RE: [ActiveDir] client time sync
Russ- In my experience recent versions of W32time will not correct an offset that large (> 5 minutes) and will issue the exact message you quoted. By far the easiest thing to do is a net time /set /yes to the closest DC. Once the clock is pulled in within W32time's sanity checking parameters it should be fine as long as the service is configured correctly. Pull it in with net time and then bounce the service; likely you will see messages in the event log that it is now receiving time from DCxx. This works for me the vast majority of the time; usually the problem is someone who thinks they know better and goes in and mucks around with the settings or installs some 3rd party [EMAIL PROTECTED]

If you issue the following it should look something like this for a domain member-

c:\admin\scripts>w32tm /dumpreg /subkey:parameters

Value Name    Value Type      Value Data
ServiceMain   REG_SZ          SvchostEntry_W32Time
ServiceDll    REG_EXPAND_SZ   C:\WINDOWS\system32\w32time.dll
Type          REG_SZ          Nt5DS
LocalNTP      REG_DWORD       0
Period        REG_SZ          SpecialSkew

If it's not Type=Nt5DS it's mis-configured. Sure there's other stuff that can go wrong but this works for me 99.9% of the time.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, January 10, 2007 6:38 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] client time sync

I tried it, it says: The computer did not resync because no time data was available. I followed http://support.microsoft.com/kb/929276 but it was already set right.

Try the command... w32tm /resync /rediscover See if that helps the client figure out where it should look for time. ~Ben

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, January 10, 2007 2:12 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Client time sync

I have a machine (at least one I know of) that isn't syncing time with the domain controller it's logging into.
I've restarted the win32time service on it to see if that would sync it and it doesn't. Any suggestions on where to start? The DC and the client are off by about 9 minutes. ~~ This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information of Cameron and its Operating Divisions. Any unauthorized use or disclosure is prohibited. If you are not the intended recipient, please contact the sender by reply email and delete and destroy all copies of the original message inclusive of any attachments. ~~ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
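The procedure Bob describes (measure the offset, confirm Type=Nt5DS, step the clock with net time, bounce W32Time, resync) as an added PowerShell example; this is not code from the thread. It assumes an elevated prompt on the domain member and a reachable DC name (the 'dc01.example.com' below is a placeholder). The 300-second threshold is the default Kerberos clock-skew tolerance, which is why a 9-minute offset breaks domain logons and not just timestamps. The MaxPosPhaseCorrection/MaxNegPhaseCorrection values under W32Time\Config are what cap the offset the service will correct on its own.

```powershell
# Added example, not part of the original thread.
# Assumptions: run elevated on a domain member; $Dc is a reachable domain controller.

function Get-W32TimeConfig {
    # The same values 'w32tm /dumpreg /subkey:parameters' prints, read directly,
    # plus the Config values that cap how big an offset the service will correct.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $c = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    [pscustomobject]@{
        Type                  = $p.Type                  # Nt5DS = domain hierarchy (expected on a member)
        NtpServer             = $p.NtpServer             # only used when Type is NTP
        MaxPosPhaseCorrection = $c.MaxPosPhaseCorrection # largest forward jump the service will make, seconds
        MaxNegPhaseCorrection = $c.MaxNegPhaseCorrection # largest backward jump, seconds
    }
}

function Get-ClockOffsetSeconds {
    param([Parameter(Mandatory)][string]$Dc)
    # /stripchart /dataonly prints one "hh:mm:ss, +00.0123456s" line per sample.
    $lines  = w32tm /stripchart "/computer:$Dc" /samples:3 /dataonly 2>&1
    $sample = $lines | Where-Object { $_ -match '[+-]\d+\.\d+s' } | Select-Object -Last 1
    if (-not $sample -or $sample -notmatch '([+-]\d+\.\d+)s') {
        throw "No time data from $Dc (UDP 123 blocked, or the DC is not reachable)."
    }
    [double]$Matches[1]
}

function Repair-DomainMemberClock {
    param(
        [Parameter(Mandatory)][string]$Dc,
        [double]$MaxSkewSeconds = 300   # Kerberos default clock-skew tolerance
    )
    $cfg = Get-W32TimeConfig
    if ($cfg.Type -ne 'Nt5DS') {
        Write-Warning "Type is '$($cfg.Type)', not Nt5DS: this member is not syncing from the domain hierarchy."
    }
    $offset = Get-ClockOffsetSeconds -Dc $Dc
    if ([math]::Abs($offset) -le $MaxSkewSeconds) {
        Write-Host ("Offset {0:N3}s against {1} is inside Kerberos tolerance; leaving W32Time to slew it." -f $offset, $Dc)
        return
    }
    Write-Warning ("Offset {0:N3}s exceeds {1}s; Kerberos authentication fails until it is corrected." -f $offset, $MaxSkewSeconds)
    # Step the clock the way the thread recommends, then bounce the service so it
    # re-discovers its source and resumes normal slewing.
    net time "\\$Dc" /set /yes | Out-Null
    Restart-Service -Name W32Time
    w32tm /resync /rediscover | Out-Null
    Write-Host ("Offset after step: {0:N3}s" -f (Get-ClockOffsetSeconds -Dc $Dc))
}

Repair-DomainMemberClock -Dc 'dc01.example.com'   # assumed DC name
```

If Get-ClockOffsetSeconds throws, the member cannot even reach the DC on UDP 123, which is a different problem from the one in the thread and no amount of resyncing will fix it.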
RE: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy!
Someone asked- is there an accept switch to use? Now there is according to their blog- http://blogs.technet.com/sysinternals/rss.xml The following Sysinternals utilities and files have been updated: PsTools v.2.42: all PsTools now support the switch '-accepteula' on the command-line in order to avoid breaking non-interactive scenarios (e.g. scripts and other automation) http://www.microsoft.com/technet/sysinternals/utilities/pstools.mspx Cool

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, November 14, 2006 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy!

is there an accept switch to use? How about a workaround? http://kb.ultratech-llc.com/Scripts/?File=SetEULA.BAT Kudos to Andrew for sharing it.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, November 13, 2006 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy!

Better question ... is there an accept switch to use? If you try a tool in a loop against a set of servers, it prompts for every one of them... :m:dsm:cci:mvp | marcusoh.blogspot.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, November 13, 2006 4:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy!

We had to compile in bbisw.lib (Big Brother Is Watching). You might think that's against your rights, but you signed them away when you accepted the 5k larger eula.txt below (which you didn't read). Cheers, BrettSh [EMAIL PROTECTED] -- I've decided it's funny when I use it. Just b/c I know this kind of thing can go rabidly out of control, _YES, I WAS KIDDING._

On Mon, 13 Nov 2006, Steve Egan (Temp) wrote: Back in my days of programming in C, if we used the C-Worthy Interface Library (CWIL), a simple three-line program would be a MINIMUM of 170K. Maybe it's because a GUI is now included, or somesuch?? Steve Egan Purcell Systems System/Network Administrator desk 509 755-0341 x110 cell 509 475-7682 fax 509 755-0345

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, November 13, 2006 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy!

I think MS may have signed them all. Dunno if that increases size. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: Monday, November 13, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy!

Hi! Just a quick question to the list, to see what the honorable members (tm) think. I have just d/l some of the updated sysinternals tools from MS (filemon, regmon, autoruns and pstools to be precise), and I have noticed that most if not all the utils have grown in size A LOT. As an example, this is the change I see from pstools v2.34 and v2.4:

Archive: SYSINTERNALS PsTools v2.34 -20060710- PsTools.zip
  Length   Date     Time   Name
  122880   20/03/06 16:19  psshutdown.exe
   94208   02/08/05 11:14  pskill.exe
   65536   30/03/06 10:05  psloglist.exe
   49152   27/03/06 13:07  psloggedon.exe
  106496   21/07/05 10:22  psgetsid.exe
  146704   26/07/00 12:00  pdh.dll
   57344   06/04/06 14:52  psservice.exe
   53248   30/12/05 03:15  psfile.exe
  135168   11/07/06 09:00  psexec.exe
   63786   08/07/06 11:10  Pstools.chm
  135168   13/12/05 09:51  Psinfo.exe
  106496   07/11/03 14:42  pssuspend.exe
   86016   01/12/04 17:27  pslist.exe
   57344   16/05/04 08:36  pspasswd.exe
    1969   11/02/06 09:22  Eula.txt
      39   10/07/06 13:58  version.txt
 ---
 1281554                   16 files

Archive: SYSINTERNALS PsTools v2.4 -20061101- PsTools.zip
  Length   Date     Time   Name
  412472   01/11/06 13:07  psexec.exe
  166712   01/11/06 13:06  psfile.exe
  322360   01/11/06 13:07  psgetsid.exe
  428856   01/11/06 13:07  Psinfo.exe
  318264   01/11/06 13:07  pskill.exe
  191288   01/11/06 13:06  pslist.exe
  162616   01/11/06 13:06  psloggedon.exe
  187192   01/11/06 13:06  psloglist.exe
  170808   01/11/06 13:06  pspasswd.exe
  179000   01/11/06 13:06  psservice.exe
  404280   01/11/06 13:07  psshutdown.exe
  375608   01/11/06 13:07  pssuspend.exe
   63786   08/07/06 11:10  Pstools.chm
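The non-interactive scenario the blog entry quoted above is about (one PsTools utility run in a loop against many servers), as an added PowerShell example that is not code from the thread or from Sysinternals. It uses the '-accepteula' switch the post quotes, and separately pre-sets the per-user registry value that the SetEULA.BAT workaround writes (HKCU\Software\Sysinternals\<Tool>\EulaAccepted = 1) so that tools invoked without the switch do not prompt either. The psexec.exe path and the host names are assumptions.

```powershell
# Added example, not part of the original thread.
# Assumptions: psexec.exe lives at $PsExec; 'srv01'/'srv02' are placeholder hosts.

function Set-SysinternalsEulaAccepted {
    # What SetEULA.BAT does: mark the EULA accepted for the current user so the
    # GUI dialog never appears, even for tools started without -accepteula.
    param([string[]]$Tool)
    foreach ($t in $Tool) {
        $key = "HKCU:\Software\Sysinternals\$t"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name EulaAccepted -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Invoke-PsExecAcrossHosts {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Command,
        [string]$PsExec = 'C:\Tools\PsTools\psexec.exe'   # assumed location
    )
    foreach ($c in $ComputerName) {
        # -accepteula is honoured per invocation, so the loop never blocks on a prompt.
        # PsExec's own banner goes to stderr; 2>&1 folds it into the captured output.
        $out = & $PsExec -accepteula "\\$c" cmd /c $Command 2>&1
        [pscustomobject]@{
            Computer = $c
            ExitCode = $LASTEXITCODE            # remote command's exit code (or PsExec's own on failure)
            Output   = ($out | Out-String).Trim()
        }
    }
}

Set-SysinternalsEulaAccepted -Tool 'PsExec', 'PsInfo', 'PsList'
Invoke-PsExecAcrossHosts -ComputerName 'srv01', 'srv02' -Command 'hostname' | Format-Table -AutoSize
```

Keep in mind that each run copies PSEXESVC to the target's ADMIN$ share and installs it as a service; that is exactly the artefact defenders watch for, so a scripted loop like this will light up any monitoring that alerts on PsExec activity.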
RE: [ActiveDir] What is Websence
Umm, it's a suite of products and services. Depends on what you buy :-) http://www.websense.com/global/en/ProductsServices/ What we have for our Websense installation is several Windows servers that serve as content filters and proxy servers with a subscription-based filter. All the logs roll to a common reporting database; they sit behind load balancers so client proxy configuration and redundancy is simplified.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Thursday, December 07, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What is Websence

Is it a box or software-driven web filtering? Please provide some info on this. -- Thanks, RD
RE: [ActiveDir] security
MSGINA is the Logon Process that was loaded (GINA = Graphical Identification and Authentication). KSecDD, RASMAN, Secondary Logon Service, LAN Manager Workstation Service, CHAP, DCOMSCM, Winlogon, Winlogon\MSGina are all standard logon processes you could see in the logs according to what mechanism is being used to authenticate. You will see those events at startup and during authentication attempts. MSGINA is the standard interactive logon interface you see when you press ctrl-alt-del, as implemented by msgina.dll. 3rd parties, such as RSA or PCAnywhere, can extend the functionality and present a different graphical interface to the user during the logon process. Winlogon and the standard GINA interact as follows:

1. Winlogon detects a Secure Action Sequence (SAS) event (e.g. ctrl-alt-del).
2. Winlogon determines the system state when the SAS was detected.
3. Winlogon calls the appropriate GINA function.
4. The GINA function called performs the necessary operation.
5. The GINA passes a return value to Winlogon.

If auditing is enabled, you should be able to see who knocked you off in the security logs.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Friday, December 01, 2006 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] security

Hi, What is the meaning of this event? Does it mean that MSGINA was trying to log in to that machine where the event was found? I was connected to an XP Pro using Remote Desktop and all of a sudden it kicked me out saying someone else connected to it; how do I find out who it was? Thanks

A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name: Winlogon\MSGina
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Rezuma
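The "look in the security log" answer above, as an added PowerShell example that is not code from the thread. The trusted-logon-process event Ramon quoted only says a GINA registered; the events that name the person who took the session are the Remote Desktop logon (4624 with LogonType 10, RemoteInteractive) and the session reconnect/disconnect notifications (4778/4779). Those are the Vista-and-later IDs that Get-WinEvent can query; the XP-era equivalents in the poster's log are 528 with logon type 10, 682 and 683, and the trusted-logon-process event itself is 4611 on current systems. Logon auditing must be enabled on the target and the caller needs administrative rights to read its Security log. The computer name defaults to the local machine.

```powershell
# Added example, not part of the original thread.
# Assumptions: audit of logon events is enabled; caller can read the Security log.

function Get-RdpSessionEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $ms = [int64]((Get-Date) - $Since).TotalMilliseconds
    # Server-side XPath filter: RDP logons plus session reconnect/disconnect, within the window.
    $xpath = "*[System[(EventID=4624 or EventID=4778 or EventID=4779) and TimeCreated[timediff(@SystemTime) <= $ms]]]"

    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a hashtable.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            # 4624 covers every logon type; keep only RemoteInteractive (10).
            if ($_.Id -eq 4624 -and $d.LogonType -ne '10') { return }

            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                What    = switch ($_.Id) { 4624 { 'RDP logon' } 4778 { 'session reconnected' } 4779 { 'session disconnected' } }
                Account = if ($_.Id -eq 4624) { "$($d.TargetDomainName)\$($d.TargetUserName)" } else { "$($d.AccountDomain)\$($d.AccountName)" }
                Client  = if ($_.Id -eq 4624) { $d.IpAddress } else { "$($d.ClientName) ($($d.ClientAddress))" }
                Session = if ($_.Id -eq 4624) { $d.TargetLogonId } else { $d.SessionName }
            }
        } | Sort-Object Time
}

Get-RdpSessionEvents | Format-Table -AutoSize
```

On a single-session XP box the 4779 for your own session followed closely by a 4624/4778 for someone else is the sequence that answers "who kicked me off"; the Client column gives you the address they came from.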
RE: [ActiveDir] Is it 2000 or 2003?
If you follow the thread's consensus, it is that it's just a bug in gpresult. I have a forest built from scratch on 2003 that's never seen hide nor hair of anything w2k and gpresult still reports it as 2000. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den Wyngaert Sent: Thursday, November 16, 2006 3:07 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is it 2000 or 2003? Well actually I didn't use the adfind tool yet, when I read the beginning of this thread I looked in the GUI Active Directory Domains and Trusts where it is listed that my functional level of domain/forest is W2K3 (which I raised some months ago and seems correct). But when I run the gpresult tool, it states that my domain type is Windows 2000, which I find a bit odd. Did I miss something in the upgrade process or something? Is it an issue? On 11/16/06, joe [EMAIL PROTECTED] wrote: AdFind only determines the Directory level, it doesn't look for functional modes or mixed mode. The way I get directory level is through the supportedCapabilities attribute of the rootdse of the DC. Of course it is possible to hit one DC looking for info and I pull the ROOTDSE from that DC and then in the background a referral is processed which ends up getting the info from another DC in another domain (or same domain if looking at app parts). You can get functionality modes from the rootdse attributes domainFunctionality and forestFunctionality. For all of those, just do an AdFind -rootdse and you will see what I am decoding and logically how I ascertain directory level. Mixed mode versus native you simply use the domain NC's nTMixedDomain attribute. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Thursday, November 16, 2006 11:50 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is it 2000 or 2003? 
I don't understand where you are seeing this info. Are you referring to the applet that is used to raise the FL? Or something else? As for the flag that is used to identify the directory, it is usually a combination of: msDS-Behavior-Version nTMixedDomain supportedCapabilities Or at least, that is the way I put info. such as server and directory in each of my scripts. Just like Joe does in ADFIND and ADMOD. I believe he does it the same way too. Basically, check msDS-Behavior-Version. If it's 0, check nTMixedDomain. If it's 2, check supportedCapabilities to see whether or not it is ADAM (it's ADAM if one of the supportedCapabilities is 1.2.840.113556.1.4.1851 [LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID]). In my test lab(s), my directory is considered a 2003 directory. In my labs, I used either DOMAIN.MSC or ADMOD to increase the FLs. --Paul - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, November 16, 2006 3:45 PM Subject: RE: [ActiveDir] Is it 2000 or 2003? I've entered this thread late so apologies if the below has already been stated: I recently created a new dev forest, with multiple domains. I too raised DFL and FFL as soon as all domains were built. I do not see the issues you describe and would suggest you download the scripts available here http://www.jadonex.com/ One of the scripts (written by Dean) checks the DFL and FFL for the forest and across all domains. For a manual check, I also look here: FFL === CN=Partitions,CN=Configuration,DC=xxx Attribute msDS-Behavior-Version 0=w2k FFL, 1=interim FFL, 2=w2k3 FFL DFL === CN=domainName,CN=Partitions,CN=Configuration,DC=xxx Attribute msDS-Behavior-Version 0=w2k DFL, 1=interim DFL, 2=w2k3 DFL Hope that helps, neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Onsomu Sent: 16 November 2006 14:35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Is it 2000 or 2003? 
I got curious about this and decided to dcpromo my VM image of Windows 2003 R2. After the AD installation (which sits at Windows 2000 for domain type) I raised the functionality for the domain and forest. The result for domain type was Windows 2000. I am not sure it is supposed to be different. Anybody out there who can say their install says something else? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, November 15, 2006 3:15 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is it 2000 or 2003? Were these clean installs or in-place? Bart Van den Wyngaert wrote: Well I also have a strange thing... It concerns 2 SBS 2003 systems. Some months ago I raised both domain and forest functional
RE: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy!
is there an accept switch to use? How about a workaround? http://kb.ultratech-llc.com/Scripts/?File=SetEULA.BAT Kudos to Andrew for sharing it.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, November 13, 2006 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy!

Better question ... is there an accept switch to use? If you try a tool in a loop against a set of servers, it prompts for every one of them... :m:dsm:cci:mvp | marcusoh.blogspot.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, November 13, 2006 4:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy!

We had to compile in bbisw.lib (Big Brother Is Watching). You might think that's against your rights, but you signed them away when you accepted the 5k larger eula.txt below (which you didn't read). Cheers, BrettSh [EMAIL PROTECTED] -- I've decided it's funny when I use it. Just b/c I know this kind of thing can go rabidly out of control, _YES, I WAS KIDDING._

On Mon, 13 Nov 2006, Steve Egan (Temp) wrote: Back in my days of programming in C, if we used the C-Worthy Interface Library (CWIL), a simple three-line program would be a MINIMUM of 170K. Maybe it's because a GUI is now included, or somesuch?? Steve Egan Purcell Systems System/Network Administrator desk 509 755-0341 x110 cell 509 475-7682 fax 509 755-0345

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, November 13, 2006 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy!

I think MS may have signed them all. Dunno if that increases size. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: Monday, November 13, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy!

Hi! Just a quick question to the list, to see what the honorable members (tm) think. I have just d/l some of the updated sysinternals tools from MS (filemon, regmon, autoruns and pstools to be precise), and I have noticed that most if not all the utils have grown in size A LOT. As an example, this is the change I see from pstools v2.34 and v2.4:

Archive: SYSINTERNALS PsTools v2.34 -20060710- PsTools.zip
  Length   Date     Time   Name
  122880   20/03/06 16:19  psshutdown.exe
   94208   02/08/05 11:14  pskill.exe
   65536   30/03/06 10:05  psloglist.exe
   49152   27/03/06 13:07  psloggedon.exe
  106496   21/07/05 10:22  psgetsid.exe
  146704   26/07/00 12:00  pdh.dll
   57344   06/04/06 14:52  psservice.exe
   53248   30/12/05 03:15  psfile.exe
  135168   11/07/06 09:00  psexec.exe
   63786   08/07/06 11:10  Pstools.chm
  135168   13/12/05 09:51  Psinfo.exe
  106496   07/11/03 14:42  pssuspend.exe
   86016   01/12/04 17:27  pslist.exe
   57344   16/05/04 08:36  pspasswd.exe
    1969   11/02/06 09:22  Eula.txt
      39   10/07/06 13:58  version.txt
 ---
 1281554                   16 files

Archive: SYSINTERNALS PsTools v2.4 -20061101- PsTools.zip
  Length   Date     Time   Name
  412472   01/11/06 13:07  psexec.exe
  166712   01/11/06 13:06  psfile.exe
  322360   01/11/06 13:07  psgetsid.exe
  428856   01/11/06 13:07  Psinfo.exe
  318264   01/11/06 13:07  pskill.exe
  191288   01/11/06 13:06  pslist.exe
  162616   01/11/06 13:06  psloggedon.exe
  187192   01/11/06 13:06  psloglist.exe
  170808   01/11/06 13:06  pspasswd.exe
  179000   01/11/06 13:06  psservice.exe
  404280   01/11/06 13:07  psshutdown.exe
  375608   01/11/06 13:07  pssuspend.exe
   63786   08/07/06 11:10  Pstools.chm
      38   15/10/06 16:32  psversion.txt
  153672   01/11/06 13:05  pdh.dll
    7005   28/07/06 08:32  Eula.txt
 ---
 3543957                   16 files

Just wondering out loud what is the reason for the size change. Different compiler, maybe? Thanks a lot for your time in reading thus far. Javier Jarava
RE: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy!
pasted all the guesses into one mail thread (because people on this alias are so terrible at finding the tip of the thread) Like BrettSh said, someone guessed pretty close...now who would that be? LOL Too bad this isn't the thread he quoted... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Tuesday, November 14, 2006 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy! And the answer is: From: Mark Russinovich Sent: 14 November 2006 19:15 To: [EMAIL PROTECTED] Subject:Can you comment on this please? The growth is primarily due to the EULA. We've come up with a way to shrink it and so the sizes will decrease as we update the tools. -Original Message- From: [EMAIL PROTECTED] Sent: Tuesday, November 14, 2006 6:07 AM To: Mark Russinovich Subject:Can you comment on this please? Importance: High Mark, this email is floating around the activedir email list and was wondering if you could answer it. Mark Mark Parris Base IT Ltd Active Directory Consultancy +44 (0)7801 690596 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: 14 November 2006 17:09 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy! I did not say that compiler options produced the increase in size. I said someone guessed pretty close, and pasted all the guesses into one mail thread (because people on this alias are so terrible at finding the tip of the thread). Cheers, -BrettSh On Tue, 14 Nov 2006, Javier Jarava wrote: Hey! I wonder why everybody assumes that I am implying there is something sneaky going on?? :)) I mean, it's not like any of you had seen my new tinfoil hat, and I believe I haven't ranted about my conspiracy theories on-list not even once!! 
(I was about to say that I am SURE I've never referred to MS using the M money shortcut, but I think that might be getting a little too close to irony, and probably the joke might be misread, so I decided to be on the safe side and try to be serious and avoid it. And then decided that the day is boring enough so what the h..!) (Note: yes, the above paragraphs are not to be taken seriously and can be skipped over without losing any content). Conspiracy theories aside, the reason for my OP was that I tend to enjoy lean utils and when a program just about doubles its size for no apparent reason, I like to ask why. There was a time loong ago when I thought I knew something about programming (that was around the time of VS5 and BCB1/3, so I guess that explains how outdated I sometimes feel), and I remember getting big changes in exe sizes just by playing around with compiler options. That's what I believed the reason for the change was, and I guess the thread more or less confirms it (especially BrettSH's posts). But I was (and still am) curious as to the how/what/why of the change. I mean, I (obviously) don't have the code for the sysinternals utils (and probably wouldn't be able to make much sense of it if I had), but I tend to remember that the little code I've seen from Sysinternals (something to do with file defrag, IIRC) was clean and neat-looking, w/o dangerous shortcuts and similar hocus-pocus that might be cleaned off and thus get a bigger exe. And if the reason is sysinternals used a standard MS compiler vs in-house use of better tools... well, I know that exe size is not everything.. but... being honest, if you had an established and working product, and one of your programmers used better tools to get a result that is 2x, wouldn't you wonder if it was worth it? So I guess it boils down to a matter of curiosity, and I also feel that there is a lesson there worth knowing. 
After all, I truly believe the Sysinternals utils are true gems and I hope they are maintained and grown to be even better. soapbox off :) On 13/11/06, joe [EMAIL PROTECTED] wrote: Could be various things of which most would probably be a little difficult to ascertain. Compiler versions can certainly cause deltas, as well as individual switches in a compiler. For instance, if I use Borland Builder 6.0 to compile something and then use Borland Developer Studio (basically Borland Builder 7.0) I will see a reduction usually of about 10-40% in binary size. However, if I select certain switches (primarily things like inline function expansion while using STL code), the BDS compile can grow from 50-300% and probably more; 300% is about the most I have seen. It is likely that MSFT would compile the tools with something different than Mark would have and use. From the times I have looked at Mark's source, I am pretty sure he just used the standard Visual Studio product that was current for the time. I won't speak for MSFT on what
RE: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy!
I would think in part it has to be the new GUI EULA that pops up and the code they use to update the registry of acceptance of said EULA.

From: [EMAIL PROTECTED] on behalf of Javier Jarava
Sent: Mon 11/13/2006 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy!

Hi! Just a quick question to the list, to see what the honorable members (tm) think. I have just d/l some of the updated sysinternals tools from MS (filemon, regmon, autoruns and pstools to be precise), and I have noticed that most if not all the utils have grown in size A LOT. As an example, this is the change I see from pstools v2.34 and v2.4:

Archive: SYSINTERNALS PsTools v2.34 -20060710- PsTools.zip
  Length   Date     Time   Name
  122880   20/03/06 16:19  psshutdown.exe
   94208   02/08/05 11:14  pskill.exe
   65536   30/03/06 10:05  psloglist.exe
   49152   27/03/06 13:07  psloggedon.exe
  106496   21/07/05 10:22  psgetsid.exe
  146704   26/07/00 12:00  pdh.dll
   57344   06/04/06 14:52  psservice.exe
   53248   30/12/05 03:15  psfile.exe
  135168   11/07/06 09:00  psexec.exe
   63786   08/07/06 11:10  Pstools.chm
  135168   13/12/05 09:51  Psinfo.exe
  106496   07/11/03 14:42  pssuspend.exe
   86016   01/12/04 17:27  pslist.exe
   57344   16/05/04 08:36  pspasswd.exe
    1969   11/02/06 09:22  Eula.txt
      39   10/07/06 13:58  version.txt
 ---
 1281554                   16 files

Archive: SYSINTERNALS PsTools v2.4 -20061101- PsTools.zip
  Length   Date     Time   Name
  412472   01/11/06 13:07  psexec.exe
  166712   01/11/06 13:06  psfile.exe
  322360   01/11/06 13:07  psgetsid.exe
  428856   01/11/06 13:07  Psinfo.exe
  318264   01/11/06 13:07  pskill.exe
  191288   01/11/06 13:06  pslist.exe
  162616   01/11/06 13:06  psloggedon.exe
  187192   01/11/06 13:06  psloglist.exe
  170808   01/11/06 13:06  pspasswd.exe
  179000   01/11/06 13:06  psservice.exe
  404280   01/11/06 13:07  psshutdown.exe
  375608   01/11/06 13:07  pssuspend.exe
   63786   08/07/06 11:10  Pstools.chm
      38   15/10/06 16:32  psversion.txt
  153672   01/11/06 13:05  pdh.dll
    7005   28/07/06 08:32  Eula.txt
 ---
 3543957                   16 files

Just wondering out loud what is the reason for the size change. Different compiler, maybe? Thanks a lot for your time in reading thus far. Javier Jarava
RE: [ActiveDir] Is it 2000 or 2003?
I noticed the same thing yesterday with gpresult in 2 different forests and I can assure you they are both at 2003 FFL; I wrote it off to a bug in gpresult. Also noticed the same thing with netdiag- duh- how can 2K server have a build number from 2K3?

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINNT>netdiag
Computer Name:
DNS Host Name:
System info : Windows 2000 Server (Build 3790)

Anyway, I'd bet dollars to doughnuts that your levels are OK... or should that be euros to eclairs? :-) You can just check msDS-Behavior-Version with adfind if you really want to put your mind at rest.

adfind -s base -b dc=noahs,dc=domain msDS-Behavior-Version

Domain functional level setting
The attribute is msDS-Behavior-Version on the NC head root of each domain (DC=Mydomain, DC=ForestRootDom, DC=tld object).
* Value of 0 or not set = mixed level domain
* Value of 1 = Windows Server 2003 domain level
* Value of 2 = Windows Server 2003 domain level

Forest level setting
The attribute is msDS-Behavior-Version on the CN=Partitions, CN=Configuration, DC=ForestRootDom, DC=tld object.
* Value of 0 or not set = mixed level forest
* Value of 1 = Windows Server 2003 interim forest level
* Value of 2 = Windows Server 2003 forest level

Mixed/Native mode setting
The attribute is ntMixedDomain on the NC head root of each domain (DC=Mydomain, DC=ForestRootDom, DC=tld object).
* Value of 0 = Native level domain
* Value of 1 = Mixed level domain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, November 10, 2006 9:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it 2000 or 2003?

Hi - Several months ago, I upgraded a small, multi-site domain from W2k to W2k3. Or so I thought. The various markings in the schema indicate that the upgrade was successful. But when I run, for example, gpresult, it reports a Windows 2000 domain. Is this just some flag or string that did not get set properly or is there really a problem with the upgrade? Thanks. -- nme

P.S. I also just noticed that when I run netdiag on a new W2k3EN DC, it says System info: Windows 2000 Server (Build 3790).
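The checks described across this thread (joe's rootDSE decoding of domainFunctionality, forestFunctionality and supportedCapabilities; Paul's and neil's reading of msDS-Behavior-Version on the domain NC head and on CN=Partitions; nTMixedDomain for mixed vs native), collected into one added PowerShell example that is not code from the thread and not AdFind. It reads the attributes with ADSI rather than trusting the string gpresult prints, so it gives the same answer the posters got from adfind. The ADAM capability OID is the one Paul quotes; the value-to-name mapping for 0, 1 and 2 is as in the thread, with later levels added for completeness. It assumes a domain-joined machine that can reach a DC (or a DC name passed in -Server).

```powershell
# Added example, not part of the original thread.
# Assumption: runs on a domain-joined host, or pass -Server <dc>.

function Get-FunctionalLevelName {
    param([int]$Value)
    # msDS-Behavior-Version / domainFunctionality / forestFunctionality values.
    switch ($Value) {
        0 { 'Windows 2000' }
        1 { 'Windows Server 2003 interim' }
        2 { 'Windows Server 2003' }
        3 { 'Windows Server 2008' }
        4 { 'Windows Server 2008 R2' }
        5 { 'Windows Server 2012' }
        6 { 'Windows Server 2012 R2' }
        7 { 'Windows Server 2016' }
        default { "unknown ($Value)" }
    }
}

function Get-IntAttribute {
    param($Entry, [string]$Name)
    # Absent attribute (e.g. msDS-Behavior-Version on a pure Windows 2000 DC) counts as 0,
    # matching the thread's "0 or not set".
    $v = $Entry.Properties[$Name].Value
    if ($null -ne $v -and "$v" -ne '') { [int]"$v" } else { 0 }
}

function Get-DirectoryLevels {
    param([string]$Server = '')   # empty: let the DC locator choose

    $prefix  = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse = [ADSI]"${prefix}RootDSE"
    $domainNC = [string]$rootDse.Properties['defaultNamingContext'].Value
    $configNC = [string]$rootDse.Properties['configurationNamingContext'].Value

    # What 'AdFind -rootdse' shows: the levels the DC advertises, and whether it is ADAM.
    $caps = @($rootDse.Properties['supportedCapabilities'].Value)
    $isAdam = $caps -contains '1.2.840.113556.1.4.1851'   # LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID

    # The attributes the levels are stored in, on the objects named in the thread.
    $domain     = [ADSI]"${prefix}$domainNC"
    $partitions = [ADSI]"${prefix}CN=Partitions,$configNC"

    $dfl = Get-IntAttribute $domain 'msDS-Behavior-Version'
    $ffl = Get-IntAttribute $partitions 'msDS-Behavior-Version'

    [pscustomobject]@{
        Server              = [string]$rootDse.Properties['dnsHostName'].Value
        DomainNC            = $domainNC
        IsAdam              = $isAdam
        DomainFunctionality = Get-FunctionalLevelName (Get-IntAttribute $rootDse 'domainFunctionality')
        ForestFunctionality = Get-FunctionalLevelName (Get-IntAttribute $rootDse 'forestFunctionality')
        DomainBehaviorVer   = "$dfl ($(Get-FunctionalLevelName $dfl))"
        ForestBehaviorVer   = "$ffl ($(Get-FunctionalLevelName $ffl))"
        Mode                = if ((Get-IntAttribute $domain 'nTMixedDomain') -eq 1) { 'mixed (NT4 BDCs allowed)' } else { 'native' }
    }
}

Get-DirectoryLevels | Format-List
```

If DomainFunctionality from rootDSE and DomainBehaviorVer from the NC head disagree, you have hit the referral case joe describes and are looking at two different DCs; pass -Server to pin the query to one.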
RE: [ActiveDir]event log monitoring.
I've looked at this a LOT over the years. It would be helpful to know more specifically what your needs are and what scale you are talking about, as there are literally dozens of choices now. GFI has a good reputation and had a nice price point for a smaller environment last time I looked.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, November 09, 2006 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]event log monitoring.

Hi, I want to implement a system that will send me an email whenever there is an error in any of the event logs in my servers. I could do this with a script or similar, but I don't have the time to do it that way, and many other reasons. I was wondering if any of you has used GFI EventsManager; my main concern is to know if monitoring the events will put too much work on the servers that I am monitoring. I don't want to crash my server because I am monitoring it. Any suggestion? Thanks Rezuma
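The "script or similar" route Ramon set aside, as an added PowerShell example that is not code from the thread and not GFI's product. It is included because it shows the answer to his load worry: the filter (log, level, start time) is passed to the event log service on each server so only matching records cross the wire, rather than pulling whole logs and filtering locally. Server names, the SMTP relay and the addresses are assumptions; an unreachable server or an access-denied is reported as its own line in the digest instead of being silently dropped. Scheduling the script every $Interval is left to Task Scheduler.

```powershell
# Added example, not part of the original thread.
# Assumptions: the host names, SMTP relay and addresses below are placeholders.

$Servers  = 'dc01', 'dc02', 'file01'        # assumed
$Logs     = 'System', 'Application'
$SmtpHost = 'smtp.example.com'              # assumed relay
$To       = 'ops@example.com'
$From     = 'eventwatch@example.com'
$Interval = [TimeSpan]::FromMinutes(15)     # match the scheduled-task period

function Get-RecentErrors {
    param([string[]]$ComputerName, [string[]]$LogName, [datetime]$Since)
    foreach ($c in $ComputerName) {
        # Level 1 = Critical, 2 = Error. The hashtable becomes a server-side query,
        # so the monitored host only reads and returns the matching records.
        $filter = @{ LogName = $LogName; Level = 1, 2; StartTime = $Since }
        try {
            Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction Stop |
                Select-Object @{n = 'Computer'; e = { $c }}, TimeCreated, LogName, Id, ProviderName,
                              @{n = 'Message';  e = { ($_.Message -split "`r?`n")[0] }}   # first line only
        } catch {
            # "No events were found" is the normal quiet case; anything else is worth a line.
            if ($_.Exception.Message -notmatch 'No events were found') {
                [pscustomobject]@{
                    Computer = $c; TimeCreated = Get-Date; LogName = '(collector)'
                    Id = 0; ProviderName = 'Get-WinEvent'; Message = $_.Exception.Message
                }
            }
        }
    }
}

function Send-ErrorDigest {
    param([object[]]$Events)
    if (-not $Events -or $Events.Count -eq 0) { return }   # nothing to report, no mail
    $body = $Events | Sort-Object Computer, TimeCreated | Format-Table -AutoSize | Out-String -Width 200
    Send-MailMessage -SmtpServer $SmtpHost -From $From -To $To `
        -Subject "$($Events.Count) error/critical events since $((Get-Date) - $Interval)" -Body $body
}

$since  = (Get-Date) - $Interval
$events = @(Get-RecentErrors -ComputerName $Servers -LogName $Logs -Since $since)
Send-ErrorDigest -Events $events
```

Keep the window equal to the schedule period so every error is mailed exactly once; if the collector is itself on a monitored server, a cheap sanity check is that the '(collector)' lines never appear for localhost.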
RE: [ActiveDir] OT: M$
I never use that moniker, but how about a positive spin... people use it because the co-founders are always on the short list of top U.S. philanthropists? :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 09, 2006 10:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: M$

Just out of curiosity, what makes people think it's appropriate to refer to Microsoft as M$ on an MS-focused mailing list whose participants include Microsoft employees, Microsoft contractors, Microsoft MVPs and various other people who may have a relatively positive view of Microsoft? Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, November 09, 2006 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?

This is the link to M$ to start with... very good info http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/scriptinga.asp -- Sincerely, J

On 11/9/06, Stu Packett [EMAIL PROTECTED] wrote: Hello everyone. After reading through a lot of the posts on this mailing list, I realize I could make my job easier if I knew how to script. I have no experience in scripting, but would like to know what books you recommend as a beginner's book on scripting? Also, I don't really know the difference between WSH and VBScript, so if anyone could explain that, I'd appreciate it. After browsing through Amazon, I saw several books on WSH and VBScript, but don't know where I should focus. I'm also open to computer based training (CBT) videos if any exist. Thanks in advance.
RE: [ActiveDir] OT for those in California
us SBSers have been putting 5 servers and the kitchen sink service on one box for years and I've not gotten a dime from PGE

Ummm...I think it read "consolidating servers in the datacenter"...The SBS server in the corner of the lunchroom might not qualify as a datacenter. OTOH, the Fresno Irrigation District may be very interested in how you integrated the kitchen sink service into your server... LOL

There are plenty of programs for the SBS crowd, heck they even used the name you are so fond of in the url- http://www.pge.com/biz/rebates/small_business/ :-)

/Just having a little fun, Definitely NOT speaking for my employer/ yada yada

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, November 07, 2006 7:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT for those in California

http://blogs.technet.com/windowsserver/archive/2006/11/07/LA-Traffic-_2D00_-1_2C00_500-Shirts-in-150-minutes.aspx

The show floor proved to be really busy this morning. One piece of evidence: we distributed 1,500 shirts in 2.5 hours. The orange shirts say "Virtualize World Peace" and the crowd was 2-deep at demos for Virtual Machine Manager (in beta now), SoftGrid and Windows Server virtualization (the hypervisor-based architecture for Longhorn). The sessions have proved to be much better than the keynote. A few sessions on VDI and some interesting insights on how that model can create even more power consumption than before and the scalability challenge of adding all those desktop images to the servers/blades. The power consumption challenge was perhaps the most interesting given the comments from PGE earlier today in the keynote. PGE, which provides power to most of California, is providing business with credits ($700-$1,300) for consolidating servers in the datacenter using server virtualization. More to come later.

Patrick

--
Tax credits... interesting.

and excuse me us SBSers have been putting 5 servers and the kitchen sink service on one box for years and I've not gotten a dime from PGE and I'm a shareholder snort ;-)

http://searchservervirtualization.techtarget.com/originalContent/0,289142,sid94_gci1226458,00.html

High Tech and Healthcare Program:
http://www.pge.com/biz/rebates/hightech/
http://www.pge.com/docs/word_xls/biz/rebates/2006_Incentive_App/2006%20PGE%20app%20forms.xls

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] List Groups I'm In?
I believe the whoami question was answered. I used to get where.exe from the 2000 reskit; it is one of the tools from the reskit that thankfully made it into 2003 Server, I just copy that file to my XP systems. Should be in System32 on any 2K3 server.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of F. Javier Jarava
Sent: Thursday, October 26, 2006 6:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] List Groups I'm In?

Hi!

Just a little question RE: whoami: I have "Windows Server 2003 Service Pack 1 32-bit Support Tools" :) installed on my laptop, and I can't find the whoami utility you are referring to.. Also, I see from your excerpt that you use "where", that seems to behave like "which" but for Windows: I'd really appreciate it if you could refer me to that utility ;)

Thanks a lot in advance.

Javier Jarava

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, 25 October 2006 19:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] List Groups I'm In?

whoami /groups

C:\Admin\Util>where whoami
C:\Program Files\Support Tools\whoami.exe

Not exactly stock but then again I consider Support Tools as an essential part of an installation :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B Allen
Sent: Wednesday, October 25, 2006 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] List Groups I'm In?

What is the easiest way for a user (say on a stock XP client) to list what groups they're in? Specifically I'd like the user to be able to just type a command like 'net user list groups' or some such and get a list of NT Account names for tokenGroups. Or if there is a dialog somewhere that's good too.

Ideas?

Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
RE: [ActiveDir] List Groups I'm In?
whoami /groups

C:\Admin\Util>where whoami
C:\Program Files\Support Tools\whoami.exe

Not exactly stock but then again I consider Support Tools as an essential part of an installation :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B Allen
Sent: Wednesday, October 25, 2006 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] List Groups I'm In?

What is the easiest way for a user (say on a stock XP client) to list what groups they're in? Specifically I'd like the user to be able to just type a command like 'net user list groups' or some such and get a list of NT Account names for tokenGroups. Or if there is a dialog somewhere that's good too.

Ideas?

Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
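Mike asked for a stock way to list the groups in the user's token. The function below is an added example, not from the thread, that does the equivalent of `whoami /groups` from any box that has PowerShell, without the Support Tools or reskit binaries: it reads the current access token through the .NET WindowsIdentity class and translates each group SID to an NT account name.

```powershell
# Added example (not from the thread): list the groups in the current user's
# access token, resolved to NT account names, using only .NET via PowerShell.
function Get-TokenGroupNames {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Orphaned or foreign-domain SIDs can sit in a token with no resolvable name.
            $name = '<unresolved>'
        }
        [pscustomobject]@{ Name = $name; Sid = $sid.Value }
    }
}

"Token groups for $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name):"
Get-TokenGroupNames | Sort-Object Name | Format-Table -AutoSize
```

Two things worth knowing when reading the output: the token is built at logon, so a group the user was added to an hour ago will not appear until they log off and back on (the tokenGroups attribute in AD reflects the directory, the token reflects logon time), and the token also contains local groups and well-known SIDs (Everyone, Authenticated Users, the logon-type SIDs) that are not AD group memberships at all. An unresolved SID usually means a deleted group, which is worth cleaning up rather than ignoring.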
RE: [ActiveDir] recover a file server in Windows 2003
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares

Saving and restoring existing Windows shares:
http://support.microsoft.com/kb/125996

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philobatheer Guirgis
Sent: Wednesday, October 11, 2006 2:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] recover a file server in Windows 2003

Hi Paul,

Unfortunately, this server is not clustered. I built another server similar to it. The production server is connected to the SAN. Suppose I want to disconnect the SAN and reconnect it to the new lab server; I think the shared folders will not be shared anymore on the lab server. Do you know where in the registry the share names are located? I would like to copy the registry key from one server to another. Or I need a script that copies the share names from the old server to the new server without losing any data.

Thanks,
Phil

Paul van Geldrop [EMAIL PROTECTED] wrote:

How exactly do you plan to fail over to this server (at least, that's what I presume you want to do)? First option that springs to mind is setting up a two-node cluster, letting the cluster resources reside on the SAN disks. That way, if one of the servers fails, everything'll smoothly transfer to the other server. Keep in mind, however, that during the transfer connections to open files will hiccup (or even completely falter). The nice part about clustering the lot is that you can just maintain the resource per se, instead of having to configure folders etc. on two separate servers.

Regards,
Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philobatheer Guirgis
Sent: Wednesday, October 11, 2006 2:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] recover a file server in Windows 2003

Hi,

I am working on building a recovery server for a Windows 2003 file server. This file server is connected to the SAN and contains many shared folders. How could I configure the recovery server with the same shared folders if I connected it to the same SAN volumes?

Thanks,
Philo
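Phil's recovery scenario, worked through as an added example (not code from the thread or from KB125996): export the Shares key on the production server, import it on the recovery server once the SAN volumes are attached, verify that every share path actually exists there before the Server service is restarted, and only then restart it. It assumes PowerShell 3 or later, local administrator rights on both servers, and that the volumes come up under the same drive letters; the backup path is a placeholder and `Get-SmbShare` at the end needs Windows Server 2012 or later (use `net share` on older systems).

```powershell
# Added example (not from the thread): carry share definitions from a file server
# to a rebuilt server attached to the same SAN volumes, via the registry key above.
# Assumes PowerShell 3+, local admin on both boxes, identical drive letters.
$SharesKey   = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'
$SharesPSKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'

function Export-ShareDefinitions {
    # Run on the production server. reg.exe exports the Shares key together with
    # its Security subkey, which holds the share-level (not NTFS) permissions.
    param([string] $Path = 'C:\Backup\lanmanserver-shares.reg')   # placeholder path
    & reg.exe export $SharesKey $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    Get-Item $Path
}

function Get-ShareDefinitions {
    # Each value under the Shares key is a REG_MULTI_SZ of "Name=Value" strings
    # (Path=, Remark=, Type=, ...); the value name is the share name.
    $key = Get-Item $SharesPSKey
    foreach ($share in $key.GetValueNames()) {
        $fields = @{}
        foreach ($pair in $key.GetValue($share)) {
            $k, $v = $pair -split '=', 2
            $fields[$k] = $v
        }
        [pscustomobject]@{ ShareName = $share; Path = $fields['Path']; Remark = $fields['Remark'] }
    }
}

function Import-ShareDefinitions {
    # Run on the recovery server after the SAN volumes are attached. The Server
    # service silently drops any share whose path does not exist, so verify the
    # paths between the import and the restart.
    param([Parameter(Mandatory)] [string] $Path)
    & reg.exe import $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed with exit code $LASTEXITCODE" }

    $missing = Get-ShareDefinitions | Where-Object { -not (Test-Path -LiteralPath $_.Path) }
    if ($missing) {
        $missing | Format-Table ShareName, Path -AutoSize | Out-String | Write-Warning
        throw 'Some share paths are not present on this server; fix the volume mapping before restarting the Server service.'
    }

    Restart-Service -Name LanmanServer -Force     # the service re-reads the Shares key on start
    Get-SmbShare | Where-Object { -not $_.Special } | Select-Object Name, Path
}

# On the production server:   Export-ShareDefinitions -Path 'C:\Backup\lanmanserver-shares.reg'
# On the recovery server:     Import-ShareDefinitions -Path 'C:\Backup\lanmanserver-shares.reg'
```

The NTFS permissions travel with the volume, so they need no action. The share-level ACLs in the Security subkey are stored as SIDs: domain principals resolve on the recovery server as long as it is in the same domain, but any entries that referred to the old server's local groups will show up as unresolved SIDs and have to be recreated. Administrative shares (C$, ADMIN$) are not in this key and are created by the service itself.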
RE: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC
I can't for the life of me recall the name at the moment.

NSPItool.exe ?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 10, 2006 3:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC

The only other way I know to test if NSPI is working is to actually send NSPI calls to the GC. There is a little unsupported command line tool out there that can do that but I can't for the life of me recall the name at the moment.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, September 27, 2006 7:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC

I was misinformed, the rev of the DC is W2K, not W2K3 SP1. So that clears up why Exchange is complaining about the GC needing a reboot since it wasn't rebooted after it had been made a GC.

Interesting tool, RPC Dump; unfortunately I didn't get it to work just yet. It gave me an error: "The NTVDM CPU has encountered an illegal instruction"; when I choose Ignore, Command.com or Cmd.exe starts using 100% CPU.

Out of curiosity; is there another way to check if the "MS NT Directory NSP Interface" is listed?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, 23 September 2006 2:52
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC

What is the rev of the DC? Using RPC Dump do you see "MS NT Directory NSP Interface" interfaces listed?

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of victor- [EMAIL PROTECTED]
Sent: Friday, September 22, 2006 11:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: RE: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC

Yeah, I thought so, thanks for the info. The damn thing is that Exchange still throws event 9176:

Event ID 9176 from MSExchangeSA occurred 1 times (NSPI Proxy can contact Global Catalog servername but it does not support the NSPI service. After a Domain Controller is promoted to a Global Catalog, the Global Catalog must be rebooted to support MAPI Clients. Reboot servernamerio as soon as possible.

- Original Message -
From: joe [EMAIL PROTECTED]
Date: Friday, September 22, 2006 4:38 pm
Subject: RE: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC

This is no longer necessary with current revs of AD. It was necessary previously to get the NSPI functionality to fire up. Now it does that automagically.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of victor- [EMAIL PROTECTED]
Sent: Friday, September 22, 2006 10:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC

A question came up whether or not a reboot is really necessary after a DC has been made a GC and Exchange would need to use this GC. I have worked in a pretty large environment (at least to my standards :-)) where DCs did not get rebooted after having been made GCs. The AD admins simply waited until event 1119 appeared. I have read the following article which indicates a reboot is necessary if you have Exchange in the environment.

http://support.microsoft.com/kb/304403/

But is this really still necessary with Exchange 2003 SP2 and Windows 2003 SP1?

Cheers,
Victor
RE: [ActiveDir] OT: uptime.exe in a 2003/sp1 world - problem
I've had some problems with the NT 4 RK version (1.x); are you using the 2000 RK version (2.0)? It was a fairly significant update IIRC.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, September 07, 2006 8:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: uptime.exe in a 2003/sp1 world - problem

Hi,

I have moved a job that employs uptime.exe (in a loop using the FOR command) from a Windows 2000/SP4 server to a Windows 2003/SP1 server. Now part way through the job, I get:

Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 9/7/2006
Time: 9:29:36 AM
User: N/A
Computer: ODDJOB221
Description:
Application popup: UPTIME.EXE - Application Error : The instruction at 0x7c837cf5 referenced memory at 0xfffd. The memory could not be read.

Click on OK to terminate the program
Click on CANCEL to debug the program

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Any thoughts? TIA!

Mike Thommes
RE: [ActiveDir] Logging successful logons in AD security log
I can say that I have seen logs way bigger than the specified max size.

That's probably due to the little bug in the Policy setting vs actual size. I don't have the reference with me but it's back at the office; I had to figure it out because my DC logs' actual sizes weren't matching what was in the Domain Controller GPO.

Anyway, the point I mentioned the other day and that Mark later reiterated was the practical limit of ~300MB, or risk of introducing problems with services.exe, lsass, the audit subsystem etc. on a DC. Are you saying you have seen the aggregate size of the event logs go over that? I found out about the instability the hard way and then once I knew what to look for the references became apparent.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, August 31, 2006 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

I can say that I have seen logs way bigger than the specified max size. I can't say it's hurt the servers in any way.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Glenn Corbett
Sent: Thu 8/31/2006 2:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

Interesting. From the article:

"Microsoft plans to resolve these problems in the next version of Windows by rewriting the event logging system from the ground up."

Since the last update was Mar 28 2003, I wonder how this applies to Windows 2003 R2 and the 64 Bit versions of Windows, or if this will only be fixed in Longhorn.

Glenn

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, 31 August 2006 7:20 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log

Does everyone know this recommendation from Microsoft?

"On Windows XP, member servers, and stand-alone servers, the combined size of the application, security, and system event logs should not exceed 300 MB. On domain controllers, the combined size of these three logs - plus the Directory Service, File Replication Service, and DNS Server logs - should not exceed 300 MB."

http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0f-c7eb-45ed-9e5e-514173bf15e31033.mspx?mfr=true

Mark

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
Date: Wed, 30 Aug 2006 20:07:29 -0700
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log
RE: [ActiveDir] Logging successful logons in AD security log
Exactly. As described in KB824245. Thanks David. That is exactly what happened to me; I was controlling the size with the GPO (or so I thought) and when I was done testing and wanted to reduce the size, the actual logs never reflected the GPO setting.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, September 01, 2006 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

The bug you're probably referring to is that in 2003 RTM you cannot reduce the size of an Event Log via GPO. You can increase the size but not decrease it. This can cause you to have larger logs than what you think if all you do is review what the GPOs say.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Friday, September 01, 2006 1:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

I can say that I have seen logs way bigger than the specified max size.

That's probably due to the little bug in the Policy setting vs actual size. I don't have the reference with me but it's back at the office; I had to figure it out because my DC logs' actual sizes weren't matching what was in the Domain Controller GPO.

Anyway, the point I mentioned the other day and that Mark later reiterated was the practical limit of ~300MB, or risk of introducing problems with services.exe, lsass, the audit subsystem etc. on a DC. Are you saying you have seen the aggregate size of the event logs go over that? I found out about the instability the hard way and then once I knew what to look for the references became apparent.
RE: [ActiveDir] Logging successful logons in AD security log
Depends on how much info you need, but doing it through the native event log in an environment of that size is nearly futile unless you have SAN space and CPU cycles to burn. Ours is 1/4 that size and I tried it and did the calcs, and its storage reqs were unbelievable. IIRC I was also seeing more than 100/sec in aggregate but I would need my notes and abacus to confirm that. For the short time I actually had it on, the logs were updating so fast it rendered Event Viewer useless; it couldn't even refresh on the PDCe. (They were set to 125MB and unmanageable at that size when I tried it.)

b) won't work because the total of ALL your event logs together is limited to a practical maximum somewhere around 300MB, since they have to be memory mapped and are sharing the 1 GB memory space of services.exe. Eric Fitzgerald had a great blog entry about it a while back.

c) possible but still takes a lot of resources. I have been playing with 3rd party tools and DAD/MACS/ACS for a while; none are a panacea IMO. I'm beginning to like the approach at least one of the 3rd party vendors uses of just grabbing the changes to the AD attribute instead of using the native audit subsystem.

I'm leaning toward A and either checking the AD attribute or using something in a logon script to update a database with the who/what/when/where stuff. Depends on your needs I guess.

Sorry this is a little choppy but I'm pressed for time.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, August 30, 2006 2:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logging successful logons in AD security log

What is the general consensus on logging successful logon events? For example, if you have a domain with 100K users or so and you use AD as your primary authentication service for application, file, email, and web access, then it is plausible that you will end up with up to 100 log entries per second. That kind of volume will no doubt cause the logs to roll over frequently, thus making them somewhat useless.

The only alternatives I see are:

a) Don't log success logon.
b) Set your event log size to a very large (and possibly unmanageable) size.
c) Invest in a fancy log management system that will collect, index, and retain all of your logs.
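Two numbers drive this thread: the ~300 MB combined-size ceiling that Bob and Mark describe, and Joseph's 100 events per second. The script below is an added example, not code from either thread, that puts both on one box: it reads the configured maximum of each log the Microsoft guidance names and flags whether their sum exceeds 300 MB, and it estimates how long a Security log of a given size lasts at a given event rate before it wraps. It assumes PowerShell 3 or later; the 1 KB average record size in the estimate is an assumption to be replaced by a measured value.

```powershell
# Added example (not from the thread): compare configured event log maximums with
# the 300 MB combined figure quoted in the thread, and estimate how fast a
# Security log wraps at a given event rate. Assumes PowerShell 3+.
$CombinedLimitBytes = 300MB

function Get-EventLogSizeReport {
    param([string] $ComputerName = $env:COMPUTERNAME)
    # The logs named in the guidance: the three classic logs plus the DC-only ones.
    # Logs that do not exist on a member server are skipped silently.
    $names = 'Application', 'Security', 'System',
             'Directory Service', 'File Replication Service', 'DNS Server'
    $cfg = Get-WinEvent -ListLog $names -ComputerName $ComputerName -ErrorAction SilentlyContinue
    $total = ($cfg | Measure-Object -Property MaximumSizeInBytes -Sum).Sum
    [pscustomobject]@{
        ComputerName  = $ComputerName
        Logs          = $cfg | Select-Object LogName,
                            @{ n = 'MaxMB';  e = { [math]::Round($_.MaximumSizeInBytes / 1MB) } },
                            @{ n = 'UsedMB'; e = { [math]::Round($_.FileSize / 1MB) } },
                            RecordCount
        CombinedMaxMB = [math]::Round($total / 1MB)
        OverGuidance  = $total -gt $CombinedLimitBytes
    }
}

function Get-LogRetentionEstimate {
    # Time until a log of MaxBytes wraps when records arrive at EventsPerSecond.
    # 1 KB per record is an ASSUMED average; use FileSize / RecordCount from
    # Get-WinEvent -ListLog Security on your own DC for a real figure.
    param([long] $MaxBytes, [double] $EventsPerSecond, [int] $AvgRecordBytes = 1024)
    $seconds = $MaxBytes / ($EventsPerSecond * $AvgRecordBytes)
    [pscustomobject]@{
        MaxMB            = $MaxBytes / 1MB
        EventsPerSecond  = $EventsPerSecond
        AvgRecordBytes   = $AvgRecordBytes
        RetentionMinutes = [math]::Round($seconds / 60, 1)
    }
}

Get-EventLogSizeReport | Format-List
# Joseph's 100 events/sec against the 125 MB Security log size Bob mentions:
Get-LogRetentionEstimate -MaxBytes 125MB -EventsPerSecond 100
```

At those inputs the estimate comes out at roughly 21 minutes of history, which is why Bob found the 125 MB log unmanageable and why option b) cannot rescue it: raising the size towards the 300 MB ceiling buys less than an hour. The numbers make the case for option c), or for Bob's alternative of recording the who/what/when/where elsewhere, rather than for a bigger native log.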
RE: [ActiveDir] cn=meetings
MS NetMeeting uses the Meetings container to publish network meeting objects.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Thursday, July 27, 2006 12:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] cn=meetings

All

Just a quick query. Does anyone know what cn=meetings,cn=system,dc=domainfqdn is for?

Cheers
M@
RE: [ActiveDir] Where's that account being used?
It's been a while but I used to use Small Wonder's Service Explorer (it's since been taken over by ScriptLogic) and it was excellent for this; it also gets scheduled tasks and it is definitely worth a peek. You can change the password on all those services (and tasks) at once with it, delete services, set parameters etc.

http://www.scriptlogic.com/products/serviceexplorer/

HTH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Tuesday, June 27, 2006 9:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Where's that account being used?

Dear fountain of knowledge,

We've inherited a particularly messy AD structure, and we're now trying to find out where a particular account is in use. There are around 80 servers in the domain and 3000 workstations, and this account appears to be used for pretty much anything that wants to log on as a service, or anyone who wants domain admin privs.

Is there any kind of audit utility to scan servers and see which services are using the account, and ideally - any kind of monitoring package to flag up an alert each time the account is used to, say, map a drive or connect to a SQL db?

--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not prove anything." - Nietzsche
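AdamT's first question, which services and scheduled tasks run under the shared account, can be answered without a product. The function below is an added example, not from the thread or from Service Explorer: it queries Win32_Service on each server for the logon account and parses the verbose CSV output of schtasks.exe for the "Run As User" column. It assumes PowerShell 3 or later on the admin workstation, CIM (WinRM) access for the service query and RPC access for schtasks; the account and host names in the usage line are placeholders.

```powershell
# Added example (not from the thread): inventory the services and scheduled tasks
# on a set of servers that run under one account. Assumes PowerShell 3+, WinRM/CIM
# access for Win32_Service and RPC access for schtasks.exe; names are placeholders.
function Find-AccountUsage {
    param(
        [Parameter(Mandatory)] [string]   $Account,        # DOMAIN\user
        [Parameter(Mandatory)] [string[]] $ComputerName
    )
    # Services may store the account as DOMAIN\user or user@domain; match both.
    $patterns = @($Account)
    if ($Account -match '^([^\\]+)\\(.+)$') { $patterns += "$($Matches[2])@$($Matches[1])" }

    foreach ($computer in $ComputerName) {
        try {
            $services = Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction Stop
        } catch {
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }
        foreach ($svc in $services) {
            if ($patterns -contains $svc.StartName) {     # -contains is case-insensitive
                [pscustomobject]@{ Computer = $computer; Kind = 'Service'; Name = $svc.Name
                                   RunsAs = $svc.StartName; State = $svc.State }
            }
        }

        # schtasks.exe goes back to 2003; its verbose CSV output has a "Run As User" column.
        $lines = @(& schtasks.exe /query /s $computer /v /fo csv 2>$null)
        if ($lines.Count -eq 0) { continue }
        $header = $lines[0]
        # schtasks repeats the header row between task folders; keep only the first one.
        $rows = @($header) + @($lines | Select-Object -Skip 1 | Where-Object { $_ -ne $header })
        foreach ($task in ($rows | ConvertFrom-Csv)) {
            if ($patterns -contains $task.'Run As User') {
                [pscustomobject]@{ Computer = $computer; Kind = 'Task'; Name = $task.TaskName
                                   RunsAs = $task.'Run As User'; State = $task.Status }
            }
        }
    }
}

# Usage (placeholder names):
Find-AccountUsage -Account 'CONTOSO\svc_shared' -ComputerName 'FS01', 'SQL01' |
    Sort-Object Computer, Kind | Format-Table -AutoSize
```

This finds where the account is configured, which is the list you need before changing its password. AdamT's second question, seeing the account being used live to map a drive or open a SQL connection, is a different data source: it comes from the logon audit events on the servers and domain controllers filtered on that account name, which is exactly the kind of collection the "Logging successful logons" thread above discusses.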
RE: [ActiveDir] DC Configuration
Al -

Look in the archives from 11/05 for the "Raid suggestions for DC" thread. It was discussed most thoroughly by some of our luminaries :-)

HTH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Thursday, June 22, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Configuration

We have some budget money to replace domain controllers this year. Not all of them but probably half of them. We've pretty much decided on 64 bit Dell PowerEdge servers. Most of the discussion is about disk configuration. Two schools of thought exist here.

1) 2x73GB 15K drives in RAID1. Carve up the volume at the OS level with 20GB or so for the OS and the remainder for NTDS, Sysvol, and system state backups

2) Two sets of 2x73 10K drives in RAID1. The first set is for the OS, the second is for NTDS, Sysvol, and system state backups.

I've always liked physically separating the OS from the application data. Others here like carving up the volume at the OS. Any thoughts, opinions, suggestions?

tia,
al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?
Look for the "Net localgroup limitation?" thread in January of this year, particularly joe's message of 1/23/2006 8:35 PM. Also his message of 2/20/2005 8:37 AM in the thread "samAccountName attribute length". Finally his listing from the lmcons.h header file in "character limit for sAMAccountNames" from 3/8/2004 7:09 PM. Sorry I don't have the links handy, those are from a search of my personal archives. HTH

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, June 06, 2006 6:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Jorge, if you happen to find that in the archives, please post the link. A quick search of the net brings back some items that seem to indicate that greater than 20 could result in a problem with some directory sync tools. samaccountname is listed as being expected to be 20 chars. It doesn't differentiate between groups and users that use the samaccountname. That just "seems" like a recipe for issues, but if you say it can be 256 without issue, then (I know Joe, you're using 64 and so did Jorge, but it looks like it was done for convenience vs. going with more chars.) Interesting.

On 6/6/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

About a year and a half ago I tested this as I was doing a migration from NDS to AD. Worked like a charm! (I even did tests for legacy clients like W9x as those were my biggest concern, did not find anything.) The NDS groups were > 64 chars and accepted all kinds of funny chars. I had to cut them down to 64 chars. Although the samaccountname accepts 256 chars, the full name (common name) accepts only 64 chars. And in cases like this I like to use the weakest link (smallest value), which is the length of the full name. (That is why I cut them down to 64 chars in the NDS so I did not experience any crap during the migration.)

Even in NT4 you could create groups > 20 chars. User Manager for Domains allowed 20 chars and some others did the same. However, several third party tools like Hyena and others go beyond that limit. Even if you use scripts you can create groups > 20 chars. However you will not be able to manage them with User Manager for Domains. To my knowledge, AD has no problem with groups > 20 chars.

By the way, I remember another thread about this a while ago. Search the archives for it as I think you'll find more info on this.

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Joe Kaplan
Sent: Tue 2006-06-06 02:03
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Sure enough, rangeUpper is 256. I'm not sure where I got that 64 thing, but I'm guessing it was from memory and that was not up to the task again. Anyone else? Is it safe or not for groups to have a sAMAccountName > 20 characters but <= 64? I'm going to assume that users definitely need to be <= 20.

Joe K.

- Original Message -
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Monday, June 05, 2006 5:46 PM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Interesting. The online version I see says rangeUpper is 256. Not sure how important that is, but... http://msdn.microsoft.com/library/default.asp?url=

Given the purpose of samaccountname I have a hard time believing something doesn't rely on that being 20 chars. Not to say that they haven't been since fixed, but that's too tempting for most folks not to just say, "well, to be usable it's limited to 20 chars and since Microsoft has that number published everywhere, we'll just assume it's 20 chars all the time..." or something like that.

Al
RE: [ActiveDir] Logged in user
psloggedon \\Computername
http://www.sysinternals.com/Utilities/PsLoggedOn.html

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, June 06, 2006 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logged in user

Is there a command-line utility to remotely tell what user is logged into a PC?

-Devon
RE: [ActiveDir] OT: srvinfo output incomplete
It's been a while but last time I checked srvinfo was predominantly registry calls, so I'd look at the Remote Registry service, policy settings like "Network access: Remotely accessible registry paths", stuff like that. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg might be enlightening... Regmon on the remote machine should be helpful...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, June 01, 2006 8:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: srvinfo output incomplete

Situation: running srvinfo \\computer_name with domain admin credentials from a remote computer. One w2k3/sp1 server target returns the full complement of information, including CPU, BIOS info, hotfixes, network card info, uptime. Another w2k3/sp1 server target returns only partial information, missing CPU, BIOS info, hotfixes, network card info, and uptime. Also, this second computer returns "Domain: Error 5" and "PDC: Error 5". This same domain admin can log into the second computer target directly and run srvinfo and get a full complement of information! Both target computers are in AD and have the same policies applied to them. Security options appear to be the same. Does anyone have any thoughts as to what might be preventing a complete information disclosure when running srvinfo from across the network? TIA!

Mike Thommes
RE: [ActiveDir] NET TIME command
Net Time is using the gag Browser Service to determine the time source in the scenarios you outline, so all the foibles of the Browser mechanisms come into play. You would be much better served to use w32tm to troubleshoot time issues in an AD environment. IIRC, what you are seeing in the first example is the first system to answer that is advertising the TS flag, and the second is your DMB (Domain Master Browser). That's based on old recollection since I stopped trying to deal with browser issues a long time ago :-) If you checked them with browstat, I bet the browser flags for them look like this:

\\SpokeDC NT 05.02 (W,S,BDC,TS,NT,BBR,DFS)
\\HubDC NT 05.02 (W,S,PDC,TS,NT,MBR,DFS)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Wednesday, May 24, 2006 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NET TIME command

Seem to have an odd issue when using the net time command...

Scenario: Windows 2003 FFL, single domain, single forest. Hub/spoke site topology, London hub, other offices spokes.

I have logged onto a Windows 2000 Pro desktop (that is joined to the domain) in the hub site. Open a command prompt and type net time. After a pause I get the following:

Current time at \\SPOKE DC is 5/24/2006 5:11 PM
The command completed successfully.

If I run the command net time /domain:DOMAINNAME I get:

Current time at \\HUB DC is 5/24/2006 5:12 PM
The command completed successfully.

Why is the first command getting a reply from a spoke DC and not the hub DC? Is this expected?

Regards
-David
RE: [ActiveDir] NET TIME command
Actually, looking at my message in hindsight, I think the /Domain arg is returning the PDC flag... am I talking to myself again? :-]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, May 24, 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NET TIME command
RE: [ActiveDir] Machine Psswd Age
The default was 7 days for NT, increased to 30 in W2K and above. See http://support.microsoft.com/kb/154501/ or q175468 or any of the old domain sizing docs.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Wednesday, May 24, 2006 11:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

AFAIK the password change interval is set to 30 in XP (15 in NT, W2k), but the computer account starts to request renewal after 50% of the time is over. After 30 days it'll change it if being logged onto the domain for sure (unless otherwise configured or connected).

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, May 24, 2006 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Machine Psswd Age

Anyone know how often machine passwords are renewed/reset in the domain?

-Z.V.
RE: [ActiveDir] Migrating Term service cals
You don't migrate, you reactivate the new LS... BTDT

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, May 03, 2006 9:19 AM
To: activedirectory
Subject: [ActiveDir] Migrating Term service cals

We are installing a new Citrix farm in a new Forest and decommissioning the old Citrix server in our old Forest. Are there any special procedures to migrate the CALs over to the Licensing Server in the new Forest?

Thanks
RE: [ActiveDir] Quiet? DEC? Related?
How was the Dean 'n Joe show?

The Dean and Joe show was so awesome that Gil succumbed to the pressure for more of it and actually gave up his own slot for Dean and Joe - The Sequel... The session had amazing content and first-rate comedy, easily the highlight of this or any conference I can remember. They said the original slide deck was around 160, the content was simply amazing and could have easily gone on for 8 hours.

was it a peaceable affair?

It was fairly peaceable till they started on Guido's house, Jorge's name and the Gilbacca account :-]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, March 30, 2006 12:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Sounds great. Sorry I missed it. How was the Dean 'n Joe show? Did the handbags come out or was it a peaceable affair?

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, 30 March 2006 11:07 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Just wrapped up Day 3. 530 people. General consensus is that it was the best DEC ever. More to follow when I can type on something bigger than a credit card.

-gil

-Original Message-
From: Ayers, Diane [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 3/29/06 1:23 PM
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Maybe we should ask a question on the merits of doubling down on an 11 when the dealer has a face card showing... :-)

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, March 29, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Don't worry, we're still here.. ;-)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Moon, Brendan
Sent: Wed 2006-03-29 19:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Quiet? DEC? Related?

Hmm.. everyone must be having fun at DEC... this list has been very quiet this week!

- Brendan Moon
RE: [ActiveDir] SPN issue
Your syntax looks backward... you have the hostname in front of the SPN.

-A = add arbitrary SPN
Usage: setspn -A SPN computername

setspn -A http/daserver daserver1

It will register SPN http/daserver for computer daserver1.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, February 21, 2006 1:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SPN issue

Thank you for the advice. I will in the future. This is the output from setspn /A:

C:\Program Files\Resource Kit>setspn -A OP5080570765 host/OP5080570765
Unable to locate account host/OP5080570765

C:\Program Files\Resource Kit>setspn -A OP5080570765 host/OP5080570765.corp.oproot.opco.com
Unable to locate account host/OP5080570765.corp.oproot.opco.com

The weird thing is, these accounts were migrated months ago and had no issue till today. There was no change made to AD by hand or by app.

Thanks

On 2/21/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Try the /A option. btw, try munging your resource/domain names when you post to a forum such as this.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 2/21/2006 1:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SPN issue

I get this when I use the NetBIOS name:

C:\Program Files\Resource Kit>setspn -R OP5080570765
Failed to crack name CORP\OP5080570765 into the FQDN, (0) 1 0x2

I get this when I use the FQDN:

C:\Program Files\Resource Kit>setspn -R OP5080570765.corp.oproot.opco.com
Could not find account OP5080570765.corp.oproot.opco.com

The name is in DNS and AD. As I said, DNS is functioning properly.

Thanks

On 2/21/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Try manually resetting or adding the SPN for one of the computers and see if that takes care of your problem. If it does, then I'd do the same for the rest or just disjoin and rejoin them to the domain if there are not too many of them. You can use setspn to do this. Like so:

setspn /R the_computer_NetBIOS_Name
OR
setspn /A host/NetBIOS_Name the_computer_NetBIOS_Name
setspn /A host/FQDN_Name the_computer_FQDN

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 2/21/2006 11:52 AM
To: activedirectory
Subject: Re: [ActiveDir] SPN issue

Ok, I came up with some more stuff. If I use the FQDN, I can map a drive without the login error. I ran Ethereal while mapping a drive, both ways, with the flat name and the FQDN. When mapping with the flat name, I see a KRB5KDC_ERR_PREAUTH_FAILED (24). Then later, I see KRB5KRB_AP_ERR_MODIFIED, Error: STATUS_MORE_PROCESSING_REQUIRED (0x016). When I use the FQDN, I see KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7) and then it defaults to NTLM and lets me in. With a flat name, it never gets to NTLM. I've checked the Troubleshooting Kerberos Errors MS whitepaper but I can't find anything to help me there. The SPN in AD of my box and the server I'm connecting to seems fine. Both client and server are in the same Domain. DNS is functioning. Time is in sync. Anyplace else I should be looking? Thanks a lot.

On 2/21/06, Tom Kern [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: I'm at
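The two failure modes in this thread, an SPN that no account holds (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, then NTLM fallback) and an SPN held by the wrong account (a service ticket encrypted with the wrong key, hence KRB_AP_ERR_MODIFIED), can be checked offline against a dump of servicePrincipalName values before anyone touches setspn. The Python below is an added example, not part of the original post or of any Microsoft tool; the account names, the domain corp.example.com and the SPN snapshot are constructed for illustration, and the emitted setspn commands use the argument order from the reply above (SPN first, then the account).

```python
"""Audit a computer's HOST SPNs against a snapshot of servicePrincipalName
values and emit the setspn commands that repair what is missing."""
from __future__ import annotations
from collections import defaultdict

# Constructed snapshot: sAMAccountName -> servicePrincipalName values, as you
# would get from an LDAP query for (servicePrincipalName=*). Not a real domain.
SAMPLE_DIRECTORY = {
    "FILESRV01$": ["HOST/FILESRV01"],
    "DBSRV02$": ["HOST/DBSRV02"],
    # A service account that was (wrongly) given the file server's FQDN HOST SPN.
    "svc_web": ["HTTP/intranet.corp.example.com", "HOST/FILESRV01.corp.example.com"],
}


def expected_host_spns(netbios_name: str, dns_domain: str) -> list[str]:
    """The two HOST SPNs a domain member registers for itself: flat name and FQDN."""
    return [
        f"HOST/{netbios_name.upper()}",
        f"HOST/{netbios_name.upper()}.{dns_domain.lower()}",
    ]


def audit_spns(netbios_name: str, dns_domain: str, directory: dict[str, list[str]]) -> dict:
    """Classify each expected SPN for the computer:
    - missing:   no account holds it -> KDC answers KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
                 and the client falls back to NTLM (if NTLM is still allowed);
    - conflicts: held by another account, or by more than one account -> the
                 service ticket is encrypted with the wrong key -> KRB_AP_ERR_MODIFIED.
    SPN comparison is case-insensitive, as it is in the directory."""
    owners: dict[str, set[str]] = defaultdict(set)
    for account, spns in directory.items():
        for spn in spns:
            owners[spn.lower()].add(account)

    computer_account = netbios_name.upper() + "$"
    report = {"missing": [], "conflicts": {}, "fix": []}
    for spn in expected_host_spns(netbios_name, dns_domain):
        holders = owners.get(spn.lower(), set())
        if not holders:
            report["missing"].append(spn)
            # setspn -A <SPN> <computer>: SPN first, account second.
            report["fix"].append(f"setspn -A {spn} {netbios_name.upper()}")
        elif holders != {computer_account}:
            report["conflicts"][spn] = sorted(holders)
    return report


if __name__ == "__main__":
    for host in ("FILESRV01", "DBSRV02"):
        print(host, audit_spns(host, "corp.example.com", SAMPLE_DIRECTORY))
```

Run it against a real snapshot by replacing SAMPLE_DIRECTORY with the output of an LDAP query for servicePrincipalName over the whole forest, since a conflicting SPN can sit on an account in another domain. On Windows Server 2008 and later, setspn -X performs the duplicate search directly; the missing-SPN check above is still worth doing alongside it.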
RE: [ActiveDir] Strange deleted object issue
I wouldn't be straying near any open garage doors if I were you :-]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Thursday, January 12, 2006 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange deleted object issue

Ah, the infamous changing-the-syntax-of-a-utility issue. Who would do that? :op

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 11, 2006 6:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange deleted object issue

That should work in any version of AD since release, the metadata has been there. However note that that version of the command didn't exist in earlier versions of repadmin, you instead used repadmin /showmeta which has a different ordering of parameters. I don't recall why that was done but I recall that there was some good reason for it even if it was someone thought it was better/more consistent that way.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, January 11, 2006 6:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange deleted object issue

Glad that helps :) When I said in my previous post "...Not sure if that works but i am in w2k3 FFL mode...", it was rather "...Not sure if the switch /showobjmeta works in a w2k forest because it works in w2k3...". So you confirm that it also works in a w2k forest.

Yann

From: [EMAIL PROTECTED] on behalf of Tom Kern
Date: Wed 11/01/2006 17:40
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted object issue

That worked. Thank you very much!!

On 1/11/06, TIROA YANN [EMAIL PROTECTED] wrote:

Not sure if that works but I am in w2k3 FFL mode. *BUT* when I tried with the repadmin /showmeta switch, it shows me the same error as you. So you could try to install the adminpak.msi for w2k3 in your Windows XP box, because repadmin /showobjmeta is only available in the w2k3 adminpak.msi. Then try the process again. Try it and let me know if that works.

Yann

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On behalf of Tom Kern
Sent: Wednesday 11 January 2006 16:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted object issue

Yann, does this command work against a win2k forest? When I run it against any DC in my forest, I get a .

C:\>repadmin /showmeta opnyc10.mydomain.com "CN=YIPJ\0ADEL:f9eeaf3f-07f6-43d2-9a00-22923bef2fcb,CN=Deleted Objects,DC=mydomain,DC=com"
DsBindWithCred to CN=YIPJ\0ADEL:f9eeaf3f-07f6-43d2-9a00-22923bef2fcb,CN=Deleted Objects,DC=mydomain,DC=com failed with status 1722 (0x6ba): The RPC server is unavailable.

Thanks

On 1/11/06, Tom Kern [EMAIL PROTECTED] wrote:

Brian, I apologize for being so grammatically and syntactically cavalier with my posts to this list. If a dangling participle, split infinitive, or misspelled word has offended you, you have my sincerest regret and I promise to work on being a bit more diligent on that matter. If it helps any, by way of explanation, I usually write most of my posts from home while chasing after 2 kids. I can never seem to find the time to post from work or a more quiet place. But I'm sure that's more information than you or the list has needed to know.

By "everyone", I mean I have enabled the "Audit account management" policy and I'm auditing user object creation/deletion for the "Everyone" well-known security principal. Hope that helps.

On 1/11/06, TIROA YANN [EMAIL PROTECTED] wrote:

Hi Tom, I used the following: if the user yann is deleted from AD:

1) adfind -default -showdel -f isdeleted=TRUE -gc > del.txt
to list all deleted users in del.txt (the -gc queries the GCs; I found it much faster to query GCs than DCs).

2) search for your user yann and pick up its DN "CN=yann\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr".

3) type repadmin /showobjmeta MYDC "CN=dac\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr" | find /i "isdeleted" to localize the DC on which the deletion occurred. Ex: here is the result of the command:

17730966 MYSITE\MYDC 17730966 2005-10-27 10:37:11 1 isDeleted

You can see that the deletion occurred at 10:37:11 AM on 2005-10-27 on the DC "MYDC".

4) you can then use psloglist \\MYDC security -i 630 -a 10/27/05 which shows you all deleted accounts that occurred before the 10/27/05, or connect to MYDC to search in the event security log. If you cannot find your user at the time, it may be that another domain admin has disabled the policy account applied by default, so you may see with your peers to confirm this.

hope it helps

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On behalf of Tom Kern
Sent: Wednesday 11 January 2006 01:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted object issue

that wont work. You have to
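Steps 3 and 4 of Yann's procedure can be automated: parse the rows that repadmin /showobjmeta prints, take the originating DC and timestamp from the isDeleted row, and then pull only the deletion events logged on that DC within a few minutes of that time. The Python below is an added example, not part of the thread and not something repadmin or psloglist provides; the metadata text is constructed after the single row quoted above, the Security-log records are constructed rather than exported from a real DC, and the code assumes the repadmin timestamp and the event times are read in the same time zone.

```python
"""Trace who deleted an AD object: parse repadmin /showobjmeta output for the
isDeleted row (originating DC and time), then correlate it with the deletion
events from that DC's Security log."""
import re
from datetime import datetime, timedelta

# One metadata row: Loc.USN, Originating DSA (SITE\DC), Org.USN, Org.Time/Date, Ver, Attribute
META_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s*$"
)

# Constructed sample output, modelled on the single row quoted in the thread
# (not captured from a real DC). Header and separator lines are skipped by the regex.
SAMPLE_META = r"""
Loc.USN   Originating DSA  Org.USN   Org.Time/Date        Ver  Attribute
=======   ===============  =======   =============        ===  =========
17730120  MYSITE\MYDC      17730120  2005-03-01 09:12:05    1  objectClass
17730966  MYSITE\MYDC      17730966  2005-10-27 10:37:11    1  isDeleted
17730966  MYSITE\MYDC      17730966  2005-10-27 10:37:11    2  lastKnownParent
"""

# Constructed Security-log records from two DCs. 630 is "User Account Deleted"
# on Windows 2000/2003 (the ID the thread uses); Vista/2008 and later log 4726.
SAMPLE_EVENTS = [
    {"dc": "MYDC", "event_id": 630, "time": datetime(2005, 10, 27, 10, 37, 10),
     "target": "yann", "caller": "EXAMPLE\\helpdesk01"},
    {"dc": "MYDC", "event_id": 624, "time": datetime(2005, 10, 27, 10, 40, 0),
     "target": "newuser", "caller": "EXAMPLE\\admin2"},
    {"dc": "OTHERDC", "event_id": 630, "time": datetime(2005, 10, 27, 10, 37, 30),
     "target": "bob", "caller": "EXAMPLE\\admin3"},
]

DELETE_EVENT_IDS = {630, 4726}


def parse_showobjmeta(text):
    """Return the metadata rows as dicts; lines that are not rows are ignored."""
    rows = []
    for line in text.splitlines():
        m = META_ROW.match(line)
        if not m:
            continue
        loc_usn, orig_dsa, orig_usn, when, ver, attr = m.groups()
        rows.append({
            "loc_usn": int(loc_usn),
            "originating_dsa": orig_dsa,
            "orig_usn": int(orig_usn),
            "time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "version": int(ver),
            "attribute": attr,
        })
    return rows


def deletion_origin(rows):
    """Site, DC and time at which isDeleted was written, or None if the object
    is not a tombstone."""
    for r in rows:
        if r["attribute"].lower() == "isdeleted":
            site, _, dc = r["originating_dsa"].rpartition("\\")
            return {"site": site, "dc": dc, "time": r["time"]}
    return None


def find_deleter(origin, events, window=timedelta(minutes=5)):
    """Deletion events logged on the originating DC within `window` of the
    metadata timestamp. Only that DC has the audit record: the deletion
    replicates, the Security-log entry does not."""
    return [
        e for e in events
        if e["dc"].upper() == origin["dc"].upper()
        and e["event_id"] in DELETE_EVENT_IDS
        and abs(e["time"] - origin["time"]) <= window
    ]


if __name__ == "__main__":
    origin = deletion_origin(parse_showobjmeta(SAMPLE_META))
    print("deleted on", origin["dc"], "at", origin["time"])
    for e in find_deleter(origin, SAMPLE_EVENTS):
        print("event", e["event_id"], "target", e["target"], "by", e["caller"])
```

Feed parse_showobjmeta the captured stdout of repadmin /showobjmeta and build the event list from psloglist or an exported Security log; keep the window small, since a busy DC logs many 630/4726 events and the metadata timestamp is the only thing tying the tombstone to one of them.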
RE: [ActiveDir] Disabling Distributed Link Tracking Server on domain Controllers
I did it in the Default Domain Controllers policy several years ago while still at 2000 native, when the recommendation first came to light, and it's never proven to be an issue in our environment.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, November 28, 2005 8:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disabling Distributed Link Tracking Server on domain Controllers

Has anyone found any issues in disabling the Distributed Link Tracking Server on Windows 2000 Server domain controllers? I would like to take a two-step approach in disabling this useless service: first on the DCs and then on all workstations. I was just wondering if there would be an impact on the clients seeing that they cannot communicate with the server.

Thanks
Yves
RE: [ActiveDir] Legal Notice Caption Text
http://www.microsoft.com/technet/scriptcenter/resources/qanda/jan05/hey0117.mspx

any help?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, November 18, 2005 12:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Legal Notice Caption Text

In Windows 2000 I was able to create a legal notice caption with carriage returns in it by editing the binary of the registry key and adding a 0D00 value (carriage return hex). This doesn't appear to work for me in Windows 2003 - it just shows a square box instead of doing the carriage return. Has anyone figured out how to put carriage returns in this registry key?
RE: [ActiveDir] ADSI Scripting - How to find Computer's OU.
Disclaimer: I am not a programmer nor do I play one on TV, but this works for me. I am sure someone can pick it apart and tell me how dumb I am but hey, it works for me :-p It will default to local host and domain but prompt for either. Replace xyz with the default domain of choice.

' simple script to display LDAP path / DN   rwf4-12:57 PM 3/11/2004
' Prompts for a computer (default: the local machine) and a domain (default: XYZ),
' then uses IADsNameTranslate to convert DOMAIN\COMPUTER$ into the account's DN.
Set Network = WScript.CreateObject("WScript.Network")
compname = InputBox("Enter NETBIOS name of computer - Default is local machine", "GetComputerLocation In AD", Network.ComputerName)
domname = InputBox("Enter name of domain - Default is xyz", "GetDomainName", "XYZ")
Set oTrans = CreateObject("NameTranslate")
oTrans.Init 1, domname                        ' ADS_NAME_INITTYPE_DOMAIN: bind to that domain
oTrans.Set 3, domname & "\" & compname & "$"  ' ADS_NAME_TYPE_NT4: DOMAIN\COMPUTER$
sAdsPath = oTrans.Get(1)                      ' ADS_NAME_TYPE_1779: the LDAP distinguished name
Set oTrans = Nothing
WScript.Echo "Computer Location in AD: " & sAdsPath

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Wednesday, November 16, 2005 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADSI Scripting - How to find Computer's OU.

This is to check for the local computer. What will be the method to check it against remote computers? I have an InputBox in the program which takes input from the user; using that string value I want to determine the OU of the remote computer. Please let me know if you can shed some light on this.

Thanks again,
Jitendra Kalyankar

On 11/16/05, Jitendra Kalyankar [EMAIL PROTECTED] wrote:

Thanks much, that is helpful.

Jitendra Kalyankar

On 11/16/05, Tomasz Onyszko [EMAIL PROTECTED] wrote:

Jitendra Kalyankar wrote:
I need your guidance to write the script. I need to find out the name of the OU to which the computer account belongs. Let me know how you can find it.

http://groups.google.com/group/microsoft.public.scripting.vbscript/browse_thread/thread/fa91247b1a4d65ba/1058b6ce8cad2cfe?lnk=st&q=determine+computer+OU+vbscript&rnum=1&hl=en#1058b6ce8cad2cfe

--
Tomasz Onyszko
http://www.w2k.pl

--
Thanks,
Jitendra Kalyankar
RE: [ActiveDir] Audit Collection Services
Since ACS is for scaling to millions of events in larger installations, asking for it for 1 server seems a non sequitur... There are dozens of alternatives, either free or low cost, that would provide a lot more features for small installations than ACS ever would. The ISV market is saturated with such products. If you find MOM particularly endearing, there's always the Workgroup edition.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, November 14, 2005 5:23 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Audit Collection Services

And hopefully Microsoft will realize that even small firm markets that they've traditionally never sold MOM to will possibly want audit collection features and thus have a MOM-lite edition.

Sincerely, the annoying SBSer with the toy server networks where we don't buy MOM for our networks where we barely have one server let alone 10.

Tomasz Onyszko wrote:

Free, Bob wrote:
Well the other Eric F from MS has weighed in (! ~eric) Once again the landscape has changed. It is going to be part of MOM... after all.

Yup, you should not expect ACS as a separate product. It will be shipped with MOM in its next version.

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
RE: [ActiveDir] Audit Collection Services
Well the other Eric F from MS has weighed in (! ~eric). Once again the landscape has changed. It is going to be part of MOM... after all.

A snip from his blog entry: http://blogs.msdn.com/ericfitz/archive/2005/11/09/490981.aspx

The project was started in 2001 in the Windows Core Security group here at Microsoft. We finished what we intended to build last year, but during the time it took us to build it there were a number of external changes which affected the project: changes in Windows management and organization, and the rise of web services. It took us a while to sort out what to do with ACS in light of these changes. In the end we decided that it fit better with our Operations Manager product (MOM) than with Windows, where we originally developed it. My team is working with them to include the ACS code in the next version of MOM, and to keep all of our ACS scenarios intact while gaining the advantages that MOM provides such as data warehousing and reporting. We are also making a change to the ACS protocol to allow convergence of our different event collection technologies in the future. The protocol is web-services based but is not textual XML over HTTP. We'll retain the tight, stingy bandwidth use that you've come to expect from ACS, but all of our technologies will interoperate in the future.

So now the FAQ:
Q1: How can I get ACS?
A1: You can't. Please don't ask. The beta program is not accepting new testers at this time although we will continue to work with our existing testers.
Q2: When can I get ACS?
A2: When the next version of MOM ships, but I don't know the date. ACS integration will be for the beta 2 release in the spring.
Q3: How much will it cost?
A3: Licensing terms haven't been set yet.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Friday, May 13, 2005 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Audit Collection Services

Hmm.. At the Technet Briefing Microsoft stated that it was going to be a free add-on.. If it's not going to be free I am sure that people would rather just download an agent for free from SourceForge to write events to a free syslog server.

Thank you so much for taking the time to reply! Hope you have a Happy Friday!

Jose :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
Sent: Friday, May 13, 2005 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Audit Collection Services

Jose-

They closed the beta a long time ago. You also had to be nominated by your TAM to get in it in the first place. The architecture and scalability is pretty awesome but the landscape has changed so many times that I'm not sure what to think. Initially, way back when it was called DAD, indications were it would be a free product; that is obviously not the case now.

bob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Friday, May 13, 2005 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Audit Collection Services

Hi Bob,

Thank you for the update. Would you happen to have the link to sign up to be a beta tester? How do you like it so far?

Regards,
Jose Medeiros

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
Sent: Friday, May 13, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Audit Collection Services

The last communication I heard from the product group late last year was that the forwarder (agent) would be an optional no-cost component in future versions of Windows (R2 rumored) and the collector would be a separate product, not part of Windows or MOM, pricing and delivery mechanism as yet unknown. There was an online chat with the PM on April 6th for beta participants that I was unable to attend due to other obligations; maybe someone else here was able to and can weigh in.

./bob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Francis Ouellet
Sent: Friday, May 13, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Audit Collection Services

Hi Guido,

I didn't explain myself correctly ;) What I meant was that one of the components of ACS is available from the Add/Remove Windows Components with R2. Not built-in.

Francis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: May 13, 2005 12:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Audit Collection Services

ACS is very independent from R2 - it may be released within the same timeframe, but doesn't rely on any technology introduced in R2.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Francis Ouellet
Sent: Friday, 13 May 2005 17:39
To: ActiveDir@mail.activedir.org
Subject
RE: [ActiveDir] Methods to verify GC promotion
Look for an Event log entry saying that the GC promotion has completed: Source NTDS, Event 1119.

Look for a Registry entry called HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Global Catalog Promotion Complete.

Dump the RootDSE contents using the LDAP Browser (LDP) and look for the isGlobalCatalogReady attribute set to TRUE.

Use the Nltest utility that comes in the Windows Server 2003 Support Tools: nltest /dsgetdc:domainname and look for the GC flag.

There are probably others but those come to mind.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Tuesday, November 08, 2005 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Methods to verify GC promotion

Could you please let me know all the ways to verify a DC has been successfully promoted to a GC? For example, will a dcdiag 100% verify this?

Thanks,
...D
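As an added example (not code from the thread), a PowerShell function that runs the four checks listed above from the DC itself and returns them as one object. It assumes Windows PowerShell on the DC with admin rights, that event 1119 is found in the Directory Service log, and that nltest prints "DC:" and "Flags:" lines as it does on Windows Server 2003 and later; the function name Test-GlobalCatalogPromotion is this example's own.

```powershell
# Added example: verify GC promotion using the four checks from the thread.
# Run locally on the DC being verified. $DomainName defaults to the logon domain.
function Test-GlobalCatalogPromotion {
    param([string]$DomainName = $env:USERDNSDOMAIN)

    $result = [ordered]@{}

    # 1. Directory Service log, source NTDS (General), event 1119: promotion complete.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1119 } `
                        -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.Event1119Logged = [bool]$evt
    $result.Event1119Time   = if ($evt) { $evt.TimeCreated } else { $null }

    # 2. Registry flag written by the DS when the GC promotion finishes.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $flag = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Global Catalog Promotion Complete'
    $result.RegistryFlag = ($flag -eq 1)

    # 3. RootDSE of this DC: isGlobalCatalogReady is the string TRUE or FALSE.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $result.IsGlobalCatalogReady = ("$($rootDse.isGlobalCatalogReady)" -eq 'TRUE')

    # 4. nltest /dsgetdc returns whichever DC the locator picks, so its GC flag only
    #    says something about this machine if the "DC:" line names this host.
    $nltest = & nltest "/dsgetdc:$DomainName" 2>&1 | Out-String
    $dcMatch = [regex]::Match($nltest, 'DC:\s+\\\\(\S+)')
    $result.LocatorReturned      = $dcMatch.Groups[1].Value
    $result.LocatorNamedThisHost = $result.LocatorReturned -like "$env:COMPUTERNAME*"
    $result.LocatorGcFlag        = ([regex]::Match($nltest, 'Flags:.*\bGC\b')).Success

    # Only the checks that describe this host decide the verdict; the locator
    # result is reported for context and is conclusive only when it named this host.
    $result.PromotionComplete = $result.Event1119Logged -and
                                $result.RegistryFlag -and
                                $result.IsGlobalCatalogReady
    return [pscustomobject]$result
}

Test-GlobalCatalogPromotion | Format-List
```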
RE: [ActiveDir] NT enumeration
FWIW we used to manage NT computer accounts with an oldcmpNT written in PERL using Win32::AdminMisc, Win32::NetAdmin and Win32::Lanman. There are numerous variants of such things floating around but this should get you started:
http://www.roth.net/perl/scripts/scripts.asp?WSClean.pl

There's also a utility (netpwage[1]) and some vbscript wrappers around for it for managing SAM accounts based on age.
http://www.optimumx.com/download/#NetPWAge

[1] Displays the password age for all accounts in the specified domain, both users and machines. Very useful for cleaning out old, unused accounts from the NT SAM database.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, November 02, 2005 5:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NT enumeration

NT4 doesn't allow you to query with a filter. You enumerate and filter yourself. The way you would have to do it with getuserinfo is to get a list of all computers in the domain (net view) and then ask for info on each one and parse out the password age. You may be able to do a query-like thing with WMI but it is still enumerating, so it has none of the speed of a real query like you get with AD. You can look for other tools that can dump en masse or maybe do the enumeration for you. I do not currently have anything. I thought about making an oldcmpNT but it is a completely different program from oldcmp and I just never did it as I had other things I wanted to do more. Alternatively, you should be able to write an entire ADSI script to dump everything as well.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Tuesday, November 01, 2005 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NT enumeration

Thanks a lot. What I'm trying to do is get a listing of every active computer in an NT 4.0 domain. I guess I can't see any way to make your tool (or any tool) filter based on that. I can only query 1 PC and get info for that. I guess WINS or a browse list is not accurate?

Thanks again. Cool tool.

On 11/1/05, joe [EMAIL PROTECTED] wrote:
1. You are welcome
2. You need to use NET * API. I have one tool that will get that info for computers in an NT4 domain and that is getuserinfo; it gets info for one single specified userid. You will specify a computer by the domain\machinename$. Don't forget the $ on the end.
3. Yeah, they should go every 30 days.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Tuesday, November 01, 2005 11:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NT enumeration

1. Thanks
2. I know how to get pwdLastSet in AD. How do you get password ages in NT SAMs?
3. If I have win2k clients, would they be setting their passwords every 30 days even in an NT domain?

Thanks again.

On 11/1/05, joe [EMAIL PROTECTED] wrote:
If you just care about real machines (i.e. no Wintendo machines - Win9x) then you enumerate the computer accounts in the domain and try to contact all of them and verify their password ages. NT machines should be changing passwords every 7 days unless that was overridden.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Tuesday, November 01, 2005 11:10 AM
To: activedirectory
Subject: [ActiveDir] NT enumeration

What is the most accurate way to enumerate live machines on an NT domain? Check WINS? Net View? What is the most accurate and reliable way to list all machines in an NT domain that are active?

Thanks a lot
RE: [ActiveDir] Restricted Groups question
"I want an easy way to make sure all users are local admins"

Use NT Authority\Interactive; then whoever is logged on is admin without opening it up to everyone.[1]

[1] Be prepared for a whole bunch of replies about why letting your users run as admin is !good.[2]
[2] I'm not going to mention that, but be prepared :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Friday, October 28, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restricted Groups question

Is there any way to add the Authenticated Users built-in group to the local administrators group on every PC using a restricted groups GPO? Basically I want an easy way to make sure all users are local admins on their PCs without creating a custom group. Should I just use xxx\domain users instead?
RE: [ActiveDir] Security Log file size not reaching the maximum log file size
Another good reference from Eric Fitzgerald (Audit PM):

Windows Security Logging and Other Esoterica: How big should my security event log be?
http://blogs.msdn.com/ericfitz/archive/2005/09/14/466336.aspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Linehan
Sent: Tuesday, October 18, 2005 8:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Log file size not reaching the maximum log file size

And just so you do not think I am making this up, here is the public reference that documents it:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/5a86ab0f-c7eb-45ed-9e5e-514173bf15e3.mspx
:-)

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Linehan
Sent: Tuesday, October 18, 2005 10:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Log file size not reaching the maximum log file size

This problem is described in http://support.microsoft.com/default.aspx?scid=kb;en-us;312571 . The fix allows the automatic archiving of the log files but does not explain why the problem occurs. The issue is around the fact that a contiguous block of memory is needed for all of the log files and this is not pre-allocated, so if the memory on the box becomes fragmented, which it will, then eventually the contiguous block cannot be allocated and we will stop logging. Generally we recommend not setting the total size of all logs over 300 MB and using the feature above for the security log so that it can be automatically archived.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, October 18, 2005 8:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Log file size not reaching the maximum log file size

We recently increased our auditing and set the security log file size to 1G, but the security log overwrites at about 409MB, thus never reaching the 1G security log file size.

Windows 2003 Domain Controllers

Anyone with any ideas?
RE: [ActiveDir] Force a Domain Sync
Look into repadmin /syncall
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/a103036b-5d82-4d99-8e61-23d434a8e6eb.mspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Narkinsky, Brian
Sent: Wednesday, October 19, 2005 1:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Force a Domain Sync

Isn't there some command line that will force all the DCs in a Domain to sync immediately? I can't remember what it is, but it seems like there was some way.

Brian Narkinsky
System's Analyst
Florida Department of Environmental Protection
Tallahassee, FL 32399
RE: [ActiveDir] Knowing when users were deleted.
Where's ACS?

As the beta came to an end, the last I was told the agent would be in R2 (free) and the collector would be a separate product (!free).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, October 17, 2005 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Another Hmm.

I'd still like to see that better configured than putting it into the AD if the infos are already there (or configurable). We could request to make it default to log that kind of info. And as far as we are talking about looking into every server: Where's ACS? And also SNMP would be an option to get notified on a single system instead of looking into every DC.

Ulf

|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
|Sent: Monday, October 17, 2005 3:10 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Knowing when users were deleted.
|
|I'll see your Eurocents and raise you two. :)
|
|I fully understand where you're coming from Ulf. Adding this information into the DIT when it is currently possible to get is something that grates against common sense and common engineering principles even if you subscribe to belts and braces methodologies.
|
|However, I think two things make this a worthwhile request with a big payoff. First, to Laura's point about diminishing returns. I agree, at some point there will be diminishing returns. I also believe that as hardware gets bigger (i.e. standard 80 GB hard drives, 1 GB memory in workstation machines, etc. [1]) the bar gets raised until we get to the diminishing return. Since we're targeting 80/20 out of the box [2] it seems reasonable that 80% of the deployments would benefit from such a change. The other 20 would be those that a) don't care or know about such things and b) those that can't tolerate the additional overhead and therefore wouldn't want to deploy it. I say tough pickles to them. :)
|
|Seriously, this could be on by default but configurable (group policy?) to disable it as a performance issue etc.
|
|Second, I think that the major benefit is the ability to actually get usable information native to the product vs. having to invest in a third party product. Why? Because today in order to get that information I have to have something that scrapes the Security logs looking for such information. Is this a good idea? I think it is. Is it something that could be native? I think it could and should be native if technically feasible.
|
|Making us look in a particular DC's event logs is more difficult than it should be without yet another product. That's fine for the really large companies that have deeper pockets, and larger needs. For the small to medium businesses, it should not be so difficult nor should it *require* SQL licensing or expertise.
|
|[1] I'm not saying that the quality has kept up, only that the hardware is bigger, faster, stronger and cheaper.
|[2] I'm making that up, but it sounds reasonable
|
|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner
|Sent: Sunday, October 16, 2005 4:42 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Knowing when users were deleted.
|
|Hmm.
|
|Do we really want to excuse prior failure of proper auditing by putting more data into AD? Wouldn't that turn every request about non-configured auditing into a request for extending the AD? Do it right the first time.
|
|I completely agree that we should make people more auditing aware, and it would be great to have centralized auditing together with some force of configuration instead of the per-server events and auditing which is rarely configured.
|
|However I'm not sure if I want this kind of data in the AD.
|
|Just my Eurocents.
|
|Ulf
|
||-----Original Message-----
||From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura E. Hunter
||Sent: Sunday, October 16, 2005 10:28 PM
||To: ActiveDir@mail.activedir.org
||Subject: Re: [ActiveDir] Knowing when users were deleted.
||
||Various thoughts from this thread:
||
||[1] I agree with Al and Paul[1] on a desire for that sort of metadata. I'm not as convinced of the trade-off value of bloating the DIT for full undelete information, particularly in monster big environments. For my teeny-tiny single domain it probably wouldn't be that bad of a hit, but I imagine that the law of diminishing returns would quickly set in.
||
||[2] Please finish the thought, Brett, I'm sure I'd find it helpful/enlightening/informative even if it's only speaking in hypotheticals.
||
||[3] It's Gil and Darren's turn to crack me up today, I guess joe is taking a break.
||
||[1] *waves* Hi Paul! Glad to see you alive post-Summit.
||
||- L
RE: [ActiveDir] finding computer objects
Tom-

I'll certainly not try to explain it while joe's around :-) but here's a KB that helped me when I was trying to grasp this. That and using adfind to look at the resultant values of objects that I knew the flags for already...

How to use the UserAccountControl flags to manipulate user account properties:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

So how can I get just normal comp accounts which are NOT disabled? Would you not use a bitwise filter for those types of queries?

Thanks

p.s. Since you responded to this one after my stupid salary query, and this actually is one of those questions which has nothing to do with my current job but is for my own curiosity, I thought I'd pursue it. I've never really understood the proper way to use bitwise filters and when, even after reading Robbie Allen's brief explanation in the AD Cookbook. I really did try to look this one up. Can you explain it to me in the context of this query?

Thanks again

On 10/14/05, joe [EMAIL PROTECTED] wrote:
Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know, checking for 4096 in useraccountcontrol will include disabled accounts also.. As bit 2 is set for account disabled, and you are not checking its absence.
( http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144 )

Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 (4096 + 2); you will find that those are disabled accounts (which I think you didn't want).

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh

On 10/14/05, Tom Kern [EMAIL PROTECTED] wrote:
Thanks. I used dsquery:

    dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again. Sorry to bug you. I should've posted that I figured it out.

On 10/14/05, Kamlesh Parmar [EMAIL PROTECTED] wrote:
Why not use CSVDE.EXE, while joe gives us adfind with the -CSV switch and custom delimiter in the next few days.

    csvde -f output.txt -r "(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(operatingSystem=Windows Server 2003))" -l cn,description

Only gripe is you can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom [EMAIL PROTECTED] wrote:

--
~~~ Fortune and Love befriend the bold ~~~
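As an added example (not code from the thread), the PowerShell below mirrors how the two bitwise matching rules (AND = 1.2.840.113556.1.4.803, OR = 1.2.840.113556.1.4.804) evaluate against userAccountControl, runs the filter as Tom posted it and the corrected form from Kamlesh's csvde over a few constructed computer objects, and builds the corrected filter string. The sample objects, the ADS_UF_* constant names and the function names are this example's own.

```powershell
# Added example: LDAP bitwise matching rules applied to userAccountControl.
$LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'   # every bit in the mask must be set
$LDAP_MATCHING_RULE_BIT_OR  = '1.2.840.113556.1.4.804'   # at least one bit in the mask is set

# userAccountControl bits used here (values per KB Q305144).
$ADS_UF_ACCOUNTDISABLE            = 0x0002   # 2
$ADS_UF_PASSWD_NOTREQD            = 0x0020   # 32
$ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000   # 4096, member workstations and servers
$ADS_UF_SERVER_TRUST_ACCOUNT      = 0x2000   # 8192, domain controllers

function Test-LdapBitwise {
    # Server-side semantics of (attribute:<rule OID>:=mask) for one integer attribute value.
    param([int]$Value, [string]$Rule, [int]$Mask)
    if     ($Rule -eq $LDAP_MATCHING_RULE_BIT_AND) { return (($Value -band $Mask) -eq $Mask) }
    elseif ($Rule -eq $LDAP_MATCHING_RULE_BIT_OR)  { return (($Value -band $Mask) -ne 0) }
    else   { throw "Unknown matching rule OID: $Rule" }
}

function New-EnabledComputerFilter {
    # Builds the corrected filter: workstation/server trust bit set, disabled bit clear.
    # -OperatingSystem is optional; LDAP wildcards such as 'Windows Server 2003*' are allowed.
    param([string]$OperatingSystem)
    $clauses = @(
        '(objectCategory=computer)'
        "(userAccountControl:${LDAP_MATCHING_RULE_BIT_AND}:=$ADS_UF_WORKSTATION_TRUST_ACCOUNT)"
        "(!(userAccountControl:${LDAP_MATCHING_RULE_BIT_AND}:=$ADS_UF_ACCOUNTDISABLE))"
    )
    if ($OperatingSystem) { $clauses += "(operatingSystem=$OperatingSystem)" }
    return '(&' + ($clauses -join '') + ')'
}

# Constructed sample objects. WS03 shows why a plain (userAccountControl=4096) equality
# test would also be wrong: extra bits on otherwise normal accounts are common.
$computers = @(
    [pscustomobject]@{ Name = 'WS01'; userAccountControl = $ADS_UF_WORKSTATION_TRUST_ACCOUNT }
    [pscustomobject]@{ Name = 'WS02'; userAccountControl = $ADS_UF_WORKSTATION_TRUST_ACCOUNT -bor $ADS_UF_ACCOUNTDISABLE }  # 4098
    [pscustomobject]@{ Name = 'WS03'; userAccountControl = $ADS_UF_WORKSTATION_TRUST_ACCOUNT -bor $ADS_UF_PASSWD_NOTREQD }  # 4128
    [pscustomobject]@{ Name = 'DC01'; userAccountControl = $ADS_UF_SERVER_TRUST_ACCOUNT }
)

# Filter as posted: (userAccountControl:1.2.840.113556.1.4.804:=4096) with no disabled-bit check.
$asPosted = $computers | Where-Object {
    Test-LdapBitwise -Value $_.userAccountControl -Rule $LDAP_MATCHING_RULE_BIT_OR -Mask $ADS_UF_WORKSTATION_TRUST_ACCOUNT
}

# Corrected: trust bit required AND disabled bit absent (the csvde filter's two clauses).
$enabledOnly = $computers | Where-Object {
    (Test-LdapBitwise -Value $_.userAccountControl -Rule $LDAP_MATCHING_RULE_BIT_AND -Mask $ADS_UF_WORKSTATION_TRUST_ACCOUNT) -and
    -not (Test-LdapBitwise -Value $_.userAccountControl -Rule $LDAP_MATCHING_RULE_BIT_AND -Mask $ADS_UF_ACCOUNTDISABLE)
}

"Filter as posted returns : $($asPosted.Name -join ', ')"
"Corrected filter returns : $($enabledOnly.Name -join ', ')"
"Corrected filter string  : $(New-EnabledComputerFilter -OperatingSystem 'Windows Server 2003')"
```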
RE: [ActiveDir] LegalNoticeText maximum value
"you will make Penn State proud!"

Don't folks at the University of Pennsylvania take umbrage when you call it Penn State?? They did when I lived there :-]

/Child of 2 Penn State alums

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, October 14, 2005 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LegalNoticeText maximum value

Sounds like something you could find on www.shutuplaura.com

BTW, it is annoying that I have to get an account to leave a comment. I don't need any more accounts.

So congrats on signing up for the run, you will make Penn State proud!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura E. Hunter
Sent: Thursday, October 13, 2005 9:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LegalNoticeText maximum value

Forgive me if this is an obvious thing and my Google-fu is just failing me, but can someone remind me of the maximum string length on this when running 2003? I'm finding conflicting references between 255 and 512 characters.

Thanks all.

- Laura

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
RE: [ActiveDir] AD/DNS BPA?
We had one last year and it was a rather extraordinary experience IMHO. We learned a lot and picked up a lot of tips and tools from the MCS guys (well, they were ROSS guys actually). They also did an Exchange Health Check. One of the things they leave behind in the tool set, besides all the other goodies, is the ADHC website material so you can have your own up and running all the time. I *think* we had some extra incidents/resources left over from our Premier pool and that's what paid for it.

Highly recommended even if you don't think you have any problems, just for the information/knowledge transfer alone.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Thursday, October 13, 2005 9:22 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] AD/DNS BPA?

The tool I spoke about in confidence with Tony (just teasing ;o) is an offering from MCS known as the ADHC or AD Health Check ... it is a nicely shrink-wrapped series of powerful interrogation scripts/tools that, when compiled by someone sufficiently trained, produces a very detailed configuration breakdown, useful recommendations and/or general mis-configurations. As I understand it, it is available exclusively via an MCS engagement.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Tuesday, October 11, 2005 7:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

I find DNSlint to be pretty good, but obviously limited in scope. I think Dean mentioned to me recently that PSS have a tool that provides BPA-like functionality. It sounded like the output might be a little too complicated to make it publicly available. Perhaps Dean has more info on this (assuming it's not under NDA)?

Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, 12 October 2005 2:58 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

The tools are there, but the interpretation is sometimes lacking <G>

I've been told that several companies are currently offering health checks, but I haven't tested any of them.

As for Microsoft tools, I'm a fan of using dcdiag and netdiag right after scanning the event logs. That'll give me an idea of where to focus more effort if needed. Most of what I want to know is going to show up there without having to do too much waving of the magic wand. There are some additional tools, but they get used after these two steps in my normal approach. That'll indicate whether or not I have to dig deeper. Some other tools such as repadmin are useful as well. And there was a tool, SPA, that could be helpful in some situations depending on what you want to know.

I haven't seen an AD BPA though. Be interesting to see one.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 11, 2005 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD/DNS BPA?

lurk mode off

Stupid question... okay, we have the Exchange Best Practices Analyzer, right?
http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx

I know you guys don't like GUI... but besides DNSlint, dnsdiag, Sysinternals, Joeware stuff and such things... are there currently enough tools in your bag'o'tricks to ensure DNS/AD is set up right? Do you guys have a tool that you consider 'the' DNS/AD BPA and if so what is it? Or is AD/DNS health review like security log reviews/dump files where it's an art and not a science?

And feel free to lob 'SBS could run on ipx/spx' comments my way as well. ;-)

lurk mode back on

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
RE: [ActiveDir] Documenting AD
I don't know about generally available, but Steve Lineham of MS made it temporarily available a few months ago to list members based on a similar thread here; maybe he will do so again if he sees this.

There was also the following suggestion from David Adner:

If you're a Premier customer ask your TAM (or some other friendly MS employee) for a tool called ADMap. This is a tool written by someone in Microsoft that will query your AD configuration and draw it in Visio (preferably version 2002 or higher). Although it's available to customers it's not available for download, hence the request to a MS employee.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Becker, Jim
Sent: Thursday, October 13, 2005 12:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documenting AD

As I understand it, apparently MS used to provide ADMap-like functionality in Visio 2000, but it was removed with 2002. Since I'm at V2003, I was wondering whether the admap program could be made generally available for all our benefit.

Thanks,
Jim Becker
Asst. Dir. of Administrative Systems
State University of New York System Administration
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 13, 2005 4:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documenting AD

I sent the file separately. admap will *not* answer most of the questions you have, however. You will still need to rely upon docs and being a good detective and researcher :)

neil
___
Neil Ruston
Global Technology Infrastructure
Nomura International plc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Sutton
Sent: 13 October 2005 09:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documenting AD

Cheers for the hints so far, folks. Keep 'em coming! :)

Phil: I've tried finding a copy of ADMap on the web, but can't seem to download it from the windows-servers.info site. Do you know anywhere else I can grab it from?

For Troup Bywaters + Anders
Tim Sutton
W: www.TBandA.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: 12 October 2005 16:54
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Documenting AD

Some good comments on what to document. I will chime in to say that a lot of the initial stuff can be documented using ADMap and the GPMC; that will save you a bunch of work in Visio. If you have a TAM ask them to send you ADMap.

Phil

On 10/12/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Additional components:
=====================
Schema
Database
Administrative support model
Domain controller spec
DC/GC placement
Exchange topology and design
DNS design (zone type, placement etc etc)
SYSVOL/FRS
DFS

Administration:
===============
User and group admin and tools
DC admin/support and tools
Forest admin and ownership
GPO admin and tools

I'll stop there and let others chime in...

neil
___
Neil Ruston
Global Technology Infrastructure
Nomura International plc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Sutton
Sent: 12 October 2005 16:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Documenting AD

Hey all,

Being the local bod with AD knowledge at work I've been volunteered the job of documenting our domain (possibly more than one if this goes well). Whilst being a good little job it has already caused me a few problems, mainly just how much detail to put in, so I thought I'd ask for some pearls of wisdom from you guys. What do you lot do? How do you go about it? etc.

So far I'm thinking along these lines:
- a general AD layout diagram detailing the OU structure - Visio will be the weapon of choice I think
- list all GPO's, where they're linked to and what they do etc
- a breakdown of sites and their links
- a breakdown
RE: [ActiveDir] Different Versions of Internet Explorer
Tony-

The numbers are in the form: major version.minor version.build number.sub-build number

This is what the versions are for various versions of XP:

6.00.2600. Internet Explorer 6 (Windows XP)
6.00.2800.1106 Internet Explorer 6 Service Pack 1 (Windows XP SP1)
6.00.2900.2180 Internet Explorer 6 for Windows XP SP2

Your second example matches one of my XP machines that was just upgraded to SP2 and has had no other IE patches applied (yet).

http://support.microsoft.com/?kbid=164539

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anthony Crawford
Sent: Tuesday, October 11, 2005 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Different Versions of Internet Explorer

We have a web based application that is behaving slightly differently depending on the user's version/patches of Internet Explorer. I was wondering if someone would shed some light as to what the numbers mean under Version. I understand it is Version 6.0 but what do the subsequent numbers mean? I also understand under Update Version those are probably patches that have been applied.

For example, Computer One works fine and this is what is listed under Help - About:

Version: 6.0.2800.1106 xpsp2.503001-1526
Cipher Strength: 128 bit
Update Version: SP1; Q818529; Q330994; Q828750; Q832894; Q837009; Q823353; Q867801; Q903235

Computer Two is having the issue and this is what is listed under Help - About:

Version: 6.0.2900.2180 xpsp_sp2_gdr.050301-1519
Cipher Strength: 128-bit
Update Version: SP2

The main difference between the two is Computer One has been on the network for some time and thus has quite a few security patches whereas Computer Two is new and only needed a few patches. The problem seems to be on the new workstations.

Thanks.

Tony
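A small decoder for the "Help - About" strings Tony pasted, using the build-number table from Bob's reply. This is an added example, not code from the thread; the two About blocks are copied from Tony's message and the build labels are the three Bob listed.

```python
"""Decode Internet Explorer 'Help - About' data and diff two machines.

Added example, not code from the list thread. Parses the four-part
version (major.minor.build.sub-build), the build stamp that follows it,
the cipher strength and the 'Update Version' hotfix list, labels the
build with the XP table from the thread, and reports which hotfixes one
machine has that the other lacks.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Build number -> IE6 servicing level for Windows XP (the table from the thread).
KNOWN_XP_BUILDS: Dict[int, str] = {
    2600: "Internet Explorer 6 (Windows XP)",
    2800: "Internet Explorer 6 Service Pack 1 (Windows XP SP1)",
    2900: "Internet Explorer 6 for Windows XP SP2",
}

# major.minor.build[.subbuild][.] [build-stamp]; the sub-build may be absent (e.g. "6.00.2600.").
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\.?(?:\s+(\S+))?$")

# Copied from Tony's message: the working machine and the misbehaving one.
COMPUTER_ONE = """\
Version: 6.0.2800.1106 xpsp2.503001-1526
Cipher Strength: 128 bit
Update Version: SP1; Q818529; Q330994; Q828750; Q832894; Q837009; Q823353; Q867801; Q903235
"""
COMPUTER_TWO = """\
Version: 6.0.2900.2180 xpsp_sp2_gdr.050301-1519
Cipher Strength: 128-bit
Update Version: SP2
"""


@dataclass
class IEAbout:
    version: Tuple[int, int, int, int]
    stamp: Optional[str]            # e.g. "xpsp2.503001-1526": branch.date-time of the build
    cipher_bits: Optional[int]
    updates: List[str] = field(default_factory=list)

    @property
    def build_label(self) -> str:
        return KNOWN_XP_BUILDS.get(self.version[2], "unknown build %d" % self.version[2])


def parse_version(text: str) -> Tuple[Tuple[int, int, int, int], Optional[str]]:
    """Split a Version line into (major, minor, build, subbuild) and the build stamp."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Version value: %r" % text)
    sub = int(m.group(4)) if m.group(4) else 0
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), sub), m.group(5)


def parse_about(text: str) -> IEAbout:
    """Parse the three 'key: value' lines shown under Help - About."""
    fields: Dict[str, str] = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    version, stamp = parse_version(fields.get("Version", ""))
    cipher = re.search(r"(\d+)", fields.get("Cipher Strength", ""))
    # 'Update Version' is a ';'-separated list: service pack first, then hotfix IDs.
    updates = [u.strip() for u in fields.get("Update Version", "").split(";") if u.strip()]
    return IEAbout(version, stamp, int(cipher.group(1)) if cipher else None, updates)


def diff_about(a: IEAbout, b: IEAbout) -> Dict[str, object]:
    """Which machine is newer, what build each is on, and the hotfix sets that differ."""
    newer = "a" if a.version > b.version else "b" if b.version > a.version else "same"
    return {
        "newer": newer,
        "builds": (a.build_label, b.build_label),
        "only_in_a": sorted(set(a.updates) - set(b.updates)),
        "only_in_b": sorted(set(b.updates) - set(a.updates)),
    }


if __name__ == "__main__":
    one, two = parse_about(COMPUTER_ONE), parse_about(COMPUTER_TWO)
    for name, about in (("Computer One", one), ("Computer Two", two)):
        print(name, about.version, about.build_label, "cipher:", about.cipher_bits)
    print(diff_about(one, two))
```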
RE: [ActiveDir] single login size in bytes?
Rich-

This paper isn't XP/2003 but essentially a lot of the same principles apply. I found this paper very illuminating in its day so maybe it will be of some use to you. As far as the feasibility, I spent a lot of time at the wrong end of an ISDN line and it wasn't that bad but I never had more than 2 machines connected concurrently.

Windows 2000 Startup and Logon Traffic Analysis:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/w2kstart.mspx

HTH
Bob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 9:01 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] single login size in bytes?

Does anyone happen to know a rough idea how many bytes are transmitted when a single user logs on to an XP box to a W2K3 AD, assuming cached credentials aside? I've been Google searching and finding a lot of detailed info about replication but not much about the size of the authentication packets etc. I am digging out net monitor as I type (well almost as I type) to see for myself, but anyone who would like to comment on the feasibility of having XP machines on the far end of a 56K frame circuit actually being members of the domain, please feel free to let me know. We're talking simple logging in, including a single GPO or maybe two - but no replication, etc. They do already get their email using Outlook to a pst. And please don't laugh. This is a very serious issue. ;-)

Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
RE: [ActiveDir] reset default domain policy
Yes I had to resort to it once in our lab when someone did something rather lame to sysvol. It worked as advertised, I reset the policies to their original values and all was OK after that. I don't recall any gotchas.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Williams
Sent: Friday, October 07, 2005 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] reset default domain policy

Has anyone used recreateDefPol.exe to reset the default domain policy in a Windows 2000 domain? And if so, are there any gotchas to look out for?

Thanks
Mike

Michael P. Williams
Information Technology
Carlyle Van Lines
(660) 747-8128 X 3816
[EMAIL PROTECTED]
www.carlylevanlines.com
RE: [ActiveDir] Modifying Domain Admins Administrators Group
Think about nested groups and primary group membership. Some of joe's discussions of primary group membership are in the archives and should lead you where you want to go.

...one of Diane's 'cohorts' :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, October 06, 2005 10:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group

Hi joe...I've seen you make this reference in the past and can't remember if you've elaborated on it as well (sorry for not searching - feel free to refer me...getting late here). Since we use the same idea mentioned by Diane below, but *do* use LDAP as the method... ...should we be using net user [or some distant cousin of it] additionally to catch memberships not returned by LDAP? Was that it?

Thanks!
-DaveC

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 8:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group

How does it work? Do you use LDAP to look at the membership? If so, you probably have a hole in the implementation.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Thursday, October 06, 2005 2:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group

We run a simple process that monitors the members of elevated privilege groups. Any changes trigger a notification. Doesn't address the prevention but will allow you to capture the occurrence and deal with it appropriately.

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Thursday, October 06, 2005 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Modifying Domain Admins Administrators Group

Hi,

We have about 7 domain administrators in a particular child domain. I just found out someone added the DBA Group to part of the Administrators group in this domain. Not necessary, not required nor is it a policy. Event logs have obviously been overwritten therefore I would like to know the simplest method to avoid this scenario from ever happening again. What are my options?

Thank you so much.
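A monitor along the lines Diane describes, written to show the gap joe and Bob point at: membership reached through primaryGroupID and through nested groups never appears in the group's own member attribute. This is an added example, not code from the thread; the DNs, SIDs and directory entries are constructed sample data standing in for what a real monitor would read over LDAP.

```python
"""Effective membership of a privileged group from an LDAP-style snapshot.

Added example, not code from the list thread. DIRECTORY is a constructed,
in-memory stand-in for the attributes a monitor would fetch over LDAP
(objectClass, objectSid, member, primaryGroupID). A check that only reads
'member' misses users whose primaryGroupID is the privileged group, and
it has to walk nested groups as well.
"""
from typing import Dict, List, Optional, Set

DOMAIN_SID = "S-1-5-21-1111-2222-3333"      # constructed sample domain SID
ADMINISTRATORS = "CN=Administrators,CN=Builtin,DC=child,DC=corp"
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=child,DC=corp"
DBA_GROUP = "CN=DBA Group,OU=Groups,DC=child,DC=corp"
ALICE = "CN=alice,OU=Staff,DC=child,DC=corp"
DAVE = "CN=dave,OU=Staff,DC=child,DC=corp"
MALLORY = "CN=mallory,OU=Staff,DC=child,DC=corp"

# Constructed sample directory keyed by DN. DBA Group has just been added to
# Administrators (the change Devan found); mallory is in no 'member' list at
# all, her primary group is Domain Admins (RID 512).
DIRECTORY: Dict[str, dict] = {
    ADMINISTRATORS: {"objectClass": "group", "objectSid": "S-1-5-32-544",
                     "member": [DOMAIN_ADMINS, DBA_GROUP]},
    DOMAIN_ADMINS: {"objectClass": "group", "objectSid": DOMAIN_SID + "-512",
                    "member": [ALICE]},
    DBA_GROUP: {"objectClass": "group", "objectSid": DOMAIN_SID + "-1105",
                "member": [DAVE]},
    ALICE: {"objectClass": "user", "primaryGroupID": 513},
    DAVE: {"objectClass": "user", "primaryGroupID": 513},
    MALLORY: {"objectClass": "user", "primaryGroupID": 512},
}


def rid(sid: str) -> int:
    """Relative identifier: the last component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def member_attribute_only(group_dn: str, directory: Dict[str, dict]) -> Set[str]:
    """What a monitor that only reads 'member' sees: no nesting, no primary group."""
    return set(directory[group_dn].get("member", []))


def direct_members(group_dn: str, directory: Dict[str, dict]) -> Set[str]:
    """'member' values plus users whose primaryGroupID selects this group.

    primaryGroupID is a RID relative to the user's own domain, so the
    primary-group check only applies to groups in DOMAIN_SID; a builtin
    group such as S-1-5-32-544 can never be anyone's primary group.
    """
    group = directory[group_dn]
    found = set(group.get("member", []))
    sid = group["objectSid"]
    if sid.startswith(DOMAIN_SID + "-"):
        group_rid = rid(sid)
        for dn, obj in directory.items():
            if obj.get("objectClass") == "user" and obj.get("primaryGroupID") == group_rid:
                found.add(dn)
    return found


def effective_users(group_dn: str, directory: Dict[str, dict],
                    seen: Optional[Set[str]] = None) -> Set[str]:
    """Transitively expand nested groups and return user DNs only."""
    seen = set() if seen is None else seen
    seen.add(group_dn)
    users: Set[str] = set()
    for dn in direct_members(group_dn, directory):
        obj = directory.get(dn)
        if obj is None:
            continue            # dangling reference (e.g. foreign security principal); skip
        if obj["objectClass"] == "group":
            if dn not in seen:  # 'seen' guards against group cycles
                users |= effective_users(dn, directory, seen)
        else:
            users.add(dn)
    return users


def membership_changes(current: Set[str], baseline: Set[str]) -> Dict[str, List[str]]:
    """Diff against the previous snapshot; anything returned is a notification."""
    return {"added": sorted(current - baseline), "removed": sorted(baseline - current)}


if __name__ == "__main__":
    baseline = {ALICE, MALLORY}   # constructed: effective set stored by the previous run
    now = effective_users(ADMINISTRATORS, DIRECTORY)
    print("member attribute only:", sorted(member_attribute_only(ADMINISTRATORS, DIRECTORY)))
    print("effective users:      ", sorted(now))
    print("changes:", membership_changes(now, baseline))
```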
RE: [ActiveDir] Domain, Lab Computers DeepFreeze
For Windows 2000, Windows XP and Windows Server 2003, the default computer account password change is 30 days. You can change the frequency or disable the behavior altogether.

http://support.microsoft.com/default.aspx?scid=kb;en-us;q175468

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Thursday, September 08, 2005 7:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain, Lab Computers DeepFreeze

I'm using Deepfreeze in my computer labs here on campus, (deepfreeze restores the computer on every restart). I also have all these computers as members of our Domain. I'm wondering if the computer accounts in the domain reset their passwords or something every so often and if my deepfreeze product might be messing this up? Here are the following event logs I'm getting on my domain controller. I've tried removing the computers from the domain and re-adding them, which sometimes fixes the problem but it seems to just come back. Both Computer Accounts are in the domain and were created less than 3 weeks ago after removing them and deleting the accounts in the domain.

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5805
Date: 9/8/2005
Time: 5:52:05 AM
User: N/A
Computer: DC2
Description: The session setup from the computer PSYCH-03 failed to authenticate. The following error occurred: Access is denied. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 22 00 00 c0

-- AND --

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5723
Date: 9/8/2005
Time: 1:46:08 AM
User: N/A
Computer: DC2
Description: The session setup from computer 'PSYCH-05' failed because the security database does not contain a trust account 'PSYCH-05$' referenced by the specified computer.
USER ACTION
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. Otherwise, the following steps may be taken to resolve this problem:
If 'PSYCH-05$' is a legitimate machine account for the computer 'PSYCH-05', then 'PSYCH-05' should be rejoined to the domain.
If 'PSYCH-05$' is a legitimate interdomain trust account, then the trust should be recreated.
Otherwise, assuming that 'PSYCH-05$' is not a legitimate account, the following action should be taken on 'PSYCH-05':
If 'PSYCH-05' is a Domain Controller, then the trust associated with 'PSYCH-05$' should be deleted.
If 'PSYCH-05' is not a Domain Controller, it should be disjoined from the domain.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 8b 01 00 c0

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx
307 MONROE HALL
Cheney, WA 99004
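A parser for the two NETLOGON events Matt posted, run over a constructed log export so it works offline. It decodes the 4-byte Data field as a little-endian NTSTATUS (22 00 00 c0 is 0xC0000022, STATUS_ACCESS_DENIED; 8b 01 00 c0 is 0xC000018B, STATUS_NO_TRUST_SAM_ACCOUNT) and groups the failures by client so a lab machine that keeps coming back after a rejoin stands out. This is an added example, not code from the thread; the third record in the sample (a repeat for PSYCH-03 on 9/9/2005) is constructed.

```python
"""Summarise NETLOGON 5805/5723 secure-channel failures per client computer.

Added example, not from the list thread. SAMPLE_LOG is constructed from the
two records in the thread plus one made-up repeat; in practice the text
would be an export of the DC's System log in the same 'key: value' layout.
"""
import re
from typing import Dict, List, Optional

# NTSTATUS codes carried in the 4-byte Data field of these events.
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT",
}

# What each event means for a domain member whose disk is rolled back each boot.
EVENT_MEANING = {
    5805: "secure channel authentication failed: the client's machine account "
          "password no longer matches the one the DC holds",
    5723: "the DC has no computer (trust) account matching this client",
}

SAMPLE_LOG = """\
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5805
Date: 9/8/2005
Time: 5:52:05 AM
User: N/A
Computer: DC2
Description: The session setup from the computer PSYCH-03 failed to authenticate.
The following error occurred: Access is denied.
Data: 0000: 22 00 00 c0
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5723
Date: 9/8/2005
Time: 1:46:08 AM
User: N/A
Computer: DC2
Description: The session setup from computer 'PSYCH-05' failed because the security
database does not contain a trust account 'PSYCH-05$' referenced by the specified computer.
Data: 0000: 8b 01 00 c0
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5805
Date: 9/9/2005
Time: 6:01:12 AM
User: N/A
Computer: DC2
Description: The session setup from the computer PSYCH-03 failed to authenticate.
The following error occurred: Access is denied.
Data: 0000: 22 00 00 c0
"""

HEX_BYTE_RE = re.compile(r"(?<![0-9A-Fa-f:])([0-9A-Fa-f]{2})(?![0-9A-Fa-f:])")
CLIENT_RE = re.compile(r"session setup from (?:the )?computer '?([\w-]+)'?")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split an export into records; Description runs until the Data: line."""
    events: List[Dict[str, str]] = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if not chunk.strip():
            continue
        fields: Dict[str, str] = {}
        desc: List[str] = []
        in_desc = False
        for line in chunk.splitlines():
            if line.startswith("Data:"):
                in_desc = False
                fields["Data"] = line[len("Data:"):]
            elif in_desc:
                desc.append(line.strip())
            elif line.startswith("Description:"):
                in_desc = True
                desc.append(line[len("Description:"):].strip())
            else:
                key, sep, value = line.partition(":")
                if sep:
                    fields[key.strip()] = value.strip()
        fields["Description"] = " ".join(s for s in desc if s)
        events.append(fields)
    return events


def ntstatus_from_data(data: str) -> Optional[int]:
    """First four hex bytes after the offset, little-endian, as an NTSTATUS."""
    hexbytes = HEX_BYTE_RE.findall(data)
    if len(hexbytes) < 4:
        return None
    return int.from_bytes(bytes.fromhex("".join(hexbytes[:4])), "little")


def computer_from_description(desc: str) -> Optional[str]:
    m = CLIENT_RE.search(desc)
    return m.group(1) if m else None


def summarise(text: str) -> Dict[str, dict]:
    """Per client: the 5805/5723 events seen and whether they recur."""
    summary: Dict[str, dict] = {}
    for ev in parse_events(text):
        try:
            event_id = int(ev.get("Event ID", ""))
        except ValueError:
            continue
        if ev.get("Event Source") != "NETLOGON" or event_id not in EVENT_MEANING:
            continue
        client = computer_from_description(ev.get("Description", "")) or "<unknown>"
        status = ntstatus_from_data(ev.get("Data", ""))
        entry = summary.setdefault(client, {"events": [], "recurring": False})
        entry["events"].append({
            "id": event_id, "date": ev.get("Date"), "time": ev.get("Time"),
            "dc": ev.get("Computer"), "meaning": EVENT_MEANING[event_id],
            "status": NTSTATUS_NAMES.get(status, "0x%08X" % status) if status is not None else "unknown",
        })
    for entry in summary.values():
        # The same client failing again after a rejoin is the pattern Matt describes.
        entry["recurring"] = len(entry["events"]) >= 2
    return summary


if __name__ == "__main__":
    for client, info in summarise(SAMPLE_LOG).items():
        print(client, "recurring" if info["recurring"] else "once",
              [(e["id"], e["date"], e["status"]) for e in info["events"]])
```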
RE: [ActiveDir] Win2k3 SP1 vs. W32Time
We have some apps groan that did. What we did was establish a CNAME imaginatively named AD :-) We tell the developers that want to point to a DC for such things to use the CNAME instead of hardcoding a DC and flip it to a different DC before we reboot the one it is usually pointed to.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Wednesday, August 24, 2005 12:24 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Win2k3 SP1 vs. W32Time

Point well taken.. come to think of it, I did work at a startup several years back that had a Java based web app using a specific DC for user authentication via LDAP. Thanks for pointing that out.

Jose

- Original Message -
From: Phil Renouf [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 24, 2005 11:09 AM
Subject: Re: [ActiveDir] Win2k3 SP1 vs. W32Time

If you do something like this then you want to be 100% sure that there are no applications out there using your DC name specifically for authentication or LDAP queries and that there are no clients with LMHOSTS file entries etc.

Phil

On 8/24/05, Jose Medeiros [EMAIL PROTECTED] wrote:

Hi David,

I just wanted to let you know that we upgraded one of our domains to AD 2003 with sp1 several months ago and have not seen the issue that you are having. Also the reason why you have multiple DC's is so if one goes down, the others can still authenticate the clients, so unless you are also using your DC's as file and print servers, rebooting one during the day would hardly be noticeable (rebooting them during a lunch break is probably best). I am sure that others on the list may have an argument to challenge what I just stated, however I would love to hear it.

Jose :-)

- Original Message -
From: David Aragon [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 23, 2005 7:26 PM
Subject: RE: [ActiveDir] Win2k3 SP1 vs. W32Time

David,

Yes, I tried them both, step by step, exactly as the KB described (the first on DC1, the second on DC2, and both on DC3, each time with no joy). There was nothing about rebooting in the article, but I did restart Net Logon Service after each workaround was attempted. I won't be able to reboot any of the DC's for several more hours.

David Aragon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Tuesday, August 23, 2005 6:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win2k3 SP1 vs. W32Time

*cough* That's the KB he referenced. :)

David, did you try both workarounds or just one of them? Did you try rebooting after making the changes? Can you describe the exact things you did?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 23, 2005 7:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win2k3 SP1 vs. W32Time

see http://support.microsoft.com/?kbid=892501&SD=tech

Mike Thommes

From: [EMAIL PROTECTED] on behalf of David Aragon
Sent: Tue 8/23/2005 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win2k3 SP1 vs. W32Time

We just upgraded our 2k3 DC's to SP1 this last weekend after several months of testing and re-testing. Shortly afterwards I noticed that the time service was stopped with error IDs 7023 & 46 (see below). I went through the steps listed in kb892501 but to no avail. This issue did not appear in any of our test setups, however all our production DC's exhibit the behavior. Does anyone have any suggestions or ideas?

David Aragon

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 8/23/2005
Time: 3:58:47 PM
User: N/A
Description: The Windows Time service terminated with the following error: Not all privileges referenced are assigned to the caller.

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 46
Date: 8/23/2005
Time: 3:58:47 PM
User: N/A
Description: The time service encountered an error and was forced to shut down. The error was: 0x80070514: Not all privileges referenced are assigned to the caller.
RE: [ActiveDir] GPO with Computer Accounts?
Yes, use a WMI filter.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/6237b9b2-4a21-425e-8976-2065d28b3147.mspx

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, August 18, 2005 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO with Computer Accounts?

Is it possible to apply this to only Windows XP Computers?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 18, 2005 2:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO with Computer Accounts?

Yes.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Thu 8/18/2005 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO with Computer Accounts?

Does the group Authenticated Users include domain computers? This way, I can use this to apply the GPO to all computers.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 18, 2005 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO with Computer Accounts?

Since you said you want to apply it to all computer accounts in a domain, you'd need to apply it at the Domain level. If you don't want it to apply to the servers (since you said you moved them to a separate OU), you can block the GPO at the OU where the servers now reside. Alternatively, you could move all the computers you want to apply the GPO to into their own OU (I am thinking that these are different from the servers) and apply the GPO only to that OU.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Thu 8/18/2005 8:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO with Computer Accounts?

How can I apply a GPO to all computer accounts in a domain? I've already moved my servers out of the computers container into a separate OU, but I can't apply a GPO to a container, only domains and OU's.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
This is a bit surreal, I *just* got asked about this exact situation only a couple of minutes after Charlie's message. We are in a very similar environment although it's E2K instead of 2K3, is Unity a common denominator?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, August 16, 2005 1:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

I can't explain it to you, but you aren't alone. I've seen exactly the same thing happen (and I'm in the same environment you describe). But it never made it high enough up my priority list to investigate.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, August 16, 2005 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

I've recently run into a weird problem and can't find anything that explains it to me. W2K3 AD single-domain forest, 2K3 native mode, E2K3 enterprise, Cisco Unity VM schema extensions. Our junior admin recently handled a couple of user terminations. Disabled the account, set self to full mailbox access, moved account from Employees OU to terminated sub-OU. I had to do something to one of those accounts and didn't see it in ADUC. Knew it was there somewhere, so fired up ADFind. Turns out the showInAdvancedViewOnly attribute had been set to TRUE.

Junior admin logs into exchange server to perform the account management, because it's the only machine that has the exchange admin tools on it that he can access. (That's changing today; he WILL load the tools on his machine. <G>) He didn't do anything special, doesn't use ADSIEdit or DSMOD; strictly the ADUC GUI. I'm trying to figure out why this would happen, and I don't have a clue. Any ideas? Easy enough to set the attribute back, but I'm wondering why it would set it in the first place. AFAIK, there isn't any way to set that attribute via the ADUC GUI... This has only happened on two accounts, both dealt with in the past couple of weeks...

Thanks!

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
Well, here's what we found- Totally unrelated to Unity, our Unity admin contacted me about not seeing an account in object picker to add to a group. I checked and showInAdvancedViewOnly=TRUE. I mentioned this discussion to him, so he looked at it from the Unity interface- The setting in Unity for that account was "Do not list subscriber in phone directory" and "Show subscriber in e-mail server address book". He changed it to "Do not show in GAL", saved it. Then enabled both so the settings are now "List in phone directory" and "Show subscriber in e-mail server address book". I looked again and showInAdvancedViewOnly was toggled to FALSE.

He's going to play around with it from the Unity side and see if he can repro the issue.

hth

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 16, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

This is a bit surreal, I *just* got asked about this exact situation only a couple of minutes after Charlie's message. We are in a very similar environment although it's E2K instead of 2K3, is Unity a common denominator?
RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
Hope it's not bad juju to reply to myself 2x in the same day :-]

Here's what our Unity admin found on his side-

When "Show in the GAL" is not checked, it makes the showInAdvancedViewOnly: TRUE
When it's checked it shows showInAdvancedViewOnly: FALSE

The "list in phone directory" setting doesn't make any difference.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 16, 2005 2:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

Well, here's what we found- Totally unrelated to Unity, our Unity admin contacted me about not seeing an account in object picker to add to a group. I checked and showInAdvancedViewOnly=TRUE. I mentioned this discussion to him, so he looked at it from the Unity interface- The setting in Unity for that account was "Do not list subscriber in phone directory" and "Show subscriber in e-mail server address book". He changed it to "Do not show in GAL", saved it. Then enabled both so the settings are now "List in phone directory" and "Show subscriber in e-mail server address book". I looked again and showInAdvancedViewOnly was toggled to FALSE. He's going to play around with it from the Unity side and see if he can repro the issue.

hth
RE: [ActiveDir] account operators
Has anyone used shim products like NetIQ DRA? I've used it previously when it was a product from Mission Critical We used it extensively in the NT days when it was Enterprise Administrator and liked it very much. DRA was a wholesale flop here and we replaced it with Active Roles as soon as we could get it past the bean counters. That was several years ago and the product may have improved substantially but the original offering after the acquisition was extremely unpopular here. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo Sent: Friday, August 12, 2005 1:04 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] account operators I remember reading something alluding to this on built-in groups in general... can't remember where (maybe it was joe), but the general principal was that if you utilise any of the built-in 'service' groups, elevating permissions with these legacy groups is generally a fairly easy thing to do for anyone with a bit of curiosity, determination and perhaps ill-intent. Has anyone used shim products like NetIQ DRA? I've used it previously when it was a product from Mission Critical... these just proxy changes to AD and empower ordinary domain users through the customer tools and (proxied) interfaces. I realise there are shortcomings... a domain admin is a domain admin after all but i'm interested in hearing comments. Cheers Mylo Rick Kingslan wrote: joe - no need to apologize. You're absolutely correct. Once I read your e-mail, I had doubts, but knowing joe, and knowing what joe knows, I had to go look to satisfy my curiosity. Honestly, what I saw scared me to a great degree. AO does have full and complete access to any user object and property - period. AO may not be able to manipulate it through the easy mechanisms (i.e. the GUI ADUC or the scripted CDOEXM, but any other interface that will allow manipulation of the objects *IS*possible - and that revelation is quite shocking, to say the least. 
For anyone that wants to duplicate what I did - make use of a resource that is right at your finger tips. Don't go poking around your production systems. And, even if you don't have Exchange, you can still check this out. Make use of the TechNet Virtual Labs for checking things out and determining if an idea will work - with no setup costs at all. Find a lab that has the components that you need, and party on. The labs are not restricted to allowing you to do only what the lab is designed for. You can do practically anything you want - sometimes including adding in extra Windows and Server System components. Find the Virtual Servers at: http://microsoft.demoservers.com Thanks, joe - for calling this to my attention and correcting my 'rosy security' view of separation of duties when it comes to Exchange. It's not as it appears - or as many writers have written. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 12, 2005 12:00 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] account operators Sorry Rick, I have to correct you on this one. An account operator absolutely has enough rights to mailbox enable a user. AccOps by default have FC over user objects, they can do ANYTHING to a user they want to. The key is they have to know how to. You could for instance use admod or ldifde or adsiedit or anything that allows you to update mailnickname and homemdb. Or for that matter mailnickname and homeMTA. Also I think you can do mailNickname and msExchHomeServerName. The reason an AccOp can not use ADUC or CDOEXM to mailbox enable a user is because the tools are written to enumerate Exchange config info which an AccOp doesn't have access to. I don't know if it was intended as a security feature or not but it is how it works. 
I wouldn't be surprised if it was a security feature because it aligns with some other silly tool-based security MS did before like for instance being unable to view the admins group from usermgr if you weren't an admin but if you knew other mechanisms you could still do it... Or the GUI not listing hidden shares even though the server sends that info back to the clients requesting the info. RANT The permissioning model of Exchange, especially in AD, quite frankly, sucks ass. It does almost everything it can to make it a pain in the butt to separate administration between AD/NOS stuff and Exchange stuff. Instead of using the mail property set or creating their own they glommed onto the base property sets. In order to do any separation you either have to change the property sets and hear cries of unsupported from PSS or you have to put in a ton of ACEs or a half a ton of ACEs including a bunch of denies. Most admins haven't the foggiest clue how much access they have given away in AD to people. I have fielded many a question on how come some admin can send mail as someone or get access to read mail for other
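A check for what Rick and joe describe above, added here as an example and not code from the thread: it reads the defaultSecurityDescriptor of the schema class "user" (the template stamped on every new user object) and the effective ACL of one existing user, and prints every ACE granted to BUILTIN\Account Operators (SID S-1-5-32-548), so the generic full control that ADUC never surfaces is visible. It assumes the RSAT ActiveDirectory module on a domain-joined host; the user DN is a placeholder.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# (which also provides the AD: drive); the user DN below is a placeholder.
Import-Module ActiveDirectory

$accountOperatorsSid = 'S-1-5-32-548'   # well-known SID of BUILTIN\Account Operators

function Get-AccountOperatorsRules {
    # Pulls the Account Operators ACEs out of an ActiveDirectorySecurity object
    # and spells out the rights, the object type they apply to and their origin.
    param(
        [System.DirectoryServices.ActiveDirectorySecurity]$Security,
        [string]$Source
    )
    $Security.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $accountOperatorsSid } |
        ForEach-Object {
            [pscustomobject]@{
                Source     = $Source
                Type       = $_.AccessControlType
                Rights     = $_.ActiveDirectoryRights    # GenericAll = full control
                ObjectType = $_.ObjectType               # all-zero GUID = whole object
                Inherited  = $_.IsInherited
            }
        }
}

# 1. The template every new user object is created with.
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -Identity "CN=User,$schemaNc" -Properties defaultSecurityDescriptor
$template  = New-Object System.DirectoryServices.ActiveDirectorySecurity
$template.SetSecurityDescriptorSddlForm($userClass.defaultSecurityDescriptor)
$fromSchema = Get-AccountOperatorsRules -Security $template -Source 'schema default (class user)'

# 2. The effective ACL on one real user object, explicit plus inherited ACEs.
$userDn   = 'CN=Some User,CN=Users,DC=example,DC=com'   # placeholder
$onObject = Get-AccountOperatorsRules -Security (Get-Acl -Path "AD:\$userDn") -Source $userDn

@($fromSchema) + @($onObject) | Format-Table -AutoSize
```

If the first row shows GenericAll for Account Operators on the whole object, an Account Operator can write mailNickname and homeMDB with any LDAP client, exactly as joe says; ADUC and CDOEXM only refuse because they first try to read Exchange configuration the operator cannot see.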
RE: [ActiveDir] A bad bad thing...Manual push of AD?
why can no one keep the version and the USN straight? Is this something that could be resolved by the issue discussed in ~Eric's blog under the Brett Unplugged - Still no posts category? :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Thursday, August 11, 2005 3:22 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD? NOT the USN. Everyone makes that mistake ... why can no one keep the version and the USN straight? The USN never resolves replication conflicts, only tells us WHAT to replicate, never WHAT should win. The version is the opposite, it never tells us what we need to replicate, only who should win in case of a conflict ... During auth restore the version is incremented by 10 (per day old the backup is), and the USN is simply allocated from the next available USN (i.e. it is only guaranteed to be at least 1 higher than the last USN, but more likely there is just some random number of USNs in between, so it jumps by some amount ...). Cheers, -BrettSh On Thu, 11 Aug 2005, Rick Kingslan wrote: A Right, right. I forgot the increase of 10 in the USN. This would effectively insure that the newly authed object would not be overwritten by the object on the DC yanked from the network. So, Guido is right (as always). Rebuilding the DC is not even remotely the issue - and is not even necessary once the USN is increased. Got it. Thanks for the clarification, all! Rick _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, August 11, 2005 3:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD? You are both correct... However, what Brett says (and what I thought) is use another DC where the user still exists in full detail.
Boot into DSRM. Use NTDSUTIL and an AUTH restore so that the version of the object is increased (by 10). Because the version of the user has been increased the deleted version of the user will be undone. Only after restoring he should bring back the DC online. The deletion will replicate out and the undeletion (the object with a higher version) will replicate in. If he brings the DC back online before doing an auth restore of the object, the deletion will replicate to the other DCs and then he will, as Brett said, need to do a system state restore. The procedure Brett described below and I above looks like the lag site structure and in this with only one DC and someone who can run really fast... ;-))) Jorge _ From: [EMAIL PROTECTED] on behalf of Rick Kingslan Sent: Thu 8/11/2005 9:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD? Brett, How is this going to help him get the DC back online that he yanked the cable on? As soon as that system is plugged back in, it's going to repl out the change, no? Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Thursday, August 11, 2005 1:54 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] A bad bad thing...Manual push of AD? Well you're lucky that you yanked the network cable in time, now you don't have to do a system state restore to get the user back ... Find a DC where the user still exists in a pristine condition, all the mailbox details, etc. Reboot the DC in DS Restore mode(DSRM). Use ntdsutil.exe to auth restore just that user's object. You may (probably will) also have to restore links to that user, at this point it'd be nice if you were running on Win2k3 SP1, but if not it is still accomplishable. For Win2k3 Sp1, after auth restoring the user, there should be some ldf file(s) that will allow you to restore the links.
Simply use ldifde, to apply these files to the appropriate DCs (up to one ldf per domain). For pre this latest generation (which is more likely, because you could yank the net cable in time), you may have to find the objects that are linked to the user, and restore them yourself. You can do this by performing an LDAP operation that deletes and re-sets the links to that user. BTW, there is a more extensive KB article you might find useful: http://support.microsoft.com/?kbid=840001 Cheers, BrettSh This posting is provided AS IS with no warranties, and confers no rights. On Thu, 11 Aug 2005, Shadow Roldan wrote: So I did a bad thing, I deleted a user at a different site and marked his mailbox for deletion Immediately recognizing my mistake I *ran* to the server room and yanked the network cable of the dc I was connected to. For now, none of the changes have replicated. I want to bring this machine back online, but I don't want those changes to
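Brett's distinction (the USN says what a partner still has to pull, the version says who wins a conflict) can be seen directly in the replication metadata. The script below is an added example, not something from the thread: it reads the per-attribute metadata for one object from two DCs and lists version, local USN and originating DC side by side. Run it once against the isolated DC and a healthy DC before the authoritative restore and once after, and the Version column is the one that moves by the restore's increment while LocalUsn simply takes the next free number on each DC. It assumes the RSAT ActiveDirectory module (the cmdlet is available from Server 2012 onward); the DC names and DN are placeholders.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module;
# DC names and the object DN below are placeholders.
Import-Module ActiveDirectory

function Compare-ReplicationMetadata {
    # One row per (DC, attribute): Version decides conflicts, LocalUsn only
    # tells that DC's partners what they have not pulled yet.
    param(
        [Parameter(Mandatory)][string]$ObjectDn,
        [Parameter(Mandatory)][string[]]$Server,
        [string[]]$Attribute = @('isDeleted', 'mailNickname', 'homeMDB', 'userAccountControl')
    )
    foreach ($dc in $Server) {
        # -IncludeDeletedObjects so the tombstone on the isolated DC is still readable.
        Get-ADReplicationAttributeMetadata -Object $ObjectDn -Server $dc -IncludeDeletedObjects |
            Where-Object { $_.AttributeName -in $Attribute } |
            ForEach-Object {
                [pscustomobject]@{
                    Server     = $dc
                    Attribute  = $_.AttributeName
                    Version    = $_.Version                                   # winner on conflict
                    LocalUsn   = $_.LocalChangeUsn                            # per-DC sequence number
                    OriginUsn  = $_.LastOriginatingChangeUsn
                    OriginDc   = $_.LastOriginatingChangeDirectoryServerIdentity
                    OriginTime = $_.LastOriginatingChangeTime
                }
            }
    }
}

# The DC whose cable was pulled and one DC that never saw the deletion.
Compare-ReplicationMetadata -ObjectDn 'CN=Shadow Roldan,OU=Users,DC=example,DC=com' `
                            -Server 'DC-ISOLATED', 'DC-GOOD' |
    Sort-Object Attribute, Server | Format-Table -AutoSize
```

Read the output attribute by attribute: the same attribute carries the same Version on every DC that has the same originating write, while LocalUsn differs from DC to DC, which is why a large USN on the isolated DC proves nothing about who will win when the cable goes back in.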
RE: [ActiveDir] how to replicate a production environment.. ?
It's been discussed several times, most recently last week, check the archives for the Replicating AD thread. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Ryan Sent: Wednesday, August 10, 2005 12:22 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] how to replicate a production environment.. ? I'm faced with a bit of a challenge that hopefully someone can provide some better ideas than I've come up with.. my company is bringing in a fairly complex identity management product that is largely AD-unaware and I need to make sure it gets adequately tested before it makes it into our production environment - given the complexity of our tree, various schema additions, etc, I really need to be able to replicate everything in the directory over to the lab so we can determine what will break when this new software gets deployed. My initial ideas were to either a) do restores of the various domains in our lab onto new boxes, or b) just copy the VM's from a dc in each domain into the lab - either option would require significant metadata cleanup in the new forest to eliminate the hundred or so sites and other DC's we've got around our environment.. am I stuck down this route to get the data I need or is there an easier way that is just escaping my narrow view? -- r List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] 2 quick favors
Not an SMS guy either, but ours says it's not inherent although it can be done :-) From: Al Mulnick [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Wednesday, August 10, 2005 3:16 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 2 quick favors I don't honestly know if it would be inherent or if you'd have to write a script and get SMS to deliver/run it for you. I suspect the latter but I'm not an SMS type either. Be interesting to hear if anyone who has SMS knows that answer. From: [EMAIL PROTECTED] on behalf of Phil Renouf Sent: Wed 8/10/2005 5:42 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] 2 quick favors I'm not an SMS guy, but would SMS have that information (or the ability to gather it with the SMS agent)? Not too useful if you don't already have SMS... Phil On 8/10/05, Al Mulnick [EMAIL PROTECTED] wrote: Scripts to enumerate users on the workstations and member servers, would likely take you enumerating that class and then iterating through each one (connecting and gathering the information). Chock full of reasons why that might not work. That said, I think a pretty good approach would be to use a logon script for the workstations and use a centralized script for the member servers. 
Something like: http://groups-beta.google.com/group/microsoft.public.scripting.wsh/browse_frm/thread/e97b62e4801a877b/58e383209f49a891?lnk=stq=vbscript+enumerate+groups+site:technet.comrnum=2hl=en#58e383209f49a891 Or http://www.microsoft.com/technet/scriptcenter/scripts/ad/computer/default.mspx http://groups-beta.google.com/group/microsoft.public.scripting.vbscript/browse_frm/thread/272360ec34f8ae9b/649cc13d7c44b99f?lnk=stq=vbscript+list+administrators+group+membership+local+site:microsoft.comrnum=1hl=en#649cc13d7c44b99f -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Wednesday, August 10, 2005 2:47 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] 2 quick favors everything is locked down in this environment. there's 802.1x security on the switchport,etc so its a major pain to introduce any new machine. i have an xp laptop that i can't plug in without going thru 5 diff people so in the end i just thought this might be done thru win2k somehow via vbscript or some third party tool. if no one can figure out a solution to this query, how 'bout my second one- enumerate every local account/group(non-default) on every local machine sam in the domain? Thanks for all your help guys! On 8/10/05, Phil Renouf [EMAIL PROTECTED] wrote: Upgrade your workstation to XP and run it from there? Install a VPC that is running XP and run it from there? Phil On 8/10/05, Tom Kern [EMAIL PROTECTED] wrote: yeah, unfortunately, i'm saying there is not one xp box to be seen... can this be done from a win2k box somehow? thanks On 8/10/05, Grillenmeier, Guido [EMAIL PROTECTED] wrote: the environment i work in is all win2k pro/server so GPMC is out. Are you saying you don't even have a single WinXP box in this environment? If you have one, you could still install GPMC on the XP client - this will work fine against a win2k AD.
Then execute the GetReportsForAllGPOs.wsf script that comes with GPMC (typically in the C:\Program Files\GPMC\Scripts folder). This will dump all settings of all GPOs in a domain including the links where the GPOs are applied. /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Wednesday, 10 August 2005 19:26 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] 2 quick favors Ok, I think i'm finding it impossible to create a VBScript or use a tool to enumerate all the settings which are enabled in all or a specific gpo in a win2k domain from a win2k workstation. am i correct? On 8/10/05, Tom Kern [EMAIL PROTECTED] wrote: I get errors with this script- the active directory property cannot be found in the cache I'm running win2k native mode domain. thanks. sorry to bother. On 8/10/05, Alain Lissoir [EMAIL PROTECTED] wrote: For 1/, try this one below. For 2/ I don't have one close but I'm sure some folks here can feed you ... The script doesn't dump in a text file, but that's an easy addition. HTH ' FindGPOLinks v1.04.vbs - Version 1.04 - Alain Lissoir ' ' WSH Script browsing the 'DefaultNamingContext' and the 'configurationNamingContext' ' to retrieve the Group Policies linked to AD objects. ' This should facilitate the search of created policies in the Active Directory. ' ' The script is using a basic LDAP access in the current user context, ' so, you
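Tom's second request (every non-default local account and group in every machine's SAM, plus who sits in local Administrators) is the kind of thing Al's "enumerate the class, then connect to each one" outline turns into. The script below is an added example, not code posted in the thread: it walks the domain's computer objects and uses the WinNT ADSI provider, which talks to Windows 2000 targets as well as current ones and needs no agent. It assumes the RSAT ActiveDirectory module on the collecting host, RPC/SMB reachability, and a credential that can read each remote SAM; the "default" name lists are an assumption you should extend for your builds.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# on the collecting host and rights to read each target's local SAM.
Import-Module ActiveDirectory

# Assumption: what counts as "default" differs per OS build; extend as needed.
$defaultUsers  = 'Administrator', 'Guest', 'HelpAssistant', 'SUPPORT_388945a0', 'ASPNET',
                 'DefaultAccount', 'WDAGUtilityAccount'
$defaultGroups = 'Administrators', 'Users', 'Guests', 'Power Users', 'Backup Operators', 'Replicator',
                 'Remote Desktop Users', 'Network Configuration Operators', 'Performance Monitor Users',
                 'Performance Log Users', 'Distributed COM Users', 'HelpServicesGroup', 'TelnetClients'

function Get-LocalSamInventory {
    # One row per local user or group; groups carry their member ADsPaths so
    # local and domain principals stay distinguishable.
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        $computer = [ADSI]"WinNT://$ComputerName,computer"
        [void]$computer.psbase.Children.SchemaFilter.Add('user')    # skip services, print queues, ...
        [void]$computer.psbase.Children.SchemaFilter.Add('group')
        foreach ($child in $computer.psbase.Children) {
            $class = $child.psbase.SchemaClassName
            $name  = $child.psbase.Name
            $members = $null
            if ($class -eq 'Group') {
                $members = @($child.psbase.Invoke('Members')) | ForEach-Object {
                    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
                }
            }
            [pscustomobject]@{
                Computer  = $ComputerName
                Class     = $class
                Name      = $name
                IsDefault = ($class -eq 'User'  -and $name -in $defaultUsers) -or
                            ($class -eq 'Group' -and $name -in $defaultGroups)
                Members   = ($members -join '; ')
                Error     = $null
            }
        }
    } catch {
        [pscustomobject]@{ Computer = $ComputerName; Class = $null; Name = $null
                           IsDefault = $null; Members = $null; Error = $_.Exception.Message }
    }
}

$targets   = Get-ADComputer -Filter 'Enabled -eq $true' | Select-Object -ExpandProperty Name
$inventory = foreach ($t in $targets) { Get-LocalSamInventory -ComputerName $t }

# Non-default principals, Administrators membership everywhere, and unreachable hosts.
$inventory | Where-Object { -not $_.Error -and -not $_.IsDefault } |
    Export-Csv -Path .\local-sam-nondefault.csv -NoTypeInformation
$inventory | Where-Object { $_.Class -eq 'Group' -and $_.Name -eq 'Administrators' } |
    Format-Table Computer, Members -Wrap
$inventory | Where-Object Error | Format-Table Computer, Error
```

Expect the Error column to be populated for machines that are off, firewalled, or where the caller is not a local administrator; the script records those rather than stopping, so one stale computer object does not abort the whole sweep.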
[ActiveDir] Kerberos Delegation
We have a developer who wants us to allow delegation for a couple of SQL servers and their service accounts so he can do distributed queries across linked servers. This is new ground for us from an AD perspective that I have just started researching and I'd like to hear other's thoughts, policies etc. We are at 2003 functional level so from what I read, we can allow constrained delegation which is much better than un-constrained but most of the comments I come across indicate this isn't something to be taken lightly, has serious security ramifications, policies should be in place etc etc.. I can find a reasonable amount of information from the developers point-of-view, and I can see how to implement it technically (I think) but not a whole lot from the AD admin's perspective, especially as it pertains to the desirability of allowing it and how best to manage it if it is allowed. Any info greatly appreciated. Bob List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Kerberos Delegation
Assuming that you are aware of what constrained delegation is, how it operates, and what it should be used for... That's the point of my query, I certainly don't understand all I know about it and we have never allowed it, at this point I have just begun to scratch the surface. I was totally uncomfortable when it was first proposed and threw up the stop sign. I'm getting less comfortable by the minute as I read more about it. I'm reading the Kerberos Protocol Transition and Constrained Delegation article and the Troubleshooting Kerberos Delegation white paper and like I said, trying to understand all I know about it ;-( Everyone's comments so far are immensely appreciated. Thanks Bob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric Sent: Tuesday, August 09, 2005 1:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Assuming that you are aware of what constrained delegation is, how it operates, and what it should be used for... Anytime you allow someone or something to impersonate, err, act on behalf of another security principal, there is always cause for concern. Constrained delegation certainly provides some flexibility in achieving this goal and fulfilling the applications need, but like any Domain Admin in your forest the developer and the application must be trusted. I would recommend clear documentation as to the architecture of the application, how and with what other systems it interoperates, and if you have the wherewithal (or can bring in someone who does) a code review to ensure that what is defined is accurate. I know this seems a little over-the-top, but we are talking about you accepting someone else walking around with my ID and saying he told me it was OK that I access fill in the blank on his behalf.
Regards, Aric Bernard -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Tuesday, August 09, 2005 1:07 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Kerberos Delegation We have a developer who wants us to allow delegation for a couple of SQL servers and their service accounts so he can do distributed queries across linked servers. This is new ground for us from an AD perspective that I have just started researching and I'd like to hear other's thoughts, policies etc. We are at 2003 functional level so from what I read, we can allow constrained delegation which is much better than un-constrained but most of the comments I come across indicate this isn't something to be taken lightly, has serious security ramifications, policies should be in place etc etc.. I can find a reasonable amount of information from the developers point-of-view, and I can see how to implement it technically (I think) but not a whole lot from the AD admin's perspective, especially as it pertains to the desirability of allowing it and how best to manage it if it is allowed. Any info greatly appreciated. Bob List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Kerberos Delegation
Aric- (Also trying to answer Joe K's questions) The developer owns all 3 of the SQL servers involved so he definitely has a vested interest in the integrity of the data on the SQL servers. SQL server runs under a domain service account only used on them. They just wanted me to create the SPN's for the domain account the service runs under and tick the Account is trusted for delegation on the service account and Computer is trusted for delegation on the SQL servers' machine accounts. Seemed to me the proper way would be to utilize Trust this computer for delegation to specified services only to set up the middle tier service account to be only able to talk to the back end SQL servers' services and configure the account to use constrained delegation without protocol transition by selecting Use Kerberos Only. It also seemed like only the middle tier needed to have the machine account trusted for delegation and, finally, that it would be better to run the backend server under a separate service account with its own SPN's. Am I close? Joe- Your point about the limiting the accounts by marking sensitive and cannot be delegated is well taken. As soon as I started looking at this can of worms, that occurred to me immediately. Thanks again Bob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric Sent: Tuesday, August 09, 2005 3:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Bob, As Rick and Joe mentioned, as far as allowing a system to do something on behalf of a user, constrained delegation is a pretty good solution. Your developers need as I understand it is as follows: User connects to a front application server (i.e. web server) and authenticates to that server using Kerberos. The application needs to be able to contact multiple different SQL servers to perform a distributed query.
If the application were to do this with a service account, the response to the query would likely contain all of the information that the service account had that matched the query - this might contain more or less information than the user making the request has access to. In addition the audit trail on the SQL server should reflect that the application server made the access to the SQL server as opposed to the user. Using constrained delegation, the application server is provided the capability to act as the user when interacting with the identified SQL servers (only). If done properly, the application server will be delegated in a manner that explicitly identifies the SQL servers Service Principal names (which include port numbers) associated with each SQL computers object in the directory. Therefore the application server CAN impersonate the user but under the constraint that it may only occur when communicating with the remote server/service/port as named in the delegation. In your case the risk should be relatively low so long as your developer has a vested interest in the integrity of the data on the SQL servers. The only abuse of this specific configuration that I can think of off the top of my head would be possibility for the developer to execute a stored procedure on the SQL server with more rights than he or she would typically have thereby gaining access to or altering data in the DB that they would otherwise not have access to. Now if your developer starts asking for constrained delegation from the application server to a DC, we should talk some more. :) Regards, Aric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Tuesday, August 09, 2005 2:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Assuming that you are aware of what constrained delegation is, how it operates, and what it should be used for...
That's the point of my query, I certainly don't understand all I know about it and we have never allowed it, at this point I have just begun to scratch the surface. I was totally uncomfortable when it was first proposed and threw up the stop sign. I'm getting less comfortable by the minute as I read more about it. I'm reading the Kerberos Protocol Transition and Constrained Delegation article and the Troubleshooting Kerberos Delegation white paper and like I said, trying to understand all I know about it ;-( Everyone's comments so far are immensely appreciated. Thanks Bob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric Sent: Tuesday, August 09, 2005 1:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Assuming that you are aware of what constrained delegation is, how it operates, and what it should be used for... Anytime you allow someone or something to impersonate, err, act on behalf of another security principal, there is always cause for concern. Constrained delegation certainly provides some flexibility in achieving
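The configuration Bob sketches (SPNs on the service accounts, the middle tier constrained to the back-end SQL SPNs only, "Use Kerberos only", and joe's point about marking privileged accounts sensitive) is below as an added example, not code from the thread, followed by the audit an AD admin wants afterwards: everything in the domain that can act on someone else's behalf, classified as unconstrained, constrained with protocol transition, or constrained Kerberos-only. It assumes the RSAT ActiveDirectory module and rights to write the accounts; account, host and SPN names are placeholders. One detail the thread circles around: when SQL runs under a domain account, the delegation settings belong to that account, because its key is what the client's service ticket is encrypted with; the computer account's "trusted for delegation" box does nothing for that service.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module;
# account, host and SPN names are placeholders.
Import-Module ActiveDirectory

$midTierSvc  = 'svc_sql_mid'                      # runs SQL on the server users connect to
$backEndSvc  = 'svc_sql_back'                     # runs SQL on the linked back-end servers
$midTierSpn  = 'MSSQLSvc/sql1.example.com:1433'
$backEndSpns = 'MSSQLSvc/sql2.example.com:1433', 'MSSQLSvc/sql3.example.com:1433'

# 1. SPNs go on the account the service runs as, not on the computer object.
Set-ADUser -Identity $midTierSvc -Add @{ servicePrincipalName = $midTierSpn }
Set-ADUser -Identity $backEndSvc -Add @{ servicePrincipalName = $backEndSpns }

# 2. "Trust this user for delegation to specified services only":
#    msDS-AllowedToDelegateTo is the complete list of services the middle tier
#    may obtain a ticket to in the caller's name.
Set-ADUser -Identity $midTierSvc -Replace @{ 'msDS-AllowedToDelegateTo' = $backEndSpns }

# 3. "Use Kerberos only": clear TRUSTED_TO_AUTH_FOR_DELEGATION (protocol
#    transition, 0x1000000) and make sure TRUSTED_FOR_DELEGATION (unconstrained,
#    0x80000) is not set either.
Set-ADAccountControl -Identity $midTierSvc -TrustedToAuthForDelegation $false -TrustedForDelegation $false

# 4. Accounts nobody should ever be able to impersonate get NOT_DELEGATED (0x100000),
#    the "Account is sensitive and cannot be delegated" checkbox.
Get-ADGroupMember -Identity 'Domain Admins' | Where-Object objectClass -eq 'user' |
    ForEach-Object { Set-ADAccountControl -Identity $_.distinguishedName -AccountNotDelegated $true }

function Get-DelegationAudit {
    # Every object in the domain that may act on someone's behalf, and how.
    $uacUnconstrained  = 0x80000
    $uacProtoTransition = 0x1000000
    $ldap = "(|(userAccountControl:1.2.840.113556.1.4.803:=$uacUnconstrained)" +
            "(userAccountControl:1.2.840.113556.1.4.803:=$uacProtoTransition)" +
            "(msDS-AllowedToDelegateTo=*))"
    Get-ADObject -LDAPFilter $ldap -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
        ForEach-Object {
            $uac = [int]$_.userAccountControl
            [pscustomobject]@{
                Name    = $_.Name
                Class   = $_.ObjectClass
                Mode    = if ($uac -band $uacUnconstrained)   { 'UNCONSTRAINED' }
                          elseif ($uac -band $uacProtoTransition) { 'constrained + protocol transition' }
                          else                                    { 'constrained, Kerberos only' }
                Targets = ($_.'msDS-AllowedToDelegateTo' -join ', ')
            }
        }
}

Get-DelegationAudit | Sort-Object Mode, Name | Format-Table -AutoSize
```

Domain controllers are trusted for unconstrained delegation by default and will show up as UNCONSTRAINED; anything else in that row, and any entry with protocol transition that nobody can justify, is what to chase. The service account in this configuration can still run a stored procedure as any connecting user against sql2 and sql3, which is the residual risk Aric describes; the constraint list is what keeps that from extending to a DC or a file server.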
RE: [ActiveDir] OT - The downfall of Novell and NetWare (was- Biggest AD Gripes)
Novell Schmovell, Banyan had their own hardware then too and they even had a _directory_. A real one, the 2x 3x Novell guys used to wonder how the servers talked to each other :-] I bet Gil has an old Banyan CNS in his museum... Besides, Novell couldn't touch Banyan in the Our-Marketing-Sucks department http://web.mit.edu/redelson/www/media/banad.pdf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Friday, August 05, 2005 4:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT - The downfall of Novell and NetWare (was- Biggest AD Gripes) Heh From a pure technical view, quite right. However - that's where I started - NetWare 2.0 (I mean the FIRST NetWare 2.0). I still remember the proprietary servers that they used to manufacture. However, what really killed Novell was not the brilliant technical ideas of Drew Majors (who, I still respect as a guy with real vision), but the Megalomania and obsessive behavior of Ray Noorda. Ray so envied Bill Gates that he was going to do anything to better Gates. This meant that Ray effectively lost focus of what Novell was all about in the interest of buying up products that he thought would better Microsoft. Hence, absolutely ridiculous amounts of money (OK, for that time it was ridiculous...) were spent for WordPerfect and ATT Unix, as well as other pieces that were picked up. But, the focus was lost, NT 4.0 caught on, and the Microsoft marketing machine paid no attention (outwardly, at least) to Noorda. They just went after the customers who had lost patience with the very badly off track NetWare. What was once a major player - and owned greater than 80% of the server market all but became a bit player overnight.
Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Friday, August 05, 2005 8:01 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes All great points, lets not forget the less than well-thought-out client they produced (current versions are better but still remain lesser integrated than that of Windows' native ability) ... utterly, utterly pathetic attempt. Arrogance and a distinct lack of marketing (when compared to the competition) was also a contributing factor IMO. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, August 05, 2005 7:22 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes I think there were a few very important reasons why Netware lost the battle. I remember when NT first shipped the mantra was, Netware is great for file and print and NT is great for applications. Netware NLMs were impossible to develop and that meant that folks either developed apps on NT or more likely Unix (at the time). Apps are sticky, file and print is not. Over time, as Windows ruled the desktop and people realized that file and print was commodity and that arguing about whether Netware was a better file and print server than NT became meaningless compared to better desktop/server integration, Novell lost out. Novell failed to keep up, in my opinion. The market was theirs to lose...and they lost it. Proof once again that great technology coupled with bad management is just as bad as bad technology. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Friday, August 05, 2005 5:05 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Biggest AD Gripes IMHO Novell lost out to MS due to the fact that Netware 3 was so clunky (ultra stable but diff to manage once you deployed more than ~100 servers). Netware 4/NDS had issues in its first version and quickly lost traction, leaving MS and NT to pick up the thread. It was for this reason that very few orgs deployed NDS across a large env - NDS was more than capable of supporting 100K users and the management/maintenance/support would have been far simpler than it was for NT. Once NT gained the upper hand, momentum took over and led us to where we are today. neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 05 August 2005 00:35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes Yeah, ADAM scared some folks in the widget factory as well. On the positive side, it can register in AD so you can chase them down that way via their SCPs. If they don't register, well then that will be fun to chase as it will be like trying to find rogue AD's, network scanning but even worse, any port can be used... If all machines are part of a domain or forest, you could set up policies to block the running of the ADAM binaries I guess. I like AD/AM more from the standpoint that I think it can hint as to where AD will go. What is the
RE: [ActiveDir] Remove user rights
NTRIGHTS will probably do it for you. http://support.microsoft.com/?kbid=315276 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Thursday, August 04, 2005 2:02 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Remove user rights Is there a way thru script to remove an accounts user rights from a local policy on a machine without affect other accounts or groups that have that same right? For instance. Ensure that ASPNET account does not have login as a service, login as batch job user rights. But I don't want to affect any other accounts that may have that right. I know I could go in and manually edit the local policy but looking to do this in a batch file or something so I can ensure that all drives are built the same. Jeff List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
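Jeff's requirement (take one account off "Log on as a service" and "Log on as a batch job" while every other holder of those rights stays) is what ntrights.exe does with "ntrights -u ASPNET -r SeServiceLogonRight". The script below is an added example, not code from the thread, doing the same with secedit alone, which is on every box: export the user-rights area, drop the one principal from the two lines, import the file back. It assumes an elevated session and that the account name is a placeholder; secedit writes principals as *SID but older exports can carry bare names, so both forms are matched.

```powershell
# Added example, not from the thread. Run elevated; the account and the rights
# below are placeholders for the ones you need to trim.
$account = "$env:COMPUTERNAME\ASPNET"
$rights  = 'SeServiceLogonRight', 'SeBatchLogonRight'

$work = Join-Path $env:TEMP 'userrights'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$cfg = Join-Path $work 'rights.inf'
$db  = Join-Path $work 'rights.sdb'

# secedit stores principals as *SID; resolve the account so we match either form.
$sid = (New-Object System.Security.Principal.NTAccount($account)).
           Translate([System.Security.Principal.SecurityIdentifier]).Value

function Remove-RightHolder {
    # Rewrites "<Right> = a,b,c" without the given principal and leaves every
    # other line, and every other holder of the right, untouched.
    param([string[]]$Lines, [string]$Right, [string]$Sid, [string]$Account)
    $shortName = ($Account -split '\\')[-1]
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Right\s*=\s*(.*)$") {
            $kept = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object {
                $_ -ne '' -and $_ -ne "*$Sid" -and $_ -ne $Account -and $_ -ne $shortName
            })
            "$Right = " + ($kept -join ',')     # empty right-hand side means "nobody"
        } else {
            $line
        }
    }
}

# 1. Export only the user-rights area (the file is UTF-16; Get-Content honours the BOM).
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $cfg

# 2. Edit the two lines in memory.
foreach ($r in $rights) {
    $lines = Remove-RightHolder -Lines $lines -Right $r -Sid $sid -Account $account
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode   # secedit expects a Unicode INF

# 3. Apply it; unchanged lines re-apply their current holders, so nothing else moves.
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

# 4. Show the result for the rights we touched.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content -Path $cfg | Where-Object { $_ -match ('^(' + ($rights -join '|') + ')\s*=') }
```

If the account never held a right, its line is emitted unchanged; if a right line is absent from the export, nothing is written for it, which secedit treats as "leave as is". Keep the exported INF from step 1 as the rollback copy.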
RE: [ActiveDir] End-to-End AD Authentication
Scott- One paper I found very illuminating was Windows 2000 Authentication: Under The Hood by Jan De Clercq from what was then Compaq. It's getting a bit long in the tooth but there's still a link to it at the bottom of this page- http://h71019.www7.hp.com/ActiveAnswers/cache/70499-0-0-0-121.aspx There's also some great material in Mission-Critical Active Directory he wrote with Micky Balladelli. I see he has a new book called Windows Server 2003 Security Infrastructures : Core Security Features that I was unaware of. Based on what I have seen of his past work, I'd be willing to bet it's pretty awesome. Has anyone here read it? Darren Mar-Elia also wrote an article that I found to be an excellent summary of the login process- AD Network Interactions: http://www.windowsitpro.com/Article/ArticleID/37928/37928.html?Ad=1 hth Bob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott Sent: Tuesday, August 02, 2005 4:34 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] End-to-End AD Authentication Are there some white papers or some other resources that you guys would recommend to give me an in-depth analysis of the Active Directory authentication process end-to-end? Specifically, I want to understand how things like DNS/WINS, Kerberos, NTLM, etc. play a role. Ultimately, I'm looking for a complete picture of authentication for both users and groups, including everything from how/when GPOs are processed during authentication to Kerberos/NTLM authentication to how DNS and WINS play a role. I'll say up front that I don't necessarily expect this to be in a single document. But if anyone has some good articles or books to refer me to that will give me a start, I'd appreciate it.
Scott List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Urgh... troubleshooting....
Michel- Care to elaborate? We have 8.0i in the lab and I haven't noticed any ill effects on the DC's but this certainly caught my eye as we are scheduled to move it over to production soon. Thanks Bob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Friday, July 29, 2005 1:22 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Urgh... troubleshooting May look strange but are you running McAfee 8.0i?? Got someone that had something similar and the TDI driver of VS8 was the culprit... -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of vex Sent: Friday, July 29, 2005 4:15 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Urgh... troubleshooting Greetings, I've been a lurker here for quite some time and have had a relatively quiet AD until recently. We have a small network with 2K servers and a mix of 2K and XP2 workstations. Until recently, everything was fine. Then Something Happened. I'm not sure what started the ball rolling, but it's certainly rolling now. I have one server that is listed in the AD and DNS as a DC, but it won't replicate AD either direction. I've spent a couple of hours doing some web surfing and initial troubleshooting, but I've had less than stellar success. (at one point in time it was working fine, since I have a lot of older AD information on the problem server) I've run DnsLint and all the DNS entries look good. When I do a 'net view \\servername' from the DC that does not have up to date AD information, I get a message back, access denied, and a corresponding entry in the security log about a failure audit of the server I'm attempting to view. But when I do the same thing and use an IP address instead of a server name, the net view information displays. Another symptom is printer connections and drive mapping.
If I'm at the server with the out of date AD information, I'm getting an 'access denied' message when attempting to connect to a network printer or map a network drive. All of the steps outlined above work fine when initiated from any of the other servers. It's almost like the server with the out of date AD information is allowing access, but the rest of the servers in the organization won't let *that* particular server have access to any domain related stuff, such as printers and network shares. I can't even run dcpromo and remove AD from the affected server because it asks for some sort of authorization from other DC's located in the organization, but the other DC's won't allow it to access information. I'm assuming it's trying to tell the other DC's to remove any pertinent entries from the AD in regards to the server that's attempting to have it's AD removed Does anyone have any links to places I can continue to search for troubleshooting information? --Brett List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] 2003 domain controller rename
Mike- The process went fine. After the change, I did have to make the change that Jorge mentioned as referenced in http://support.microsoft.com/default.aspx?scid=kb;en-us;316826 (Thanks Jorge) You Must Rename the SYSVOL Member Object to Rename a Windows Server 2003 Domain Controller

Any of the lessons learned were mostly unique to our environment, E.G.- Some 3rd party management agents didn't like the rename and had to be reinstalled. We use BIND so some adjustments had to be made to allow DDNS updates for the new hostname. I was planning on using netdom all along so, in that sense, I followed Dean's advice as well. It was very comforting that he didn't weigh in with any gotchas other than that :-)

So basically what I did was follow- http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/aad1169a-f0d2-47d5-b0ea-989081ce62be.mspx

1] netdom computername CurrentComputerName /add:NewComputerName
   Ensure the computer account updates and DNS registrations are completed
2] netdom computername CurrentComputerName /makeprimary:NewComputerName
3] Restart the computer.
4] netdom computername NewComputerName /remove:OldComputerName

Before 1] I verified the DC's health, DS and FRS replication, recorded the SRV records and SPN's etc
After 1] I verified the expected SRV records were in DNS and ensured that msDS-additionalDnsHostName and msDS-AdditionalSamAccountName attributes were replicated to all the other DC's.
After the remainder of the steps, I verified all the old DNS records, additional names etc were gone, SPN's were proper, rechecked replication etc and renamed the SYSVOL Member Object as outlined in the KB.

Bob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, July 22, 2005 7:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 domain controller rename

Back on May 12, Bob Free asked about any caveats regarding renaming a 2003 Domain Controller. Dean Wells and Jorge de Almeida Pinto responded (http://www.mail-archive.com/activedir@mail.activedir.org/msg28532.html). We are ready to embark on a similar path. I wonder how Bob Free's exercise went and if there were any lessons learned? (Sorry, Bob, I wanted to send this directly to you but I couldn't find your email address.) Thanks!

Mike Thommes
RE: [ActiveDir] computer description in AD vs. computer description in My Computer/Properties
These two descriptions seem to be unrelated to each other.

They are unrelated, well relatively unrelated :-] One is an AD attribute (description) of the computer account and the other is a value of the system's local registry (srvcomment) in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters that is used primarily in the browse list. You could match them up somehow programmatically if it was deemed that important.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, July 14, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] computer description in AD vs. computer description in My Computer/Properties

These two descriptions seem to be unrelated to each other. Has anyone ever tried to tie them together?

Mike Thommes
RE: [ActiveDir] computer description in AD vs. computer description in My Computer/Properties
I also think there was an old gotcha

When you use net config server it mucks with autotuning of the server service, at least it did through W2K. Don't know if that has changed since W2K.

Server Service Configuration and Tuning
http://support.microsoft.com/?kbid=128167

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, July 14, 2005 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] computer description in AD vs. computer description in My Computer/Properties

One is the description for the browse list, while the other is the AD description seen in ADUC, etc... I usually set them both to be the same thing [manually], but I suppose you're asking if one tool can set them both at the same time? Possibly can script it with ADMOD for the AD side and net config server for the browse list. That might not be exactly what you're after, and I also think there was an old gotcha to configuring LANMANSERVER using that 'net' command. Can't think of it at the moment.

-DaveC
Reuters IST Service Delivery

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, July 14, 2005 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: [spam] [ActiveDir] computer description in AD vs. computer description in My Computer/Properties

These two descriptions seem to be unrelated to each other. Has anyone ever tried to tie them together?

Mike Thommes

- Visit our Internet site at http://www.reuters.com To find out more about Reuters Products and Services visit http://www.reuters.com/productinfo Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
RE: [ActiveDir] computer description in AD vs. computer description in My Computer/Properties
DC's were missing from the browse list but as soon as I removed the computer description they came back

Was the description 48 characters? That can cause the master browser to reject the announcement datagram.
http://support.microsoft.com/default.aspx/kb/231312/EN-US/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, July 14, 2005 3:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] computer description in AD vs. computer description in My Computer/Properties

From the aforementioned article could I have this explained please?

The Server service supports information levels that let you set each parameter individually. For example, the command NET CONFIG SRV /HIDDEN uses information level 1016 to set just the hidden parameter. However, NET.EXE queries and sets information levels 102 (hidden, comment, users, and disc parameters) and 502. As a result, all parameters in the information level get permanently set in the Registry. SRVMGR.EXE and the Control Panel Server query and set only level 102 (not level 502) when you change the server comment. Administrators wishing to hide Windows computers from the browse list or change the autodisconnect value should make those specific changes using REGEDT32.EXE instead of the command line equivalents discussed above. The server comment can be edited using the description field of the Control Panel Server applet or Server Manager.

The reason for asking is this sort of fits in with an earlier post that I had to the list (see below) where my DC's were missing from the browse list but as soon as I removed the computer description they came back.

/SNIP
On 5/9/05, Mark Parris [EMAIL PROTECTED] wrote:
All, I have a domain with a forest root (AD1) and two child domains (AD2 AD3). When I browse AD1 and AD2, no domain controllers are listed under Microsoft windows network\domain name. Yet under AD3 I can see all domain controllers with no issue. I have run all the normal troubleshooting tools and I am at a loss as what to try next, can anyone please suggest anything?
/SNIP

Many Thanks
Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: 14 July 2005 23:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] computer description in AD vs. computer description in My Computer/Properties

I also think there was an old gotcha

When you use net config server it mucks with autotuning of the server service, at least it did through W2K. Don't know if that has changed since W2K.

Server Service Configuration and Tuning
http://support.microsoft.com/?kbid=128167

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, July 14, 2005 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] computer description in AD vs. computer description in My Computer/Properties

One is the description for the browse list, while the other is the AD description seen in ADUC, etc... I usually set them both to be the same thing [manually], but I suppose you're asking if one tool can set them both at the same time? Possibly can script it with ADMOD for the AD side and net config server for the browse list. That might not be exactly what you're after, and I also think there was an old gotcha to configuring LANMANSERVER using that 'net' command. Can't think of it at the moment.

-DaveC
Reuters IST Service Delivery

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, July 14, 2005 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: [spam] [ActiveDir] computer description in AD vs. computer description in My Computer/Properties

These two descriptions seem to be unrelated to each other. Has anyone ever tried to tie them together?

Mike Thommes
RE: [ActiveDir] joining to a domain
1-No, up to their quota they can add
2-Yes
3- You can allow the user right add workstations to the domain but it would be much preferred to delegate more discretely. You can get discrete with delegwiz [1] but I don't remember the details because we've been doing it with ActiveRoles for so long.
4-Both

[1] Jorge put up a nice description very recently in the 'Permission to Join a pc to domain' thread

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, July 08, 2005 1:48 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] joining to a domain

i have a couple of questions about the attribute ms-DS-MachineAccountQuota that allows auth users to join 10 workstations to a domain
1. Do these computer accounts have to already be precreated in AD or can any user do a create/join?
2. I assume the user still has to be a local admin to change the domain in the system applet on the workstation?
3. Is this a valid way to allow certain users to join workstations or should you use a gpo or delegation wizard? which is the preferred method? I read somewhere that you shouldn't use the gpo method but i forget why.
4. does this right apply to member servers too or just workstations?

thanks. sorry for all the questions
RE: [ActiveDir] Security permissions on user object
It sounds like it's the adminSDHolder behavior that's getting you. Are the users members of any of the other protected groups? It varies across versions, IIRC 2003 added more groups. The articles below should help point in the right direction.

http://support.microsoft.com/default.aspx?scid=kb;en-us;318180
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, June 08, 2005 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security permissions on user object

We migrated all our users from an NT4 domain to our AD domain. Anyone who was in "Domain Admins" on our NT4 domain got migrated into "Domain Admins" on our AD domain. We took them out of Domain Admins on our AD domain, but their accounts are inheriting the permissions like a normal user inherits. Whenever someone who is NOT a domain admin tries to reset a password or modify any properties of these migrated "Domain Admins" who are no longer Domain Admins, they are denied access.

If I open up one of these users, they are not inheriting the permissions on their user object like every other normal user does. If I open their account and go to the object security the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." box is not checked like every other user. If I check the box, others are temporarily able to modify that former domain admin's account, but eventually, the box is unchecked again and they inherit their old security on their user object and it's broken again.

I know that I once read that this is by design, but how the heck do I fix these users once and for all?

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
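The question Bob's reply raises (is the account still a member, directly or through nesting, of a protected group?) is the one that decides whether the inheritance checkbox will keep clearing itself. As an added example, not code from the thread or from any poster, the Python below runs that check over constructed data. SDProp stamps the AdminSDHolder ACL onto members of protected groups, disables inheritance and sets adminCount=1; it never reverses that when the account leaves the group, so an account with adminCount=1 and no protected membership left is the one to clean up by hand (clear adminCount, re-enable inheritance), whereas an account still nested somewhere under a protected group will be re-stamped on the next pass. The group list is the Windows Server 2003 set and is an assumption to adjust per OS version, as the reply notes; the account and group names are constructed.

```python
from collections import deque

# Groups whose members SDProp protects. This is the Windows Server 2003 set
# and is an assumption for this example; the list differs between releases.
PROTECTED_GROUPS = frozenset({
    "Administrators", "Account Operators", "Server Operators",
    "Print Operators", "Backup Operators", "Replicator",
    "Domain Admins", "Domain Controllers", "Enterprise Admins", "Schema Admins",
})


def transitive_groups(principal, member_of):
    """All groups a principal belongs to, following nested membership.

    member_of maps a user or group name to the set of groups it is a direct
    member of (the memberOf attribute flattened to names). Cycles are safe.
    """
    seen = set()
    queue = deque(member_of.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of.get(group, ()))
    return seen


def classify_account(name, admin_count, member_of):
    """Explain the state of one account's ACL.

    Returns one of:
      ("protected", [groups])  still under a protected group: SDProp will keep
                               re-applying the AdminSDHolder ACL
      ("orphaned", [])         adminCount=1 but no protected membership left:
                               clear adminCount and re-enable inheritance
      ("normal", [])           nothing to do
    """
    protected = sorted(transitive_groups(name, member_of) & PROTECTED_GROUPS)
    if protected:
        return ("protected", protected)
    if admin_count:
        return ("orphaned", [])
    return ("normal", [])


def audit(accounts, member_of):
    """accounts: iterable of (sAMAccountName, adminCount) pairs."""
    return {name: classify_account(name, count, member_of) for name, count in accounts}


if __name__ == "__main__":
    # Constructed sample: a help-desk group nested in Account Operators, and a
    # migrated ex-Domain Admin removed from the group but still carrying
    # adminCount=1 and a non-inheriting ACL.
    MEMBER_OF = {
        "alice": {"Helpdesk"},
        "Helpdesk": {"Account Operators"},
        "bob": {"Sales"},
        "carol": set(),
    }
    for name, verdict in audit([("alice", 1), ("bob", 1), ("carol", 0)], MEMBER_OF).items():
        print(name, verdict)
```

Run against real data, member_of would be filled from memberOf of every user and group in the domain; the nested walk matters because SDProp evaluates membership transitively, which is why an account can be "protected" without appearing in any protected group's member list directly.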
RE: [ActiveDir] lastlogontimestamp
Where can I get the acctinfo2.dll?

On someone here's suggestion, I just asked our TAM for it and an engineer sent it to me.

Excerpt from instructions-

One of the most common problems reported with the original version of ACCTINFO.DLL, was the fact that it didn't appear as an option when users were returned as the result of a query. The reason for this is that version 1 was a property page extension, and it was only available when you navigated to a user and selected them. The new version, version 2, is a Display Specifier. This requires a DLL be registered (like a normal COM component) and the Display specifier for the locale you are in to be updated in the configuration container. The LDAP path to this object is:
CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=ocean,DC=com
To allow ACCTINFOV2.DLL to load when a user is returned from a search, either the LDAP path above needs to be updated (recommended) or if updating the forest-wide configuration container is not possible, you may be able to hijack another control. (to get it to run on an individual machine)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp

Hi Andrew
Where can I get the acctinfo2.dll? Would be nice to have :)
Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gould, Andrew D.
Sent: Saturday, May 28, 2005 2:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp

I have seen the same discrepancy. There is a newer dll (acctinfo2.dll) available now. I don't know if it rectifies this particular issue, but it does allow the Additional Account Info tab to appear in a users properties that was returned as a result of a query.

Andrew Gould

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Robin
Sent: Friday, May 27, 2005 2:31 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] lastlogontimestamp

Hi. Our domain is at the Windows 2003 server functional level. I have registered acctinfo.dll from the 2003 resource kit and have the Additional Account Info tab in ADUC. I am finding a big discrepancy between the lastlogontimestamp date on the Additional Account Info tab and the actual lastlogontimestamp date. For example, John Doe shows a lastlogontimestamp of 11/23/04 in ADUC. However, if I execute the following script:

    ' lastLogonTimestamp is a 64-bit FILETIME returned as an IADsLargeInteger
    Set objUser = GetObject("LDAP://cn=John Doe, ou=MOET (g14), ou=Field Users, ou=LWD Accounts, dc=njdol, dc=ad, dc=dol")
    Set objLastLogon = objUser.Get("lastLogonTimestamp")
    ' Combine HighPart/LowPart into 100-nanosecond intervals since 1/1/1601
    intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart
    ' 100-nanosecond intervals -> minutes -> days
    intLastLogonTime = intLastLogonTime / (60 * 10000000)
    intLastLogonTime = intLastLogonTime / 1440
    ' Add the day count to the FILETIME epoch to get a date
    WScript.Echo "Last logon time: " & intLastLogonTime + #1/1/1601#

(code was taken from here: http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx)

I get a much more current date (5-25-05). This is happening with more than one user. Any explanation for why this happens? I've done a lot of reading this week and I understand that the lastlogontimestamp field could be off by 7-10 days but this is several months.

Thanks,
Robin
NJDOL

This e-mail and any files transmitted with it, are confidential to National Grid and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error, please reply to this message and let the sender know.
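As an added example that is not part of the thread, the Python below performs the same conversion as Robin's VBScript but in integer arithmetic: it reassembles the HighPart/LowPart pair ADSI returns (masking LowPart, which ADSI exposes as a signed 32-bit value and which the VBScript form mishandles when the sign bit is set), turns the 100-nanosecond count into a UTC datetime, and flags accounts whose stored value is older than a chosen threshold, which is what lastLogonTimestamp is normally read for. The attribute is only written back to the directory when the existing value is older than msDS-LogonTimeSyncInterval (14 days by default), so any age computed from it can read low by up to that interval. Account names and timestamp values are constructed.

```python
from datetime import datetime, timedelta, timezone

# AD stores lastLogonTimestamp (like pwdLastSet and lastLogon) as a Windows
# FILETIME: 100-nanosecond intervals since 1601-01-01 00:00:00 UTC, held in a
# 64-bit LargeInteger that ADSI hands back as a HighPart/LowPart pair.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
TICKS_PER_DAY = 24 * 60 * 60 * TICKS_PER_SECOND


def large_integer_to_ticks(high_part: int, low_part: int) -> int:
    """Rebuild the 64-bit value from IADsLargeInteger.HighPart/LowPart.

    LowPart arrives as a signed 32-bit LONG, so it is masked before use;
    HighPart * 2^32 + LowPart (the VBScript form) is wrong whenever LowPart
    is negative.
    """
    return (high_part << 32) | (low_part & 0xFFFFFFFF)


def filetime_to_datetime(ticks: int):
    """Convert FILETIME ticks to an aware UTC datetime; 0 means 'never set'."""
    if ticks <= 0:
        return None
    # Integer microseconds keep full precision; the VBScript's floating-point
    # day fractions do not.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_to_iso(ticks: int):
    dt = filetime_to_datetime(ticks)
    return None if dt is None else dt.strftime("%Y-%m-%d %H:%M:%S")


def days_since(ticks: int, as_of_ticks: int) -> int:
    """Whole days between a stored FILETIME and a reference FILETIME."""
    return (as_of_ticks - ticks) // TICKS_PER_DAY


def stale_accounts(accounts, as_of_ticks, max_age_days=90):
    """Return (sAMAccountName, days) for accounts not seen within max_age_days.

    accounts: iterable of (sAMAccountName, HighPart, LowPart) as read through
    ADSI. An account with no timestamp at all is reported with days=None.
    """
    result = []
    for name, high, low in accounts:
        ticks = large_integer_to_ticks(high, low)
        if ticks == 0:
            result.append((name, None))
        else:
            age = days_since(ticks, as_of_ticks)
            if age > max_age_days:
                result.append((name, age))
    return result


if __name__ == "__main__":
    # Constructed sample: 2005-05-25 00:00 UTC as a FILETIME, split into the
    # HighPart/LowPart pair ADSI would return, plus a never-logged-on account.
    T = 127614528000000000
    sample = [("jdoe", T >> 32, T & 0xFFFFFFFF), ("svc-legacy", 0, 0)]
    print(filetime_to_iso(T))
    print(stale_accounts(sample, T + 100 * TICKS_PER_DAY))
```

The sign handling is the part worth keeping: whenever the low 32 bits of the FILETIME happen to have bit 31 set, ADSI's LowPart is negative and the HighPart * 2^32 + LowPart arithmetic is off by exactly 2^32 ticks, which shows up as a date about seven minutes early.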
RE: [ActiveDir] TR : Global catalog Infrastructure Master.
Try http://redmondmag.com/columns/article.asp?EditorialsID=403

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Tuesday, May 24, 2005 2:00 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] TR : Global catalog Infrastructure Master.

Hi tony :-) I would love to complete my formation with your article but your link you mailed me seems to be dead :(

Regards, Yann

From: [EMAIL PROTECTED] on behalf of Tony Murray
Date: Tue. 24/05/2005 22:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TR : Global catalog Infrastructure Master.

Hi Yann

The following article provides a reasonable explanation of the role of the Infrastructure Master:
http://redmondmag.com/columns/article.asp?EditorialsID=403

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, 25 May 2005 7:37 a.m.
To: Jorge de Almeida Pinto; [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] TR : Global catalog Infrastructure Master.

Ok thanks for the good links :-)) I must apologize (again ;-), but i missed something... Just for my comprehension: I have 2 domains a and b. I add usera in groupa on DCa in domaina. DCa will create a phantom object which is the reference of userb. right ? No, if i delete or modify userb on domainb, the phantom must be updated in my groupa on my DCa. So it's the job of the IM on domaina to compares updated information on GCa. IM will then updated the phantom on DCa and the world goes on :-) But there is one thing i didn't understand yet. sorry :-( If DCa is IM+GC, then the IM can not compares and update information about the phantom because it has the latest information, so DCa will then update userb in groupa.. right ? and this change will be replicate to all DCs and GCs of the forest ? So what's wrong for placing IM on DC which is GC ?

Regards, Yann

From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Date: Tue. 24/05/2005 20:13
To: TIROA YANN; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] TR : Global catalog Infrastructure Master.

Hi,

For more info on the infrastructure master see Phantoms, Tombstones and the Infrastructure Master (http://support.microsoft.com/?id=248047)

In both W2K and W2K3 AD.. the following rules apply:
* if you have only one domain - make all DCs also GCs as there is no additional overhead
* if you have more than one domain in the forest - for each domain in the forest do not place the infrastructure master on a GC if you have at least another DC in that same domain that is not a GC also!

In all cases: if all DCs = GCs there is no issue concerning the infrastructure master.

In W2K, replication (for DCs/ for GCs) was/is of more importance because when a group membership changed the complete members attribute got replicated. This could be a pain, especially for universal groups
In W2K3, replication (for DCs/ for GCs) is of less importance because as soon as you get to forest functional level windows 2003 you get linked value replication which simply means that only the new member replicates... so less impact! LVR also applies to other multi-valued attributes

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 7:57 PM
Subject: [ActiveDir] TR : Global catalog Infrastructure Master.

Hello :-) Just a question concerning the placement of the global catalog (GC) and the Infrastructure Master (IM) on a DC. Microsoft said not to place the IM on a DC that is already a GC... Why? and should it be true for an AD 2003 forest with only one domain ?

Regards, Yann

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Adding 2000 terminal license server to domain
You can not add the license server to the domain after the fact, the system must be a member of the domain when you install the licensing service so it can write its objects to AD for the discovery mechanism. Additionally, I am fairly sure you can not run a 2000 licensing service in a 2003 domain.

The requirement to run the licensing service on a Domain Controller has been removed in 2003 (although personally I prefer to run it on a DC). You can now run the Terminal Services Licensing service on either member servers or domain controllers. If the service runs on a member server, you must implement and maintain the LicenseServers registry key on each Terminal Server because the discovery process cannot locate it.

My advice would be choose the mode that best fits your need (enterprise or domain), install it on one of the 2003 DC's and reactivate your licenses. It's a fairly painless process. The 2003 service will dish out licenses to 2000 TS just fine. The load on the DC is negligible and unless you have a very large organization with complex internal license ownership issues, this is the simplest solution IME.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Cox
Sent: Friday, May 20, 2005 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding 2000 terminal license server to domain

I am attempting to add a Terminal 2000 license server (also acts as the terminal server) to a 2003 domain. Once the server is added to the domain it fails to recognize itself as a licensing server and no longer allows remote access. How does one go about adding a license server to a domain? Any help is appreciated.

Dan Cox
RE: [ActiveDir] Access denied connecting to remote Event Logs
You don't mention if you can view the logs on the 2003 box from its own console but absent that info, I'll take a stab at it anyway

Check that the account isn't a member of Guests, there is an explicit deny in 2003 for Guests. At the risk of incurring joe's wrath, whoami /groups works nicely as a starting point :-)

This problem could also be caused by an administrator adding a group containing a broad category of users (such as the Everyone, INTERACTIVE, OR Authenticated users group) to the Guests group.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, May 20, 2005 7:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] "Access denied" connecting to remote Event Logs

I have 2 DCs in a [test] domain - one w2k sp3, the other w2k3 sp0. The domain is w2k native. I am logged on to both DCs using an account which is a member of domain admins.

If I connect to the event viewer on the w2k DC from the w2k3 DC, no problem. If I connect to the event viewer on the w2k3 DC from the w2k DC, I receive 'access denied'.

Domain Admins have the right to "logon locally", "manage auditing and sec logs" and "access this computer from the network" (all set via GPO)

Which setting / policy should I check or change to fix this issue?

Thanks in advance,
neil

== This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, Credit Suisse, its subsidiaries and affiliates (CS) do not waive any confidentiality or privilege. CS retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CS until they are confirmed by us. Message transmission is not guaranteed to be secure. ==
RE: [ActiveDir] Windows 2000 terminal services again
The latter is a device that doesn't have a built-in license... IOW- A downlevel OS or client such as a 9x box that has to have a license issued.

Existing Windows 2000 license which says built-in is a 2000 machine that has the builtin license by nature of the OS, a license is tracked but not issued by the service in the classic sense, IOW- It doesn't decrement the licenses you installed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 20, 2005 1:39 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Windows 2000 terminal services again

Under terminal server license tool, I have 2 entries- Existing Windows 2000 license which under type says built-in and Windows 2000 server - Terminal server cal token(per-device) of which the type is open. What are the differences between the 2?

Thanks
RE: [ActiveDir] Windows 2000 terminal services again
If it is a 2000 TS, the XP and 2000 have a builtin license, there is no grace period really once they contact the license server and it confirms them. The temporary license is only granted initially. The only time the builtin license will expire is if the client can't contact a license server. They won't use the CALs you installed which are the ones that appear as Terminal server cal token(per-device) because they don't need one by nature of their OS level

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 20, 2005 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Windows 2000 terminal services again

I installed real licenses from MS on this server. Where would they be. All my clients are using the built in ones and some are way past the grace period(90 days? 120 days?) and still working. All my clients are win2k and xp...

Thanks
--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
RE: [ActiveDir] KDC error
How can I find out which servers are using this spn?

I usually use ldp to locate it and setspn to delete the offender.
http://support.microsoft.com/default.aspx?scid=kb;en-us;321044

Why does this occur?

Sql DBA's are squirrelly? Sorry, but that's what I usually blame it on.

Can it really screw things up?

I usually only see it cause problems for the SQL servers having the duplicate names. I've seen other apps register dupe spns but the majority of the time it's SQL. Easy to remedy.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 18, 2005 8:25 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] KDC error

I got this error on my GC-

Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 11
Date: 5/18/2005
Time: 11:07:36 AM
User: N/A
Computer: GCServer
Description: There are multiple accounts with name MSSQLSvc/servername.domain.tld:1433 of type 10. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

How can I find out which servers are using this spn? LDP.exe? What's the syntax? Why does this occur? Can it really screw things up?

Thanks a lot
RE: [ActiveDir] KDC error
Tom-

If you don't want to use ldp as outlined in the KB, this works for me :-)

Watch for wrapping...

adfind -gc -b "" -f "(&(objectcategory=computer)(serviceprincipalname=MSSQLSvc/servername.domain.tld.com:1433))" -dn

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, May 19, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] KDC error

> How can I find out which servers are using this spn?

I usually use ldp to locate it and setspn to delete the offender.
http://support.microsoft.com/default.aspx?scid=kb;en-us;321044

> Why does this occur?

Sql DBA's are squirrelly? Sorry, but that's what I usually blame it on.

> Can it really screw things up?

I usually only see it cause problems for the SQL servers having the duplicate names. I've seen other apps register dupe spns but the majority of the time it's SQL. Easy to remedy.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 18, 2005 8:25 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] KDC error

I got this error on my GC-

Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 11
Date: 5/18/2005
Time: 11:07:36 AM
User: N/A
Computer: GCServer
Description:
There are multiple accounts with name MSSQLSvc/servername.domain.tld:1433 of type 10.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

How can I find out which servers are using this spn? LDP.exe? What's the syntax?
Why does this occur?
Can it really screw things up?

Thanks a lot
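The adfind query above finds the accounts holding one known SPN. As an added example (not from the thread or from joeware), the PowerShell below generalises it: it walks every servicePrincipalName in the Global Catalog and reports any value registered on more than one account, which is exactly the condition behind KDC event 11. It assumes the ActiveDirectory module and that the first GC returned by Get-ADForest is reachable on port 3268.

```powershell
# Added example, not from the thread: report SPNs that appear on more than one
# account anywhere in the forest. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    param(
        # Optional prefix such as 'MSSQLSvc/' to narrow the report; default checks all SPNs
        [string]$Prefix = ''
    )
    $forest = Get-ADForest
    # Any GC will do; the GC port (3268) lets one query cover every domain in the forest
    $gc = ($forest.GlobalCatalogs | Select-Object -First 1) + ':3268'

    $filter = if ($Prefix) { "(servicePrincipalName=$Prefix*)" } else { '(servicePrincipalName=*)' }
    # Empty search base is allowed for GC searches; users (service accounts) and
    # computers both carry SPNs, so no objectCategory restriction here
    $accounts = Get-ADObject -Server $gc -SearchBase '' -LDAPFilter $filter `
                             -Properties servicePrincipalName

    $index = @{}   # SPN (lower-cased) -> list of distinguishedNames that hold it
    foreach ($acct in $accounts) {
        foreach ($spn in $acct.servicePrincipalName) {
            $key = $spn.ToLowerInvariant()
            if (-not $index.ContainsKey($key)) {
                $index[$key] = New-Object System.Collections.ArrayList
            }
            [void]$index[$key].Add($acct.DistinguishedName)
        }
    }

    # One SPN on several accounts is what the KDC logs as event 11
    foreach ($entry in $index.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{
                SPN      = $entry.Key
                Count    = $entry.Value.Count
                Accounts = ($entry.Value -join '; ')
            }
        }
    }
}

Find-DuplicateSpn -Prefix 'MSSQLSvc/' | Format-Table -AutoSize
```

Once the report names the account that should not hold the SPN, the fix is the one Bob describes: remove it from that account with setspn (setspn -D) rather than from the server that actually runs the service.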
RE: [ActiveDir] KDC error
The joeware shine will never wear off :o)

I sent that way too quick before the caffeine kicked in, damn ctl-enter bites me again.. I meant to say I *used* to use ldp like outlined in the KB before I knew better

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 19, 2005 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] KDC error

Phew, I got worried when your previous post said LDP instead of adfind/admod. Thought my shine was wearing off. :o)

Oh, BTW, updated ADMOD was released last night. If anyone finds any issues let me know.
http://blog.joeware.net/cat/updates/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, May 19, 2005 12:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] KDC error

Tom-

If you don't want to use ldp as outlined in the KB, this works for me :-)

Watch for wrapping...

adfind -gc -b "" -f "(&(objectcategory=computer)(serviceprincipalname=MSSQLSvc/servername.domain.tld.com:1433))" -dn

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, May 19, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] KDC error

> How can I find out which servers are using this spn?

I usually use ldp to locate it and setspn to delete the offender.
http://support.microsoft.com/default.aspx?scid=kb;en-us;321044

> Why does this occur?

Sql DBA's are squirrelly? Sorry, but that's what I usually blame it on.

> Can it really screw things up?

I usually only see it cause problems for the SQL servers having the duplicate names. I've seen other apps register dupe spns but the majority of the time it's SQL. Easy to remedy.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 18, 2005 8:25 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] KDC error

I got this error on my GC-

Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 11
Date: 5/18/2005
Time: 11:07:36 AM
User: N/A
Computer: GCServer
Description:
There are multiple accounts with name MSSQLSvc/servername.domain.tld:1433 of type 10.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

How can I find out which servers are using this spn? LDP.exe? What's the syntax?
Why does this occur?
Can it really screw things up?

Thanks a lot
RE: [ActiveDir] Audit Collection Services
The last communication I heard from the product group late last year was that the forwarder (agent) would be an optional no-cost component in future versions of Windows (R2 rumored) and the collector would be a separate product, not part of Windows or MOM, pricing and delivery mechanism as yet unknown.

There was an online chat with the PM on April 6th for beta participants that I was unable to attend due to other obligations, maybe someone else here was able to and can weigh in.

./bob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, May 13, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Audit Collection Services

Hi Guido,

I didn't explain myself correctly ;) What I meant was that one of the components of ACS is available from the Add/Remove Windows Components with R2. Not built-in.

Francis

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: May 13, 2005 12:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Audit Collection Services

ACS is very independent from R2 - it may be released within the same timeframe, but doesn't rely on any technology introduced in R2.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, 13 May 2005 17:39
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Audit Collection Services

I'm still in the beta and no, no release yet. And no activity as well.

Francis

P.S. I think some of the functionality is built-in R2.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: May 13, 2005 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Audit Collection Services

Greetings,

Does any one know if Microsoft Audit Collection Services has been released yet? I attended a Microsoft TechNet Briefing and they stated that it would be out some time last year, is any one using it?

Sincerely,
Jose Medeiros
408-449-6621 Cell
RE: [ActiveDir] Audit Collection Services
Jose-

They closed the beta a long time ago. You also had to be nominated by your TAM to get in it in the first place. The architecture and scalability is pretty awesome but the landscape has changed so many times that I'm not sure what to think. Initially, way back when it was called DAD, indications were it would be a free product, that is obviously not the case now.

bob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, May 13, 2005 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Audit Collection Services

Hi Bob,

Thank you for the update. Would you happen to have the link to sign up to be a beta tester? How do you like it so far?

Regards,
Jose Medeiros

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Free, Bob
Sent: Friday, May 13, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Audit Collection Services

The last communication I heard from the product group late last year was that the forwarder (agent) would be an optional no-cost component in future versions of Windows (R2 rumored) and the collector would be a separate product, not part of Windows or MOM, pricing and delivery mechanism as yet unknown.

There was an online chat with the PM on April 6th for beta participants that I was unable to attend due to other obligations, maybe someone else here was able to and can weigh in.

./bob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, May 13, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Audit Collection Services

Hi Guido,

I didn't explain myself correctly ;) What I meant was that one of the components of ACS is available from the Add/Remove Windows Components with R2. Not built-in.

Francis

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: May 13, 2005 12:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Audit Collection Services

ACS is very independent from R2 - it may be released within the same timeframe, but doesn't rely on any technology introduced in R2.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, 13 May 2005 17:39
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Audit Collection Services

I'm still in the beta and no, no release yet. And no activity as well.

Francis

P.S. I think some of the functionality is built-in R2.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: May 13, 2005 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Audit Collection Services

Greetings,

Does any one know if Microsoft Audit Collection Services has been released yet? I attended a Microsoft TechNet Briefing and they stated that it would be out some time last year, is any one using it?

Sincerely,
Jose Medeiros
408-449-6621 Cell
[ActiveDir] Domain Controller Rename
Are there any caveats anyone knows of with the procedure outlined below for renaming a 2003 Domain Controller with netdom? This is a freshly built machine that was brought up in the same AD site as the old system it was replacing for operational reasons. The old system was demoted and removed a few weeks ago and we want to re-assume the original name. The domain (and forest) are at 2003 functional level.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/aad1169a-f0d2-47d5-b0ea-989081ce62be.mspx

netdom computername CurrentComputerName /add:NewComputerName

Ensure the computer account updates and DNS registrations are completed, then type:

netdom computername CurrentComputerName /makeprimary:NewComputerName

Restart the computer.

netdom computername NewComputerName /remove:OldComputerName

Thanks
Bob
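The step "ensure the computer account updates and DNS registrations are completed" is the one that is easy to skip. As an added example (not part of the post or of the Microsoft procedure), this PowerShell checks the two artefacts that netdom computername /add is expected to leave behind before you run /makeprimary: the alternate name on the computer object (msDS-AdditionalDnsHostName, with a HOST/ SPN for it) and an A record in DNS. The ActiveDirectory and DnsClient modules and the example names are assumptions.

```powershell
# Added example, not from the thread: pre-flight check between the /add and
# /makeprimary steps of a netdom rename. Assumes the ActiveDirectory module and
# Resolve-DnsName (DnsClient module); host names below are placeholders.
Import-Module ActiveDirectory

function Test-AlternateComputerName {
    param(
        [Parameter(Mandatory)][string]$CurrentComputerName,   # current FQDN of the DC
        [Parameter(Mandatory)][string]$NewComputerName,       # alternate FQDN added with netdom
        [string]$DnsServer                                    # DNS server to ask; default resolver if omitted
    )
    $sam  = $CurrentComputerName.Split('.')[0] + '$'
    $comp = Get-ADComputer -Identity $sam -Properties 'msDS-AdditionalDnsHostName', servicePrincipalName
    $results = [ordered]@{}

    # netdom computername /add records the alternate name in msDS-AdditionalDnsHostName
    $results['AlternateNameOnObject'] =
        @($comp.'msDS-AdditionalDnsHostName') -contains $NewComputerName

    # A HOST/ SPN for the new name is expected as well; without it Kerberos
    # authentication to the renamed machine fails after the switch
    $results['HostSpnForNewName'] =
        @($comp.servicePrincipalName) -contains "HOST/$NewComputerName"

    # The new name has to resolve before clients are pointed at it
    $dnsArgs = @{ Name = $NewComputerName; Type = 'A'; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $dnsArgs['Server'] = $DnsServer }
    $results['DnsARecord'] = [bool](Resolve-DnsName @dnsArgs)

    # Only proceed to /makeprimary when every check passed
    $results['ReadyForMakePrimary'] = ($results.Values -notcontains $false)
    [pscustomobject]$results
}

Test-AlternateComputerName -CurrentComputerName 'dc-new.example.com' `
                           -NewComputerName 'dc-old.example.com' | Format-List
```

Because the old name was demoted weeks ago, a stale A record for it could make DnsARecord pass trivially; compare the address returned with the new machine's own before trusting that column.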
RE: [ActiveDir] Living without WINS
> Outlook/Exchange even fall into this, right?

Yep- Exchange Server 2003 and Exchange 2000 Server require NetBIOS name resolution for full functionality:
http://support.microsoft.com/?id=837391

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, May 11, 2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE:[ActiveDir] Living without WINS

Much as I would like to see it go away too, I think there are still too many applications that require it. I'm not a programmer, so may be stating this wrong, but I believe a lot of apps. still use the NetBIOS API calls for name resolution, and so would fail without some type of NBNS on a routed network. Outlook/Exchange even fall into this, right?

-DaveC
Reuters

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, May 11, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: [spam] [ActiveDir] Living without WINS

Good evening (morning or night) to you all.

We have an AD structure with the following setup.

DCs and servers: W2K3 AND W2K.
PCs: NT4, W2K and XP.
Name Resolution: DNS Server (with WINS lookup), WINS.

All clients have DNS name resolution activated. Some (older) clients have both WINS and DNS. Most NT 4.0 clients have AD client. Obviously the NT 4.0 clients do not ddns. We also have 2 clusters with Windows 2000.

My question is the following. If I create static DNS records for the NT4 clients, can I do without WINS? What pitfalls and issues are there?

Thanks (in advance) for your help.

Peter Jessop
RE: [ActiveDir] resetting default values
If you don't have custom permissions that you need how about dsacls with the /S or /T options?

/S  Restore the security on the object to the default for that object class as defined in AD Schema.
/T  Restore the security on the tree of objects to the default for the object class. This switch is valid only with the /S option.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stelley, Douglas
Sent: Tuesday, April 19, 2005 8:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] resetting default values

Within our domain {native 2003} perhaps a third of our users need to have their security reset to a default value. Right now we open each user in ADUC, open security / Advanced / check the "Inherit from parent..." and hit the default button. This allows our "helpdesk" folks (who are members of the Account Operators group) access to unlock, reset pwords, etc... Without doing this, these options are greyed out. Unknown what caused it initially but I need to bring it back for many many users. I've created many scripts and I know my way around much of AD/WMI/ADSI, but does anyone know of a way to automate this?

Doug
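Doug asked how to automate the reset for a large number of users. As an added example (not from the thread), the PowerShell below finds the user objects under an OU whose security descriptor has inheritance blocked, which is the state that greys out the Account Operators' options, and runs dsacls /S against each one, with a report-only mode so you can review the list first. The ActiveDirectory module and the OU distinguished name are assumptions.

```powershell
# Added example, not from the thread: batch version of "Inherit from parent" +
# "Default" using dsacls /S. Assumes the ActiveDirectory module; OU DN is a placeholder.
Import-Module ActiveDirectory

function Reset-UserAclToDefault {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [switch]$ReportOnly    # list candidates without calling dsacls
    )
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor
    foreach ($u in $users) {
        # AreAccessRulesProtected is $true exactly when "Inherit from parent" is unchecked
        if (-not $u.nTSecurityDescriptor.AreAccessRulesProtected) { continue }

        if ($ReportOnly) {
            [pscustomobject]@{ User = $u.DistinguishedName; Action = 'would reset' }
            continue
        }

        # dsacls /S restores the schema default for the object class, as in the reply above.
        # The DN is quoted because user DNs routinely contain spaces and commas.
        $output = & dsacls.exe "$($u.DistinguishedName)" /S 2>&1
        [pscustomobject]@{
            User   = $u.DistinguishedName
            Action = if ($LASTEXITCODE -eq 0) { 'reset' } else { "failed: $($output -join ' ')" }
        }
    }
}

# Review first, then run again without -ReportOnly
Reset-UserAclToDefault -SearchBase 'OU=Users,DC=example,DC=com' -ReportOnly | Format-Table -AutoSize
```

One caveat worth checking before the bulk run: if an affected user has adminCount set to 1, the AdminSDHolder process will reapply its protected ACL and block inheritance again within about an hour, so the reset only sticks for accounts that are not in the protected groups.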
RE: [ActiveDir] Using net time
Net Time uses the old NetRemoteTOD API, for computers not running the time service, when they issue a NET TIME command without any parameters the clients issue a NetServerEnum to enumerate the servers from the browse list (yuk) with the TS (timesource) flag. Archaic and inaccurate as compared to W32time.

In your situation, off the top of my head, I would be inclined to run NTP on the XP box with W32time disabled, point the PDCe of the forest to it and let W32time run in its NT5DS mode on all the other machines so you have the proper hierarchical flow of time down the forest without making any changes anywhere else and it just appears as an external source to the PDCe. It might be possible to do it with W32time running on the XP box but I have no direct experience with doing it that way and you could conceivably introduce a time loop.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Wednesday, April 13, 2005 7:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Using net time

Following on from my earlier question about time synchronisation, can anyone please tell me, when you type in the command net time, just where exactly, and how, does the client determine where to pull this information from? I ask because I assumed it would be querying its logon server by default, however in my case it is querying a DC from a sub-domain ?!?! Why on Earth is that? The DC in question is not configured as a reliable time source (The AnnounceFlags value is 10 and not 4)

I am confused and bewildered.

Thanks again for any help.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Wednesday, April 13, 2005 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Time synchronisation in a W2K domain

I was recently handed a new hardware clock to install into our domain. As the device needs to be placed in an area with good radio reception I decided to install it onto a PC. Our server farm is located in a secure bunker with no reception at all.

I know the usual time sync model is for DC's to get the time from the PDC role holder and then the time filters down from there to member servers and workstations. However, my PC is running Windows XP.

So the question is, is it possible to set the XP workstation (with hardware connected) as the reliable primary source for time in the domain? Should the Windows Time service be disabled on the PC? What changes need to be made to the PDC Role holder and other DC's in the domain to make sure they are forced to sync with the XP workstation. Or is it just not possible to use an XP workstation?

I have noticed that some of my machines are synching with the PC but others are not and I have not as yet determined why there is this erratic behaviour. If I use the w32tm /resync command then on some machines it works and on others it doesn't. Do I need to manually configure all DC's to point to the XP machine? Do member servers need special configuration? Why are general user workstations not showing the same time as the Time PC?

Any advice greatly appreciated.
RE: [ActiveDir] Using net time
I'll try to answer to the best of my understanding of the questions-

> So you don't need W32Time running on the XP box to be a time source to the root PDCe?

Not in the scenario I mentioned, the PDCe is just talking to a NTP provider. Is it possible? Probably, W32time is much more intricate in XP/2003. I am just experienced using NTP as a source separate from W32time.

> Will the XP box respond to NTPS from the PDCe without W32Time running on it?

If you mean as a client, no. The XP box can't participate in the NT5DS mode if it doesn't run W32time. You don't want it to since you are trying to make it authoritative. It should only trust your HW clock.

> W32Time can be configured to 'NoSync' using W32TM on the XP box and therefore mitigate the time loop risk.

NoSync means it trusts its own clock as a client. I was thinking more of the case where it could possibly be serving time to other clients if it had w32time running.

> I'm assuming that the root PDCe has W32Time set to 'NTP' but had assumed that it meant that the target box (the XP box in this case) also needed W32Time running.

The PDCe has Type=NTP, that means it synchronizes from the servers specified in the NtpServer registry entry. That can be any NTP box.

> Perhaps when you say 'disabled' for W32Time you mean 'NoSync' or do you actually mean stopping and disabling the service?

I meant disabled because I have actual experience with running NTPd on a W32 box, I *know* it works and it is rather trivial to implement. There are a lot more settings available for w32time in XP/2003 so you might be able to play with the TimeProviders keys and get it to work just fine.

The registry settings are well documented in Windows Time Service Tools and Settings:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/b43a025f-cce2-4c82-b3ea-3b95d482db3a.mspx?pf=true

One of the MS folks who owns W32time drops in here occasionally, he could certainly give you a more authoritative answer than I can if he sees this.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
Sent: Wednesday, April 13, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using net time

Strongly agree on the use of W32TM over NET TIME. Questions though:

So you don't need W32Time running on the XP box to be a time source to the root PDCe?

Will the XP box respond to NTPS from the PDCe without W32Time running on it?

W32Time can be configured to 'NoSync' using W32TM on the XP box and therefore mitigate the time loop risk.

I'm assuming that the root PDCe has W32Time set to 'NTP' but had assumed that it meant that the target box (the XP box in this case) also needed W32Time running. I've been curious about this for some time but have not yet been able to test.

Perhaps when you say 'disabled' for W32Time you mean 'NoSync' or do you actually mean stopping and disabling the service?

Thanks,
Mike

Free, Bob [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/13/2005 11:51 AM
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Using net time

Net Time uses the old NetRemoteTOD API, for computers not running the time service, when they issue a NET TIME command without any parameters the clients issue a NetServerEnum to enumerate the servers from the browse list (yuk) with the TS (timesource) flag. Archaic and inaccurate as compared to W32time.

In your situation, off the top of my head, I would be inclined to run NTP on the XP box with W32time disabled, point the PDCe of the forest to it and let W32time run in its NT5DS mode on all the other machines so you have the proper hierarchical flow of time down the forest without making any changes anywhere else and it just appears as an external source to the PDCe. It might be possible to do it with W32time running on the XP box but I have no direct experience with doing it that way and you could conceivably introduce a time loop.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Wednesday, April 13, 2005 7:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Using net time

Following on from my earlier question about time synchronisation, can anyone please tell me, when you type in the command net time, just where exactly, and how, does the client determine where to pull this information from? I ask because I assumed it would be querying its logon server by default, however in my case it is querying a DC from a sub-domain ?!?! Why on Earth is that? The DC in question is not configured as a reliable time source (The AnnounceFlags value is 10 and not 4)

I am confused and bewildered.

Thanks again for any
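The hierarchy Bob describes (PDCe with Type=NTP pulling from the NtpServer entry, every other DC in NT5DS mode) is easy to verify rather than assume. As an added example (not from the thread), this PowerShell reads the W32Time Parameters key on every DC in the domain through the remote registry and flags any DC whose Type does not match its role; it also explains Mark's symptom, since a DC that is not NT5DS will not follow the PDCe. It assumes the ActiveDirectory module, the Remote Registry service running on the DCs, and an account that can read HKLM on them.

```powershell
# Added example, not from the thread: audit W32Time 'Type' per DC against the expected
# hierarchy (PDCe = NTP, all other DCs = Nt5DS). Assumes the ActiveDirectory module and
# remote registry access to each DC.
Import-Module ActiveDirectory

function Get-W32TimeConfig {
    param([Parameter(Mandatory)][string]$ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\W32Time\Parameters')
        if ($null -eq $key) { throw "W32Time Parameters key not found on $ComputerName" }
        try {
            [pscustomobject]@{
                Computer  = $ComputerName
                Type      = [string]$key.GetValue('Type')       # Nt5DS, NTP, NoSync or AllSync
                NtpServer = [string]$key.GetValue('NtpServer')  # only meaningful when Type is NTP
            }
        } finally { $key.Close() }
    } finally { $hklm.Close() }
}

function Test-DomainTimeHierarchy {
    $pdce = (Get-ADDomain).PDCEmulator
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $isPdce   = ($dc.HostName -eq $pdce)
        $expected = if ($isPdce) { 'NTP' } else { 'Nt5DS' }
        try {
            $cfg = Get-W32TimeConfig -ComputerName $dc.HostName
            [pscustomobject]@{
                Computer  = $cfg.Computer
                IsPdce    = $isPdce
                Type      = $cfg.Type
                NtpServer = $cfg.NtpServer
                Expected  = $expected
                Ok        = ($cfg.Type -eq $expected)   # -eq is case-insensitive, so NT5DS == Nt5DS
            }
        } catch {
            [pscustomobject]@{
                Computer = $dc.HostName; IsPdce = $isPdce; Type = "error: $_"
                NtpServer = ''; Expected = $expected; Ok = $false
            }
        }
    }
}

Test-DomainTimeHierarchy | Format-Table -AutoSize
```

After the configuration checks out, w32tm /monitor on a DC shows the actual offset of each DC from the PDCe, which tells you whether the hierarchy is delivering time and not just configured to.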
RE: [ActiveDir] Installed NIC's not displayed
Is the Netman service (Network Connections) running?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Wednesday, April 13, 2005 2:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Installed NIC's not displayed

Hi,

I have a couple of domain controllers (Windows 2000 Advanced Server, SP4). When I go to Network and Dialup Connections I cannot see the installed NIC's. The only way I can see them is in a command prompt through ipconfig /all. Anyone ever experienced anything like this? Everything else is OK, pinging, DNS, Replication etc. The only thing out of the ordinary is that I see DCOM errors (10002 10010) when RDP'ed into them.

Thanks,
RE: [ActiveDir] Logging changes made to GPOs
You can employ a 3rd party tool like the offerings from NetPro, NetIQ, Quest etc.

Natively, if you enable Audit directory service access you can detect changes to GPOs by finding event ID 565s that have the Object Type value groupPolicyContainer, the Accesses value Write Property, and a Write Property that includes versionNumber.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Janson, Joe
Sent: Thursday, March 24, 2005 8:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logging changes made to GPOs

Is it possible to log changes made to Group Policy Objects?
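The three markers Bob lists (Object Type groupPolicyContainer, Accesses Write Property, and a Write Property on versionNumber) are enough to turn the Security log into a GPO change feed. As an added example (not from the thread), this PowerShell pulls event 565 from a DC's Security log, keeps only entries carrying all three markers, and extracts who changed which GPO (identified by the GUID in the object's DN). The exact field labels inside the 565 message ("Object Name:", "Primary User Name:") are assumptions about the 2003-era event text; adjust the patterns if your DCs word them differently.

```powershell
# Added example, not from the thread: filter Directory Service Access audit events
# (ID 565) down to GPO writes. Requires "Audit directory service access" enabled on
# the DC and read access to its Security log.

function Test-GpoChangeEventMessage {
    param([Parameter(Mandatory)][string]$Message)
    # All three markers from the reply above must be present; any one missing
    # means the 565 describes some other directory object or access
    ($Message -match 'Object Type:\s*groupPolicyContainer') -and
    ($Message -match 'Write Property') -and
    ($Message -match 'versionNumber')
}

function Get-GpoChangeEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,      # a DC; each DC logs only its own writes
        [datetime]$After = (Get-Date).AddDays(-1)
    )
    Get-EventLog -LogName Security -ComputerName $ComputerName -After $After |
        Where-Object { $_.EventID -eq 565 -and (Test-GpoChangeEventMessage $_.Message) } |
        ForEach-Object {
            # Object Name carries the DN of the groupPolicyContainer; its CN is the GPO GUID
            $dn   = if ($_.Message -match 'Object Name:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '' }
            $guid = if ($dn -match 'CN=(\{[0-9A-Fa-f-]+\})') { $Matches[1] } else { '' }
            $user = if ($_.Message -match 'Primary User Name:\s*(\S+)') { $Matches[1] } else { '' }
            [pscustomobject]@{
                Time    = $_.TimeGenerated
                DC      = $ComputerName
                User    = $user
                GpoGuid = $guid
                GpoDN   = $dn
            }
        }
}

# Every DC can hold a write, so query each one and merge
Get-ADDomainController -Filter * | ForEach-Object { Get-GpoChangeEvent -ComputerName $_.HostName } |
    Sort-Object Time | Format-Table -AutoSize
```

On Windows Server 2008 and later the same access is logged as event 4662 with the same object type and property information, so the message test carries over with only the event ID changed.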
RE: [ActiveDir] Enabling Password must meet complexity requirements
> If you want it to happen faster, expire the passwords with a script.

Gee Rick you missed a chance to prop joe? :-0

http://www.joeware.net/win/free/tools/expire.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kingslan, Rick T.
Sent: Wednesday, March 23, 2005 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enabling Password must meet complexity requirements

They will be required to meet complexity when their current password expires after the new requirements take effect. If you want it to happen faster, expire the passwords with a script.

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Felzer
Sent: Wednesday, March 23, 2005 7:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enabling Password must meet complexity requirements

Does anyone know, if this setting is enabled at the default domain policy, are my users going to get prompted to change their passwords immediately if their current password does not meet the complexity requirements? Or will they be forced to use a complex password when they change their passwords?

Thanks
Greg

Greg Felzer
MCSE NT4, MCSE 2000, CCA, CCNA, CNA
Senior Systems Engineer
Windows Infrastructure and Security Team Leader
Office of the CIO
Medical University of South Carolina
RE: [ActiveDir] License services
> is the License server used by Windows to track cals, the same one that is used for terminal services app mode?

Nope, that would be the Terminal Services Licensing Service, different beast

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, March 17, 2005 10:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] License services

sorry to reply to my own email-

is the License server used by Windows to track cals, the same one that is used for terminal services app mode?

i ask these questions because i demoted a dc that happened to be a license server and about 3 weeks later i got event id 213 errors in my app log on my pdc/rid/infra master and some users were unable to log into the domain. in ad sites and services, the old dc is still listed with no ntds object (i assume its still there because a developer installed msmq for AD and never uninstalled it). i demoted it clean using dcpromo. no errors.

is the licensing server always a dc by default? do the other dc's cache license info for a period of time so things function for awhile even if they don't communicate with the master license server? and if so, what is the time period?

i apologize for all the questions but i can't seem to find much in depth info on this service from MS or google.

thanks

Kern, Tom wrote:

If I'm using the license service to keep track of licenses and i go over the allotted amount, will windows DC's prevent users from logging into the domain?

thanks
RE: [ActiveDir] License services
It could if you were running it in per-seat mode IIRC. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, March 17, 2005 11:52 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] License services any idea if a windows dc will deny logons if the master lisence server cannot be contacted after a certain time period? thanks Free, Bob wrote: is the License server used by Windows to track cals, the same one that is used for terminal services app mode? Nope, that would be the Terminal Services Licensing Service, different beast -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, March 17, 2005 10:32 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] License services sorry to reply to my own email- is the License server used by Windows to track cals, the same one that is used for terminal services app mode? i ask these questions because i demoted a dc that happened to be a license server and about 3 weeks later i got event id 213 errors in my app log on my pdc/rid/infra master and some users were unable to log into the domain. in ad sites and services, the old dc is still listed with no ntds object(i assume its still ther because a devloper installed msmq for AD and never uninstalled it). i demoted it clean using dcpromo. no errors. is the licensing server always a dc by default? do the other dc's cache license info for a period of time so things function for awhile even if they don't communicate with the master license server? and if so, what is the time period? i apologize for all the questions but i can't seem to find much in depth info on this service from MS or google. thanks Kern, Tom wrote: If I'm using the license service to keep track of licenses and i go over the alloted amount, will windows DC's prvent users from logging into the domain? 
thanks

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Machine Account Passwords - How often do they reset
2000 and above interval is 30 days by default, NT default was 7. It can be disabled or the interval changed in GPO or registry. Search for MaximumPasswordAge and DisablePasswordChange

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 16, 2005 8:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Machine Account Passwords - How often do they reset

Quick question. Does anyone know how often machine accounts reset their secure channel passwords, or do the passwords remain static until manually reset? We're thinking this happens every 30 days, however we're having an issue with SMS.

Thanks,
-J

This e-mail, and any attachment, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views which are not the views of Discovery Communications, Inc. (DCI).
RE: [ActiveDir] SYSVOL Question
Hi Scott- In addition to Steve's input, there were a couple of recent illuminating threads the heavyweights weighed in on that you should be able to see in the list archives- "Forcing SYSVOL from authenticating DC" and "AD Sites and SYSVOL"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: Tuesday, March 15, 2005 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SYSVOL Question

I have a question... When a user is authenticating to AD, what mechanism directs him to a particular instance of SYSVOL? And is there some way to actually see which DC the client will be preferring? I ask this because Microsoft has recently told me that in certain circumstances, clients will always choose a different DC for SYSVOL than the one they choose for authentication. But I don't know how to actually see that list so I'll know which ones are being preferred.

Thanks in advance,
Scott

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] renaming Drwatson log file
Start, Run, and type "drwtsn32" (without the quotes) to configure Dr Watson options and log path.

or

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson]
Value Name: LogFilePath
Data Type: REG_EXPAND_SZ (Expanded String Value)
Value Data: Directory Path

Never heard of renaming it other than after the fact to preserve them.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
Sent: Wednesday, March 09, 2005 5:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] renaming Drwatson log file

Do you guys have any idea about renaming the .Log files or its path generated by Drwatson utility and the registry key where it is set ?

Thanks,
Manjeet

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] (l)user login auditing
Probably easiest to use logon/logoff scripts to populate a database than to try to grok through all the logs.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gideon Ashcraft
Sent: Wednesday, March 09, 2005 7:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] (l)user login auditing

Some fool mentioned to our HR department that we can track our employees' work routines by auditing the login events to our DCs instead of their supervisors actually doing work and tracking the work habits of their charges. So now I need to present reports to our illustrious HR department in terms they can understand (pretty pictures and colors with all the details washed out so they can grasp the picture). I started by enabling login successes in the default DC policy and was overwhelmed by a flood of events from login attempts and the constant flood of logins (20,000 security events/day) from our LANutil inventory (don't ever use PC-Duo) software (originally set up wrong by helpdesk staff and currently locking the accounts of anyone associated with that deployment; I'm letting them suffer for the moment because they did it without asking for Domain Admin support). Currently I am using a 60 day trial of GFI's SELM log monitor to archive events (until my UNIX admin has the time to learn enough PROLOG to get Tivoli to mine our logs, or I learn how to use the free MS Log Parser to mine our DCs) and I did a test login and logout on a test user account (all events associated with that user were cleaned prior to testing) and I found that logging in created 28 mixed login and logout events (including 538, 540, 673 events) on login but only 1 540 logON event during logOFF and 2 538 logoff events 12 and 41 minutes after logging out!!!

What I would really like to do is tell HR to [EMAIL PROTECTED] themselves and tell the supervisors to do a better job tracking their employees and spend my valuable time tracking events for critical System and application events instead of babysitting the incompetents. But unfortunately the powers that be wish to appease the HR beast rather than put it in its place, so I have to clean up the flood of login events into a form that they can understand. Does anyone recommend any software suited to this purpose or does anyone know of a simple query of events to pinpoint domain activity?

Gideon Ashcraft
Network Administrator
Screen Actors Guild
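An added example, not from the thread or from any tool it names: a small Python script that collapses the burst of 540/538 events Gideon describes into one first-logon/last-logoff line per user per day, ignores 673 (Kerberos service ticket) events since they are not session boundaries, and drops a named inventory account from the report. The tab-separated export format and the account names are constructed for the example.

```python
"""Collapse noisy pre-Vista Security-log logon events into one line per user per day.

Input is a constructed tab-separated export: timestamp, event ID, account.
Event IDs as the thread lists them: 540 = successful network logon,
538 = user logoff, 673 = Kerberos service ticket granted (not a session edge).
"""
from datetime import datetime

# Constructed sample: one user's logon burst, a noisy inventory service
# account, and the late 538 logoffs the thread mentions (12 and 41 minutes out).
SAMPLE_EXPORT = """\
2005-03-09 07:29:03\t540\tjdoe
2005-03-09 07:29:03\t673\tjdoe
2005-03-09 07:29:04\t538\tjdoe
2005-03-09 07:29:04\t540\tjdoe
2005-03-09 07:29:06\t540\tsvc_lanutil
2005-03-09 07:29:06\t538\tsvc_lanutil
2005-03-09 16:02:11\t540\tjdoe
2005-03-09 16:14:40\t538\tjdoe
2005-03-09 16:43:09\t538\tjdoe
"""

SESSION_EVENTS = {540, 538}  # only these mark the edges of a session


def parse_export(text, ignore_accounts=frozenset()):
    """Yield (timestamp, event_id, account) for session-edge events only."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, account = line.split("\t")
        event_id = int(event_id)
        if event_id not in SESSION_EVENTS or account.lower() in ignore_accounts:
            continue
        yield datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), event_id, account


def daily_sessions(text, ignore_accounts=frozenset()):
    """Return {(account, date): (first 540, last 538)}.

    Dozens of 540/538 pairs from one interactive logon collapse into the outer
    bounds. Note that delayed 538s stretch the reported end of the day.
    """
    bounds = {}
    for stamp, event_id, account in parse_export(text, ignore_accounts):
        first, last = bounds.get((account, stamp.date()), (None, None))
        if event_id == 540 and (first is None or stamp < first):
            first = stamp
        if event_id == 538 and (last is None or stamp > last):
            last = stamp
        bounds[(account, stamp.date())] = (first, last)
    return bounds


def report_lines(text, ignore_accounts=frozenset()):
    """Flatten the sessions into 'account date first-logon last-logoff' strings."""
    fmt = lambda t: t.strftime("%H:%M:%S") if t else "-"
    return [f"{acct} {day.isoformat()} {fmt(first)} {fmt(last)}"
            for (acct, day), (first, last) in sorted(daily_sessions(text, ignore_accounts).items())]
```

Run it against a real export by swapping SAMPLE_EXPORT for the file contents; the service-account filter is where the 20,000-events-per-day inventory noise gets dropped.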