[ActiveDir] Reset BadPwdCount property for users
Is the BadPwdCount property read only? I have tried to reset this with the following script and get errors:

    Set Ulist = GetObject("LDAP://ou=My Users,DC=My,DC=domain,DC=com")
    For Each User In Ulist
        If user.badpwdcount > 5 Then
            WScript.Echo(user.fullname & " " & user.badpwdcount)
            user.badpwdcount = 0
            user.setinfo
        End If
    Next

John Hann
BancorpSouth
662.678.7179

RE: [ActiveDir] Reset BadPwdCount property for users
err.number = -2147016651

And it does not reset to 0

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Thursday, March 27, 2003 4:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Reset BadPwdCount property for users

Hi John,

I would have thought that it was read-only, but I didn't see anything in the schema or the SD that would make it read-only. What kind of errors are you getting?

-gil

-----Original Message-----
From: John F. Hann [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 27, 2003 3:02 PM
To: ActiveDir List
Subject: [ActiveDir] Reset BadPwdCount property for users

Is the BadPwdCount property read only? I have tried to reset this with the following script and get errors:

    Set Ulist = GetObject("LDAP://ou=My Users,DC=My,DC=domain,DC=com")
    For Each User In Ulist
        If user.badpwdcount > 5 Then
            WScript.Echo(user.fullname & " " & user.badpwdcount)
            user.badpwdcount = 0
            user.setinfo
        End If
    Next

John Hann
BancorpSouth
662.678.7179

RE: [ActiveDir] Reset BadPwdCount property for users
Thing is... You can go into ADSIEdit and modify it

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
Sent: Thursday, March 27, 2003 5:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Reset BadPwdCount property for users

It's a SAM read-only object AFAIK, you can't modify it.

-----Original Message-----
From: John F. Hann [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 27, 2003 2:02 PM
To: ActiveDir List
Subject: [ActiveDir] Reset BadPwdCount property for users

Is the BadPwdCount property read only? I have tried to reset this with the following script and get errors:

    Set Ulist = GetObject("LDAP://ou=My Users,DC=My,DC=domain,DC=com")
    For Each User In Ulist
        If user.badpwdcount > 5 Then
            WScript.Echo(user.fullname & " " & user.badpwdcount)
            user.badpwdcount = 0
            user.setinfo
        End If
    Next

John Hann
BancorpSouth
662.678.7179

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] Old Computer Accts
Given that active computers change their domain password every 7 days by default, how old of a last modified date would you guys suggest be used for deletion?

John Hann
BancorpSouth
662.678.7179

RE: [ActiveDir] Old Computer Accts
I remembered the default for W2K right after I sent the msg. But thanks for the info and the gentle reminder.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
Sent: Wednesday, March 19, 2003 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Old Computer Accts

We always used 90 days for NT, haven't gotten around to changing it for W2K [which btw defaults to 30 day password age]

-----Original Message-----
From: John F. Hann [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 19, 2003 11:54 AM
To: ActiveDir List
Subject: [ActiveDir] Old Computer Accts

Given that active computers change their domain password every 7 days by default, how old of a last modified date would you guys suggest be used for deletion?

John Hann
BancorpSouth
662.678.7179

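Added example, not part of any message in this thread: a report-only PowerShell check that flags computer accounts by machine-password age (pwdLastSet) rather than by last modified date, using the 90-day cutoff and 30-day W2K password age quoted above as defaults. The function name Get-StaleComputer and the sample host records are constructed for illustration.

```powershell
# Added example. Report-only: it lists stale accounts, it does not delete anything.
# pwdLastSet is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 = never set.
function Get-StaleComputer {
    param(
        [Parameter(Mandatory)] [object[]] $Computer,
        [int] $PasswordChangeDays = 30,   # W2K default quoted in the thread
        [int] $StaleAfterDays     = 90,   # cutoff quoted in the thread
        [datetime] $NowUtc        = [datetime]::UtcNow
    )
    # A cutoff at or below the change interval would flag healthy machines
    # that simply have not reached their next scheduled password change.
    if ($StaleAfterDays -le $PasswordChangeDays) {
        throw "StaleAfterDays ($StaleAfterDays) must exceed PasswordChangeDays ($PasswordChangeDays)."
    }
    foreach ($c in $Computer) {
        $raw = [int64] $c.pwdLastSet
        if ($raw -le 0) {
            # Pre-staged or never-joined account: no password age to measure,
            # so it is flagged for manual review rather than silently skipped.
            $age = $null; $stale = $true; $why = 'password never set'
        } else {
            $age   = [int] [math]::Floor(($NowUtc - [datetime]::FromFileTimeUtc($raw)).TotalDays)
            $stale = $age -gt $StaleAfterDays
            $why   = if ($stale) { "no password change for $age days" } else { 'active' }
        }
        [pscustomobject]@{ Name = $c.Name; PasswordAgeDays = $age; Stale = $stale; Reason = $why }
    }
}

# Constructed sample records (not real hosts). Against a live domain the input would be:
#   Get-ADComputer -Filter * -Properties pwdLastSet    (ActiveDirectory module)
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ Name = 'WKS-EXAMPLE-01'; pwdLastSet = $now.AddDays(-3).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WKS-EXAMPLE-02'; pwdLastSet = $now.AddDays(-45).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WKS-EXAMPLE-03'; pwdLastSet = $now.AddDays(-200).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WKS-EXAMPLE-04'; pwdLastSet = 0 }
)
Get-StaleComputer -Computer $sample -NowUtc $now | Where-Object Stale | Format-Table -AutoSize
```

Only WKS-EXAMPLE-03 and WKS-EXAMPLE-04 are listed; the 45-day machine stays below the cutoff even though it has missed one 30-day password change.
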
RE: [ActiveDir] Default Domain Controller Container
We had created sub-OUs in the DC OU. Had separated the DCs by regional location. There were small problems with dcdiag and other utils that expect the DCs to reside in the DC OU. So we reverted back to the DCs just being in the DC OU.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ninet Segar
Sent: Thursday, March 06, 2003 8:38 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Default Domain Controller Container

My reasoning for considering a move is to hopefully gain control over some subsets of DC's. Such as to allow one group backup operator rights to a subset of DC's. Or to allow one group to have log on locally rights to just a subset of DC's. Or to assign server operator rights to a group of local admins at a small branch site.

[ActiveDir] Security Priv over Services on a DC
What/Where would I adjust the security to allow a group to start/stop services on a DC? Obviously, I would only do this for certain services, since this group will not have DA level access.

John Hann
BancorpSouth
662.678.7179

RE: [ActiveDir] User's Account Locked out Every morning
Logged in another PC under an old password

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Felker
Sent: Wednesday, January 15, 2003 9:01 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] User's Account Locked out Every morning

Every morning I have to unlock one of my users' accounts because it is locked out every morning. Does anyone know what could be causing this?

Thanks
Kevin

[ActiveDir] Securing AD Best Practices Paper
I have downloaded the Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations: Part I document from MS. Does anyone know if there is a Part 2? I have a project to secure the AD and need as much backup info as I can get.

John F. Hann, MCP
BancorpSouth
662.678.7179

RE: [ActiveDir] Email notification of Event Log items
MS Operations Manager can do this: $350/CPU

But you could use the event to trap translator within W2K to send SNMP traps on your events: evntwin

Many other options out there. Check http://www.sunbelt-software.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Luis Aguilera
Sent: Tuesday, December 03, 2002 10:14 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Email notification of Event Log items

Hello all,

I'm sure I'm not the first one to come up with this question/problem... I'm currently managing several Win2k servers -- domain controllers, exchange, file servers, web servers, sql, etc. -- and would like to figure out a way to receive email notification of error and warning messages from the Event Logs (Application, Security, System, DNS, File replication, etc) of each of these servers. Does anyone know how to accomplish this? I'm hoping to move away from having to check each server's logs to spot a (potential or existing) problem.

Any help, as always, is much appreciated.

Luis Aguilera
IT Manager
BaseSix

RE: [ActiveDir] How to make a Domain group local administrator on workstations
I did this for our NAV servers... All the servers in question were in the given OU.

VBS Script:

    On Error Resume Next
    ' Enumerate the computer objects in the OU
    Set myComputer = GetObject("LDAP://OU=NAV Servers,DC=my,DC=domain,DC=com")
    For Each member In myComputer
        Server = member.cn
        WScript.Echo Server
        Err.Clear ' reset so the number echoed below belongs to this server only
        Set grp = GetObject("WinNT://" & Server & "/Administrators,group")
        grp.Add ("WinNT://BANK/ProjMgmt,group")
        WScript.Echo(Err.Number) ' 0 = no error
    Next
    Set myComputer = Nothing

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Byrne, Steve
Sent: Wednesday, November 27, 2002 2:20 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] How to make a Domain group local administrator on workstations

How do I make a domain group or user a local admin on 100 Workstations?

[ActiveDir] Folder Redirection
We used Folder Redirection on My Documents and have moved away from it. Does anyone know of a way via command line or script method to tell My Documents to revert to default settings? You can do this from the properties of My Documents, but I need a way to do this enterprise-wide.

John F. Hann, MCP
BancorpSouth
Network Services - Administration
Infrastructure Management
662.678.7179

RE: [ActiveDir] AD and Network Core Services Anti-Virus
We had real FRS replication issues previous to SP3 and NAV version 7.51.848. NAV modified the security descriptor on files during a real-time scan and caused every file that was accessed to get replicated because it was viewed as a change. I ended up with a 26GB SYSVOL. NAV 7.51.854 fixed this and has not caused an issue since. We did disable real-time scanning on the SYSVOL, but scheduled scans run in the early morning.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, November 14, 2002 2:54 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD and Network Core Services Anti-Virus

I have a quick question,

Our operating procedures for Core Network Service (AD DCs, WINS, DDNS, CA, Exchange (Antigen), DHCP) servers has been not to run with Anti-Virus protection on them. We feel that the potential for scanner code to conflict with the network service is higher if we do, and since we don't execute many applications from the server unless they are scanned we don't feel we are at much risk.

What I would like to know is, what does everyone on this list feel is a good strategy when it comes to these types of services and anti-virus product?

Thanks in Advance,
Todd

RE: [ActiveDir] REPOST: AD Integrated DNS Name Servers After Demotion
Well, I cannot say that all 233 DCs that were demoted are in the Name Server list on the surviving DCs lists. But, a great portion of them are. When we demoted the DCs, we did not remove DNS for fear that some workstation somewhere was still using the demoted DC for DNS. So I just am not sure what to do about the remnants.

Also, have you noticed that after a demotion, FRS retains some settings in the registry under HKLC\SYSTEM\CCS\Services\NTFRS? Check out a member server that does not run FRS to notice what is left behind.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-owner;mail.activedir.org]
Sent: Thursday, November 14, 2002 5:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] REPOST: AD Integrated DNS Name Servers After Demotion

John,

I haven't seen this behavior, though I don't doubt that it exists for you. If I can relate back to you what you've said, to make sure that I understand:

You've demoted a number of DCs, and the appropriate entries have been removed from AD, including the SYSVOL and the object in the DC OU. But, the DC are still listed in the domain as a name server on an AD-Integrated DNS that still hosts the namespace.

If this is the case, I can say that I haven't seen this in our environment. We're in the middle of a cross forest migration, and I've demoted about 30 DCs and moved them to another forest - and the NS records and name listings are not on the DNS in the old forest.

Re-direct me if this is not an accurate representation.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-owner;mail.activedir.org]
Sent: Thursday, November 14, 2002 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] REPOST: AD Integrated DNS Name Servers After Demotion

No need to repost, John.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-owner;mail.activedir.org]
Sent: Wednesday, November 13, 2002 13:57
To: ActiveDir List
Subject: [ActiveDir] REPOST: AD Integrated DNS Name Servers After Demotion

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-owner;mail.activedir.org]
Sent: Tuesday, November 12, 2002 7:29 PM
To: ActiveDir List
Subject: [ActiveDir] AD Integrated DNS Name Servers After Demotion

Last weekend, we demoted 233 DCs. We went from a branch deployment to a region deployment of DCs. I noticed today that although the DCs demoted, removed the computer accounts from the DC OU, removed the entry in the SYSTEM folder under the SYSVOL FRS volumes, the demoted DCs did not remove themselves as Name Servers for the AD Integrated zones. The demoted DCs are still running DNS, but do not have any zones. Why are these servers still listed in the properties of the zones as Name Servers when they do not have the zones in their DNS server service?

John F. Hann, MCP
BancorpSouth
Network Services - Administration
Infrastructure Management
662.678.7179

RE: [ActiveDir] Replication Satellite Links
I had 240 branches over 256K and latency was around 45 minutes... But I did have replication at every 30 minutes over the 256K links. When we started we were at 2hrs for replication and that was not a good scenario.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Rudolph
Sent: Thursday, November 14, 2002 4:58 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Replication Satellite Links

Our company is considering options for supporting a new branch office location. Connectivity to the office can only be accomplished via a satellite link. I'm aware of the problems of RPC-based replication over high latency links. SMTP-based replication is not an option. The link in question would be 512K. My question is does anybody know the threshold where latency will begin to adversely affect replication? I'd like to be able to tell management that we could live with x latency but nothing more.

Thanks in advance.

David Rudolph
Anadarko Petroleum Corporation

RE: [ActiveDir] Scripting and ADSI
http://cwashington.netreach.net/depo/default.asp?topic=repositoryScriptType=vbscript
http://dev.coadmin.dk/Resources/ADSI%20SDK%205%20HTML/default.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bombardi,Marco,GLENDALE,GC AMS - eMAD
Sent: Wednesday, November 13, 2002 10:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting and ADSI

Does anyone have a suggestion of good websites to get information and samples for ADSI scripting? I'll be scripting Active Directory and perhaps Exchange related tasks. I'm searching the net for it but was wondering if you'd have something you use frequently and would highly recommend.

Thank you, I appreciate it.

Marco Bombardi
Globe Center AMS
Infrastructure Technology
[EMAIL PROTECTED]
Office: +1 818 549.6153

[ActiveDir] REPOST: AD Integrated DNS Name Servers After Demotion
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-owner;mail.activedir.org]
Sent: Tuesday, November 12, 2002 7:29 PM
To: ActiveDir List
Subject: [ActiveDir] AD Integrated DNS Name Servers After Demotion

Last weekend, we demoted 233 DCs. We went from a branch deployment to a region deployment of DCs. I noticed today that although the DCs demoted, removed the computer accounts from the DC OU, removed the entry in the SYSTEM folder under the SYSVOL FRS volumes, the demoted DCs did not remove themselves as Name Servers for the AD Integrated zones. The demoted DCs are still running DNS, but do not have any zones. Why are these servers still listed in the properties of the zones as Name Servers when they do not have the zones in their DNS server service?

John F. Hann, MCP
BancorpSouth
Network Services - Administration
Infrastructure Management
662.678.7179

[ActiveDir] AD Integrated DNS Name Servers After Demotion
Last weekend, we demoted 233 DCs. We went from a branch deployment to a region deployment of DCs. I noticed today that although the DCs demoted, removed the computer accounts from the DC OU, removed the entry in the SYSTEM folder under the SYSVOL FRS volumes, the demoted DCs did not remove themselves as Name Servers for the AD Integrated zones. The demoted DCs are still running DNS, but do not have any zones. Why are these servers still listed in the properties of the zones as Name Servers when they do not have the zones in their DNS server service?

John F. Hann, MCP
BancorpSouth
Network Services - Administration
Infrastructure Management
662.678.7179

[ActiveDir] GPO Restricted Groups Question
Can you use Restricted Groups to set additional membership for the local Administrator group on workstations (W2K Pro and XP) and member servers?

John F. Hann, MCP
BancorpSouth
Network Services - Administration
Infrastructure Management
662.678.7179