11:46 PM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello,

Thanks for this interesting tip, but I didn't really understand the
technology behind a lag site in case of just a deletion of an
entire OU with many objects.

For example, if I have an AD 2003 domain with 2 sites:
Site A has 2 DCs
Site B has one DC and is the lag site
Between the 2 sites, I scheduled replication to run every 1 week.

In the situation of an OU deletion, I go to the DC on which I made the
deletion, and do an authoritative restore in dsmode and after reboot,
wait for replication to take place in order to repopulate all my domain
with my OU restored. So how will the lag site help me in this situation?

I can understand that a lag site will help me if all my DCs in site A
crashed. So I would take all information from the lag site to be
restored in site A, such as copying my domain from the lag site by doing a
dcpromo /adv, and go to my freshly installed DCs on site A, and restore my
whole domain.
However, I think I will have more updated information by restoring from
my yesterday backup than from the lag site...

So, could you help me better understand the technology behind a lag
site? I think I misunderstand something important ;-(

Thank you for your feedback.

Have a nice day :-)

Regards,

Yann



RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-19 Thread Dan Holme
 the deletion immediately. You therefore have a window of opportunity
in which the deletion may be 'undone'.

The deleted object may be auth restored on DC2 and thus replicated /
reanimated on DC1 (and any other DC which has received the deletion).

[My terminology may not be acceptable to some - I have deliberately
explained this in simplistic terms :)]

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 19 May 2005 08:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site


Hello,

I must apologize, but I'm a little bit confused. You said "With a lag site,
you ONLY have to do an authoritative restore (NTDSUTIL)."

Do you mean if I delete my OU on a DC in site A, all I have to do is an
authoritative restore, not on site A, BUT on the DC in the lag site, reboot,
and force replication to site A? And the non-authoritative restore will in
fact be the data on the lag site; that explains your previous sentence? Wow!
That's very clever!!

Am I right?

Regards,

Yann



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Thursday, May 19, 2005 08:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

The major issue is the SPEED of recovery.  With a lag site, you ONLY have to
do an authoritative restore (NTDSUTIL).

Without a lag site, you must first restore the AD from backup tape ('normal'
restore), which can take quite some time.  Then, and only then, can you do
the auth restore.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, May 18, 2005 11:46 PM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello,

Thanks for this interesting tip, but I didn't really understand the
technology behind a lag site in case of just a deletion of an entire OU with
many objects.

For example, if I have an AD 2003 domain with 2 sites:
Site A has 2 DCs
Site B has one DC and is the lag site
Between the 2 sites, I scheduled replication to run every 1 week.

In the situation of an OU deletion, I go to the DC on which I made the
deletion, and do an authoritative restore in dsmode and after reboot, wait for
replication to take place in order to repopulate all my domain with my OU
restored. So how will the lag site help me in this situation?

I can understand that a lag site will help me if all my DCs in site A
crashed. So I would take all information from the lag site to be restored
in site A, such as copying my domain from the lag site by doing a dcpromo
/adv, and go to my freshly installed DCs on site A, and restore my whole
domain.
However, I think I will have more updated information by restoring from my
yesterday backup than from the lag site...

So, could you help me better understand the technology behind a lag site?
I think I misunderstand something important ;-(

Thank you for your feedback.

Have a nice day :-)

Regards,

Yann



==
This message is for the sole use of the intended recipient. If you received
this message in error please delete it and notify us. If this message was
misdirected, Credit Suisse, its subsidiaries and affiliates (CS) do not
waive any confidentiality or privilege. CS retains and monitors electronic
communications sent through its network. Instructions transmitted over this
system are not binding on CS until they are confirmed by us. Message
transmission is not guaranteed to be secure. 

==

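Neil's "window of opportunity" and Dan's point about speed (no tape restore while the lag DC still holds the live object) can be shown with a small replication model. The following Python is an added example, not code from this thread: AD's per-attribute replication metadata is collapsed to one record per object, the deletion is a tombstone, and conflicts resolve by AD's rule (higher version wins, later timestamp breaks ties). The authoritative restore is modelled as a single 100,000 version increment, the per-day figure ntdsutil applies by default; the DC names, the weekly schedule and the DN are constructed.

```python
"""Why a lag site gives a recovery window: a small replication model.

Added example for this thread, not code from it. One record per object
stands in for AD's per-attribute metadata; the deletion is a tombstone;
the replica with the higher (version, timestamp) wins on conflict.
"""
from collections import namedtuple

Replica = namedtuple("Replica", "is_deleted version stamp originating")

LAG_INTERVAL_H = 168   # the one-week schedule from the tip that started the thread
VERINC = 100000        # ntdsutil's default version increment for an authoritative restore


class Dc:
    def __init__(self, name):
        self.name = name
        self.objects = {}          # dn -> Replica

    def delete(self, dn, now):
        """Originating deletion: the object becomes a tombstone with a new version."""
        cur = self.objects[dn]
        self.objects[dn] = Replica(True, cur.version + 1, now, self.name)


def replicate(src, dst):
    """One replication cycle from src to dst; the higher (version, stamp) wins."""
    for dn, s in src.objects.items():
        d = dst.objects.get(dn)
        if d is None or (s.version, s.stamp) > (d.version, d.stamp):
            dst.objects[dn] = s


def auth_restore(dc, dn, now, verinc=VERINC):
    """Authoritative restore on a DC that still holds the live object. If the
    tombstone has already reached this DC there is nothing live to mark
    authoritative: a non-authoritative restore from backup must come first."""
    cur = dc.objects[dn]
    if cur.is_deleted:
        raise RuntimeError("%s already holds the tombstone; restore from backup first" % dc.name)
    dc.objects[dn] = Replica(False, cur.version + verinc, now, dc.name)


def recovery_window_h(now, last_lag_sync, interval=LAG_INTERVAL_H):
    """Hours left before the next scheduled sync carries the deletion to the lag DC."""
    return max(0, interval - (now - last_lag_sync))


def run_scenario(delete_at_h, restore_at_h):
    """Two DCs in site A replicating hourly, one lag DC in site B on the weekly
    schedule. Returns (outcome, deleted_on_DC1, deleted_on_lag) after the restore
    attempt and one further full lag cycle."""
    dn = "OU=Finance,DC=example,DC=local"     # constructed
    dc1, dc2, lag = Dc("DC1"), Dc("DC2"), Dc("LAG1")
    for dc in (dc1, dc2, lag):
        dc.objects[dn] = Replica(False, 1, 0, "DC1")
    last_lag_sync = 0
    outcome = None
    for now in range(1, restore_at_h + LAG_INTERVAL_H + 1):
        if now == delete_at_h:
            dc1.delete(dn, now)
        replicate(dc1, dc2)                        # intra-site: effectively immediate
        replicate(dc2, dc1)
        if now - last_lag_sync >= LAG_INTERVAL_H:  # scheduled inter-site replication
            replicate(dc1, lag)
            replicate(lag, dc1)
            last_lag_sync = now
        if now == restore_at_h:
            try:
                auth_restore(lag, dn, now)
                replicate(lag, dc1)                # admin forces replication out of the lag site
                replicate(dc1, dc2)
                outcome = "reanimated-from-lag-site"
            except RuntimeError:
                outcome = "tombstone-reached-lag-site"
    return outcome, dc1.objects[dn].is_deleted, lag.objects[dn].is_deleted
```

With the deletion at hour 1 and the restore at hour 2, the lag DC's copy wins everywhere once replication is forced, which is Yann's "restore on the lag DC, then replicate to site A". Run it after the weekly sync has carried the tombstone into the lag site and auth_restore refuses, which is exactly the case where you are back to Dan's normal restore from backup first. The window is simply the time until the next scheduled inter-site replication, so the interval, and who can trigger replication into that site, define the protection you actually have.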


RE: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread Dan Holme
Changing SRV weight is NOT ENOUGH because there is still a chance that they 
will be used for authentication (e.g. if higher weighted records don't respond 
to the LDAP bind by the client fast enough).   You must either prevent the SRV 
records from registering (per the originally-cited article, which I have not 
tried) or stop NetLogon or both.

All of these are minimal TCO impact because ALL can be done thru GPOs.  (e.g. 
Services policy to set NetLogon to disabled).

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Killing off the rules stops those particular DCs from running the latency 
rules... but how do you overcome the latency rules from any DC not in a lag 
site with connection objects to DCs in the lag site?

:m:dsm:cci:mvp
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, May 19, 2005 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Marcus,

I kill off the specific rules on those servers.  If I'm not interested in a
particular message, it's gone.

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

For those of you that are a MOM environment and have created a lag site, how
are you overcoming the replication latency messages?

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, May 19, 2005 4:09 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD DR - replication lag site

If the deletion occurs on DC1, then a DC (DC2) in the lag site will not
receive the deletion immediately. You therefore have a window of opportunity
in which the deletion may be 'undone'.

The deleted object may be auth restored on DC2 and thus replicated /
reanimated on DC1 (and any other DC which has received the deletion).

[My terminology may not be acceptable to some - I have deliberately
explained this in simplistic terms :)]

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 19 May 2005 08:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site


Hello,

I must apologize, but I'm a little bit confused. You said "With a lag site,
you ONLY have to do an authoritative restore (NTDSUTIL)."

Do you mean if I delete my OU on a DC in site A, all I have to do is an
authoritative restore, not on site A, BUT on the DC in the lag site, reboot,
and force replication to site A? And the non-authoritative restore will in
fact be the data on the lag site; that explains your previous sentence? Wow!
That's very clever!!

Am I right?

Regards,

Yann



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Thursday, May 19, 2005 08:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

The major issue is the SPEED of recovery.  With a lag site, you ONLY have to
do an authoritative restore (NTDSUTIL).

Without a lag site, you must first restore the AD from backup tape ('normal'
restore), which can take quite some time.  Then, and only then, can you do
the auth restore.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, May 18, 2005 11:46 PM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello,

Thanks for this interesting tip, but I didn't really understand the
technology behind a lag site in case of just a deletion of an entire OU with
many objects.

For example, if I have an AD 2003 domain with 2 sites:
Site A has 2 DCs
Site B has one DC and is the lag site
Between the 2 sites, I scheduled replication to run every 1 week.

In the situation of an OU deletion, I go to the DC on which I made the
deletion, and do an authoritative restore in dsmode and after reboot, wait for
replication to take place in order to repopulate all my domain with my OU
restored. So how will the lag site help me in this situation?

I can understand that a lag site will help me if all my DCs in site A
crashed. So I would take all information from the lag site to be restored
in site A, such as copying my domain from the lag site by doing a dcpromo
/adv, and go to my freshly installed DCs on site A, and restore my whole
domain.
However, I think I will have more updated information by restoring from my
yesterday backup than from the lag site...

So, could you help me better understand the technology behind a lag site?
I think I misunderstand something important ;-(

Thank you for your feedback

RE: [ActiveDir] AD DR - replication lag site

2005-05-18 Thread Dan Holme
I have several large clients who are going this direction and are in
testing right now.  Things look quite good.

I had read somewhere that an alternative approach to preventing
authentication to the 'lag' DCs was to stop the Netlogon service.  The
approach of removing DNS records seems more elegant, and I'll be
interested to hear people's thoughts on these alternatives.



Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Wednesday, May 18, 2005 6:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DR - replication lag site

I am interested in your thoughts regarding this suggestion for DR:

http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html
(You may need to register)

Basically it states that you should create another AD site and set the
replication for 168 hours.

Thank you,

...D


RE: [ActiveDir] delegation not working on Win2k AD

2005-05-18 Thread Dan Holme

I wonder if something is just broken (and missed) as you've been making
changes. It sounds like everything is in place correctly.

You might try this, as it will serve you well in many ways:

Background

It is a best practice not to be adding computers willy-nilly to the
Computers container, since it is unmanaged. You'll probably want to be
adding computers to an actual OU, to which you've linked appropriate GPOs.
It is also a best practice to create the computer account in advance of
joining the computer to the domain; or to use NETDOM or WMI to join
computers to the domain, so that one way or another they end up in the
correct (end state) OU, rather than in a generic container. If you have
W2K3 domain functional level, you can also redirect the default Computers
container into a custom OU. See
http://support.microsoft.com/default.aspx?scid=kb;en-us;324949 .



Suggestion

Start over with your task, since you've tried everything and have done
things well. Start with a fresh OU, delegate your techs group the CC
(Create Child) and GA (Full Control) of computer objects in the OU. Test
by logging on as a tech and using ADUC to create a computer object; then
join a workstation (same name) to the domain. See what breaks, if
anything. If anything breaks, create a NEW tech user account, put it in
the same group that has been delegated permissions, and try again. If the
new tech can add computers (using ADUC) to the new OU and join computers
to the new accounts, try one last round of the new tech doing the same
thing back in your old container.



NEXT STEPS

I'd be happy to *try* to help you directly if you'd like. LMK where
exactly things are breaking. I'd just need to look at the ACL on the
Computers container and your new OU and an RSoP of a Technician.

1) Use the following command to dump the permissions on the container:

dsacls CN=Computers,DC=windomain,DC=local > desktop\dsaclsdump.txt

Replacing the domain name and/or Container/OU as appropriate

2) Please run two RSoP reports using the Group Policy Management Console

a. A Technician on a technician's computer

b. A Technician on a domain controller

Save the reports (they come out as HTML)

Send me the three files (I probably don't need all three, but they'll be
helpful). I don't have *tons* of time today, but I'll be happy to take a
quick look. My email is dan-dot-holme-at-intelliem-dot-com.



Dan Holme


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Wednesday, May 18, 2005 6:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] delegation not working on Win2k AD





Hi Rick,

Thanks for the answer, I double checked and I already have the
technicians full control on computer objects set on the Computers
container.

Any other ideas?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, May 17, 2005 6:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] delegation not working on Win2k AD





I agree with many of the other posts here: a domain level is likely the
correct area to do this, simply because the usual location for a joined
computer is the Computers Container, not an OU. If they don't have access
to the container, then they aren't going to be able to join them.

What is the scope of the delegated permissions? Is it "This object and all
child objects"? Also, I think that I'd create a new delegation in the
Advanced properties of the AD Security tab (it might exist; if you aren't
used to using the Advanced view of Security in AD, you won't see it) for
the techs. This time, however, you are going to want to select "Computer
Objects" from the dropdown, then select Full Control for the techs. Save
this.

If you don't have a clear idea on how to proceed, reply back. I'll send or
post detailed instructions with pictures, if necessary, on how to do
exactly what you want.

-rtk











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Tuesday, May 17, 2005 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] delegation not working on Win2k AD





Hi,

Thanks for the hint, but I did it too.

Here are the settings I have. In the user rights, the group "technicians" is allowed to add computers to the domain.

I also have the following perms on the Computers OU:

List content
Read all properties
Write all properties
Read permissions
Create computer objects
Delete computer objects
Read Container info
Write container info
Read heuristics
Write heuristics

I used the delegation wizard on the domain, not on the OU.

Is there anything else I'm missing?

Thanks

From: TIROA YANN [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Tuesday, May 17, 2005 2:23 PM
To: ActiveDir@mail.activedir.org; Bruyere, Michel
Subject: RE: [ActiveDir] delegation not working on Win2k AD

Hello ;-)

If You

RE: [ActiveDir] Windows / AD Conferences

2005-05-18 Thread Dan Holme
Windows Connections is a pretty unique event, in that you have access to
the best 'gurus' around (many of us also present at TechEd, DEC, and
TechMentor) but it's generally a MUCH more sane environment with fewer
attendees, so you'll get MUCH more 'face time' with the experts than you
would elsewhere.

Imagine yourself with a question you want answered in a room of
500-1000+ versus 80-150.  You get the picture.

We've also instituted some really cool ways for you to get the answers
you need (i.e. free consulting) in our "Ask the Experts" booth (manned
by the gurus during all breaks & meals) and a new "brain share" format
where selected sessions (e.g. my AD session in October) are open format,
specifically to address attendee issues.

OK, it's a shameless plug, but it's good for you to know about since
you're asking.

Dan Holme


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, May 18, 2005 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows / AD Conferences

I would go to the one where John Craddock was presenting.

Mark

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 18 May 2005 22:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows / AD Conferences

Be nice to get to go to more than one. :-)  DEC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Tuesday, May 17, 2005 5:11 AM
To: 'Charlie Saliba '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Windows / AD Conferences


DEC
IT Forum
TechEd

#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/17/2005 4:35 AM
Subject: [ActiveDir] Windows / AD Conferences

If you had to go to three conferences a year on Microsoft Windows /
Active Directory / Security, which would you attend?

Thanks,
Charlie

List info : http://www.activedir.org/List.aspx List FAQ :
http://www.activedir.org/ListFAQ.aspx List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Sites and Folder Redirection | more

2005-05-15 Thread Dan Holme








I have not seen a reply to this thread so I thought I might pitch in my thoughts:

In my geographically distributed clients, we face the same problem. We address it using global groups to represent the geographic location of users. If a user is transferred to another site (location), we change their global group membership. The global group is used either to filter a GPO redirecting folders to a specific server (or via a site-related DFS link), or the groups are used in a single GPO to create advanced folder redirection, whereby you can point groups to different servers. That way, traveling users, dial-in users, etc. were accessing their folder-redirected folders on their home server; we didn't want to replicate tons of user data in those environments just for the few

So to make a long story short, we just didn't use site-linked GPOs for anything to do with user data. It also made help desk issues much easier, since the help desk could change the membership of these location-related global groups easily.

Dan Holme
Intelliem













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, May 12, 2005 3:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sites and Folder Redirection | more

Hello:

I am working with redirecting My Documents in various sites. I have some follow-up questions to the thread I started a few months ago.

Some sites have poor connectivity. There is no replication of data between sites (for home directories). Laptop users use Offline Files. Single domain, W2k. All redirection is handled via User GPOs. The root Home directory resides on a file server at each site; users at that site point there based on the GPO. Security is defined as per MSKB 274443.

Where to apply the GPO? As Aric pointed out, applying it at the Site level will cause users to redirect to the local Home share when they just drop by with their laptops. What happens to Offline Files in this case? It seems better to create OUs for users at each Site and apply the GPO there. Under this scenario, would Slow Link Detection prevent the redirection from trying to find Home over the slow WAN link? Would it then just resort to Offline Files?

Finally, if we use DFS to create a unified namespace, all user home directories would be created under a single Home directory. Without folder replication, how would we control the Site and file server where the folder actually gets created?

Many TIA.

--
nme








RE: [ActiveDir] Strange problem

2005-05-10 Thread Dan Holme
To add to what Joe just said, you might run

DSACLS <DN of OU> /S /T

This command will reset the permissions on the OU *and* all objects
beneath it to the default set by the schema.  This might help prevent
any junk other than the perms you're trying to set from causing
problems...  This is what it sounds like -- a RESET TO DEFAULT -- so
don't use it if you have other delegation attached to the OU that you
want to preserve.  However, the default DOES include inherit, so any
perms attached explicitly to OUs (or the domain) above this OU will be
inherited.


Dan
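A cautious way to run the reset Dan describes, as an added example that is not from the post: snapshot the ACLs of the OU subtree to a file first, run DSACLS /S /T, then diff the OU's ACL so the explicit delegations the reset wiped can be re-applied deliberately. The OU DN and backup path are placeholders; it assumes the RSAT ActiveDirectory module and dsacls.exe on the path.

```powershell
# Added example (not from the thread). Back up the ACLs of an OU subtree before
# resetting them with DSACLS /S /T, then report which explicit ACEs were removed.
# Assumptions: RSAT ActiveDirectory module, dsacls.exe on the path; $OuDN is a placeholder.
Import-Module ActiveDirectory

$OuDN   = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$Backup = Join-Path $env:TEMP ('acl-backup-{0:yyyyMMdd-HHmmss}.xml' -f (Get-Date))

# 1. Snapshot the security descriptor of the OU and every object beneath it,
#    because /T resets the whole subtree, not just the OU itself.
$subtree = Get-ADObject -SearchBase $OuDN -SearchScope Subtree -Filter *
$before  = foreach ($obj in $subtree) { Get-Acl -Path "AD:\$($obj.DistinguishedName)" }
$before | Export-Clixml -Path $Backup

$ouBefore = Get-Acl -Path "AD:\$OuDN"
$explicit = @($ouBefore.Access | Where-Object { -not $_.IsInherited })
Write-Host "Saved $(@($before).Count) ACL(s) to $Backup; the OU has $($explicit.Count) explicit ACE(s) that the reset will drop."

# 2. Reset the OU and its subtree to the schema defaults (the command from the post).
& dsacls.exe $OuDN /S /T | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# 3. List the ACEs that existed before but are gone now, so they can be
#    re-delegated on purpose rather than rediscovered by a broken help desk.
$ouAfter = Get-Acl -Path "AD:\$OuDN"
Compare-Object -ReferenceObject @($ouBefore.Access) -DifferenceObject @($ouAfter.Access) `
    -Property IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType |
    Where-Object SideIndicator -eq '<=' |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType -AutoSize
```

The diff only covers the OU itself; the Clixml file holds the pre-reset descriptors of every child object if one of those needs to be compared as well.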