Re: [ActiveDir] Filter out a certain group of users from the GAL
I think, it might due to placement of your specific filter, if you are placing it among OR filters, some other filter might come true and return the users. Instead put your specific filter out of OR and along with AND. So you might want to try it like this.. your current one is : (X) (| (Y) (Z) (W))) so here if your specific condition is say W then it won't help as, users you want to filter, may be included in Y or Z. You may want to convert it to : (X) (W) (| (Y) (Z)) -- Kamlesh ~ You teach best what you most need to learn. ~ On 12/21/06, Victor W. [EMAIL PROTECTED] wrote: Thanks, this got me closer to the correct query. It sure saved me a lot of tries, trying to get the query right using (!attr=val), instead of using (!(attr=val). I however did not get to managed to get it working completely. Even with the (!(attr=val) The query outputs exactly the same. The query below does perhaps look more complex than it in fact is. It is in fact the Default GAL from Exchange as it comes out of the box. I have been trying to filter out a certain group from appearing in this GAL. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, December 19, 2006 8:27 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Filter out a certain group of users from the GAL I didn't look it over completely to see what you are doing but noticed the (!attr=val) and wanted to comment on that specific piece... When making AL filters, Exchange is picky and if you put in a ! you need to do use long form of (!(attr=val)) and not (!attr=val). While AD will not have a problem with the filter, AD isn't interpreting that filter, Exchange is pulling everything from AD and doing the filtering itself. That is why ESM will show you one result and what you really get could be something completely different. I once got a crap answer from a Alliance Exchange PSS that someone made up about the RFC standards etc but that reason was, as I said, crap. It is just something you have to be aware of when working with those filters. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, December 19, 2006 11:03 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Filter out a certain group of users from the GAL I have been trying to filter out a certain group of users from the GAL, these users should not appear in the GAL. I have used the ! sign but it looks simpler than it infact is. This is the Default GAL: ( (mailnickname=*) (| ((objectCategory=person)(objectClass=user)(! (homeMDB=*))(!(msExchHomeServerName=*)))((objectCategory=person) (objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))( (objectCategory=person)(objectClass=contact))(objectCategory=group) (objectCategory=publicFolder) (objectCategory=msExchDynamicDistributionList) )) I want to exclude people who are a member of a group called XYZ Users and thought about doing it with: (!memberOf=CN=XYZ Users,OU=XYZ,OU=First,DC=nl,DC=test,DC=gbl) The complete query is now: ( (mailnickname=*) (| ((objectCategory=person)(!memberOf=CN=XYZ Users,OU=XYZ,OU=First,DC=nl,DC=test,DC=gbl)(objectClass=user)(! (homeMDB=*))(!(msExchHomeServerName=*)))((objectCategory=person) (objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))( (objectCategory=person)(objectClass=contact))(objectCategory=group) (objectCategory=publicFolder) (objectCategory=msExchDynamicDistributionList) )) The above query outputs exactly the same objects as the first query, the one of the Default GAL. So somehow the group is not being filtered out. Probably just me overlooking something. Cheers, Victor List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
[ActiveDir] Automatic user disable based on criteria
Hi All, DFL FFL : Win2k-Native DCs : Win2k3-SP1 User accounts are automatically provisioned as enabled with Change Password at Next logon. And management wants to disable new accounts which have not logged into domain within next 7 days of creation. And they want it to happen automatically. I have problem at hand as I can't use LastLogonTimeStamp as DFL is not supportive. I can't connect to each DC and search for lastlogon as number of DCs are too large, can't go by whenchanged, as that is generic attribute, which could get changed for any other attribute also. Any other attribute would help me? Currently LDAP filter checks for account created on specific day (say current day - 7) and whose Change Password at next logon is still ticked i.e. pwdlastset=0 But this doesn't take care of scenario, where users are created on that same day (current - 7) and logged into network, changed their password, but around the time of running script, had forgotten password and helpdesk had resetted their password and set Change Password at next logon I hope I am not confusing you all. :-) I know, simple solution would be to change criteria to say 15 days, raise DFL and use LLTS, but I am taking this as a scripting challenge at Win2k-native DFL. Hey joe, is there a way to see replication meta data using adfind? ;-) If yes, I could take a peek at originating date/time for attributes. -- Kamlesh ~ You teach best what you most need to learn. ~
Re: [ActiveDir] Automatic user disable based on criteria
Thats what I am using right now... :-) but that doesn't take care of scenario, I described. Let me give an example, UserA created on Day1 with Change Password on next logon UserA logs in on Day3 and changes password. UserA forgets the password on Day7 and asks help desk to reset password Help desk resets the password and sets Change Password on next logon Now, around this time, before user logs in again, If scheduled script runs, it will pickup this user as never logged on and disable it, as it fulfills both criteria of filter. Now this could be very small number of users, but when you have 500 accounts created daily, even if 25 are affected and help desk can't help them, as help desk don't have rights to enable/disable. User have to go through quite a few hoops to get it enabled again. So Idea was just save those guys unnecessary hassle, if it can be handled at script level. -- Kamlesh On 12/18/06, Brian Desmond [EMAIL PROTECTED] wrote: *If whenCreated 7 days and pwdLastSet = 0 then they haven't logged in yet…* * * *Thanks,* *Brian Desmond* [EMAIL PROTECTED] * * *c - 312.731.3132* * * *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *Kamlesh Parmar *Sent:* Monday, December 18, 2006 12:19 PM *To:* ActiveDir@mail.activedir.org *Subject:* [ActiveDir] Automatic user disable based on criteria Hi All, DFL FFL : Win2k-Native DCs : Win2k3-SP1 User accounts are automatically provisioned as enabled with Change Password at Next logon. And management wants to disable new accounts which have not logged into domain within next 7 days of creation. And they want it to happen automatically. I have problem at hand as I can't use LastLogonTimeStamp as DFL is not supportive. I can't connect to each DC and search for lastlogon as number of DCs are too large, can't go by whenchanged, as that is generic attribute, which could get changed for any other attribute also. Any other attribute would help me? Currently LDAP filter checks for account created on specific day (say current day - 7) and whose Change Password at next logon is still ticked i.e. pwdlastset=0 But this doesn't take care of scenario, where users are created on that same day (current - 7) and logged into network, changed their password, but around the time of running script, had forgotten password and helpdesk had resetted their password and set Change Password at next logon I hope I am not confusing you all. :-) I know, simple solution would be to change criteria to say 15 days, raise DFL and use LLTS, but I am taking this as a scripting challenge at Win2k-native DFL. Hey joe, is there a way to see replication meta data using adfind? ;-) If yes, I could take a peek at originating date/time for attributes. -- Kamlesh ~ You teach best what you most need to learn. ~ -- ~ You teach best what you most need to learn. ~
[ActiveDir] Can't validate trust
In a small R D setup of one group, having two domains and two way trust between them. xyz (win2k3) and abc.com (win2k) While verifying a trust from xyz PDC, we got error that, domain controller can't make a RPC call to PDC of domain abc.com. And in network trace of it, it gives a SMB errors as STATUS_CANNOT_IMPERSONATE Has anyone seen this error? We verified that, 1) DNS is working for both domains. 2) SMB signing parameters are matching. 3) Lmcompatibilitylevel registry key is matching. 4) restrictanonymous is set to 0 (just as a precaution) -- Kamlesh ~ You teach best what you most need to learn. ~
Re: [ActiveDir] Join a Domain
From Google search's top 10 result.. :-) How to Verify the Creation of SRV Records for a Domain Controller http://support.microsoft.com/kb/241515 SRV Records Missing After Implementing Active Directory and Domain Name System http://support.microsoft.com/kb/241505 What DNS entries (SRV Records) does Windows 2000/2003 add when you create a domain? http://www.petri.co.il/active_directory_srv_records.htm To verify the DNS resource records needed to join an Active Directory domain using nslookup http://technet2.microsoft.com/WindowsServer/en/library/70919369-262d-491d-89d9-c45d7654b32c1033.mspx?mfr=true -- Kamlesh On 12/12/06, Al Mulnick [EMAIL PROTECTED] wrote: Based on that, you *should* have other issues going on with your domain controllers. That SRV record is a way for the client (your workstation you're trying to join) to find the domain controllers in it's site. But it's not finding them as expected, and therefore is unable to contact the domain. You'll want to check your DNS server and a) make sure you're using the proper one and b) ensure that the domain controllers are registering their records properly. Al On 12/11/06, John [EMAIL PROTECTED] wrote: There was an error in my one client machine to join a domain. Below are: An error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain server-2.blackstallions.com.sa. The error was: No records found for given DNS query. (error code 0x251D DNS_INFO_NO_RECORDS) The query was for the SRV record for _ldap._tcp.dc._msdcs.server- 2.blackstallions.com.sa What does this SRV record means? There is something I need to re-configure in the server? Let me know expert. Thanks. John -- Everyone is raving about the all-new Yahoo! Mail beta. http://us.rd.yahoo.com/evt=45083/*http://advision.webevents.yahoo.com/mailbeta -- ~ You teach best what you most need to learn. ~
Re: [ActiveDir] Renaming sites
We just did it, In transition period, we saw clients wandering over WAN links, and not connecting to DC in same renamed site, after restarting the DC, clients returned back to renamed site DC.[1] Procedure: 1. Rename the site 2. Verify it is replicated to all DCs in that site 3. Restart DCs one by one, 4) After restart verify that DC is publishing the SRV records under new sitename, and has changed its sitename, (DynamicSiteName value in registry), or nltest /dsgetsite 5. And if needed restart all the machines in that site. -- Kamlesh [1] No this is not the issue, for which I have a open question in the list. On 12/5/06, Huber, Rob (HNI Corp) [EMAIL PROTECTED] wrote: Does anyone know of any issue with renaming sites? For example, if we change the site call Chicago to ChicagoIL, what issues could arise? I expect that since the GUID is not changes that there will not be a problem. How about if we use SMS?? -- ~ You teach best what you most need to learn. ~
Re: [ActiveDir] OT: Possible Security Hole in RDP?
If server and clients are in domain, you can disable the feature using group policies. Computer configuration Administrative Templates Windows Components Terminal Services Client / Server data redirection Do not allow drive redirection -- Kamlesh On 10/10/06, Dan DeStefano [EMAIL PROTECTED] wrote: I should have mentioned that my RDP connection to the TS was as a normal user as well. Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 -- *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *Peter Johnson *Sent:* Tuesday, October 10, 2006 8:40 AM *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] OT: Possible Security Hole in RDP? If the RDP session is being created to the target server with Admin privileges and that account also has admin privileges on your machine then I would suspect that this is what happening here. I.E. the connection is back to your PC from the server, under the credentials you logged in with, and not from your PC to the server under your local credentials. Anyone else got any ideas?? *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *Dan DeStefano *Sent:* 10 October 2006 14:10 *To:* ActiveDir@mail.activedir.org *Cc:* [EMAIL PROTECTED] *Subject:* [ActiveDir] OT: Possible Security Hole in RDP? I have noticed something with Terminal Services and RDP that is concerning. I am using a notebook on which I am just a normal user (I do not log on as administrator unless absolutely necessary). I create an RDP connection to a WS2k3 terminal server and choose to make the notebook's local disks available on the terminal server. I can then browse through my notebook's hard drive with impunity. I can access all files and folders to which I should not have any access at all, including the administrator profile. However, it does take very long to open these files/folders. I am sure this is a known issue, I just haven't read about it anywhere. Does anyone know if there is a way to mitigate this other than setting group policy to not allow local disks to connect to the terminal server? Dan DeStefano *Info-lution Corporation* [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 If you have received this message in error please notify the sender, disregard any content and remove it from your possession. *Disclaimer:* The Development Bank of Southern Africa exercises no control over information contained in any e-mail message originating from within the organisation. The Bank makes no representation relating to the completeness or accuracy and accepts no responsibility for any loss, damage or liability that is incurred by reliance on the content hereof by the recipient or any other party. Each page attached hereto must also be read in conjunction with any disclaimer, which forms part of it. *Confidentiality:* The e-mail is privileged and confidential and for use of the addressee only. Should you have received this e-mail in error, please return it to [EMAIL PROTECTED][EMAIL PROTECTED]. Dissemination, disclosure, copying or any similar actions of the content of this e-mail is strictly prohibited. Dan DeStefano *Info-lution Corporation* [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 If you have received this message in error please notify the sender, disregard any content and remove it from your possession. -- ~ You teach best what you most need to learn. ~
Re: [ActiveDir] Bulk of client going to PDC
:-), I forgot to mention, the desktops on which I checked, site DC is always listed as first choice in DFS. So I have to guess feature is already enabled. Also, that KB says, it is applicable to Windows 2003 gold , and we have SP1 on all servers. That also would mean that feature is already included in SP1 and is enabled. -- Kamlesh On 12/2/06, David Cliffe [EMAIL PROTECTED] wrote: Understood :-) But what about the feature that can be used with the more recent versions? It's described at the bottom of the article (you'd have to modify the registry on each applicable DC). I wonder if that would help in your case? -DaveC -- *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *Kamlesh Parmar *Sent:* Friday, December 01, 2006 12:29 PM *To:* ActiveDir@mail.activedir.org *Subject:* Re: [ActiveDir] Bulk of client going to PDC I checked the file version of dfssvc.exe and dfs.sys on my site DCs, they are higher than the one mentioned in the KB article. So point in looking at that fix. -- Kamlesh On 12/1/06, David Cliffe [EMAIL PROTECTED] wrote: Hi Kamlesh, I'm not necessarily recommending this as a fix, but wondering if you've seen it yet and if would apply? http://support.microsoft.com/kb/831201/en-us -DaveC -- *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *Kamlesh Parmar *Sent:* Thursday, November 30, 2006 2:51 PM *To:* ActiveDir@mail.activedir.org *Subject:* [ActiveDir] Bulk of client going to PDC Hi Guys, We are facing some strange issue, randomly clients from some sites are going to PDCe for group policy refresh,along with screensaver and wallpaper stored in netlogon. Clients are ignoring their nearest DC, and approaching PDCe. All DCs : Win2k3 SP1 All Clients: XP SP2 I verified, 1) DNS entries for site DC are correct. 2) Netlogon and Sysvol folder of site DC are accessible. 3) Verified the clients are authenticating with site DC by : nltest.exe /sc_query:DOMAIN 4) Verified DFS info for netlogon and sysvol on clients is correct : dfsutil.exe /pktinfo I am clueless where else, should I look? -- Kamlesh ~ You teach best what you most need to learn. ~ This email was sent to you by Reuters, the global news and information company. To find out more about Reuters visit www.about.reuters.com Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd. -- ~ You teach best what you most need to learn. ~ This email was sent to you by Reuters, the global news and information company. To find out more about Reuters visit www.about.reuters.com Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd. -- ~ You teach best what you most need to learn. ~
Re: [ActiveDir] Bulk of client going to PDC
Am sorry, I didn't follow what you are asking.. could you be more specific. On 12/2/06, Al Mulnick [EMAIL PROTECTED] wrote: How are your clients connected? Site definitions? On 12/1/06, Kamlesh Parmar [EMAIL PROTECTED] wrote: Appreciate the efforts taken. AFAIK, this would be more of a DFS issue then authentication, as clients are pulling policies and files from PDCe. When I look into details of DFS link targets for sysvol or netlogon, PDCe is listed as distance 9th in the list of servers which clients should contact in case there primary link target failed. And this happens so randomly, from clients that I am not able to setup a network trace also. -- Kamlesh On 12/1/06, Thomas Michael Heß [EMAIL PROTECTED] wrote: Hi Kamlesh, first of all, iwould enable the logging of the Netlogon Service. I ve found an article in the WindowsITPro *The Netlogon service is one of the key Local Security Authority (LSA) processes that run on every Windows domain controller. When you troubleshoot authentication problems, analyzing the Netlogon service log files can be useful. How do I turn Netlogon service logging on and off, and how do I analyze the content of the Netlogon log files? * To turn on Netlogon service logging, type the following Nltest command at the command line: *nltest /dbflag:2080* Enabling Netlogon service logging requires that you restart the Netlogon service. To do so, use the Net Stop Netlogon and Net Start Netlogon commands. To disable netlogon service logging, type: *nltest /dbflag:0* Then, restart the Netlogon service again. The Netlogon service stores log data in a special log file called netlogon.log, in the %Windir%\debug folder. Two utilities are useful in querying the Netlogon log files: Nlparse.exe and Findstr.exe. Nlparse.exe is a GUI tool that comes with Microsoft Account Lockout tools. You can download Account Lockout tools for free from the Microsoft Web site as part of the Account Lockout and Management Tools ALTools.exe file at http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9Edisplaylang=en. Figure 1 http://www.winnetmag.com/Files/42850/Figure_01.gif shows the Nlparse GUI, which contains the most common Netlogon error codes and their meaning. Nlparse stores the output of its queries in two files in the %Windir%\debug folder: netlogon.log-out.scv and netlogon.log-summaryout.txt. *. . .* HtH Thomas -- *Von:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] * Im Auftrag von *Kamlesh Parmar *Gesendet:* Donnerstag, 30. November 2006 20:51 *An:* ActiveDir@mail.activedir.org *Betreff:* [ActiveDir] Bulk of client going to PDC Hi Guys, We are facing some strange issue, randomly clients from some sites are going to PDCe for group policy refresh,along with screensaver and wallpaper stored in netlogon. Clients are ignoring their nearest DC, and approaching PDCe. All DCs : Win2k3 SP1 All Clients: XP SP2 I verified, 1) DNS entries for site DC are correct. 2) Netlogon and Sysvol folder of site DC are accessible. 3) Verified the clients are authenticating with site DC by : nltest.exe /sc_query:DOMAIN 4) Verified DFS info for netlogon and sysvol on clients is correct : dfsutil.exe /pktinfo I am clueless where else, should I look? -- Kamlesh ~ You teach best what you most need to learn. ~ -- ~ You teach best what you most need to learn. ~ -- ~ You teach best what you most need to learn. ~
Re: [ActiveDir] Bulk of client going to PDC
Yes checked the correct subnets are attached to correct sites. All clients are connected via Ethernet 100/Full Duplex. Its like mass exodus of swarm of computers, going to PDCe, and in turn choking the WAN links. It happened like once a day.. and everyday it would be random site. Have asked different site people to install netmon on some PCs and keep it running..on Monday..hoping that one of those sites.. and in them.. one of those PCs misbehaves. Anything else, I should look at? -- Kamlesh On 12/2/06, Al Mulnick [EMAIL PROTECTED] wrote: Site definitions - are your site definitions up to date? How are your clients connected - Are they ethernet, 802.11x, tokenring, ?? On 12/2/06, Kamlesh Parmar [EMAIL PROTECTED] wrote: Am sorry, I didn't follow what you are asking.. could you be more specific. On 12/2/06, Al Mulnick [EMAIL PROTECTED] wrote: How are your clients connected? Site definitions? On 12/1/06, Kamlesh Parmar [EMAIL PROTECTED] wrote: Appreciate the efforts taken. AFAIK, this would be more of a DFS issue then authentication, as clients are pulling policies and files from PDCe. When I look into details of DFS link targets for sysvol or netlogon, PDCe is listed as distance 9th in the list of servers which clients should contact in case there primary link target failed. And this happens so randomly, from clients that I am not able to setup a network trace also. -- Kamlesh On 12/1/06, Thomas Michael Heß [EMAIL PROTECTED] wrote: Hi Kamlesh, first of all, iwould enable the logging of the Netlogon Service. I ve found an article in the WindowsITPro *The Netlogon service is one of the key Local Security Authority (LSA) processes that run on every Windows domain controller. When you troubleshoot authentication problems, analyzing the Netlogon service log files can be useful. How do I turn Netlogon service logging on and off, and how do I analyze the content of the Netlogon log files? * To turn on Netlogon service logging, type the following Nltest command at the command line: *nltest /dbflag:2080* Enabling Netlogon service logging requires that you restart the Netlogon service. To do so, use the Net Stop Netlogon and Net Start Netlogon commands. To disable netlogon service logging, type: *nltest /dbflag:0* Then, restart the Netlogon service again. The Netlogon service stores log data in a special log file called netlogon.log, in the %Windir%\debug folder. Two utilities are useful in querying the Netlogon log files: Nlparse.exe and Findstr.exe. Nlparse.exe is a GUI tool that comes with Microsoft Account Lockout tools. You can download Account Lockout tools for free from the Microsoft Web site as part of the Account Lockout and Management Tools ALTools.exe file at http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9Edisplaylang=en. Figure 1 http://www.winnetmag.com/Files/42850/Figure_01.gif shows the Nlparse GUI, which contains the most common Netlogon error codes and their meaning. Nlparse stores the output of its queries in two files in the %Windir%\debug folder: netlogon.log-out.scv and netlogon.log-summaryout.txt. *. . .* HtH Thomas -- *Von:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] * Im Auftrag von *Kamlesh Parmar *Gesendet:* Donnerstag, 30. November 2006 20:51 *An:* ActiveDir@mail.activedir.org *Betreff:* [ActiveDir] Bulk of client going to PDC Hi Guys, We are facing some strange issue, randomly clients from some sites are going to PDCe for group policy refresh,along with screensaver and wallpaper stored in netlogon. Clients are ignoring their nearest DC, and approaching PDCe. All DCs : Win2k3 SP1 All Clients: XP SP2 I verified, 1) DNS entries for site DC are correct. 2) Netlogon and Sysvol folder of site DC are accessible. 3) Verified the clients are authenticating with site DC by : nltest.exe /sc_query:DOMAIN 4) Verified DFS info for netlogon and sysvol on clients is correct : dfsutil.exe /pktinfo I am clueless where else, should I look? -- Kamlesh ~ You teach best what you most need to learn. ~ -- ~ You teach best what you most need to learn. ~ -- ~ You teach best what you most need to learn. ~ -- ~ You teach best what you most need to learn. ~
Re: [ActiveDir] Bulk of client going to PDC
on PDCe I am looking at sessions and open files in fsmgmt.msc, which lists down the client machines with IP, then I am verifying the site of each connecting IP using ATSN.exe from joeware. Also, our network team had complained that network link is getting choked, and as a proof gave list of source and destination IPs with ports. This list contains the remote site client IPs and PDCe IP communicating to each other. ~~ Kamlesh On 12/1/06, David Adner [EMAIL PROTECTED] wrote: How are you determining the clients are utilizing the PDCE for these activities? A network trace from the client may prove useful. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar Sent: Thursday, November 30, 2006 1:51 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Bulk of client going to PDC Hi Guys, We are facing some strange issue, randomly clients from some sites are going to PDCe for group policy refresh,along with screensaver and wallpaper stored in netlogon. Clients are ignoring their nearest DC, and approaching PDCe. All DCs : Win2k3 SP1 All Clients: XP SP2 I verified, 1) DNS entries for site DC are correct. 2) Netlogon and Sysvol folder of site DC are accessible. 3) Verified the clients are authenticating with site DC by : nltest.exe /sc_query:DOMAIN 4) Verified DFS info for netlogon and sysvol on clients is correct : dfsutil.exe /pktinfo I am clueless where else, should I look? -- Kamlesh ~ You teach best what you most need to learn. ~ -- ~ You teach best what you most need to learn. ~ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
Re: [ActiveDir] Bulk of client going to PDC
I checked the file version of dfssvc.exe and dfs.sys on my site DCs, they are higher than the one mentioned in the KB article. So point in looking at that fix. -- Kamlesh On 12/1/06, David Cliffe [EMAIL PROTECTED] wrote: Hi Kamlesh, I'm not necessarily recommending this as a fix, but wondering if you've seen it yet and if would apply? http://support.microsoft.com/kb/831201/en-us -DaveC -- *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *Kamlesh Parmar *Sent:* Thursday, November 30, 2006 2:51 PM *To:* ActiveDir@mail.activedir.org *Subject:* [ActiveDir] Bulk of client going to PDC Hi Guys, We are facing some strange issue, randomly clients from some sites are going to PDCe for group policy refresh,along with screensaver and wallpaper stored in netlogon. Clients are ignoring their nearest DC, and approaching PDCe. All DCs : Win2k3 SP1 All Clients: XP SP2 I verified, 1) DNS entries for site DC are correct. 2) Netlogon and Sysvol folder of site DC are accessible. 3) Verified the clients are authenticating with site DC by : nltest.exe /sc_query:DOMAIN 4) Verified DFS info for netlogon and sysvol on clients is correct : dfsutil.exe /pktinfo I am clueless where else, should I look? -- Kamlesh ~ You teach best what you most need to learn. ~ This email was sent to you by Reuters, the global news and information company. To find out more about Reuters visit www.about.reuters.com Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd. -- ~ You teach best what you most need to learn. ~
Re: [ActiveDir] Bulk of client going to PDC
Appreciate the efforts taken. AFAIK, this would be more of a DFS issue then authentication, as clients are pulling policies and files from PDCe. When I look into details of DFS link targets for sysvol or netlogon, PDCe is listed as distance 9th in the list of servers which clients should contact in case there primary link target failed. And this happens so randomly, from clients that I am not able to setup a network trace also. -- Kamlesh On 12/1/06, Thomas Michael Heß [EMAIL PROTECTED] wrote: Hi Kamlesh, first of all, iwould enable the logging of the Netlogon Service. I ve found an article in the WindowsITPro *The Netlogon service is one of the key Local Security Authority (LSA) processes that run on every Windows domain controller. When you troubleshoot authentication problems, analyzing the Netlogon service log files can be useful. How do I turn Netlogon service logging on and off, and how do I analyze the content of the Netlogon log files?* To turn on Netlogon service logging, type the following Nltest command at the command line: *nltest /dbflag:2080* Enabling Netlogon service logging requires that you restart the Netlogon service. To do so, use the Net Stop Netlogon and Net Start Netlogon commands. To disable netlogon service logging, type: *nltest /dbflag:0* Then, restart the Netlogon service again. The Netlogon service stores log data in a special log file called netlogon.log, in the %Windir%\debug folder. Two utilities are useful in querying the Netlogon log files: Nlparse.exeand Findstr.exe. Nlparse.exe is a GUI tool that comes with Microsoft Account Lockout tools. You can download Account Lockout tools for free from the Microsoft Web site as part of the Account Lockout and Management Tools ALTools.exe file at http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9Edisplaylang=en. Figure 1 http://www.winnetmag.com/Files/42850/Figure_01.gif shows the Nlparse GUI, which contains the most common Netlogon error codes and their meaning. Nlparse stores the output of its queries in two files in the %Windir%\debug folder: netlogon.log-out.scv and netlogon.log-summaryout.txt. *. . .* HtH Thomas -- *Von:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *Im Auftrag von *Kamlesh Parmar *Gesendet:* Donnerstag, 30. November 2006 20:51 *An:* ActiveDir@mail.activedir.org *Betreff:* [ActiveDir] Bulk of client going to PDC Hi Guys, We are facing some strange issue, randomly clients from some sites are going to PDCe for group policy refresh,along with screensaver and wallpaper stored in netlogon. Clients are ignoring their nearest DC, and approaching PDCe. All DCs : Win2k3 SP1 All Clients: XP SP2 I verified, 1) DNS entries for site DC are correct. 2) Netlogon and Sysvol folder of site DC are accessible. 3) Verified the clients are authenticating with site DC by : nltest.exe /sc_query:DOMAIN 4) Verified DFS info for netlogon and sysvol on clients is correct : dfsutil.exe /pktinfo I am clueless where else, should I look? -- Kamlesh ~ You teach best what you most need to learn. ~ -- ~ You teach best what you most need to learn. ~
[ActiveDir] Bulk of client going to PDC
Hi Guys, We are facing some strange issue, randomly clients from some sites are going to PDCe for group policy refresh,along with screensaver and wallpaper stored in netlogon. Clients are ignoring their nearest DC, and approaching PDCe. All DCs : Win2k3 SP1 All Clients: XP SP2 I verified, 1) DNS entries for site DC are correct. 2) Netlogon and Sysvol folder of site DC are accessible. 3) Verified the clients are authenticating with site DC by : nltest.exe /sc_query:DOMAIN 4) Verified DFS info for netlogon and sysvol on clients is correct : dfsutil.exe /pktinfo I am clueless where else, should I look? -- Kamlesh ~ You teach best what you most need to learn. ~
Re: [ActiveDir] splitting a domain into two
Thanks, I have already been suggested that option in a private mail... and I think, it might be way more feasible than earlier adventurous idea. :-)Just in case, someone needs it, here is the link, for AD replication over VPN http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/depovg/advpnddd.mspx --KamleshOn 9/18/06, Rich Milburn [EMAIL PROTECTED] wrote: You said both sites have Internet connectivity, can you not configure replication through a VPN between the sites? A lot of implementations have replication across firewalls in that manner. And if not, what about dial-up between them? 700 users to what, maybe 2000 objects – that's not a lot of replication traffic to keep the DCs in the two sites in sync. I'd surely think that would be easier to work out than breaking up your domain and dealing with the aftermath… Rich From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Al Mulnick Sent: Saturday, September 16, 2006 8:34 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] splitting a domain into two Yeah. See the problem with that policy concept is that in your environment you've already noticed that good ideas are seldom given a chance to live long enough to make it to your level :) That said, I would think it's extremely dangerous to try and break it like that. Although, it could work, the risk is pretty high that your networks will be connected long before you have a chance to decommission the domains leaving you with a potentially difficult name resolution issue to resolve. There would likely be much wailing and gnashing of teeth as well. I think in this case, option 3 would be preferred: 3) Leave the domains alone and allow the break of network to occur. When the WAN links are created to the central hub, migrate as fast as your legs will carry you. Remember that at that time, your replication will likely resume. Try to keep a change freeze as long as you can if the networks will be able to see each other. It might not be a bad idea to check on the tombstone time and raise that if you can. WAN links are known to take longer to bring up than any planning might assume. Put another way, network folks tend to be overly optimistic when it comes to timing of WAN link configurations. Be sure to communicate as much as possible about the risks and tradeoffs. That way you can stick your tongue out later and sing, I told ya so! at the top of your lungs (likely after work and out of earshot of those that might take offense, but you can at least do so with a clear conscience.) My $0.04 (USD) anyway. Al On 9/16/06, Kamlesh Parmar [EMAIL PROTECTED] wrote: Well :-) I suppose, you are looking at tiny figure of 300 users and why not choosing option 1 straight away. If only every IT manager was as forceful and articulate about danger of short term decisions as you are. About migrating to corporate domain, that is achievable as both sites are not going to get links simultaneously so who ever gets link first, it gets migrated first with security translation as preferred method, and we basically have a policy to remove sidhistory along withdemotion of old domain. And here it will be serialized migration one after another rather than simultaneous. Assumption here being, once the trust with one domain is established, machines migrated, trust broken. I suppose creating trust again with same domain name at different site should not be a issue. -- Kamlesh On 9/16/06, joe [EMAIL PROTECTED] wrote: First impression: Yuck. The main thing that caught my attention is the migrate into a corporate domain at a later time. I assume you mean both of these separated domains would be migrated? If so, how do you plan to do the migration? You won't be able to have name res for the trusts, even if you could you would most likely run into SID issues if you maintained SID History. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar Sent: Friday, September 15, 2006 4:57 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] splitting a domain into two Dear All, Scenario : Single regional domain , two sites , both sites having separate links to Internet and direct WAN connectivity with each other. AD Integrated DNS site1: 300 users site2: 400 users Now, due to restructuring, they have decided to get rid of WAN link joining the two sites immediately, as both sites will have separate individual WAN connectivity with some corporate hub site. And this domain will be migrated to corporate domain in due course. Problem here is the WAN connectivity to hub site will be commissioned at different times (one month apart) and they want
Re: [ActiveDir] Block Inheritance on DC OU
Agreed,And I don't believe somehow policies become easier to troubleshoot with exclusions, specially in a very large environment with high level of delegation coupled with varying level of skill sets. In fact the way Enforced or Block Policy are visually marked in GPMC console, I wish there was something to visually point atparticular policywith explicit exclusions. or it would have been easier if they had given anotherArea on Scope tab between security filtering and WMI Filtering stating the explicit exclusions. -- Kamlesh On 9/16/06, Darren Mar-Elia [EMAIL PROTECTED] wrote: Yes, but there are times when you want to affect all machines or users in a domain and its a pain to have to link those policies to every OU. Domain-linked GPOs are useful but you do have to be explicitly aware of what you're targeting. That's why I like using explicit security group filtering rather than implicit blocking or enforcing. Its easier to troubleshoot (esp. on Win2K without RSOP). Darren From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Derek HarrisSent: Friday, September 15, 2006 3:14 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Block Inheritance on DC OU It seems to me that a better solution is to only put the password policy into the default domain GPO, and create a separate GPO for any other settings to apply to the OUs. From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Friday, September 15, 2006 2:38 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Block Inheritance on DC OU Well at one of the customers, they have around 10 to 15 GPOs applied at domain level, for various purposes ranging from software deployment to other settings.So they didn't wanted many of those GPOs to be applied to domain controllers. Above that, they have block inheritance enabled at various sub-OU levels.So only thing we could come up with to achieve what we wanted was to.1) Block policy at DC OU2) Create Password Policy at Domain level and enforce it. This helped for keeping a consistent password policy across all OUs and Domain.And also saving DCs from domain level general purpose GPOs.Long term, soln is to rethink the OU structure. Kamlesh On 9/13/06, Darren Mar-Elia [EMAIL PROTECTED] wrote: Well, the obvious effect is that it prevents domain-linked policies from being delivered correctly, including password policy. This is probably not desirable. I can't think of a good scenario where this would be useful. Darren From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of WATSON, BENSent: Wednesday, September 13, 2006 9:37 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Block Inheritance on DC OU The company I am currently working for has block inheritance enabled for the Domain Controller's OU and apparently whoever enabled this setting is no longer with the company (or they won't fess up to why they did this). Although I am curious, what sort of ramifications does enabling block inheritance on the Domain Controller's OU pose? And what reason would you have to enable this setting on the Domain Controller's OU? With any other OU, it would be fairly obvious, but being that these are the Domain Controllers it would seem to be a unique situation. Thanks as always for your input, ~Ben -- ~Short-term actions X time = long-term accomplishments.~ -- ~Short-term actions X time = long-term accomplishments.~
Re: [ActiveDir] splitting a domain into two
Well :-) I suppose, you are looking at tiny figure of 300 users and why not choosing option 1 straight away. If only every IT manager was as forceful and articulate about danger of short term decisions as you are. About migrating to corporate domain, that is achievable as both sites are not going to get links simultaneously so who ever gets link first, it gets migrated first with security translation as preferred method, and we basically have a policy to remove sidhistory along withdemotion of old domain. And here it will be serialized migration one after another rather than simultaneous. Assumption here being, once the trust with one domain is established, machines migrated, trust broken. I suppose creating trust again with same domain name at different site should not be a issue. -- Kamlesh On 9/16/06, joe [EMAIL PROTECTED] wrote: First impression: Yuck. The main thing that caught my attention is the migrate into a corporate domain at a later time. I assume you mean both of these separated domains would be migrated? If so, how do you plan to do the migration? You won't be able to have name res for the trusts, even if you could you would most likely run into SID issues if you maintained SID History. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Friday, September 15, 2006 4:57 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] splitting a domain into two Dear All,Scenario : Single regional domain , two sites , both sites having separate links to Internet and direct WAN connectivity with each other.AD Integrated DNSsite1: 300 userssite2: 400 users Now, due to restructuring, they have decided to get rid of WAN link joining the two sites immediately, as both sites will have separate individual WAN connectivity with some corporate hub site. And this domain will be migrated to corporate domain in due course. Problem here is the WAN connectivity to hub site will be commissioned at different times (one month apart) and they want to get rid of WAN link joining site1 with site2 NOW. Other problems like mail access and stuff will be handled thru' Internet link. Now issue is, what to do about AD Domain? as DCs will lose the direct network connectivity.Solution we are looking at is 1) Migrate one of the locations into separate domain, and thus break the dependence of both sites on single domain. 2) Just break the network link as requested and here comes the crummy part :) instead of migrating one of the site to new domain, you just split the domain into two isolated networks, where each site DC will think it is the only DC handling all the stuff for that domain. Basically, 1) break the link 2) Point DC to themselves for DNS 3) seize all the roles 4) do meta data DNS cleanup of other DCnet result : each DC believes they own the domain. Just make sure they don't talk to each other directly ever. Now, Any foreseeable issues with 2nd approach.Please don't include layer 8 issues ;), I am purely looking at technical feasibility and precautions if we go ahead.-- Kamlesh~ Short-term actions X time = long-term accomplishments.~ -- ~Short-term actions X time = long-term accomplishments.~
Re: [ActiveDir] Block Inheritance on DC OU
Well at one of the customers, they have around 10 to 15 GPOs applied at domain level, for various purposes ranging from software deployment to other settings.So they didn't wanted many of those GPOs to be applied to domain controllers. Above that, they have block inheritance enabled at various sub-OU levels.So only thing we could come up with to achieve what we wanted was to.1) Block policy at DC OU2) Create Password Policy at Domain level and enforce it. This helped for keeping a consistent password policy across all OUs and Domain.And also saving DCs from domain level general purpose GPOs.Long term, soln is to rethink the OU structure. KamleshOn 9/13/06, Darren Mar-Elia [EMAIL PROTECTED] wrote: Well, the obvious effect is that it prevents domain-linked policies from being delivered correctly, including password policy. This is probably not desirable. I can't think of a good scenario where this would be useful. Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BENSent: Wednesday, September 13, 2006 9:37 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Block Inheritance on DC OU The company I am currently working for has "block inheritance" enabled for the Domain Controller's OU and apparently whoever enabled this setting is no longer with the company (or they won't fess up to why they did this). Although I am curious, what sort of ramifications does enabling "block inheritance" on the Domain Controller's OU pose? And what reason would you have to enable this setting on the Domain Controller's OU? With any other OU, it would be fairly obvious, but being that these are the Domain Controllers it would seem to be a unique situation. Thanks as always for your input, ~Ben -- ~Short-term actions X time = long-term accomplishments.~
[ActiveDir] splitting a domain into two
Dear All,Scenario : Single regional domain , two sites , both sites having separate links to Internet and direct WAN connectivity with each other.AD Integrated DNSsite1: 300 userssite2: 400 users Now, due to restructuring, they have decided to get rid of WAN link joining the two sites immediately, as both sites will have separate individual WAN connectivity with some corporate hub site. And this domain will be migrated to corporate domain in due course. Problem here is the WAN connectivity to hub site will be commissioned at different times (one month apart) and they want to get rid of WAN link joining site1 with site2 NOW. Other problems like mail access and stuff will be handled thru' Internet link. Now issue is, what to do about AD Domain? as DCs will lose the direct network connectivity.Solution we are looking at is 1) Migrate one of the locations into separate domain, and thus break the dependence of both sites on single domain. 2) Just break the network link as requested and here comes the crummy part :) instead of migrating one of the site to new domain, you just split the domain into two isolated networks, where each site DC will think it is the only DC handling all the stuff for that domain. Basically, 1) break the link 2) Point DC to themselves for DNS 3) seize all the roles 4) do meta data DNS cleanup of other DCnet result : each DC believes they own the domain. Just make sure they don't talk to each other directly ever. Now, Any foreseeable issues with 2nd approach.Please don't include layer 8 issues ;), I am purely looking at technical feasibility and precautions if we go ahead.-- Kamlesh~ Short-term actions X time = long-term accomplishments.~
Re: [ActiveDir] Migration without domain admin rights possible?
Thanks Guido, Really appreciate the time you have taken to write that systematic plan. :-) -- Kamlesh~Never confuse movement with action.~ On 7/28/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote: If the unit is this strongly separated from the rest of your forest and you have little dependencies on apps, this should be a fairly easy / straight forward migration. You should be able to achieve all steps with ADMT: The re-ACLing (= security translation) is actually a very straight forward process – this is how I would go at it: 1. Create some test accounts in source domain that you put into group used by the users to be migrated a. Log on to a few test clients in source domain so as to create user source domain profiles (make some changes so that you can differentiate the profile from a default profile) 2. Migrate the units groups and users, but leave the users in the target domain disabled (except for some of the test-users) a. Users still logon to source domain 3. With the trusts between source and target still in place, migrate the resources (servers) a. Users still logon to source domain and access resources across trust, using SIDs from source domain 4. Perform 1st security translation on all resources (servers) a. Choose to ADD permissions b. Users still logon to source domain and access resources across trust, using SIDs from source domain c. Logon to a test computer in target domain with some of your test-accounts and check they also have access to servers (now using SIDs from target domain) d. If everything works, you are ready for activation of the target user accounts – ideally the next two steps would be coordinated that you only enable the users whose workstations you are migrating at the time (but often difficult to match user to workstation…) 5. Perform security translation AND profile updates on all workstations in unit – again, use ADD permissions a. I personally prefer to do this prior to enabling the users and prior to migrating the computers – this way this step can be performed in the "background" without any direct impact on the users b. This also allows you (or them) to monitor how well they can reach their clients, check access issues etc. c. Ensure that the computer updates – especially profile updates – have worked by using some of your test accounts on clients in the source domain: let them logon with the target domain's account = they should at this point get the same user profile as before AND have access to the target servers 6. Once a critical mass of computers has been updated, you are ready to enable your users in the target domain 7. Now migrate the computers to target domain (those, where security translation has already been performed successfully) a. At this time there will be an impact to the users, since machines need to be rebooted – which is why you should communicate these activities to your users prior to performing this step b. After the computer migration, ADMT will have changed the default logon domain to the target domain c. Users will now logon to the target domain and access resources with the new SIDs d. Add extra time for troubleshooting and fixing access issues… 8. After all computers have been migrated, and all users of the unit logon to the target domain, you are ready to do the cleanup steps a. Cut the trusts between the domains (if this is what you want to achieve) b. Perform another security translation on all resources (servers and workstations) in the target domain = this time choose the REPLACE option 9. Done – enjoy some champagne… /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Thursday, July 27, 2006 4:57 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Migration without domain admin rights possible? Appreciate the quick response, I was able to migrate groups, users without sIDhistory to target. I also tried using clonepr.vbs, it also asks for admin rights on source. And reading further, it made it clear that, can't populate sIDhistory through legitimate APIs without having admin rights on source domain. So, now my hopes are based on security translation at each and every to be migrated resource. I will read up about PES service, so that if possible passwords also can be migrated without admin rights. In this case, no AD dependant app like exchange comes into picture. :-) this is more of completely independent unit with their own groups, users and computers contained within one OU. So group membership related stuff won't be problematic. (at least it seems on initial inspection) Anyway to make 2nd approach you mentioned more systematic and less painless? subinacl? ADMT security translation wizard? Thanks once again for your response, -- Kamlesh~Never confuse movement with action.~
[ActiveDir] Migration without domain admin rights possible?
Hi Guys, We have a peculiar requirement, that one of the small group of around 300 users will be parting from corporate AD and will be setting up there own forest. We will be using ADMT 3.0 for migration. source DFL FFL : windows 2000 native Target DFL FFL : Windows 2003 Two way trust between domains. We would be givingFULL controlrights over those 300 users and their computers account to new admins of new forest. also, they are added to local admins of those computers to be migrated. They have domain admins rights in Target domain. We don't want to add them into administrators group on source domains (i.e. corporate AD) Is it possible to migrate, users,groups and computers? What will break, in migration? I can think of, we will not be installing PES as a result so, NO password migration. anything else? Thanking you in advance,-- Kamlesh~Never confuse movement with action.~
Re: [ActiveDir] Migration without domain admin rights possible?
Main point of migration is they don't want to lose their current workstation profile settings, and network share permission. I have setup a test network, and without giving admin rights on source, I am able to migrate groups, users without sidHistory.I checked clonepr.vbs and stuff, but that also demands admin rights on source domain. Without sidHistory, I am not sure, during transition, they will be able to access non-migrated server resources like file shares. Yes, trust, and sidHistory will not be there after migration. -- Kamlesh~Never confuse movement with action.~ On 7/27/06, Al Mulnick [EMAIL PROTECTED] wrote: Just curious, but what was the point of migration? Why not create new in the target and have them adhere to your new company standards? As for what would break. Hmm not sure you'd be able to read the information needed to perform the migration. At a minimum you would want to grant them the full rights to the user account OU but without testing, I couldn't say for sure what would or would not break. I don't think that's something I would even recommend given a similar situation. I mean, what would they need sidHistory for anyway? The trust is going to likely go away, so they would access?? Al On 7/27/06, Kamlesh Parmar [EMAIL PROTECTED] wrote: Hi Guys, We have a peculiar requirement, that one of the small group of around 300 users will be parting from corporate AD and will be setting up there own forest. We will be using ADMT 3.0 for migration. source DFL FFL : windows 2000 native Target DFL FFL : Windows 2003 Two way trust between domains. We would be givingFULL controlrights over those 300 users and their computers account to new admins of new forest. also, they are added to local admins of those computers to be migrated. They have domain admins rights in Target domain. We don't want to add them into administrators group on source domains (i.e. corporate AD) Is it possible to migrate, users,groups and computers? What will break, in migration? I can think of, we will not be installing PES as a result so, NO password migration. anything else? Thanking you in advance,-- Kamlesh~Never confuse movement with action.~
Re: [ActiveDir] Migration without domain admin rights possible?
Appreciate the quick response, I was able to migrate groups, users without sIDhistory to target. I also tried using clonepr.vbs, it also asks for admin rights on source. And reading further, it made it clear that, can't populate sIDhistory through legitimate APIs without having admin rights on source domain. So, now my hopes are based on security translation at each and every to be migrated resource. I will read up about PES service, so that if possible passwords also can be migrated without admin rights. In this case, no AD dependant app like exchange comes into picture. :-) this is more of completely independent unit with their own groups, users and computers contained within one OU. So group membership related stuff won't be problematic. (at least it seems on initial inspection) Anyway to make 2nd approach you mentioned more systematic and less painless? subinacl? ADMT security translation wizard? Thanks once again for your response, -- Kamlesh~Never confuse movement with action.~ On 7/27/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote: you can migrate most objects from the source even without admin rights to them - the default auth. user already has plenty of permissions to read most attributes you would care to migrate. You could still setup passwords migration without giving themdomain admin privs to your source domain - you would install the PES server for them instead on one of your DCs (you'd need to exchange the PES key ofcourse). Migrating SID history on the other hand, requires admin privs on the source domain = while you can delegate SIDhistory migration to the target, I've always complained that you can't delegate it on the source. Full control on the respective Users OU in your source domain is not enough. But if they do their part right (i.e. reacl all their resources in a two step approach 1st add new acls prior to activating the target accounts, 2nd remove old acls after all users use the new accounts),they don't really need SIDhistory and can spare themselves from having to clean it up later. You'll still have the same challenges with apps as you always do and if you also use exchange, then migrating their mailboxes is a totally different story. Another special challenge in your scenario is group migration = depending on how your security model is setup, they may very likel need to migrate groups that don't belong to them, but that they need to have access to their resources (and allowing to re-acl them). This doesn't mean that they need to migrate the members that don't belong to their unit, but they do need read permissions on most of your groups (which most users have by default anyways...). /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Kamlesh ParmarSent: Thursday, July 27, 2006 9:27 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Migration without domain admin rights possible? Hi Guys, We have a peculiar requirement, that one of the small group of around 300 users will be parting from corporate AD and will be setting up there own forest. We will be using ADMT 3.0 for migration. source DFL FFL : windows 2000 native Target DFL FFL : Windows 2003 Two way trust between domains. We would be givingFULL controlrights over those 300 users and their computers account to new admins of new forest. also, they are added to local admins of those computers to be migrated. They have domain admins rights in Target domain. We don't want to add them into administrators group on source domains (i.e. corporate AD) Is it possible to migrate, users,groups and computers? What will break, in migration? I can think of, we will not be installing PES as a result so, NO password migration. anything else? Thanking you in advance,-- Kamlesh~Never confuse movement with action.~
Re: [ActiveDir] Object Auditing
You will find this blog entry by ericfitz helpful.http://blogs.msdn.com/ericfitz/archive/2006/03/07/545726.aspx On 7/14/06, Matt Hargraves [EMAIL PROTECTED] wrote: Well, you could always ACL your AD better and make it where only a small number (2 or 3 accounts) of users can make AD organizational changes. Moving, creating and deleting OUs isn't necessary that often to where it's really all that necessary of a right for most admins. I think that in our environment (with a very large number of OUs), I have only had maybe 1 or 2 occasions to ever move an OU, if that. That being said... mistakes happen and these things are going to occur. Hopefully very, very infrequently.There are tools out there to monitor AD for changes like this, I guess the question is whether it's worth the money or not. It's possible that you might want to get them just so you can start monitoring and auditing your environment (which many organizations don't do). On 7/13/06, Myrick, Todd (NIH/CC/DCRI) [E] [EMAIL PROTECTED] wrote: You best bet to learn how to audit changes is to standup a Virtual AD turn on Directory auditing, and Make the changes you would like to track to see what event ID and messages are generated. Then you can use Microsofts Eventcombmt tool to search your DC's for the information. We use the Quest Intrust product here for Monitoring and Auditing… At the parent level they used Netpro for AD monitoring and Intrust for auditing, I think they want to switch to using the NETPRO product for auditing though. Both companies offer very good solutions. It is pretty hard to make a bad decision here. There are some advantages with regards to cross platform support with Intrust, but that has nothing to do with AD. The shop I am in now uses several platforms, so that is what drove our decision. Todd From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED] ] Sent: Thursday, July 13, 2006 3:23 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Object Auditing I'd have to check out myself if an OU move is possible to audit with the built-in auditing events - I'm pretty sure though it is possbile with AD specific auditing software such as NetPro's ChangeAuditor AD and Quest's Intrust for AD. you may also want to disable drag drop in your forest, simply by configuring the following (works for Win2003 SP1 - a pre-SP1 fix should be available as well): o use ADSIEDIT, LDPor equivalent tool o locate flags attribute of DisplaySpecifiers container in config. NC · set bit 0 to 1 o drag and drop now disabled /Guido From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] ] On Behalf Of Clay, Justin (ITS) Sent: Donnerstag, 13. Juli 2006 20:25 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Object Auditing Is it possible to audit the creation/deletion and more importantly, the movement of OUs? One of our admins dragged and dropped an entire OU into another OU that had a desktop lockdown GPO linked to it, thereby locking down the PCs of a bunch of important people, and making them very upset. I have Account Management and Object Access auditing on, but I don't see anything on any of our DCs that show anything about the OU or any of its objects moving. Is there something else I need to enable to audit these types of events? Is it even possible? Thanks, Justin Clay ITS Enterprise Services Metropolitan Government of Nashville and Davidson County Howard School Building Phone: (615) 880-2573 ITS ENTERPRISE SERVICES EMAIL NOTICE The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system. -- ~Be the change you want to see in the World~
Re: [ActiveDir] OT: Changing OEM to VLK productID - really really impossible?
I Have info for XP Try this...http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328874 http://www.microsoft.com/genuine/purchase/UpdateInstructions.aspxOr try this 3rd party stuffhttp://www.magicaljellybean.com/keyfinder.shtml --KamleshOn 6/4/06, Freddy HARTONO [EMAIL PROTECTED] wrote: Hi guys, Just realised some of the DCs in my environment is built with OEM version and now am having problem upgrading them to R2 using vlk keys... is there any way at all to change it to vlk, unsupported way maybe? Any help at all would be nice otherwise had to wiped out and rebuild 12 DCs because of this :( Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 -- ~Be the change you want to see in the World~
Re: [ActiveDir] view only rights on ADI DNS Zone
:-) well... actually a debate is going about dynamic updates and scavenging and stuff...and what will happen to static records...etc.This is with junior admins, who are made administrators for particular site or OU. Now, I don't have time to verify each and every important record (static or dynamic), so I wanted to give read permission on zone and let them verify it on their own.On 5/25/06, Al Mulnick [EMAIL PROTECTED] wrote: That's a first for me: a user that needs that information. Admins I can understand and I can see forcing an admin to use a command line or to look for employment elsewhere. Unfortunately, much of that particular information used for reporting is stored as a blob, IIRC. Curious though, if they find this information what do they do with it? On 5/25/06, Kamlesh Parmar [EMAIL PROTECTED] wrote: well.. need to verify information like... Record time stamp and Delete this record when it becomes stale check boxnslookup doesn't give me this information.Also, users are weary of using command line... :-( On 5/24/06, Al Mulnick [EMAIL PROTECTED] wrote: You'll need a description of the rights needed to open the tool in this case, as everyone has read access by default. IIRC, the Windows 2000 DNS white paper describes how to delegate rights etc. using tools such as ADSIEDIT or DSACLS. Curious though: why bother? Read access to a DNS zone? Has the user ever used NSLOOKUP or DIG? You can read the zone records using these tools quite easily and it'll tell you just about everything you want to know about the RR. Is there a different requirement in this? Al On 5/24/06, Kamlesh Parmar [EMAIL PROTECTED] wrote: Is it possible to give normal domain account rights to view ADI DNS zonein console ? I tried to give normal account a rights to READ thru ACL on zone, but it didn't help. Only otherway, I know is to create a secondary for that zone, on that users machine. but thats overkilll :)-- Kamlesh~Be the change you want to see in the World~ -- ~Be the change you want to see in the World~ -- ~Be the change you want to see in the World~
Re: [ActiveDir] view only rights on ADI DNS Zone
well.. need to verify information like... Record time stamp and Delete this record when it becomes stale check boxnslookup doesn't give me this information.Also, users are weary of using command line... :-( On 5/24/06, Al Mulnick [EMAIL PROTECTED] wrote: You'll need a description of the rights needed to open the tool in this case, as everyone has read access by default. IIRC, the Windows 2000 DNS white paper describes how to delegate rights etc. using tools such as ADSIEDIT or DSACLS. Curious though: why bother? Read access to a DNS zone? Has the user ever used NSLOOKUP or DIG? You can read the zone records using these tools quite easily and it'll tell you just about everything you want to know about the RR. Is there a different requirement in this? Al On 5/24/06, Kamlesh Parmar [EMAIL PROTECTED] wrote: Is it possible to give normal domain account rights to view ADI DNS zonein console ? I tried to give normal account a rights to READ thru ACL on zone, but it didn't help. Only otherway, I know is to create a secondary for that zone, on that users machine. but thats overkilll :)-- Kamlesh~Be the change you want to see in the World~ -- ~Be the change you want to see in the World~
Re: [ActiveDir] Is there a way to force users to logon to domain?
If you still want to set it via GPO... set allow logon locally to Administrators , domain\domain users This will ensure that, local accounts doesn't get right to logon, unless they are member of Administrators group -- Kamlesh~Be the change you want to see in the World~ On 5/16/06, Joe Lagreca [EMAIL PROTECTED] wrote: Sergio,That is the approach we are going to take.Write a script to run atstart up to delete all local accounts, except administrator, which only we should know the password for.Do you have any ideas on how to change local account passwords via GPOor remotely?We would like to change the administrator passwordsinitially, and probably like to change it on a continual basis. Thank you.JoeOn 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS[EMAIL PROTECTED] wrote: Yeah, disregard what I said about just leaving Admins on the allow logon locally setting, that's my bad.I guess best thing to do would be delete all existing local user accounts. -Sergio -Original Message- From: Joe Lagreca [mailto: [EMAIL PROTECTED]] Sent: Monday, May 15, 2006 7:33 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is there a way to force users to logon to domain? Al and others, We are retrofitting previously deployed workstations.Some have local logins, while others do not.I was just wondering if there is a way, via GPO, to force all users to log into the domain, instead of giving them the option to log into their local machine. I have been told that In a GPO set the cached logon setting to 0 and make sure allow logon locally is only set to Admins. will not work.However I still need to test this myself.I was told allow logon locally will make it so all unlisted users will not be able to login from that workstation, whether its locally or to the domain. I realize their profiles wouldn't copy, and we can deal with that afterwards. Thanks. Joe On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote: I think you've seen several ways of achieving something similar to what you've asked for.But I'm curious as to what you really want to accomplish.You've put something very specific, but what makes you want to force the logon?What's the backstory? Al On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote: Is there a way to force users to logon to domain, or to disable loging into local computer accounts via GPO? Thanks.List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/-- ~Be the change you want to see in the World~
[ActiveDir] view only rights on ADI DNS Zone
Is it possible to give normal domain account rights to view ADI DNS zonein console ? I tried to give normal account a rights to READ thru ACL on zone, but it didn't help. Only otherway, I know is to create a secondary for that zone, on that users machine. but thats overkilll :)-- Kamlesh~Be the change you want to see in the World~
Re: [ActiveDir] Cleanup of AD accounts
I suppose you can use DN from that modified file and feed it to dsmod.exe or admod.exeOn 4/28/06, Rimmerman, Russ [EMAIL PROTECTED] wrote: Joe - I sent you an e-mail, I figured maybe going to this list might get more input on this question as well: If I wanted to run an oldcmp -report 120 -users -sort cn -f ((objectcategory=person)(objectclass=user)) -format csv -delim , and then send it out to our remote administrators to 'remove any accounts you don't want disabled' and then take the final list and disable all remaining accounts that they didn't flag as still being used, how would I accomplish that? Is there a way to have oldcmp use a modified file as an import file for the accounts to disable? Our problem is we don't want to disable any service accounts that are actively being used, but we have a LOT of cleanup to do. How does everyone else handle this? Thanks a bunch, Russ ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ -- ~Be the change you want to see in the World~
Re: [ActiveDir] copy with permissions
The best one i know is... robocopy.exe I have done hundreds of desktop migrations using that.free tool from microsoft resource kit tools http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffdDisplayLang=en-- Kamlesh~Be the change you want to see in the World ~ --On 4/26/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Is there a way to copy all my file server folders to another server with permissions? I need to change the Hard disk, but dont want to graint all permissions again. Thanks Adrião Ramos
Re: [ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute?
Steve,Luckily all users, sharepoint servers are in same domain and i have only two DCs in that setup. And I have made sure that developers are looking at both DCs to find the latest lastlogon update. So I am not missing anything on that part. Problem is i dont have access to servers directly, I have to relay the information I find to them and wait for them to provide test results. In earlier article you mentioned, it was suggested that problem was with NTLM and not kerberos, so I thought lets try with kerberos and see, that also didn't help.with little digging, I found that, windows integrated authentication uses network logon, while basic authentication uses interactive login. Now I have asked them to enable audit account logon events and check for event 540 to verify that network logon is done.anything else I should check?--Kamlesh~ Be the change you want to see in the World~On 4/26/06, Steve Linehan [EMAIL PROTECTED] wrote: If you are running SharePoint and are not running Windows Server 2003 R2 with the latest version of WSS then the default behavior for SharePoint is to use NTLM, no matter what the client setting. You can change this but that is another conversation. That being said do you know what DC is actually authenticating the user? Depending on where the account resides you would be using NTLM chaining through secure channels to get to a DC in the account domain so to build that chain you can use nltest /sc_query:domain on the SharePoint server to see what DC in the domain in which the SharePoint server is located it has its secure channel with. If the user account is in the same domain as the SharePoint server you are finished if not you need to go to that DC and then run nltest /sc_query:user domain to find out who he has his secure channel setup to for that particular user domain. You would then be able to query the lastlogon attribute on that DC, since that attribute is not replicated. You can also turn up netlogon logging on the SharePoint server to log where the requests are going. The problem that you will have is if the Secure Channel changes then you would need to go to the new DC to get the lastlogin time. As you can see this is not an easy problem to solve and even if you were at Windows Server 2003 FFL and had lastlogontimestamp it is loosely replicated so you are still not going to get the behavior you want. Kerberos makes this even more difficult as the client is talking to the KDC to get the ticket and that KDC could be any DC in its domain and not predictable. As far as the types of logins that update that attribute I believe all of them do now though there may be a few that still do not I will try to work on getting a list. Thanks, -Steve From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Tuesday, April 25, 2006 2:58 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute? Thanks Steve for you reply.Yes DCs are running Win2003 SP1, and webservers are win2003 sharepoint servers.If it helps : DFL is windows 2000 mixed and FFL is Windows 2000so i guess, Lastlogontimestamp is not populated and thats why we are looking at lastlogon attribute. I also checked on clients that Enable Windows integrated authentication is enabled, which would try to use kereberos first then NTLM. (as per KB problem is when NTLM is used)anything else i should check? Also, as deji requested, list of logon types which update this attribute will also be of great help.--Kamlesh~Be the change you want to see in the World~ On 4/24/06, Steve Linehan [EMAIL PROTECTED] wrote: Are you running Windows Server 2003 SP1? We fixed a number of scenarios where this attribute was not updated for other logon types in SP1. Here is just one example: http://support.microsoft.com/default.aspx?scid=kb;[LN];886705 Thanks, -Steve From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Monday, April 24, 2006 2:14 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute? Dear list members,My apologies if this sounds OT.We have some win2k3 web servers which use windows integrated authentication, and managers now want to display lastlogon time for all users, who use those web servers. Problem is lastlogon attribute of users is not updated when user login to those web servers, it is only updated when users do normal windows interactive logon. does anyone know what kind of user login web servers do for integrated authentication?And can it be changed such a way that, it results in lastlogon time stamp getting updated?-- Kamlesh~ Be the change you
Re: [ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute?
Thanks Steve for you reply.Yes DCs are running Win2003 SP1, and webservers are win2003 sharepoint servers.If it helps : DFL is windows 2000 mixed and FFL is Windows 2000so i guess, Lastlogontimestamp is not populated and thats why we are looking at lastlogon attribute. I also checked on clients that Enable Windows integrated authentication is enabled, which would try to use kereberos first then NTLM. (as per KB problem is when NTLM is used)anything else i should check? Also, as deji requested, list of logon types which update this attribute will also be of great help.--Kamlesh~Be the change you want to see in the World ~On 4/24/06, Steve Linehan [EMAIL PROTECTED] wrote: Are you running Windows Server 2003 SP1? We fixed a number of scenarios where this attribute was not updated for other logon types in SP1. Here is just one example: http://support.microsoft.com/default.aspx?scid=kb;[LN];886705 Thanks, -Steve From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Monday, April 24, 2006 2:14 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute? Dear list members,My apologies if this sounds OT.We have some win2k3 web servers which use windows integrated authentication, and managers now want to display lastlogon time for all users, who use those web servers. Problem is lastlogon attribute of users is not updated when user login to those web servers, it is only updated when users do normal windows interactive logon. does anyone know what kind of user login web servers do for integrated authentication?And can it be changed such a way that, it results in lastlogon time stamp getting updated?-- Kamlesh~ Be the change you want to see in the World~ --
[ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute?
Dear list members,My apologies if this sounds OT.We have some win2k3 web servers which use windows integrated authentication, and managers now want to display lastlogon time for all users, who use those web servers. Problem is lastlogon attribute of users is not updated when user login to those web servers, it is only updated when users do normal windows interactive logon. does anyone know what kind of user login web servers do for integrated authentication?And can it be changed such a way that, it results in lastlogon time stamp getting updated?-- Kamlesh~ Be the change you want to see in the World~
Re: [ActiveDir] Service Account Logging/Tracking
I will add something... logparser...amazing utility...(if you know little bit of scripting)http://www.logparser.comlogparser can be scripted... morover you can use parse the description field and extract the exact detail..and if you know how to use the template option of it..it could create nice html report too. and ofcourse once file is ready it can be picked up and sent to admins thru mail. -Kamlesh~Be the change you want to see in the World~On 4/22/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote: eventcombmt is OK but logparser is better as it can parse saved logs. Eventcombmt is for active logs only. M@ On 4/22/06, mike kline [EMAIL PROTECTED] wrote:You have to turn on auditing in order to track logon events. Once you turn auditing on you can then search your security event logs for that logon event. When you go to set auditingyou will see two settings. Audit account logon events and audit logon events. There is a good blog entry about the differences between the two settings and what they mean. http://blogs.msdn.com/ericfitz/archive/2005/08/04/447934.aspx We set both for success, failure (per NSA guidelines). We save our logs daily on the servers and on our workstations we overwrite older events so that disk space doesn't become a huge issue. Once you have the events in the log you can search through them using a tool like Eventcomb http://www.microsoft.com/downloads/details.aspx?FamilyId=9989D151-5C55-4BD3-A9D2-B95A15C73E92displaylang=en Eventcomb can be found within this download. You can search for EventID 528 and specify the service account to narrow the search. When you say an account with elevated privileges what kind of privilegesare youtalking about? Hopefully not a domain admin account. Thanks Mike On 4/21/06, Clay, Justin (ITS) [EMAIL PROTECTED] wrote: What's the recommended method for tracking service account logins? We keep a pretty tight reign on service accounts and their passwords, but in some cases we have to provide the passwords to our customers (in this case, customers are other government organizations that we support) for use in their applications. Essentially we just want to know if someone logs into a PC or a server with a service account. We don't want a bunch of people using a service account to gain access to resources, especially if it's an account with elevated privileges. Thanks, Justin Clay ITS Enterprise Services Metropolitan Government of Nashville and Davidson County Howard School Building Phone: (615) 880-2573 ITS ENTERPRISE SERVICES EMAIL NOTICEThe information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system. --
Re: [ActiveDir] how to report on scheduled jobs?
If your remote machines are XP onwards...try schtasks.exe /query /S remotePCNameI am assuming current logged in user has rights to manage remotePCfor more details schtasks.exe /query /?--KamleshOn 4/18/06, Thommes, Michael M. [EMAIL PROTECTED] wrote: Is there a script to output scheduled job information?Maybe somethingI could call in a for loop driven by a list of servers.Ideally, I would like to see the job and who's credentials it is running under,with maybe the schedule.Mike ThommesList info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Daylight savings query
For the purpose of binary settings, one can either use .REG file or usefree PolicyMaker registry CSE from desktopstandards.com http://www.desktopstandard.com/PolicyMakerRegistryExtension.aspx--Kamlesh~Be the change you want to see in the World~ On 4/4/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Hi Susan,If you try using an ADM template to add the key you may have a problem since it includes binary settings that can't be set via ADM Templates. Alan Cuthbertson Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtmlADM Template Editor:-http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml Policy Log Reporter(Free)http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml- Original Message - From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP][EMAIL PROTECTED]To: ActiveDir@mail.activedir.org Sent: Tuesday, April 04, 2006 11:56 AMSubject: Re: [ActiveDir] Daylight savings query Yeah in hindsight I think I can achieve bon bon status but just putting the stupid key in group policy. Dean Wells wrote:I don't query the existing setting, I simply set it ... via site linkedpolicies or script or whatever's your preference -- Control.exe TIMEDATE.CPL,,/Z (GMT-08:00) Pacific Time (US Canada);Tijuanaalternatively:RUNDLL32.EXE SHELL32.DLL,Control_RunDLL TIMEDATE.CPL,,/Z (GMT-08:00) PacificTime (US Canada); Tijuana... where '(GMT-08:00) Pacific Time (US Canada); Tijuana' is thetimezonebeingset. The supplied value behind /Z is from the Display value under the registrykey -'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones'You can also use the Std value in those registry keys as well, this is equivalentto (GMT-08:00) Pacific Time (US Canada); Tijuana:Control.exe TIMEDATE.CPL,,/Z Pacific Standard Time--Dean Wells MSEtechnology* Email: [EMAIL PROTECTED]http://msetechnology.com -Original Message-From: [EMAIL PROTECTED][mailto: [EMAIL PROTECTED]] On Behalf Of Susan Bradley,CPA aka Ebitz - SBS Rocks [MVP]Sent: Monday, April 03, 2006 9:20 PMTo: ActiveDir@mail.activedir.orgCc: Send - AD mailing listSubject: Re: [ActiveDir] Daylight savings queryWithout walking around to every stupid new desktop every year and getting mad at Dell that they aren't picking up the right timezones I want toset at my desktop eating bon bons and scan them and see if they'vescrewed up and the Secretaries will be booking appointments in the wrong time zones and the bosses will be getting mad(Bosses get the new computers.. Secretaries get the old ones that alreadyhave the time zone problem resolved) Basically I'm asking... what do you guys do in big server land to ensurethat every stupid Outlook is booking appointments in the proper zone?Dean Wells wrote: It's late so that could well be it ... but I'm afraid I'muncertain asto what it is you've not already ascertained for yourself? --Dean WellsMSEtechnology* Email: [EMAIL PROTECTED] http://msetechnology.com-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley,CPA aka Ebitz - SBS Rocks [MVP] Sent: Monday, April 03, 2006 8:33 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Daylight savings query (someone go pick Joe up off the floor after I post this..I'm actuallyasking about scripting) Is there a script that can be run to determine what acomputers timezone status is?Some WMI status in AD or something?It seems likeeverytime I get new computers in the office...the OEM image that we don't nuke and pake means that they do not grab the autotmaticallyadjust setting, even though it's checked, so they end upstaying onstandard time rather than flipping to daylight savings and thus causing appointments to be off an hour.Okay so the setting is underHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneIn formationBut the values under there are not jumping out at me as towhich onethe machine is broadcasting?Is it Daylight Bias RegDword ffc4...as if I flip the gui onand off.. that value goes down to 0...wonder if I can group policy that reg key valuehmm How to configure daylight saving time dates for Brazil:http://support.microsoft.com/?kbid=317211 Use a script to delete DisableAutoDaylightTimeSet from the registry.When deleted 'Automatically adjust clock for daylightsavings changes' in Windows will be checked.The registry key is:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneIn formation --Letting your vendors set your risk analysis these days? http://www.threatcode.comList info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/--Letting your vendors set your risk analysis these days?
Re: [ActiveDir] Script not working thru GPO
If this is the exact script then Where have you defined value of ForAppending ?? Aserror message containsinvalid argument -- Kamlesh On 3/28/06, Cothern, Jeffrey D Mr CTR USSOCOM HQ [EMAIL PROTECTED] wrote: I have a script i created in vbs. This script works when run on the machines locally but when i set it up as a machine startup script it gets this error script: path and name of script Line:13 Char: 1 Error: Invalid Procedure call or argument Code: 800A0005 Source: Microsoft _vbscript_ runtime error As I said this runs correctly when run on the machine localy but not thru GPO. I am assuming that I cannot do a objFSO.OpenTestFile thru the GPO. Is there some other way I can accomplish the write to the test file? Jeff Here is the Script Code: Dim WshShell, bKeyDim regComputerNameDim ComputerNameDim ServerlistDim objServerlistDIM objFSODIM strCurrenLineDIM intIsComment Serverlist = \\fileserver\serverlist.txtregComputerName = HKLM\SYSTEM\CurrentControlSet\Control ComputerName\ComputerName\ComputerName Set objFSO = CreateObject(Scripting.FileSystemObject)Set objServerlist = objFSO.OpenTextFile(serverlist, ForAppending) Set WshShell = WScript.CreateObject(WScript.Shell)ComputerName = objShell.RegRead(regComputerName)objfile.Write ComputerName WshShell. RegWriteHKLM\System\CurrentControlSet\Services\Eventlog\Application\AutoBackupLogFiles, 1, REG_DWORDWshShell. RegWriteHKLM\System\CurrentControlSet\Services\Eventlog\Security\AutoBackupLogFiles, 1, REG_DWORD WshShell. RegWriteHKLM\System\CurrentControlSet\Services\Eventlog\System\AutoBackupLogFiles, 1, REG_DWORD bKey = WshShell.RegRead(HKLM\System\CurrentControlSet\Services\Eventlog\Application\AutoBackupLogFiles)bKey = WshShell.RegRead(HKLM\System\CurrentControlSet\Services\Eventlog\Security\AutoBackupLogFiles) bKey = WshShell.RegRead(HKLM\System\CurrentControlSet\Services\Eventlog\System\AutoBackupLogFiles) WScript.Echo WshShell.RegRead(HKLM\System\CurrentControlSet\Services\Eventlog\Application\AutoBackupLogFiles)WScript.Echo WshShell.RegRead(HKLM\System\CurrentControlSet\Services\Eventlog\Security\AutoBackupLogFiles) WScript.Echo WshShell.RegRead(HKLM\System\CurrentControlSet\Services\Eventlog\System\AutoBackupLogFiles) -- ~Be the change you want to see in the World~
Re: [ActiveDir] Active Directory
Wouldn't it be, Default Domain Policy?? As that will apply to normal workstations. -- Kamlesh On 3/21/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: Check the Default Domain Controllers policyComputer ConfigurationWindows SettingsSecurity Settings Local PoliciesSecurity optionsInteractive Logon: Prompt user to change password before expiration: 14 daysMet vriendelijke groeten / Kind regards,Ing. Jorge de Almeida PintoSenior Infrastructure Consultant MVP Windows Server - Directory ServicesLogicaCMG Nederland B.V. (BU RTINC Eindhoven)( Tel : +31-(0)40-29.57.777( Mobile : +31-(0)6-26.26.62.80* E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Christine AllenSent: Tue 2006-03-21 13:31To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Active DirectorySorry for the dumb question, but I can't find any information regardingthis. =20We are running a windows 2000 domain.We have set up a password policy. Users have to change their passwords every 120 days.When will they beprompted to change it?One week before?Two weeks before?Thanks.-ChristineChristine N. AllenSystems EngineerBMC HealthNet Plan 2 Copley PlaceBoston, MA 02116617-748-6034617-293-4407[EMAIL PROTECTED]List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. -- ~Be the change you want to see in the World~
Re: [ActiveDir] Link single GPO to multiple OUs using script or something
Thanks for your suggestion.I wish it was that simple. :-) (not technically, but politically)Ours is very much delegated environment, spread across 50+ locations.So making sure that no single branch office admin has rights over any of the objects of other branch office is essential, thus initial design was to create separate OUs for each object type. Also, many of the policies are very much branch location specific, linking policy at higher level may not be feasible always and enforcing higher level policy to make it effective is again digging the grave little more. Creating group did occur to me, but, I can't create a single group and and give everyone rights to change membership. This will violate comfort level as people have power to remove or add members from other location, also as they will likely change membership on different DCs and since LVR is not supported in 2K native DFL, many of the membership changes will be lost. At the same time, I can't keep membership management rights with central team as this will add one another mundane routine to their already stretched task list and shift focus from larger issue.Now, it would require that I create 50+ location specific groups then assimilate these groups into one single group to which I apply policy. This approach makes sure that no one else can add or remove member laptops for other location and branch admin can make sure that right policies are applied to laptops, without requiring central team's help in managing single group. So, when I have to choose between creating 50+ groups, explaining the change in operations to 50 different branch admins, asking them to add all their laptops to these new groups while laptop OU is still present AND linking a policy to 50+ OUs.so in short-term, I chose linking a policy to 50 OUs.I do agree, that mere thought of linking a single policy to 50 OUs, did rang alarm bells in my head. I can assure you, restructuring the OUs is sure put down as a agenda point for next quarterly review meeting. I know, someone might say, pal, you have such a big environment then why don't you create provisioning website or app to take care of such delegation nightmares and make it standard, automated and accountable. I will just say Work In Progress :-) --Kamlesh~Be the change you want to see in the World~On 3/1/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: I may have missed earlier parts to this thread, but have you considered adding all laptops to a group and then applying a laptops GPO at some higher level in the OU hierarchy, filtered by the group just mentioned? I would also re-assess the OU hierarchy and whether it is relevant and appropriate. If you encounter the need to link the same GPO in 50+ places, then perhaps the OU hierarchy needs to be revamped / re-designed. neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-WeidnerSent: 01 March 2006 08:11To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Link single GPO to multiple OUs using script or something Should be working - just create a example OU with the specific settings, adfind gPLink and gPOptions into variables (actually gPOptions: read it once and set it statically without reading in a variable) and use admod to write the gPLink and gPOptions-attributes of the other OUs. Ulf From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Wednesday, March 01, 2006 8:55 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Link single GPO to multiple OUs using script or something Thanx, I will test it out :-)moreover, I will see if I can create a combination of adfind and admod to achieve this.-- Kamlesh~Be the change you want to see in the World ~ On 2/28/06, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote: You can do this with a simple VBS, LDIF-Fileor whatever is convenientfor you tochange ADsince you only need to modify the gPLink- and gPOptions-Attributes. Look at the following example from the Technet Scriptcenter: http://www.microsoft.com/technet/scriptcenter/scripts/ad/ous/adouvb01.mspx Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile: http://mvp.support.microsoft.com/profile=""> From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Monday, February 27, 2006 11:12 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Link single GPO to multiple OUs using script or something Basically, we have 50 Location OUs each having different sub OUs for servers, desktops, laptops.My
Re: [ActiveDir] Link single GPO to multiple OUs using script or something
Thanks I looked at the _vbscript_ code, what it does is, takes the current links into variable and appends our new link at the end and reattaches the whole new bunch to OU again.I thought since admod has a feature of append (+,++ operators), I might not have to do the read current links + append-new + reattach. just appending might work. but it turns out gplink is single-value-attribute so have to follow the same route.I have gone ahead with _vbscript_ and modified to my requirement.At the same time I have the adfind+admod script also ready ( just to learn admod.exe better)-- Kamlesh~Be the change you want to see in the World~ On 3/1/06, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote: Should be working - just create a example OU with the specific settings, adfind gPLink and gPOptions into variables (actually gPOptions: read it once and set it statically without reading in a variable) and use admod to write the gPLink and gPOptions-attributes of the other OUs. Ulf From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Wednesday, March 01, 2006 8:55 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Link single GPO to multiple OUs using script or something Thanx, I will test it out :-)moreover, I will see if I can create a combination of adfind and admod to achieve this.-- Kamlesh~Be the change you want to see in the World ~ On 2/28/06, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote: You can do this with a simple VBS, LDIF-Fileor whatever is convenientfor you tochange ADsince you only need to modify the gPLink- and gPOptions-Attributes. Look at the following example from the Technet Scriptcenter: http://www.microsoft.com/technet/scriptcenter/scripts/ad/ous/adouvb01.mspx Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile: http://mvp.support.microsoft.com/profile=""> From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Monday, February 27, 2006 11:12 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Link single GPO to multiple OUs using script or something Basically, we have 50 Location OUs each having different sub OUs for servers, desktops, laptops.My problem is I want to apply policy to all laptops, but I don't have all laptops with XP, some are win2K.So can't use a WMI query to filter out dekstops and servers and create single policy. So only option left is create a policy and link it to so many OUs.Is it possible to link a single GPO to multiple OUs using script or utility like admod.exeThanks in advance-- Kamlesh~Be the change you want to see in the World~
Re: [ActiveDir] Mass AD Full Name Display Name Changes - Last name, first name
Currently, I am not near a DC, to test out the exact commands... but here goes the general process..* use adfind.exe or csvde.exe to create a delimited list of current users with required attributes.* Import this file into excel * create excel formula with displayname column as input and put the desired output into another column.* Verify that the resulting displayname is what you want.* export these changed displayname along with DN to text file * use dsmod.exe or admod.exe to run through this text file and update the required attribute.This approach will allow you to verify each change before they are made. Instead of relying on logic built into script to take care of conversion. Because you never know, when you stumble across exceptional case of value in attribute you are trying to change. e.g. what if someone's current fullname contains THREE words with TWO separating spaces because it also includes their middle name. You get the drift.-- Kamlesh~Be the change you want to see in the World~ On 3/2/06, Danny [EMAIL PROTECTED] wrote: My goal is to automate a process to change Full Name and Display Namefrom John Doe to Doe, John.I am not yet familiar with VB et alscripting, so assistance would be greatly appreciated if you propose ascripting solution. Thank you!...DList info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Phantom Account Locks
I would rather look at Event 644 and first make sure that account lockouts are happening from same machine, you are suspecting.Then I will take a look info from this page. http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx#ENAA--KamleshOn 2/28/06, AdamT [EMAIL PROTECTED] wrote:On 2/28/06, Susan Bradley [EMAIL PROTECTED] wrote: What's the security log say up on the server?The security log has several of these:Event ID 529Source: Security Category: Logon/LogoffType: FailureUser: NT AUTHORITY\SYSTEMComputer: SBS-DCReason: Unknown user name or bad passwordUsername: j.bloggsDomain: PC004Logon Type: 3Logon Process: NtLmSsp Authentication Package: NTLMWorkstation Name: PC004And some of these:Event ID: 681Source: SecurityCategory: Account LogonType: FailureUser: NT AUTHORITY\SYSTEMComputer: SBS-DCThe logon to account j.bloggs by:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: PC004 failed.The error code was: 3221225578(I looked that up, and the error code apparently means 'wrong password')And some of these: Event ID: 539Source: SecurityCategory: Logon/LogoffType: FailureUser: NT AUTHORITY\SYSTEMComputer: SBS-DCReason: Account locked outUser Name: j.bloggsDomain: PC004Logon Type: 3 Logon Process: NtLmSspAuthentication Package: NTLMWorkstation Name: PC004Thanks for the mention of the lockout tools - will give them a go.Cheers,--AdamT'Thank-you for not requesting read receipts' List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/-- ~ Be the change you want to see in the World~
Re: [ActiveDir] Each domain users to automatically be member of power users in their own computers
use restricted groups and make INTERACTIVE group member of power usersthat will give you desired effect.Only *Interactively* logged on user will be power user on that particular computer. Caveat: make sure you exclude domain controller from this policy. :-)--Kamlesh~Be the change you want to see in the World~ On 3/1/06, Irwan Hadi [EMAIL PROTECTED] wrote: Is there a way to make so that whenever a user logon to a computer,s/he will automatically be a member of that particular computer powerusers (or even administrators) but nobody else?The reason for this is because we have some specific applications which users will need to install in their own computer, and are notyet pushed thru group policy.I've looked at restricted group GPO, but it seems with RG GPO, eitherI will need to create individual GPO for each user, or I will need to create a group of users and put this group as power users, which thenmeans everybody will have power users access to each other computer inan organizational unit.ThanksList info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/--
Re: [ActiveDir] Link single GPO to multiple OUs using script or something
Thanx, I will test it out :-)moreover, I will see if I can create a combination of adfind and admod to achieve this.-- Kamlesh~Be the change you want to see in the World ~On 2/28/06, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote: You can do this with a simple VBS, LDIF-Fileor whatever is convenientfor you tochange ADsince you only need to modify the gPLink- and gPOptions-Attributes. Look at the following example from the Technet Scriptcenter: http://www.microsoft.com/technet/scriptcenter/scripts/ad/ous/adouvb01.mspx Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile: http://mvp.support.microsoft.com/profile=""> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Monday, February 27, 2006 11:12 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Link single GPO to multiple OUs using script or something Basically, we have 50 Location OUs each having different sub OUs for servers, desktops, laptops.My problem is I want to apply policy to all laptops, but I don't have all laptops with XP, some are win2K.So can't use a WMI query to filter out dekstops and servers and create single policy. So only option left is create a policy and link it to so many OUs.Is it possible to link a single GPO to multiple OUs using script or utility like admod.exeThanks in advance-- Kamlesh~Be the change you want to see in the World~
[ActiveDir] Link single GPO to multiple OUs using script or something
Basically, we have 50 Location OUs each having different sub OUs for servers, desktops, laptops.My problem is I want to apply policy to all laptops, but I don't have all laptops with XP, some are win2K.So can't use a WMI query to filter out dekstops and servers and create single policy. So only option left is create a policy and link it to so many OUs.Is it possible to link a single GPO to multiple OUs using script or utility like admod.exeThanks in advance-- Kamlesh~Be the change you want to see in the World~
Re: [ActiveDir] Stupid Group Policy CSE behavior
Thanx Darren for testing it out.Yes, I realize that setting deny for authenticated users stops everybody. and we want it that way, basically making hard for everyone including local administrator to play with that service. i.e. just a crude way to stop USB mass storage devices for ignorant users.Yes, it is a device driver *service*, I would have to manually edit the .inf file in sysvol to make it appear in GP Editor, plus I thought it would not make any difference, as security SCE also acts similar when encountered with problem. By the way, this is not the only setting which is changed, we try to change lot of things around usbstor service, including giving a false driver path, and since those are registry changes, it was decided to make the service config as registry change rather than putting it in system service settings. Still, I will try that option, and see the behavior of CSEs.--Kamlesh~Be the change you want to see in the World~On 2/24/06, Darren Mar-Elia [EMAIL PROTECTED] wrote: Ok. I will test that but it would be good to understand the scenario a little better. You do realize that by setting a Deny ACE for Auth. Users on the device/service, you are effectively preventing any access to that service, which would seem problematic in and of itself. The second point or question is, why would you not use the service security policy rather than registry policy to control this? I'm assuming its because you're trying to control a device rather than a real service? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Thursday, February 23, 2006 2:06 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Stupid Group Policy CSE behavior My point was just that particular CSE stops processing further GPs related to it, and not entire GP processing.This gives very inconsistent application of policy. One fine day, you find that all policies are working fine, and when next day you introduce new policy, which has settings no way related to earlier policies and it goes on to break unrelated policy. I will give you something to test...parent OU policy contains : DENY 'Authenticated Users' permission on one of the registry key(in my case USBSTOR service) ADM template which tries to change a value inside that registry key (making value start = 4) Child OU policy : is simply any setting from existing administrative templates (in my case WSUS policy)You would expect processing of both polices by Registry CSE, but in this case child policy won't be processed as registry CSE will fail while changing value specified in parent OU policy, due to restrictive permission. In another case it was mis-spelled file name, configured for file system security.-- Kamlesh~Be the change you want to see in the World~ On 2/23/06, Darren Mar-Elia [EMAIL PROTECTED] wrote: Well, it won't be the first time I've heard something about GP called stupid :). I suspect it depends upon how you think about this.Certain CSEs are more resilient than others. I honestly haven't come across your scenario but in a lot of cases, if a CSE fails to do something, GPprocessing will simply continue along. I will try to take a deeperlook at this and see if I can understand why that is happening. One thing I usually recommend is to stay away from using registry and/or file security policy to set perms. First of all, I find it kind of a klunky way to manage permissions. Secondly, if you do a lot of it in policy, it canreally slow down processing. I think its just better to manage security permissions on files and registry keys with a different, and more deterministic method. From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Wednesday, February 22, 2006 11:48 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Stupid Group Policy CSE behavior I had high hopes for group policy, but now it has started waning... Simply stated, what happens is ... you have different policies applying to machine. And say allpolicies contain different registry or security related settings. Now, whenat workstation registry or security CSE tries to process these settings... It willjuststop processing atfirst error itencountered and never process settings from remaining policies. so if registry CSE found that it has 10 values in registry to set and if it encountered error at5th, it will never go ahead and process 6 to 10. here is my case: I had set deny permission on one registry key in one policy and I was trying to change that setting from another policy. One would guess that, 2nd policy would simply fail and CSE would continue processing other polices which are no way related to this setting. But it
Re: [ActiveDir] Stupid Group Policy CSE behavior
My point was just that particular CSE stops processing further GPs related to it, and not entire GP processing.This gives very inconsistent application of policy. One fine day, you find that all policies are working fine, and when next day you introduce new policy, which has settings no way related to earlier policies and it goes on to break unrelated policy. I will give you something to test...parent OU policy contains : DENY 'Authenticated Users' permission on one of the registry key(in my case USBSTOR service) ADM template which tries to change a value inside that registry key (making value start = 4) Child OU policy : is simply any setting from existing administrative templates (in my case WSUS policy)You would expect processing of both polices by Registry CSE, but in this case child policy won't be processed as registry CSE will fail while changing value specified in parent OU policy, due to restrictive permission. In another case it was mis-spelled file name, configured for file system security.-- Kamlesh~Be the change you want to see in the World~ On 2/23/06, Darren Mar-Elia [EMAIL PROTECTED] wrote: Well, it won't be the first time I've heard something about GP called stupid :). I suspect it depends upon how you think about this.Certain CSEs are more resilient than others. I honestly haven't come across your scenario but in a lot of cases, if a CSE fails to do something, GPprocessing will simply continue along. I will try to take a deeperlook at this and see if I can understand why that is happening. One thing I usually recommend is to stay away from using registry and/or file security policy to set perms. First of all, I find it kind of a klunky way to manage permissions. Secondly, if you do a lot of it in policy, it canreally slow down processing. I think its just better to manage security permissions on files and registry keys with a different, and more deterministic method. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Wednesday, February 22, 2006 11:48 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Stupid Group Policy CSE behavior I had high hopes for group policy, but now it has started waning... Simply stated, what happens is ... you have different policies applying to machine. And say allpolicies contain different registry or security related settings. Now, whenat workstation registry or security CSE tries to process these settings... It willjuststop processing atfirst error itencountered and never process settings from remaining policies. so if registry CSE found that it has 10 values in registry to set and if it encountered error at5th, it will never go ahead and process 6 to 10. here is my case: I had set deny permission on one registry key in one policy and I was trying to change that setting from another policy. One would guess that, 2nd policy would simply fail and CSE would continue processing other polices which are no way related to this setting. But it doesn't. I have seen this for Registry and Security CSE. Thanks for listening :-)-- Kamlesh~Be the change you want to see in the World~
[ActiveDir] Stupid Group Policy CSE behavior
I had high hopes for group policy, but now it has started waning... Simply stated, what happens is ... you have different policies applying to machine. And say allpolicies contain different registry or security related settings. Now, whenat workstation registry or security CSE tries to process these settings... It willjuststop processing atfirst error itencountered and never process settings from remaining policies. so if registry CSE found that it has 10 values in registry to set and if it encountered error at5th, it will never go ahead and process 6 to 10. here is my case: I had set deny permission on one registry key in one policy and I was trying to change that setting from another policy. One would guess that, 2nd policy would simply fail and CSE would continue processing other polices which are no way related to this setting. But it doesn't. I have seen this for Registry and Security CSE. Thanks for listening :-)-- Kamlesh~Be the change you want to see in the World~
Re: [ActiveDir] Is the Directory Infected?
I have seen that one, I would guess, it came through Shared folder having everyone full access. Blakemal virus, turn any file it finds in shared folder into EXE. So, basically, if they had taken a output of some AD query and named file as full OU path.txt virus just loaded itself into it and renamed it to EXE. If Symantec definitions are up to date, they will most likely not find that file on server. It must have been moved to quarantine. So, either be paranoid and rebuild the DC or remove sharing of that folder and do a complete thorough scan of DC with latest def files. -- Kamlesh On 2/21/06, joe [EMAIL PROTECTED] wrote: The first thing I would do is find out if there actually is or was a file by that name on my DC. If there was the second thing I would do is find out where it came from and who put it there so I could process their termination paperwork. :o) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Noah EigerSent: Monday, February 20, 2006 3:01 PM To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Is the Directory Infected? An associate emailed me yesterday and asked if he should be concerned about this which popped up on his DC console from Norton AV Corp Edition: "Message from DC03 to DC01 on 2/19/2006. Virus Found!Virus name: [EMAIL PROTECTED] in DC01 CN=Schema,CN=Configuration,DC=company,DC=com-DC03.exe" I said yes, looks like you have a virus on your DC. But what is actually infected here? Is the Directory infected? And why does it list that as an exe? Thanks. - nme --No virus found in this outgoing message.Checked by AVG Free Edition.Version: 7.1.375 / Virus Database: 267.15.11/264 - Release Date: 2/17/2006 -- ~Be the change you want to see in the World~
Re: [ActiveDir] Authentication for kiosk machines - straw poll
Using Autologon from http://www.sysinternals.com/Utilities/Autologon.htmlIt hides the password using some windows API--Kamlesh On 2/16/06, Laura E. Hunter [EMAIL PROTECTED] wrote: So for those of you that need to put Internet kiosks in placesomewhere in your organization, in a lobby or a dining hall orsomething, how do you handle the initial authentication when thatmachine boots up?Hardcoding the account credentials in the Registry under the ~\Winlogon key?(Clear-text embedded password. Bleach.)Ordo you use a third-party add-on to make that bit go?Just curious to see what other people are doing.- Laura E. HunterMicrosoft MVP - Windows Server NetworkingAuthor: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/-- ~Be the change you want to see in the World~
Re: [ActiveDir] Permissions are resetting
Most common causehttp://support.microsoft.com/?id=817433On 2/2/06, Aguilar, Louis [EMAIL PROTECTED] wrote: Everyone, I've come across a problem with permissions in Active Directory. When Imodify a permission on a user account or when I delegate control to a user group the permission reset to the original setting. I've done some research, but have come up with nothing. Any input is appreciated. Please note that I'm running 2003 in Native Mode. Thanks, Louis NOTICE OF CONFIDENTIALITY This message, including attachments, is from Family Health Partners. This message contains information that may be confidential and protected by HIPAA Privacy Regulations. If you are not the intended recipient, promptly delete this message and notify the sender of the delivery error by return e-mail or call the FHP Compliance Department at 816-234-3946. You may not forward, print, copy, distribute or use the information in this message if you are not the intended recipient. -- ~Be the change you want to see in the World~
Re: [ActiveDir] OT: Cached credentials security
Does anyone have faster way to clean cached logon credential other than changing the value in registry for counter to 0 and restarting... --KamleshOn 2/1/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote: Cached credentials security in Windows Server 2003, in Windows XP, andin Windows 2000:http://support.microsoft.com/?kbid=913485List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/-- ~Be the change you want to see in the World~
Re: [ActiveDir] Active Directory Cleanup...
you can find all those server DNs in one shot using dsquery server and then remove the specific DN of your VS image and feed rest of them to ntdsutil. -- KamleshOn 1/25/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: you need to clean its metadata through NTDSUTILIf the DC in the test is a W2K3 SP1 DC you can do it like: Ntdsutil metadata cleanup remove selected serverServerObjectWhen using this command, specify the distinguished name (DN) path of the server object (ServerObject) of the domain controller whose metadata you want to remove. The server object is the parent of the NTDS settings object in the configuration container. For example, for the domain controller named DC1 located in the default-first-site-name of the contoso.com forest, the DN path of the server object would be cn=DC1,cn=servers,cn=default-first-site-name ,cn=configuration,dc=contoso,dc=com. If the DN path contains any spaces, enclose the entire DN path in quotes.cheers,jorge From: [EMAIL PROTECTED] on behalf of Frank AbagnaleSent: Wed 2006-01-25 17:33To: ActiveSubject: [ActiveDir] Active Directory Cleanup... Hi,I am in the process of recreating my AD environment. I have copied my VS image over to my test server, started it and and seized the roles/installed DNS etc.When I look in the Event Viewer, I have a lot of KCC error messages, when I go into AD Sites Services I have the 50 DC's in total in their own IP site.Because I will no longer have these DC's in existance in my test environment, can I just delete them, or would I need to go through ntdsutil and remove them...if I have to do this does anyone have a script to acheive this?FrankDo you Yahoo!?With a free 1 GB, there's more in store with Yahoo! Mail. http://us.rd.yahoo.com/mail_us/taglines/mailstorage/*http://mail.yahoo.com/This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.-- ~Be the change you want to see in the World~
Re: [ActiveDir] [List Owner] IE7 and ActiveDir
I just installed IE7 beta on XP SP2, and guess where I went first...activedir.org, when opened in IE7, redirects me to error.aspx page,And that page also doesn't show up completely.But If I go and see the source of the page, I can see lots of code there. -- Kamlesh On 1/19/06, AdamT [EMAIL PROTECTED] wrote: On 1/16/06, Rich Milburn [EMAIL PROTECTED] wrote: Server Error in '/' Application.Might be totally unrelated, but there was something similar mentioned recently at: http://discuss.jarretthousenorth.com/newsItems/departments/Microsoft--AdamTMaidenhead is *not* in Kent List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ -- ~Be the change you want to see in the World~
Re: [ActiveDir] OT: Gauging AD experience
Tell me about it !! Ifaced a situation where, network team proactively blocked port 139/445 for the fear of virile without any communication, and ADteam had not installed monitoring tools like sonar or ultrasoundso they were clueless how come policies are not applyinguniformly across locations. It took them some time to find out. Andthen AD teamstarted telnettingports required for AD to make sure they are open, and installed ultrasound, scheduled propagation tests to make sure it is propagating fully. But, network team was up to it, next time they rate limited 139/445 port, and graduallyAD team could seepropagation time becoming longer and longer. So, when I see Brian mention rate-limit commands for cisco,Ichuckle. :*) (Brian nothing wrong with rate-limit, just a cross-reference in my mind) -- Kamlesh On 1/21/06, Myrick, Todd (NIH/CC/DNA) [E] [EMAIL PROTECTED] wrote: In my experience, when good directories go bad, it is usually due to three things. Firewalls Firewalls Did I list firewalls? Runner ups would be ADC for Exchange, Clowns posing as Administrators, Clowns posing as DNS experts, Clowns posing as Security experts, and no disaster recovery solution. Todd Myrick Brushing off the dust of my MVP status.
Re: [ActiveDir] OT: Script Request - Restart Remote Service
Yup, SC \\remoteserver stop myservice SC \\remoteserver start myservice * Assumes user or app running SC has enought rights to manage service remotely. Note: It doesn't handle automanagement for dependent services, same as otherposted scripts I have _vbscript_ to handle dependent services as well (put somewhere, need to find) if you need it let me know -- Kamlesh On 1/20/06, Darren Mar-Elia [EMAIL PROTECTED] wrote: Sc.exe is an easy command-line utility for managing local and remoteservices. Comes with the OS. -Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED] ] On Behalf Of Mark ParrisSent: Friday, January 20, 2006 8:06 AMTo: ActiveDir.orgSubject: [ActiveDir] OT: Script Request - Restart Remote ServiceDoes anyone have a nice applet to enable the remote manual restart of a service on a server? The service permissions have been delegated as theapp that uses it is not very good and needs to be restarted numeroustimes a day - it never hangs so the inbuilt stuff is no good.I have had a look but can find no examples to achieve my end goal. Regards,MarkList info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspx List archive:http://www.mail-archive.com/activedir%40mail.activedir.org/List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/-- ~Be the change you want to see in the World~
Re: [ActiveDir] WebAdmin Tool Setup
I had a fleeting look at the main.asp page. I suppose, you are trying to create a new user and getting the error. Looking at the code it seems, it is trying to set some properties of user account, without setting the password first. So, if you have password policy with non-zero password length, you might get that error. I haven't tested it yet, but you will have to shuffle some code around there to make it work. -- Kamlesh On 1/16/06, Noah Eiger [EMAIL PROTECTED] wrote: Hello: I have been playing around with the WebAdmin (Build 13) tool that was posted to the list a few months ago. While I can get the basic site to work, I get some errors when trying to actual make a change (or add, delete, etc) to an object in the domain. I seem to be getting a lot of HTTP 500 errors which when I turn off the friend errors in IE, say: error '8007001f' /webadmin/Lib/Main.asp, line 1434 My Googles for that error do not turn up anything meaningful: lots of stuff about Windows Media Player and Windows 95. Any thoughts on what might be the problem? Thanks. -- nme -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.371 / Virus Database: 267.14.18/230 - Release Date: 1/14/2006 -- ~Be the change you want to see in the World~
Re: [ActiveDir] LDAPS SRV Records?
joe, Thanks for the link. As you mentioned, adding DNS server option turned out to be quite trickier, why not one server at a time. I know it makes sense to add/delete same records on multiple servers, but who says they can't be serialized. After all, it is not that time critical operation. For CLEAR switch, I was trying to say that, someone can accidentally delete ALL the records related to domain or site and make clients who are primarily pointing at that DNS server suffer, for the time those records are re registered/replicated back again. For config file, my idea was that, if you provide a way to specify server and read SRV operations from a file. (something like ldifde.exe). I could create a config file in which I could list down all the operations/records I want to manage. of course, this can be scripted and given to DNSSrvRec as command line options, but putting all together in a file where each operation is separated on single line, would give nice readability. (something like LDF file) Also, like adfind.exe if we can define some defaults for port,weight and ttl etc. in config file which are used for same RUN of the command. Currently what I am doing is, preparing a excel sheet containing all the sites in my forest and manually defining the priority order in which clients in each site will get authenticated by DCs (like first same site DCs, then nearest site DCs, basically making sure clients never have to look for generic SRV records). Afterwards based on this sheet, I will prepare a list of SRV records to create/delete on each DNS server and push those SRV records to respective servers. -- Kamlesh On 1/16/06, joe [EMAIL PROTECTED] wrote: Hi Kamlesh, you can get the initial version at http://www.joeware.net/win/free/tools/DNSSrvRec.htm.I posted it to the site last night and announced on my blog, there are over 50 downloadsalready which surprises me a bit. The initial version does not let you specify the DNS Server to make the change in. I had started to add it and backed out as I wanted to think over the whole SOA portion of it plus if I want to handle sending to multiple servers at the same time and how to handle the errors coming back. This is all I have for specifying specific servers at the moment, a commented out insertion to validate the command. // ValidOptions.push_back(Ldnssrv); // Which DNS Server(s) Not sure what you are hoping for out of the clear option in terms of forreal. The tool doesn't look records up first and then clear then one by one. It simply sendsa singleclear command for the DNS Name, that is an option for one of the functions. Having a forreal option would only basically echo what you sent in via the parameters. I might consider having it try to pull the record first and then display what would get wiped out. But that brings up even more questions on the specifyingmultiple DNS servers thoughts. Like what kind of ops are you talking about taking from a config file? Like a script of records to add? This could be an interesting idea. A script of generic records that you specify the actual host name to resolve to on the command line with. Of course this could easily be wrapped in a script or batch file as well initially. Download it and any other thoughts about it send my way. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Monday, January 16, 2006 1:59 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] LDAPS SRV Records? joe, nice work !!In fact, I was playing with dnscmd.exe for same purpose not for LDAPS but other authentication records...(If you remember the thread about custom SRV priority per dc per site basis.)I was planning for creating a HTA wrapper around dnscmd.exe for CLI-challenged. But I am not happy with the error reporting of dnscmd.exe, so was thinking of testing WMI class for DNS RR management, and now you created the utility. :-)I would like to register as pre-beta tester. :-)Looking at the current usage screen you provided, I have some queries top of my head.* Can we specify DNS server to make change on? (stupid of me to even suggest this. Just trying to make a redundant entry in your to-do list :-))* Can we have switch -FORREAL specially for clear option. (I know, DCs will recreate records in next refresh cycle, still there will be a resolution issue for a small period)* Can we have SRV operations taken from config file, like we have it for latest adfind.exe ?Just trying to participate :-)--Kamlesh On 1/15/06, joe [EMAIL PROTECTED] wrote: I couldn't sleep this evening so I decided to test the API calls below. They work fine. :o) I have a new utility that will clear, replace, delete, and add SRV records called DNSSrvRec. I need to test it a little more when I am more awake. eg F:\Dev\BDSCPP\DNSSrvRec\Debug_Buildnslookup -type=srv _ldaps._tcp.dc._msdcs.joe.comServer: 2k3dc01.joe.comAddress: 192.168.0.10
Re: [ActiveDir] LDAPS SRV Records?
joe, nice work !! In fact, I was playing with dnscmd.exe for same purpose not for LDAPS but other authentication records...(If you remember the thread about custom SRV priority per dc per site basis.) I was planning for creating a HTA wrapper around dnscmd.exe for CLI-challenged. But I am not happy with the error reporting of dnscmd.exe, so was thinking of testing WMI class for DNS RR management, and now you created the utility. :-) I would like to register as pre-beta tester. :-) Looking at the current usage screen you provided, I have some queries top of my head. * Can we specify DNS server to make change on? (stupid of me to even suggest this. Just trying to make a redundant entry in your to-do list :-)) * Can we have switch -FORREAL specially for clear option. (I know, DCs will recreate records in next refresh cycle, still there will be a resolution issue for a small period) * Can we have SRV operations taken from config file, like we have it for latest adfind.exe ? Just trying to participate :-) -- Kamlesh On 1/15/06, joe [EMAIL PROTECTED] wrote: I couldn't sleep this evening so I decided to test the API calls below. They work fine. :o) I have a new utility that will clear, replace, delete, and add SRV records called DNSSrvRec. I need to test it a little more when I am more awake. eg F:\Dev\BDSCPP\DNSSrvRec\Debug_Buildnslookup -type=srv _ldaps._tcp.dc._msdcs.joe.comServer: 2k3dc01.joe.comAddress: 192.168.0.10 *** 2k3dc01.joe.com can't find _ldaps._tcp.dc._msdcs.joe.com: Non-existent domain F:\Dev\BDSCPP\DNSSrvRec\Debug_BuildDNSSrvRec.exe /addrec _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com;_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636: 2k3dc01.joe.com AddSrvRec V01.00.00cpp Joe Richards ( [EMAIL PROTECTED]) January 2006 Adding _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com...Success.Adding _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com...Success. Results---Total Records To Update: 2Total Records Updated : 2Total Updates Failed : 0 The command completed successfully. F:\Dev\BDSCPP\DNSSrvRec\Debug_Buildnslookup -type=srv _ldaps._tcp.dc._msdcs.joe.comServer: 2k3dc01.joe.comAddress: 192.168.0.10 _ldaps._tcp.dc._msdcs.joe.com SRV service location: priority = 0 weight = 100 port = 636 svr hostname = 2k3dc02.joe.com_ldaps._tcp.dc._msdcs.joe.com SRV service location: priority = 0 weight = 100 port = 636 svr hostname = 2k3dc01.joe.com 2k3dc01.joe.com internet address = 192.168.0.10 F:\Dev\BDSCPP\DNSSrvRec\Debug_BuildDNSSrvRec.exe /delrec _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com;_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636: 2k3dc01.joe.com AddSrvRec V01.00.00cpp Joe Richards ([EMAIL PROTECTED] ) January 2006 Deleting _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com...Success.Deleting _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com...Success. Results---Total Records To Update: 2Total Records Updated : 2Total Updates Failed : 0 The command completed successfully. F:\Dev\BDSCPP\DNSSrvRec\Debug_Buildnslookup -type=srv _ldaps._tcp.dc._msdcs.joe.comServer: 2k3dc01.joe.comAddress: 192.168.0.10 *** 2k3dc01.joe.com can't find _ldaps._tcp.dc._msdcs.joe.com: Non-existent domain F:\Dev\BDSCPP\DNSSrvRec\Debug_Build Here is the current usage screen. I will relook at the API calls again tomorrow or Monday and decide if I want to add any more features. F:\Dev\BDSCPP\DNSSrvRec\Debug_BuildDNSSrvRec.exe /? AddSrvRec V01.00.00cpp Joe Richards ( [EMAIL PROTECTED]) January 2006 Usage:DNSSrvRec [switches] Switches: (designated by - or /) -clear xx Clear DNS SRV records with name xx Format xx - The format for xx is a semicolon delimited list of DNS names such as _ldaps._tcp.dom.com or _ldaps._tcp.dom.com;_ldaps._tcp.child.dom.com -replace yy Replace DNS SRV records with name yy -delrec yy Delete DNS SRV records with name yy -addrec yy Add DNS SRV records with name yy Format yy - The format for yy is a semicolon delimited list of DNS Records. Each DNS record has the format: aaa:bb:cc:dd:ee:fff aaa - DNS Name (_ldaps._tcp.dom.com) bb - TTL Value (300) cc - Priority (0) dd - Weight (100) ee - Port (636) fff - Host Name (somedc.dom.com) -delim Delimiter to separate values in DNS Record. -mrdelim Delimiter to separate multiple DNS Records. Notes: You can have multiple actions (add/delete/clear/replace) in a single command, they will be processed in the order clear, replace delete, and add. Ex1: DNSSrvRec -addrec _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com Add DNS SRV Record _ldaps._tcp.dc._msdcs.joe.com with TTL=600, priority=0, weight=100, port=636, and hostname of 2k3dc01.joe.com Ex2: (command is all one line) DNSSrvRec -addrec _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com; _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com Add 2 DNS SRV Records for
Re: [ActiveDir] Windows 2003 Server
I guess you will have to try the process explorer from www.sysinternals.com In that you can search for handle of the file, and corresponding process which is holding that handle. Try not to give full name of pdf, just give initial few letters. I have been to able to kill even the most critical services of windows with that, till now it has never disappointed. Alsohave you checked the permission on that file. -- Kamlesh On 1/6/06, Ellis, Debbie [EMAIL PROTECTED] wrote: I had already tried that and received the same error message as I did inExplorer-Original Message- From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris Sent: Thursday, January 05, 2006 3:28 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Windows 2003 ServerI have had this in Explorer and I have just fired up CMD and deleted them that way - with no issue. I know it sounds simplistic but it worked.Mark-Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rich MilburnSent: 05 January 2006 20:09To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Windows 2003 ServerI have seen this behavior too, but never got to the bottom of it.Iended up being pretty certain that antivirus software was locking itthough.I have also seen the OS itself lock files, when it's trying to show a preview or for other unknown reasons.Sometimes opening acommand prompt window to the file's parent folder, and then killingexplorer with task manager, enabled me to delete it.Good luckRich ---Rich MilburnMCSE, Microsoft MVP - Directory ServicesSr Network Analyst, Field Platform DevelopmentApplebee's International, Inc. 4551 W. 107th StOverland Park, KS 66207913-967-2819--I love the smell of red herrings in the morning - anonymous-Original Message- From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Ellis, Debbie Sent: Thursday, January 05, 2006 1:14 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Windows 2003 ServerI tried all and to no avail. The process could not be found. They are allpdf files and I can make a copy of them and am able to delete themwithoutproblems. Looks like I will have to reboot-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of joeSent: Thursday, January 05, 2006 11:44 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Windows 2003 ServerShoot over to sysinternals and look for their handle tool that will showyouwhat processes have handles open to files. You may not have a choice but to reboot if you can't find what isholdingthe files.-Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ellis, DebbieSent: Thursday, January 05, 2006 11:22 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Windows 2003 ServerThanks for the info, but it did not workThe pdf files did not show upasbeing in use.-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of joeSent: Thursday, January 05, 2006 10:22 AM To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Windows 2003 ServerYou can try this.On the file server run the commandNET FILE Look for the files in question. Write down the IDThen when you have the IDsNET FILE ID /CLOSEDEL FILEObviously replace ID with the ID from the NET FILE enumeration. From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED] ] On Behalf Of Ellis, DebbieSent: Thursday, January 05, 2006 10:03 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Windows 2003 Server There are a few pdf files that I can not delete on my file and printserver.I have domain admin permissions and the file is not read only.It givesmethe error messages that the file is in use. I don't want to reboot the server. Has anyone else had this problem and what was the solution?List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive:http://www.mail-archive.com/activedir%40mail.activedir.org/List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive:http://www.mail-archive.com/activedir%40mail.activedir.org/---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED /CONFIDENTIAL INFORMATION may be contained in this message or anyattachments.This information is strictly confidential and may be subject toattorney-clientprivilege. This message is intended only for the use of the named addressee. Ifyou are not the intended recipient of this message, unauthorized forwarding,printing, copying, distribution, or using such information is strictlyprohibited and may be unlawful. If you have received this in
Re: [ActiveDir] Enable Windows Integrated Authentication through GPO
I was testing the integrated authentication with IIS, and even though site was is local intranet, IE prompted for username and password on some machines and on some it didn't. I checked in Local Intranet security zone for user authentication option and sure it was enabled for intranet sites. And on investigation, on all the machine where it didn't work, I found that the same Windows integrated authentication was not ticked in Advanced option. I ticked it and it worked. So just putting it in local intranet might not work for this case. My Config : Desktops are XP SP2, IE 6 IIS 6 on Win2k3 SP1 On 1/4/06, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote: The IIS site must be set up to allow windows integrated authentication and not to allow anonymous access. By default the IE Security Zone "Local Intranet" is enabled to allow Integrated Authentication (while Trusted Sites does not), if you haven't changed that you can configure the systems in question to be within the local intranet zone. I don't know if you are able to change IEs settings per GPO, propably only if you created an ADM yourself, but you may be able to change it with IEAK. But that shouldn't be necessary if you use the correct security zones, and I'd recommend not enabling it for "Trusted Sites" or other Zones which are outside your DMZ. Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile: http://mvp.support.microsoft.com/profile=""> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A. Sent: Tuesday, January 03, 2006 8:26 PM To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org Subject: [ActiveDir] Enable Windows Integrated Authentication through GPO How does someone enable Windows Integrated Authentication through a Group Policy. You will find this on the Advanced tab of Internet Options. Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED] -- ~Be the change you want to see in the World~
Re: [ActiveDir] DNS SRV records
Yes ! Not only for remote site DCs but also for regional hub DCs too... -- Kamlesh On 12/31/05, Al Mulnick [EMAIL PROTECTED] wrote: If I understand you correctly, you can already control between local site and regional/central site authentication hierarchy through publication of records (as inbranch office scenario)but you want to further control which DC does authentication by controlling, in the event of failure in the local site, which hub it goes to? Is that correct? Al On 12/31/05, Kamlesh Parmar [EMAIL PROTECTED] wrote: 1) AFAIK, Site is a active directory specific concept, and AD is Directory (LDAP), Authentication server (Kerberos) etc. Theseservices are published by AD in DNS thru SRV records in _sites._msdcs for each site and it covers them all... (LDAP,DC,GC,Kerberos,Kpassword) so I was curious what applications would actually just read sitename from AD and look for a service not offered by DC in that site? AD based distributed applications (other than exchange) ? 2)DNS priorities, I know by default,its only possible per DC basis thru registry. I was hoping it was more customizable, even if it was not officially documented. Basically we do have hub and spoke stuff. We have centralhub and then at its spokes regionalhubs and at their spoke individual remote sites. (This is highly simplified,as there areload balancinglinks across regions, away from central hub, so I would say its a mashbetween center and regional sitesand than hub and spokes at region and remote sites) Now, in case of DC failure at remote site, clients would go to any regional or Central hub DC, and not necessarily its nearest regional hub DC. Withpriority only per DC basis, I would have to create mess of priorities to achieve whatI want. And it would be complex. One solution I thought was to publish regional hub DCs intheir spoke DCs with lower priority This would surely give me some control, on where remote sites go for authentication. But this would not help cover DC failure at region level. Basically, I want to totally control the list of DCs referred to clients at each site and in what order they are referred.So, per DC per Site priority setting would have been ideal. I am open toother possible solutions. -- Kamlesh On 12/31/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: _sites.dc._msdcs.DNSDomainName is for locating a DC (hence the _msdcs) that hosts a certain service in a certain site _sites.DnsDomainName is for locating a SERVER (does not need to be a DC) that hosts a certain service in a certain sitefor more info on service resource records see: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url="">DNS priorities are on a per DC basis, and not on a per DC per site basis. It is not possible to configure a different priority for the same DC covering another site.Why do you want to do that?if clients cannot find a DC in a site by querying for _ldap._tcp.SiteName._sites.DnsDomainName the client will search for a DC in the domain by querying for _ldap._tcp.dc._msdcs.DnsDomainNameIf you have a hub-and-spoke site topology it is OK to configure all spoke DCs (branches) NOT to register domain wide DC locator records and only let HUB DCs register those records JorgeFrom: [EMAIL PROTECTED] on behalf of Kamlesh ParmarSent: Fri 2005-12-30 22:42To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DNS SRV recordsFrom my limited knowledge of how AD uses SRV records, I have two queries.1) Why we need separate _sites.DnsDomainName child domain when we have_sites.dc._msdcs.DNSDomainName child domain populated? And I guess that only later is used by clients to find the site specific DC for authentication. Which other applications would need site specific but generic SRV records (former ones) ??2)How to publish DC1 in site1 into remote site site2 with different priority than its own site site1? i.e.DC1site1 priority=0DC1site2 priority=10DC2site1 priority=10DC2site2 priority=0By the way,Happy New Year to you all.--Kamlesh~ Be the change you want to see in the World~This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. -- ~Be the change you want to see in the World~ -- ~Be the change you want to see in the World~
Re: [ActiveDir] DNS SRV records
Thanks Jorge for so nicely putting it all together... This is what I was thinking as the simplest possible optimized configuration. So, thought lets put it across masters to knowall possibilities... -- Kamlesh On 1/1/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: what you could do is:* make sure only the main central hub registers domain wide and site wide DC locator records * make sure regional hubs only register site wide DC locator records and NOT domain wide DC locator records* make sure remote offices only register site wide DC locator records and NOT domain wide DC locator records * Leave the priority of the central hub DCs as is* Configure a higher priority value for regional hub DCs* Leave the priority of the remote site DCs as is* Configure regional hub DCs to additionally cover the corresponding lower remote sites This way:* If regional hub DCs fail clients/servers go to the main central hub when these query for DCs in the domain* If remote site DCs fail clients/servers will first go to the corresponding upper regional hub as these also cover the remote site and second these will go to the main central hub when these query for DCs in the domain This configuration could be realized using GPOs with group filtering or SUB OUs below to the Domain Controllers OU (one OU with DCs, all remote sites, that do not register domain wide DC locator records AND one OU per regional hub with DCs that do not register domain wide DC locator records, have a highher priority for the SRV RR and additionally cover the lower remote site) or site GPOs using WMI filtering or a combination of the what is mentioned Cheers,JorgeFrom: [EMAIL PROTECTED] on behalf of Kamlesh ParmarSent: Sat 2005-12-31 13:57 To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] DNS SRV records1)AFAIK, Site is a active directory specific concept, and AD is Directory (LDAP), Authentication server (Kerberos) etc. These services are published by AD in DNS thru SRV records in _sites._msdcs for each site and it covers them all... (LDAP,DC,GC,Kerberos,Kpassword) so I was curious what applications would actually just read sitename from AD and look for a service not offered by DC in that site? AD based distributed applications (other than exchange) ?2)DNS priorities, I know by default, its only possible per DC basis thru registry. I was hoping it was more customizable, even if it was not officially documented.Basically we do have hub and spoke stuff. We have central hub and then at its spokes regional hubs and at their spoke individual remote sites. (This is highly simplified, as there are load balancing links across regions, away from central hub, so I would say its a mash between center and regional sites and than hub and spokes at region and remote sites) Now, in case of DC failure at remote site, clients would go to any regional or Central hub DC, and not necessarily its nearest regional hub DC.With priority only per DC basis, I would have to create mess of priorities to achieve what I want. And it would be complex. One solution I thought was to publish regional hub DCs in their spoke DCs with lower priorityThis would surely give me some control, on where remote sites go for authentication. But this would not help cover DC failure at region level. Basically, I want to totally control the list of DCs referred to clients at each site and in what order they are referred.So, per DC per Site priority setting would have been ideal.I am open to other possible solutions. --KamleshOn 12/31/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: _sites.dc._msdcs.DNSDomainName is for locating a DC (hence the _msdcs) that hosts a certain service in a certain site _sites.DnsDomainName is for locating a SERVER (does not need to be a DC) that hosts a certain service in a certain site for more info on service resource records see: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=""> DNS priorities are on a per DC basis, and not on a per DC per site basis. It is not possible to configure a different priority for the same DC covering another site. Why do you want to do that? if clients cannot find a DC in a site by querying for _ldap._tcp.SiteName._sites.DnsDomainName the client will search for a DC in the domain by querying for _ldap._tcp.dc._msdcs.DnsDomainName If you have a hub-and-spoke site topology it is OK to configure all spoke DCs (branches) NOT to register domain wide DC locator records and only let HUB DCs register those records Jorge From: [EMAIL PROTECTED] on behalf of Kamlesh Parmar Sent: Fri 2005-12-30 22:42 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DNS SRV records From my limited knowledge of how AD uses SRV records, I have two queries. 1) Why we need separate _sites.DnsDomainName child domain when we have _sites.dc._msdcs.DNSDomainName child domain populated? And I guess that only later is us
[ActiveDir] OT: Windows Server 2003 Security guide Ver 2.0
Microsoft released a updated version of Win2k3 sec guide last week, Thisupdate adds post SP1 hardening recommendations, including usage of SCW for creating role based templates etc. Windows Server 2003 Security guide Ver 2.0http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4dbDisplayLang=en And its companion guide Threats and Countermeasures guide Ver 2.0 http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch00.mspx -- Kamlesh~Be the change you want to see in the World~
Re: [ActiveDir] DNS SRV records
1) AFAIK, Site is a active directory specific concept, and AD is Directory (LDAP), Authentication server (Kerberos) etc. Theseservices are published by AD in DNS thru SRV records in _sites._msdcs for each site and it covers them all... (LDAP,DC,GC,Kerberos,Kpassword) so I was curious what applications would actually just read sitename from AD and look for a service not offered by DC in that site? AD based distributed applications (other than exchange) ? 2)DNS priorities, I know by default,its only possible per DC basis thru registry. I was hoping it was more customizable, even if it was not officially documented. Basically we do have hub and spoke stuff. We have centralhub and then at its spokes regionalhubs and at their spoke individual remote sites. (This is highly simplified,as there areload balancinglinks across regions, away from central hub, so I would say its a mashbetween center and regional sitesand than hub and spokes at region and remote sites) Now, in case of DC failure at remote site, clients would go to any regional or Central hub DC, and not necessarily its nearest regional hub DC. Withpriority only per DC basis, I would have to create mess of priorities to achieve whatI want. And it would be complex. One solution I thought was to publish regional hub DCs intheir spoke DCs with lower priority This would surely give me some control, on where remote sites go for authentication. But this would not help cover DC failure at region level. Basically, I want to totally control the list of DCs referred to clients at each site and in what order they are referred.So, per DC per Site priority setting would have been ideal. I am open toother possible solutions. -- Kamlesh On 12/31/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: _sites.dc._msdcs.DNSDomainName is for locating a DC (hence the _msdcs) that hosts a certain service in a certain site _sites.DnsDomainName is for locating a SERVER (does not need to be a DC) that hosts a certain service in a certain sitefor more info on service resource records see: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url="">DNS priorities are on a per DC basis, and not on a per DC per site basis. It is not possible to configure a different priority for the same DC covering another site.Why do you want to do that?if clients cannot find a DC in a site by querying for _ldap._tcp.SiteName._sites.DnsDomainName the client will search for a DC in the domain by querying for _ldap._tcp.dc._msdcs.DnsDomainNameIf you have a hub-and-spoke site topology it is OK to configure all spoke DCs (branches) NOT to register domain wide DC locator records and only let HUB DCs register those records JorgeFrom: [EMAIL PROTECTED] on behalf of Kamlesh ParmarSent: Fri 2005-12-30 22:42To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] DNS SRV recordsFrom my limited knowledge of how AD uses SRV records, I have two queries.1) Why we need separate _sites.DnsDomainName child domain when we have_sites.dc._msdcs.DNSDomainName child domain populated?And I guess that only later is used by clients to find the site specific DC for authentication. Which other applications would need site specific but generic SRV records (former ones) ??2)How to publish DC1 in site1 into remote site site2 with different priority than its own site site1?i.e. DC1site1 priority=0DC1site2 priority=10DC2site1 priority=10DC2site2 priority=0By the way,Happy New Year to you all.--Kamlesh~ Be the change you want to see in the World~This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. -- ~Be the change you want to see in the World~
Re: [ActiveDir] WinXP activation problem
Ya, exactly... and their gmail.com account will give them nice conversational look at what they are doing. :-) By the way, I think I have seen answer for this kind of questions atMicrosoft public newsgroups at microsoft.com, look for setup and installation section in WinXP groups. -- Kamlesh On 12/31/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Aha! Amit did it! Perhaps you guys want to do this in private?Sincerely,Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Serviceswww.readymaids.com - we know ITwww.akomolafe.comDo you now realize that Today is the Tomorrow you were worried about Yesterday?-anon-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED] ] On Behalf Of Ravi DograSent: Friday, December 30, 2005 2:45 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] WinXP activation problemThanks Amit, I remember it was You who created those images and used sysprep and all.thanks for revealing the usage of 30 day trial version installation.Hope, will get some more such expert comments from your side. Thanks and RegardsRavi DograList info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ -- ~Be the change you want to see in the World~
[ActiveDir] DNS SRV records
From my limited knowledge of how AD uses SRV records, I have two queries. 1)Why we need separate _sites.DnsDomainName child domain when we have _sites.dc._msdcs.DNSDomainName child domain populated? And I guess that only later is used by clients to find the site specific DC for authentication. Which other applications would need site specific but generic SRV records (former ones)?? 2)How to publish DC1 in site1 into remote site site2 with different priority than its own site site1? i.e. DC1 site1 priority=0 DC1 site2 priority=10 DC2 site1 priority=10 DC2 site2 priority=0 By the way, Happy New Year to you all.-- Kamlesh~Be the change you want to see in the World~
Re: [ActiveDir] Display Specifier + Command Variables
If the batch file you provided is what you are using then it might not work... As ADUC will give DN of the object as command line argument to the script and iisftp.vbs requires username (samaccountname) of the user to work. so, VBS will be better in this case... ' *** Start Code Dim oUser1 Set oUser1 = getobject(wscript.arguments(0))oUser1.FTPDir = oUser1.samaccountnameoUser1.FTPRoot = \\hermes\Z Drives oUser1.SetInfo Set oUser1 = NothingSet ouserFTP = Nothing ' *** End Code -- Kamlesh On 12/24/05, Marc A. Mapplebeck [EMAIL PROTECTED] wrote: I need to propogate the FTPRoot and FTPDir fields in the user objects, they are not available through ADUC, only by using iisftp or a vbs. I am using FTP via IIS in AD Isolation Mode. From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Al MulnickSent: December 23, 2005 12:17 To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Display Specifier + Command Variables I'm still not clear on whether you want to do this for the homedrive attribute or if you are trying to do something else. Might just be a little dense (that sometimes happens around this time of year). You want to add a _vbscript_ to your ADUC so you can right click and enable some function that currently is not available, vs. using a script to enable it in bulk. Is that correct? I believe you want something similar to this, right? http://www.2000trainers.com/article.aspx?articleID=317page=2 On 12/23/05, Marc A. Mapplebeck [EMAIL PROTECTED] wrote: Sure, I was just using a batch file that called iisftp the context was iisftp username all Z drives are the homedir of the user stored on our hermes server in the share Z Drives, the purpose of this was to give users access to their homedir remotely. however, now that I want to use it from within AD Users Computers, I think I will have to rewrite it to set the variables using vbs. setftp.bat - IIsFtp /SetADProp %1 FTPDir %1IIsFtp /SetADProp %1 FTPRoot \\hermes\Z Drives- end I will probably end up using a .vbs that looks similar to this: setftp.vbs - Dim ouserFTPDir Dim ouserFTPDRootDim oUser1 Set oUserFTPDir = GetObject(ouser1(0)) Set oUserFTPRoot = \\hermes\Z Drives oUser1.SetInfo Set oUser1 = NothingSet ouserFTP = NothingWScript.Quit - end I'm actually teaching a class right now(yes, one of my students showed up for class the day before the holiday break starts, so I gave him a nice subnetting lab, I'm soo sadistic), so I do not have access to any of my reference/test servers, so this script will prolly crash on line 1. But, the general idea is there. From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Al MulnickSent: December 23, 2005 11:23To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Display Specifier + Command Variables Marc, can you post the code you're using? Cleaned up for internet consumption of course. Al On 12/23/05, Marc A. Mapplebeck [EMAIL PROTECTED] wrote: Hi all, I am working on setting up FTP in AD Isolation mode. I have writtena batch file that I run to enable a user on the FTP server, I would like to change this so that I can just right click on a user in AD Users Computersto do this, I have made the modification to the display specifier to callthe batch file, however, it is not passing what I want, does anybody know if/what the variable is for the CN of the user, or would it be just as easyto script this with VB instead? If so, does anybody already have a script ora model that can be used for this? Thanks - Marc List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ -- ~Be the change you want to see in the World ~
[ActiveDir] computer domain join process
As we know that, when a new machine tries to join the win2k/3 domain, it will first try a SRV query for _ldap._tcp.dc._msdcs.DnsDomainName and which ever DC is first in the list, it will connect to that DC and create account there and proceed for domain joining. This order of DCs in query result is not uniform, it changes every time you query. Now, If you have geographically dispersed DCs with long enough replication delay. This approach leads into trouble, as machine might have created account on remote DC and on next reboot it will try to find its account into local site DC, where it might not be present. This is also more troublesome in the case, I want to refresh the machine using Ghost, I will delete its account in local DC and after Ghost restore it will try to join the domain by connecting to any random DC, and in this case, remote DC might/might not have account depending on replication reached it in time. So one of the solution,is to use netdom.exe to join machines to domain, where at the command line we can target specific DC for joining process. This is the command we use, where, DOM = Domain to join DOMDC1 = nearest DC for that computer DOM\siteadmin = account with rights to join computer to domain netdom.exe join %computername% /domain:DOM\DOMDC1 /UD:DOM\siteadmin /PD:* /OU:%OU-2-CREATE-ACCOUNT-IN% /Reboot Now, my question, is why can't machine itself find the nearest DC to join, based on query to configuration NC for subnet/site mapping and then DNS query for DC in that particular site. (like normal domain client would do to find its nearest DC) After all we are providing a privileged account while domain joining, which computer can use to get the pertinent info. Also, is there better way to target joining computer towards its local DC. -- Kamlesh~Be the change you want to see in the World~
Re: [ActiveDir] Win32Shutdown Method Win2003
YUP, you should add 4, Here is some code Const LOGOFF = 0Const SHUTDOWN = 1Const REBOOT = 2Const FORCE = 4Const POWEROFF = 8For Each objPC In GetObject(winmgmts:{(shutdown)}).ExecQuery(Select * from Win32_OperatingSystem) objPC.Win32Shutdown LOGOFF + FORCENext On 12/15/05, Darren Mar-Elia [EMAIL PROTECTED] wrote: Devon- Are you getting an actual error or just that it doesn't work? I ran your script on my test W2003 box and it worked just fine. I ran it as administrator at the server's console. How are you running this script? At the console or in a TS session? The latter may be problematic. Also, you might want to try: objSystem.Win32Shutdown 4 which I think is forced logoff. That would get around issues where some process is preventing the normal logoff. Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, DevonSent: Wednesday, December 14, 2005 9:52 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Win32Shutdown Method Win2003 Same error From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Alain LissoirSent: Wednesday, December 14, 2005 11:26 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Win32Shutdown Method Win2003 On 2003? Or 2000? Hmmm ... can you try with this :) objWMILocator.Security_.Privileges.AddAsString SeRemoteShutdownPrivilege, True From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Harding, DevonSent: Wednesday, December 14, 2005 7:39 AMTo: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Win32Shutdown Method Win2003 I still get the same error running on a server: Generic Error It seem to be giving an error right at this point: objSystem.Win32Shutdown 0 Here is the whole script: Set objWMILocator = CreateObject (WbemScripting.SWbemLocator) objWMILocator.Security_.Privileges.AddAsString SeShutdownPrivilege, True Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, strUserID, strPassword) Set objSystemSet = GetObject(winmgmts:{impersonationLevel=impersonate,(Shutdown)}).InstancesOf(Win32_OperatingSystem) For Each objSystem In objSystemSet objSystem.Win32Shutdown 0 Next From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Alain LissoirSent: Wednesday, December 14, 2005 9:38 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Win32Shutdown Method Win2003 Have you tried your script as a plain admin on server? I wonder if it is not a question of privileges ... Try to add to your script the following before connecting to the Root\CIMv2 namespace. Then retry ... Set objWMILocator=CreateObject (WbemScripting.SWbemLocator) objWMILocator.Security_.Privileges.AddAsString SeShutdownPrivilege, True Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace,strUserID, strPassword) From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Harding, DevonSent: Wednesday, December 14, 2005 5:23 AMTo: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Win32Shutdown Method Win2003 This script is part of a another script that upon logon, checks certain registry values, then if the values are not set, the script then sets the value and logoff the current user. Like I said before, it works on Windows XP but not servers. Why? From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Steve ShaffSent: Tuesday, December 13, 2005 7:38 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Win32Shutdown Method Win2003 The shutdown command works. Give that a shot. S From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Harding, DevonSent: Tuesday, December 13, 2005 2:34 PMTo: ActiveDir@mail.activedir.org Subject: [ActiveDir] Win32Shutdown Method Win2003 I'm using the following script to logoff a workstation. It works fine on XP workstations but does not seem to work on Windows 2000/2003 servers. Any Ideas? Set objSystemSet = GetObject(winmgmts:{impersonationLevel=impersonate,(Shutdown)}).InstancesOf(Win32_OperatingSystem) For Each objSystem In objSystemSet objSystem.Win32Shutdown 0 Next Devon Harding Windows Systems Engineer Southern Wine Spirits - BSG 954-602-2469 __ This message and any attachments are solely for the intended recipientand may contain confidential or privileged information. If you are notthe intended recipient, any disclosure, copying, use or distribution ofthe information included in the message and any attachments isprohibited. If you have received this communication in error, pleasenotify us by reply e-mail and immediately and permanently delete thismessage and any attachments. Thank You. -- ~Be the change you want to see in the World~
Re: [ActiveDir] csv to ldf converter
I use similar approach, Put samid and other user fields in columns, then generate other columns as needed from existing column. like Displayname from FN and LN using formula =CONCATENATE(B2, ,C2) then at the end concatenate everything into single column using * as separator formula : =CONCATENATE(A2,*,B2,*,C2,*,D2) SamID FN LN DisplayName TextToCopy user1 User 1 User 1 user1*User*1*User 1 user2 User 2 User 2 user2*User*2*User 2 user3 User 3 User 3 user3*User*3*User 3 user4 User 4 User 4 user4*User*4*User 4 user5 User 5 User 5 user5*User*5*User 5 Then once ready with data, copy the content of last column into text file.(texttocopy.txt) and run batch file something like for /F Tokens=1-4 Delims=* %%A in (TexttoCopy.txt) do ( dsquery user -samid %%A | dsmod user -fn %%B -ln %%C -Display %%D ) I hope this helps -- Kamlesh ~ Be the change you want to see in the World ~ On 12/14/05, Phil Renouf [EMAIL PROTECTED] wrote: Gotcha, too bad because doing this sort of thing with admodify is great. What I've done in the past is use some excel formulas to build a dsmod command, then just put that in a batch file to update each user. Not pretty, but it works. Phil On 12/13/05, CHIANESE, DAVID [EMAIL PROTECTED] wrote: They are all caps and I want them proper case. Or actually management wants them that way. :) We have this: On 12/13/05, CHIANESE, DAVID [EMAIL PROTECTED] wrote: We want this: On 12/13/05, Chianese, David [EMAIL PROTECTED] wrote: From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Phil RenoufSent: Tuesday, December 13, 2005 2:02 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] csv to ldf converter How are your Display names formatted? Are they say: Firstname Lastname, or Lastname, Firstname? Are the first name and last name fields in the users populated and do they have the correct case? If so then AD Modify should fix that as you can tell it to build the Display Name from the Firstname and Lastname fields. If not then this won't help and I'll go back to what I was doing...actually either way I'll go back to what I was doing ;) Phil On 12/13/05, CHIANESE, DAVID [EMAIL PROTECTED] wrote: I just found that admodify.net cannot do what I want either. Basically if you look at my display name in e-mail here, it is all caps.. so... In a csvde directory export of all users and using a well known excel function (=proper(A1)) I am able to give proper case to each field I want to change. So I have that partdone, allDN, SN, CN and other capitalized fields have been reworked to proper case fields. The trouble I am having is converting the .csv file to .ldf so I can then modify these attributesin the directory using ldifde. If anyone would like to look at my current spreadsheet that does this conversion (well it used to anyway), I would be happy to send a copy off list. Scripting in Excel/VB is not my forte. Regards, Dave From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Brian DesmondSent: Tuesday, December 13, 2005 1:10 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] csv to ldf converter You could just use csvde to do the import/export if that's what you're trying to do…. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of CHIANESE, DAVIDSent: Tuesday, December 13, 2005 1:05 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] csv to ldf converter Would anybody have a handy csv to ldif macro for excel 2003? The one I have no longer functions. Even a .csv file to .ldf file conversion tool would help. TIA! Regards, Dave --
Fwd: [ActiveDir] csv to ldf converter
If you have already seen the attached mail, my apologies for duping. It seems, lately, gmail is creating problem, and not sending some of my replies.I have to go to, list archive and verify that, mail is sent to others, as well. -- Kamlesh -- Forwarded message --From: Kamlesh Parmar [EMAIL PROTECTED]Date: Dec 14, 2005 3:04 AM Subject: Re: [ActiveDir] csv to ldf converterTo: ActiveDir@mail.activedir.org I use similar approach, Put samid and other user fields in columns, then generate other columns as needed from existing column. like Displayname from FN and LN using formula =CONCATENATE(B2, ,C2) then at the end concatenate everything into single column using * as separator formula : =CONCATENATE(A2,*,B2,*,C2,*,D2) SamID FN LN DisplayName TextToCopy user1 User 1 User 1 user1*User*1*User 1 user2 User 2 User 2 user2*User*2*User 2 user3 User 3 User 3 user3*User*3*User 3 user4 User 4 User 4 user4*User*4*User 4 user5 User 5 User 5 user5*User*5*User 5 Then once ready with data, copy the content of last column into text file.(texttocopy.txt) and run batch file something like for /F Tokens=1-4 Delims=* %%A in (TexttoCopy.txt) do ( dsquery user -samid %%A | dsmod user -fn %%B -ln %%C -Display %%D ) I hope this helps -- Kamlesh ~ Be the change you want to see in the World ~ On 12/14/05, Phil Renouf [EMAIL PROTECTED] wrote: Gotcha, too bad because doing this sort of thing with admodify is great. What I've done in the past is use some excel formulas to build a dsmod command, then just put that in a batch file to update each user. Not pretty, but it works. Phil On 12/13/05, CHIANESE, DAVID [EMAIL PROTECTED] wrote: They are all caps and I want them proper case. Or actually management wants them that way. :) We have this: On 12/13/05, CHIANESE, DAVID [EMAIL PROTECTED] wrote: We want this: On 12/13/05, Chianese, David [EMAIL PROTECTED] wrote: From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Phil RenoufSent: Tuesday, December 13, 2005 2:02 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] csv to ldf converter How are your Display names formatted? Are they say: Firstname Lastname, or Lastname, Firstname? Are the first name and last name fields in the users populated and do they have the correct case? If so then AD Modify should fix that as you can tell it to build the Display Name from the Firstname and Lastname fields. If not then this won't help and I'll go back to what I was doing...actually either way I'll go back to what I was doing ;) Phil On 12/13/05, CHIANESE, DAVID [EMAIL PROTECTED] wrote: I just found that admodify.net cannot do what I want either. Basically if you look at my display name in e-mail here, it is all caps.. so... In a csvde directory export of all users and using a well known excel function (=proper(A1)) I am able to give proper case to each field I want to change. So I have that partdone, allDN, SN, CN and other capitalized fields have been reworked to proper case fields. The trouble I am having is converting the .csv file to .ldf so I can then modify these attributesin the directory using ldifde. If anyone would like to look at my current spreadsheet that does this conversion (well it used to anyway), I would be happy to send a copy off list. Scripting in Excel/VB is not my forte. Regards, Dave From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Brian DesmondSent: Tuesday, December 13, 2005 1:10 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] csv to ldf converter You could just use csvde to do the import/export if that's what you're trying to do…. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of CHIANESE, DAVIDSent: Tuesday, December 13, 2005 1:05 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] csv to ldf converter Would anybody have a handy csv to ldif macro for excel 2003? The one I have no longer functions. Even a .csv file to .ldf file conversion tool would help. TIA! Regards, Dave -- -- ~Be the change you want to see in the World~
Re: [ActiveDir] VBScript help(OT)
fileexists is a method for FSO object and you are attaching it to a folder object. Try fso.fileexistsOn 12/8/05, Tom Kern [EMAIL PROTECTED] wrote: Thanks alot!! I still can't get the rename to work. the script copies a bunch of eml files from a bunch of source sub folders. in those sub folders the files have duplicate names but because they are in sub folders, it doesn't matter until they are being copied to the single target folder. So i want to rename the file(keeping the ext) when it encounters the same file in the target. Here is what i have so far- source=c:\fsotarget=c:\tom\ Set fso = CreateObject(Scripting.FileSystemObject)set root=fso.getFolder(source)set targ=fso.getFolder(target) dim full doif targ.files.count=0 then full=falseif full=false then call folderlist(root)wscript.sleep 1000loop sub folderlist(grp)call filelist(grp)if full then exit subfor each fldr in grp.subFolders set nf=fso.GetFolder(fldr.path) call folderlist(nf) set nf=nothingnextend sub sub filelist(grp)for each file in grp.files if targ.files.count=999 then full=true:exit for if lcase(fso.getextensionname(file)) = eml then if targ.FileExists(file) then file=file + cstr(int(Rnd * 1000)) end if file.move targetend if nextEnd sub I always get the error- Object doesn't support this property or method:'targ.FileExists' I'm kinda at a loss here. thanks On 12/8/05, Rich Milburn [EMAIL PROTECTED] wrote: Tom, if lcase(fso.getextensionname(file)) = eml then file.move target --- Rich Milburn MCSE, Microsoft MVP - Directory ServicesSr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom KernSent: Thursday, December 08, 2005 6:33 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] _vbscript_ help(OT) isn't there a way to do it without passing the full path? i thought in my statement its implied that whatever file should be, it should look for an .eml ext. thanks On 12/8/05, Ken Schaefer [EMAIL PROTECTED] wrote: getExtensionName() requires you to pass it a filespec (a filename, or path to a file) If FSO.getExtensionName(c:\windows\clock.avi) = avi Then ' do foo Else ' do bar End If CheersKen From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom KernSent: Thursday, 8 December 2005 1:48 PM To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] _vbscript_ help(OT) Oops, I guess i didn't check my code. before i made any changes, i get Wrong number of arguments or invalid propery assignment:'fso.getextensionname'. sorry. I wonder why that is? On 12/7/05, Ken Schaefer [EMAIL PROTECTED] wrote: At the moment you have this line which does the copy:if lcase(fso.getextensionname) = eml then file.move targetSo, instead of doing the copy, check to see if the file exists at the target, and if not do the copy. If it does exist, rename the file at the source, thendo the copy.If LCase(FSO.getExtensionName ) = eml Then If objTarg.FileExists(strSourceFileName) Then ' Rename Source File End If ' Now do the copyEnd IfCheersKenFrom: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED] ] On Behalf Of Tom Kern Sent: Thursday, 8 December 2005 12:00 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] _vbscript_ help(OT) Thanks.My real problem is, I'm not sure where to put that in my exisiting scriptwithout screwing things upShould that be a seperate sub?Thanks againOn 12/7/05, Brian Desmond [EMAIL PROTECTED] wrote:I don't see the need for a select case, but File.Exists would help. What I would do is something like thisDim moveNamemoveName = CurrentNameOfFileWhile TargetFolder.FileExists (currentNameofFile)currentNameOfFile = currentNameofFile + Cstr(Int(Rnd * 1)) Wend'moveTheFile()Rnd*1000 will get you some random # 0 - 1000 int makes it an integer and cstrmakes it a string. Thanks,Brian Desmond [EMAIL PROTECTED]c - 312.731.3132From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern Sent: Wednesday, December 07, 2005 7:01 PMTo: activedirectory Subject: [ActiveDir] _vbscript_ help(OT)I have this _vbscript_ i wrote/stole tomove all files with an .eml extensionfrom many subdirs into a folder only if the folder is empty and only to move 999 at a time. it works great except when it sees files with duplicate names it bombs outwhile moving them.i'd like it to rename the dup(maybe add some random #'s or characters to theend) and continune movingall thefiles. I think I have to use FileExists method and Select...Case but I'm notsure how.Was wondering if anyone could help me with this.Here is the
Re: [ActiveDir] VBScript help(OT)
instead of creating random, what I had done was create a for loop, say 1..1 (fairly high number to get the unique name) and append that number if file exists in target, if not exists go ahead and append that number to filename for destination and exit the loop otherwise continue to next number You will have to cut the filename into name and extension, so that u can append the number to name and keep extension. something like if FSO.FileExists(file) then for iSuff = 1 to 1 'cut filename into name and extn (can use revinstr function to find position of . searching from right) if not FSO.fileexists (name iSuff . extn) then newname = name iSuff . extn exit for end if next end if On 12/8/05, Tom Kern [EMAIL PROTECTED] wrote: Thanks alot!! Unfortuantely it only seems to work when i ran it the first time. if i kill it and run it again and it encounters a duplicate file in the source dir it throws an error-file already exisits. will it only work in one shot? thanks On 12/8/05, Rich Milburn [EMAIL PROTECTED] wrote: Replace your last sub: sub filelist(grp) for each file in grp.files if targ.files.count=999 then full=true:exit for if lcase(fso.getextensionname(file)) = eml then set objFile = fso.getfile(file) arrFileName = Split(objfile.Name,.) oldname = arrFileName(0) ext = arrFileName(1) if fso.FileExists(target objFile.Name) then newfile=oldname cstr(int(Rnd * 1000)) . ext Else newfile=objFile.Name end if wscript.echo newfile fso.MoveFile file,target newfile end if next End sub --- Rich Milburn MCSE, Microsoft MVP - Directory ServicesSr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom KernSent: Thursday, December 08, 2005 9:24 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] _vbscript_ help(OT) Thanks alot!! I still can't get the rename to work. the script copies a bunch of eml files from a bunch of source sub folders. in those sub folders the files have duplicate names but because they are in sub folders, it doesn't matter until they are being copied to the single target folder. So i want to rename the file(keeping the ext) when it encounters the same file in the target. Here is what i have so far- source=c:\fsotarget=c:\tom\ Set fso = CreateObject(Scripting.FileSystemObject)set root=fso.getFolder(source)set targ=fso.getFolder(target) dim full doif targ.files.count=0 then full=falseif full=false then call folderlist(root)wscript.sleep 1000loop sub folderlist(grp)call filelist(grp)if full then exit subfor each fldr in grp.subFolders set nf=fso.GetFolder(fldr.path) call folderlist(nf) set nf=nothingnextend sub sub filelist(grp)for each file in grp.files if targ.files.count=999 then full=true:exit for if lcase(fso.getextensionname(file)) = eml then if targ.FileExists(file) then file=file + cstr(int(Rnd * 1000)) end if file.move targetend if nextEnd sub I always get the error- Object doesn't support this property or method:'targ.FileExists' I'm kinda at a loss here. thanks On 12/8/05, Rich Milburn [EMAIL PROTECTED] wrote: Tom, if lcase(fso.getextensionname(file)) = eml then file.move target --- Rich Milburn MCSE, Microsoft MVP - Directory ServicesSr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom KernSent: Thursday, December 08, 2005 6:33 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] _vbscript_ help(OT) isn't there a way to do it without passing the full path? i thought in my statement its implied that whatever file should be, it should look for an .eml ext. thanks On 12/8/05, Ken Schaefer [EMAIL PROTECTED] wrote: getExtensionName() requires you to pass it a filespec (a filename, or path to a file) If FSO.getExtensionName(c:\windows\clock.avi) = avi Then ' do foo Else ' do bar End If CheersKen From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom KernSent: Thursday, 8 December 2005 1:48 PM To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] _vbscript_ help(OT) Oops, I guess i didn't check my code. before i made any changes, i get Wrong number of arguments or invalid propery assignment:'fso.getextensionname'. sorry. I wonder why that is? On 12/7/05, Ken Schaefer [EMAIL PROTECTED] wrote:
Re: [ActiveDir] AD related? not really...
Yes it encrypts the password ! I didn't see the password I entered into registry key mentioned in KB. -- KamleshOn 12/2/05, Mitch Reid [EMAIL PROTECTED] wrote: It claims it does although I have not verified it. I suppose you could check the registry referenced in: http://support.microsoft.com/?kbid=315231 On 12/1/05, AD [EMAIL PROTECTED] wrote: Thanks Mitch, Very interesting. The source code is different then the actual executable. I sending an email to the developer. Hopefully he will reply. You wouldn't know if it encrypts the password would you? Yves From: Mitch ReidSent: Thu 01/12/2005 10:57 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] AD related? not really... Sysinternals has a free utility that will automate the process: http://www.sysinternals.com/Utilities/Autologon.html On 12/1/05, AD [EMAIL PROTECTED] wrote: We have workstation that are not added to the domainand are configured to autologin. The username and password are duplicated on our domain which allows the local accountto use network resources. We would like to join the workstation to the domain (to many advantages to explain why) and eliminate the local account and modify the autologin to use a domain username and password. This causes a problem as the username and password is stored in the registry as plain text. Asanyone everhad to deal withthis scenario? I have found the following articles (below) that describe that the Autologon password can either be plain text in the registry (Winlogon key) OR encrypted into a Local Security Authority (LSA) secret. Does anyone knowto use these functions to encrypt the username and passwordin the registry? http://www.microsoft.com/technet/security/tools/mbsa1/wp.mspx (Autologon section) http://msdn.microsoft.com/library/default.asp?url=""> -- ~~~Fortune and Love befriend the bold~~~
Re: [ActiveDir] FSMO role transfer
Actually, I wanted to ask, how messy it can become in a scenario where admin didn't transfer the roles, and went about maintenance, found it didn't work out and time is running out, so let me seize the role, (its only trivial command). And meanwhile, the first role holder is back into network and declaring the ownership. And this ownership war went unnoticed by admin for a day or two. What kind of trouble we can expect? anything role specific? on replication ? on authentication ? on overall health of AD? I think, asking answering questions along the same line, would surely put the decision into more perspective. - Kamlesh ~~~ Fortune and Love befriend the bold ~~~On 12/1/05, joe [EMAIL PROTECTED] wrote: I am not completely on board with a seize being trivial.Sure it is trivial in the act of doing it, but do you fully understand whatis going on under the covers? With a FSMO transfer you are going from aknown state to a known state in a controlled fashion. The new roleholder can talk to the old roleholder and understand EXACTLY what is going on so have aseamless move. A seize is going from an unknown state to a known state. Fora role that doesn't have a state to worry about which is most of them, that is fine. But the RID master definitely has state and to a lesser extent sodoes the PDC master. Seizing a role isn't just a simple matter of popping ina value into an attribute and saying Done!. Well it could be, but you could get burned if that is all you do.I agree that it will be tough to convince one group to do something theother way. I do hope though that people think about what has been writtenand don't think seizing a role is trivial because the command to do it is easy to run. I am glad it is easy, the last thing you want is for a hardprocess to be required to rescue your system when you have issues.On the comment that transferring roles isn't a normal operating procedure. Maybe not in some places but it is a perfectly normal operating procedure,certainly more standard or normal than a seize. Transferring the PDC role inNT could be a bit painful at times but it is easy as pie in AD. I recall having a couple of occasions in the very beginning (first half 2000) where Igot a trifle nervous at first from previous NT issues but quickly got overit. I don't think twice about moving roles. Heck we didn't even have to submit change control for that, we would just move the roles and send anemail to the change list saying it had been done. It was considered SOP formaintaining domain operations.Finally and the last I will say about it... for the longest time and maybe even still I haven't looked lately MS said that the seize was the course oflast resort, use it when the transfer fails. I realize MS warns about a lotof things but usually they have some basis for doing so. And if that isn't enough... if seizing roles was such a non-item, why wouldn't you just have aseize operation? Why have a transfer and a seize and cause this confusion?If they were the same, wouldn't you just have a single move the role button and no other mechanism whatsoever?-Original Message-From: [EMAIL PROTECTED][mailto: [EMAIL PROTECTED]] On Behalf Of Figueroa, JohnnySent: Wednesday, November 30, 2005 4:53 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] FSMO role transfer I think what was meant about the trivial part is around the seizing of theroles not the transfer. I would love to have much of the ntdsutilfunctionality built into the UI, even if at some point it requires you to reboot/restore, whatever.I don't think either camp is going to convince the other that you should orshouldn't transfer roles prior to some maintenance. It is almost apersonality thing. I prefer not to transfer the role and deal with the possibility that I may need to seize it, on the rare case that somethinggoes drastically wrong that I can not recover from before the role isactually needed. You architected the roles on specific DCs for a reason, if I forget to move it back I may end up with a DC hosting a role for a longtime that I never meant to. Also, I don't consider transferring roles aroundpart of the normal operating procedures.But that's just me. Thanks-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED] ] On Behalf Of Cace, AndrewSent: Wednesday, November 30, 2005 2:26 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] FSMO role transferIt is available in the AD snap-ins.In AD Domains Trusts, you can transfer the Domain Naming master by right-clicking the name of the snap-inin tree-view and choosing Operations Master.In ADUC, right-click the nameof the domain and choose Operations Master to transfer the RID, PDC, and Infrastructure masters.In the Schema Management snapin, you can transferthe Schema master by right-clicking Active Directory Schema and choosingOperations Master.Next question...Why isn't there a single place to click all of these?
Re: [ActiveDir] GC list
Since no one has mentioned, I will put extra one... I am a fan of DS* commands...so To find all DCs in forest dsquery server -forest -o rdn To find all GC in forest dsquery server -forest -isgc -o rdn -- Kamlesh On 11/30/05, Tomasz Onyszko [EMAIL PROTECTED] wrote: Harding, Devon wrote: What's the easiest way to get a list of ALL my DC's and GC's in my forest along with IP address?Quickest way will be to use nslookup:nslookup -q=SRV _ldap._tcp.dc._msdcs.domain - for DCs nslookup -q=SRV _ldap._tcp.gc._msdcs.domain - for GCs--Tomasz Onyszkohttp://www.w2k.plList info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ -- ~~~Fortune and Love befriend the bold~~~
Re: [ActiveDir] Removing foreign accounts
just curious, How do we know, where that FSP is used in AD. If FSP is member of any group we can find them using memberof attribure of FSP. But, If that is not populated, it might be the case that, someone directly and stupidly gave that FSP some right somewhere. How do we find that?On 11/23/05, joe [EMAIL PROTECTED] wrote: Go into the ForeignSecurityPrincipals container and delete all of the FSPs that exist from the old NT4 domain. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ahmed Al-AwahSent: Tuesday, November 22, 2005 5:30 PMTo: 'ActiveDir@mail.activedir.org'Subject: [ActiveDir] Removing foreign accounts Hello all, Until recently we had two domains, a W2K domain and a WinNT4 domain. I've managed to finally shut downthe Windows NT4 domain. However, given our previous setup and the trust relationships that existed between both domains I'm left with several users from the old domain in AD groups on our primary Windows 2K Domain. I was wondering if anyone had a script that would remove users from a particular domain fromanother domain's groups (removing all NT4 accounts from the W2K domain groups)? The reason I'd like to do this is because everytime we attempt to access a group in AD with members from the previous domain we recieve an error stating that some of the names cannot be shown in user-friendly form which is primarily due to the fact that the previous domain has been shutdown. I've searched the MS Script Repository to no avail. Any help is appreciated. Cheers,Ahmed -- ~~~Fortune and Love befriend the bold~~~
[ActiveDir] Find originating DC for password change
How do I find out, on which DC password for a particular user was changed or reset. I know, if account management auditing is enabled, I will get a event 627 or 628. But what if I have large number of DCs? and I don't have monitoring app like MOM ? Last I checked, I was not able to see any metadata info for password using repadmin Which is the first command I run for finding the originating DC for any change. I use following command repadmin /showobjmeta DCNAME UserDN-- Kamlesh~~~Be the change you want to see in the World~~~
Re: [ActiveDir] Internet Explorer Home Page Question
Nice to know, that it worked out for you. I also tried using the /delete to delete the group but if the person isnt in that group the script just hangs.I am just curious, Why would u delete the group? also why you require password in the script ? If you just give add/remove self as member accessit doesn't work thru GUI. You have to specifically go to propery level permission and assign WRITE access on members attribute,then members will be able to manage their membership of group. Give that right to SELF security principal. (I just tested that again) Also, one caveat, If you have an AD2000 forest or an AD2003 forest running on the Windows 2000 functional level, you should take into account the following warning: If you delegate group management to members, it might create problem if user update their membership on different DC.All members of a group are stored in one multivalued property. If that member list is modified on two domain controllers simultaneously (within replication latency), one of the two changes will be lost. - Kamlesh On 11/22/05, Craig Gauss [EMAIL PROTECTED] wrote: Been working on this one most of the day.have it sort of working. Needed to use CPAU from joeware, but there is one problem. The password is displayed in the batch which is pretty much unsecure and goes against any password policy. Anyways, I have it adding the user to the correct group upon logon. It takes a little while though for the user to show in the group. I also tried using the /delete to delete the group but if the person isnt in that group the script just hangs. From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Micheal S. MandSent: Monday, November 21, 2005 11:46 AMTo: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Internet Explorer Home Page Question Craig, Quoting what Kamlesh said before your email: "To remove logged-in user, I would use something likeif new-users is Domain Local group then net localgroup new-users %username% /delete /domainif new-users is Domain Global group then net group new-users %username% /delete /domain" His email was sent 11/19/2005 10:37 AM. If you didn't get it I can forward that to you. Thanks, Micheal -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Craig GaussSent: Monday, November 21, 2005 9:09 AM To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Internet Explorer Home Page Question How would you go about removing the user from the group in a login script? From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Friday, November 18, 2005 12:11 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Internet Explorer Home Page Question Building on what James said,You can make it automatic, create a group New-Users and assign the intranet homepage GPO to this group. and importantly, Allow members to remove themselves from group. When you create a new user, just make her member of this group.Make a login script, in the same GPO, which will remove the logged in user from this group. When user logs in first, time, she is member of this New-Users group, so this GPO applies and her homepage is set to intranet.At the same time, login script runs and removes user from that group. This makes sure that, this GPO is never applied again, as user no longer member of New-Users group. And intranet was set for first login only. -Kamlesh On 11/18/05, Blair, James [EMAIL PROTECTED] wrote: Michael, You could create a new user security group and a GPO for the homepage. Use security filtering so that group only gets the policy. Remove the new users from the group after x days. James From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Brian DesmondSent: Friday, 18 November 2005 12:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Internet Explorer Home Page Question How about a logon script to take care of this? Check for a HKCU key/value. If it's not there, assume it's the first logon and set their homepage and then set the homepage. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Micheal S. MandSent: Thursday, November 17, 2005 6:37 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Internet Explorer Home Page Question Hello, I just joined the list, so forgive me if this has been answered already. I've been put to the task of using AD to set the home page of all NEW users to our company intranet, but not override the current user's settings. We want this to happen automatically because we are usually creating new users with little notice, and very little time to make the account active. I've searched and searched all over existence for something related to this, and so far have only come up with some hacks to permanently set every user's home page the same. We want users to be able to change this home page if they wish,
Re: [ActiveDir] Internet Explorer Home Page Question
Ya, it shouldn't matter, logon / logoff ? To remove logged-in user, I would use something like if new-users is Domain Local group then net localgroup new-users %username% /delete /domain if new-users is Domain Global group then net group new-users %username% /delete /domain - Kamlesh On 11/19/05, Micheal S. Mand [EMAIL PROTECTED] wrote: I have a question: What if, instead of using a logon script, you used a logoff script? Would that affect anything? Also, does anyone know the correct syntax to remove a user from an AD group in a logon/logoff script? I'm not really a programming junkie unless it comes to the web. Thanks again, Micheal -Original Message- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Micheal S. Mand Sent: Friday, November 18, 2005 3:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Internet Explorer Home Page Question Thanks all. I'll try these then send you the results. One of them is bound to work. Micheal -Original Message- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar Sent: Friday, November 18, 2005 11:11 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Internet Explorer Home Page Question Building on what James said, You can make it automatic, create a group New-Users and assign the intranet homepage GPO to this group. and importantly, Allow members to remove themselves from group. When you create a new user, just make her member of this group. Make a login script, in the same GPO, which will remove the logged in user from this group. When user logs in first, time, she is member of this New-Users group, so this GPO applies and her homepage is set to intranet. At the same time, login script runs and removes user from that group. This makes sure that, this GPO is never applied again, as user no longer member of New-Users group. And intranet was set for first login only. - Kamlesh On 11/18/05, Blair, James [EMAIL PROTECTED] wrote: Michael, You could create a new user security group and a GPO for the homepage. Use security filtering so that group only gets the policy. Remove the new users from the group after x days. James From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Brian Desmond Sent: Friday, 18 November 2005 12:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Internet Explorer Home Page Question How about a logon script to take care of this? Check for a HKCU key/value. If it's not there, assume it's the first logon and set their homepage and then set the homepage. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Micheal S. Mand Sent: Thursday, November 17, 2005 6:37 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Internet Explorer Home Page Question Hello, I just joined the list, so forgive me if this has been answered already. I've been put to the task of using AD to set the home page of all NEW users to our company intranet, but not override the current user's settings. We want this to happen automatically because we are usually creating new users with little notice, and very little time to make the account active. I've searched and searched all over existence for something related to this, and so far have only come up with some hacks to permanently set every user's home page the same. We want users to be able to change this home page if they wish, without it resetting every time they log in to their machine. If they log into a new machine, we could also set the home page to the intranet, but this isn't as necessary. Has anyone even heard of doing anything like this? Is it even possible? Thanks in advance, Micheal S.Mand Network Administrator Applied Research Associates, Inc. Email: [EMAIL PROTECTED] http://www.ara.com -- ~~~ Fortune and Love befriend the bold ~~~ -- ~~~Fortune and Love befriend the bold~~~
Re: [ActiveDir] VBS script to set/clear inheritance of AD objects
Building on what Jorge provided, I have created a small batch + vbsript combo, which takes care of setting inheritance flag and admincount=0 for all unprotected accounts. My basic algorithm is, * Find out all the nested members of protected groups (protgrps.txt) * Find out all the users and groups account with admincount=1 (megalist.txt) * Remove accounts which are protected according to protgrps.txt from megalist.txt and put into needtochange.txt * Feed this needtochange.txt to _vbscript_ which will set Inheritance flag and admincount=0 I have attached both the batch file and _vbscript_ as TXT files. Feel free to test it and suggest improvements. - Kamlesh On 11/17/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: As 2 forum members had questions how to script enabling inheritance on AD objects,I have put info about it on my blog - http://blogs.dirteam.com/blogs/jorge/archive/2005/11/16/86.aspxhave fun with it!Cheers,JorgeThis e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ -- ~~~Fortune and Love befriend the bold~~~ @echo off Title Reset Unprotected groups and users... REM *** Put members of protected groups into protgrps.txt Echo Collecting Protected Group membership ... dsquery group -samid administrators | dsget group -members -expand protgrps.txt dsquery group -samid Domain Admins | dsget group -members -expand protgrps.txt dsquery group -samid Enterprise Admins | dsget group -members -expand protgrps.txt dsquery group -samid Schema Admins | dsget group -members -expand protgrps.txt dsquery group -samid Backup Operators | dsget group -members -expand protgrps.txt dsquery group -samid Server Operators | dsget group -members -expand protgrps.txt dsquery group -samid Account Operators | dsget group -members -expand protgrps.txt dsquery group -samid Print Operators | dsget group -members -expand protgrps.txt dsquery group -samid Cert Publishers | dsget group -members -expand protgrps.txt dsquery group -samid Replicator | dsget group -members -expand protgrps.txt REM *** Put TOP level protected groups into protgrps.txt REM *** user account krbtgt is also protected (KB : 817433) dsquery user -samid krbtgt protgrps.txt dsquery group -samid administrators protgrps.txt dsquery group -samid Domain Admins protgrps.txt dsquery group -samid Enterprise Admins protgrps.txt dsquery group -samid Schema Admins protgrps.txt dsquery group -samid Backup Operators protgrps.txt dsquery group -samid Server Operators protgrps.txt dsquery group -samid Account Operators protgrps.txt dsquery group -samid Print Operators protgrps.txt dsquery group -samid Cert Publishers protgrps.txt dsquery group -samid Domain Controllers protgrps.txt dsquery group -samid Replicator protgrps.txt REM *** Now find the groups and users with attribute admincount=1 into megalist.txt Echo Collecting groups and users with admincount=1 ... dsquery * -filter (|(objectcategory=user)(objectcategory=group))(admincount=1) -l -attr distinguishedname -limit 0 Megalist.txt REM *** Now search for each entry of megalist into protgrps.txt, REM *** If not found then we should reset that entry REM *** so put it in separate file : needtochange.txt Echo separating groups and users who need to be unprotected ... del needtochange.txt /q /f SETLOCAL ENABLEDELAYEDEXPANSION for /F Tokens=* skip=1 %%A in (megalist.txt) do ( find /i %%A protgrps.txt nul if !ERRORLEVEL! neq 0 echo %%A needtochange.txt ) REM *** Now we will feed this needtochange.txt to our VBScript, REM *** which will set inheritance flag and admincount=0 Echo Setting inheritance flag and admincount=0 ... cscript ResetUnprotected.vbs needtochange.txt Echo Done ' '* '* File: ResetUnprotected.vbs '* Created:November 2005 '* Version:1.0 '* '* Main Function: For all accounts specified in argument file '* enables the inheritance flag and Resets admincount to 0 '* ' Const SE_DACL_PROTECTED = 4096 On Error Resume Next '// Verify command line argument is provided If WScript.Arguments.Count 1 Then WScript.Echo ERROR: No filename specified as command line argument WScript.Quit 1 Else '// Read content of the file specified on commandline and put its content in Array Dim oFile, oFSO,ArrObjects Set
Re: [ActiveDir] Internet Explorer Home Page Question
Building on what James said, You can make it automatic, create a group New-Users and assign the intranet homepage GPO to this group. and importantly, Allow members to remove themselves from group. When you create a new user, just make her member of this group. Make a login script, in the same GPO, which will remove the logged in user from this group. When user logs in first, time, she is member of this New-Users group, so this GPO applies and her homepage is set to intranet. At the same time, login script runs and removes user from that group. This makes sure that, this GPO is never applied again, as user no longer member of New-Users group. And intranet was set for first login only. - KamleshOn 11/18/05, Blair, James [EMAIL PROTECTED] wrote: Michael, You could create a new user security group and a GPO for the homepage. Use security filtering so that group only gets the policy. Remove the new users from the group after x days. James From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Brian Desmond Sent: Friday, 18 November 2005 12:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Internet Explorer Home Page Question How about a logon script to take care of this? Check for a HKCU key/value. If it's not there, assume it's the first logon and set their homepage and then set the homepage. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Micheal S. Mand Sent: Thursday, November 17, 2005 6:37 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Internet Explorer Home Page Question Hello, I just joined the list, so forgive me if this has been answered already. I've been put to the task of using AD to set the home page of all NEW users to our company intranet, but not override the current user's settings. We want this to happen automatically because we are usually creating new users with little notice, and very little time to make the account active. I've searched and searched all over existence for something related to this, and so far have only come up with some hacks to permanently set every user's home page the same. We want users to be able to change this home page if they wish, without it resetting every time they log in to their machine. If they log into a new machine, we could also set the home page to the intranet, but this isn't as necessary. Has anyone even heard of doing anything like this? Is it even possible? Thanks in advance, Micheal S.Mand Network Administrator Applied Research Associates, Inc. Email: [EMAIL PROTECTED] http://www.ara.com -- ~~~Fortune and Love befriend the bold~~~
Re: [ActiveDir] [Slightly OT] Protecting objects not covered by AdminSDHolder
Got script or commands to handle that automatically ? basically, enable the inheritance and set the admincount = 0 I searched for admincount=1 in mu domain and there are couple-o-thousand entires... I guess, because we migrated large number of domains into single domain. - KamleshOn 11/16/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: To make a protected member of a protected group a NON-PROTECTED object you need to: * remove his membership from the protected group* enable inheritance again on the object* set the admincount attribute to 0 or to not setWhat is said is that by removing the member from a protected group, inheritance will not be changed automatically and the admincount attribute will also not be changed automatically. All must be changed manually and when reverting the object back to a non-protected oject it is best to do all three!So, yes I also agree with those recommendationsJorgeFrom: [EMAIL PROTECTED] on behalf of David CliffeSent: Tue 11/15/2005 9:56 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] [Slightly OT] Protecting objects not covered by AdminSDHolder Jorge -- The group membership of a protected group is the criteria the process looks at, not the attribute value of 1. The admincount attribute is just an administrative measure for the process that says been here, nothing else.This implies that if you later go back and remove a user from any protected groups, you can then go set his ACL back to what you want, and not have to worry about the admincount attribute still having a value of 1, right?Only reason I ask is because I could have sworn I've seen recommendations on this list to set that attribute back to 0 after removing all protected group memberships, so just double checking.Maybe there were other factors involved in those previous recommendations which I didn't read close enough!Also, interesting approach to the original poster's question.Thanks!-DaveCFrom: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, November 15, 2005 3:22 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Protecting objects not covered by AdminSDHolder That sounds logical. However the adminsdholder process only looks at users and groups that are defined in AD as protected objects. As mentioned in MS-KBQ817433 - Delegated permissions are not available and inheritance is automatically disabled it is possible to include or exclude some of the default admin groups (account operators, print operators ,etc.) The process that checks object against the adminSDHolder object only looks at that definition of protected objects and in case of groups it will also look at its members. It resets the DACL to match the DACL of the adminSDHolder object and sets the admincount attribute to 1. The group membership of a protected group is the criteria the process looks at, not the attribute value of 1. The admincount attribute is just an administrative measure for the process that says been here, nothing else.So, to add custom groups as protected groups in AD, MS should see if it is interesting to implement in Longhorn.There is a way however to implement your own protected groups. (I think it will work)How to do that?* Take a protected group (weakest one possible)* Create a distribution group with a name like Custom_Protected_Groups_Definition and make that a member of the actual protected group * Put all custom users and groups directly into the distribution group that need to be protected by adminSDHolderNow what will happen?The adminSDHolder process sees the memberships (transitive included) and protects them.When a user logs on, he will be a member of the distribution group Custom_Protected_Groups_Definition but the SID of the actual (security) protected group will not be in the access token of the user.If a distribution group is a member of a security group, the members of the distribution group will not be transitive security members of the security protected group as the distribution group blocks the security group membershipThere is a catch however!- DO NOT EVER CONVERT THE DISTRIBUTION GROUP TO A SECURITY GROUP! (doing this will lift the security group membership block and the users/group will suddendly get the SID of the protected security group in their access token!)I agree with Al you should be very careful changing the configuration of the DACL of the adminSDHolder object! Remember that object protects the default (very strong) users and groups!Cheers,Jorge(cool: I think I just wrote something nice for my blog)From: [EMAIL PROTECTED] on behalf of Al MulnickSent: Tue 11/15/2005 7:04 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Protecting objects not covered by AdminSDHolder That's interesting.As far as I can tell, the adminsdholder is just aprocess that runs on the PDCe that wakes up and checks for all objects thathave
Re: [ActiveDir] User accounts getting locked out..
This article contains the on troubleshooting account lockout, http://www.windowsecurity.com/articles/Implementing-Troubleshooting-Account-Lockout.html plus you can look at Best practices guide for account lockout. http://www.microsoft.com/downloads/details.aspx?FamilyID=8c8e0d90-a13b-4977-a4fc-3e2b67e3748eDisplayLang=en -- KamleshOn 11/15/05, Sudhir Kaushal [EMAIL PROTECTED] wrote: Hi All, I am facing one strange issue. All of sudden my user accounts are getting locked out in certain OU's. The event logs says Event Id - 675, AUDIT FAILURE, Security, Mon Nov 14 12:50:57 2005, NT AUTHORITY\SYSTEM, Pre-authentication failed: User Name: xyz User ID: %{xyz} Service Name: krbtgt/domain name Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: IP address. Event Id - 644, AUDIT SUCCESS, Security, Mon Nov 14 12:50:56 2005, NT AUTHORITY\SYSTEM, User Account Locked Out: Target Account Name: xyz Target Account ID: %{xyz} Caller Machine Name: Name of the machine Caller User Name: Name of the DC Caller Domain: Domain Name Caller Logon ID: (0x0,0x3E7) They also get clear after some time automatically. One reason which i figure out is that it could be related to the system time of the client machine with the system time of DC ( Related to failure of Kerberos ticket ) . Any other pointers??? Thanks in Advance. Regards, Sudhir Kaushal Systems Engineer (GIS) Computer Sciences Corporation. India - + 91 120 2582323 Ext. 2649 Denmark - + 45 70100024 Ext. 2649 "You never win Silver, You lose Gold" This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose. -- ~~~Fortune and Love befriend the bold~~~
Re: [ActiveDir] Reset Domain Admin Password in Windows Server 2003 AD
its not a big secret, you go to google and search for reset domain admin password and you will get that page... On 11/4/05, Brian Desmond [EMAIL PROTECTED] wrote: He shouldn't have posted that. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
[ActiveDir] GP version mismatch between DS SYSVOL
You know, there are some settings like, automatically detect configuration settings under IE maintenance and some certificate enrollment settings etc. Which once configured, can't be made not - configured as you can do with other settings. This values are either disable or enable, there is no option like not configured I have two or three such policies, and I want to get rid of these settings, without recreating the GPO. so I thought I would go directly in SYSVOL folder of this policies and delete the appropriate settings and UP the version number in gpt.ini so that it replicates. But, since I have not used standard group policy editor, the version in Active Directory remains old.Now it gives error in monitoring tools saying version mismatch between DS SYSVOL. So, 1) Is there better way to handle these sticky settings? other than recreating GPO. 2) Can I change the version in DS using adsiedit.msc to reflect the same as SYSVOL? will it have any effect on GP application? -- Kamlesh~~~Fortune and Love befriend the bold~~~
Re: [ActiveDir] GP version mismatch between DS SYSVOL
Darren, Try this, create one GPO at domain level, and one at OU level, configure the proxy settings at both levels. now, according to GPO processing rules, OU level GPO should win. Now, go ahead remove the proxy settings from domain level GPO. In this case also OU level GPO should win. But you will notice that domain level GPO is still mentioned as processed for proxy settings. (in the precedence tab) So, if I happen to enforce the GPO at domain level, even though I have removed proxy settings, it takes precedence and nullifies the proxy settings at OU level. So, I want to reach that stage where it was never configured at domain level GPO, so that I can enforce GPO for other settings. I hope it is clear, So one way to achieve is, create new GPO and copy settings other than proxy from old GPO and enforce this new GPO. Other is, edit at sysvol level and increment version in gpt.ini. I know, masters will recommend creating new GPO and copying settings[1], but I thought lets try something like this.[2] [1] Copying GPO using GPMC interface doesn't help as it creates the same settings, so can't revert back to stage where proxy settings were never configured. [2] I have read a KB article in which if you happen to lock yourself out of DC, due to mis-configured security options in default DC policy or something, you can edit the security INF file in sysvol and increment the version in gpt.ini to get back to functional state. -- Kamlesh On 11/3/05, Darren Mar-Elia [EMAIL PROTECTED] wrote: Kamlesh- I'm not sure I understand what you're saying about Not Configured. If I check Automatically Detect configuration settings in IE Maintenance policy, then that box is checked for all users that process the policy. If you uncheck that box, the box is unchecked for the user the next time they process the policy. What behavior are you trying to achieve? Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Wednesday, November 02, 2005 9:33 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] GP version mismatch between DS SYSVOL You know, there are some settings like, automatically detect configuration settings under IE maintenance and some certificate enrollment settings etc.Which once configured, can't be made not - configured as you can do with other settings.This values are either disable or enable, there is no option like not configuredI have two or three such policies, and I want to get rid of these settings, without recreating the GPO.so I thought I would go directly in SYSVOL folder of this policies and delete the appropriate settings and UP the version number in gpt.ini so that it replicates.But, since I have not used standard group policy editor, the version in Active Directory remains old.Now it gives error in monitoring tools saying version mismatch between DS SYSVOL.So, 1) Is there better way to handle these sticky settings? other than recreating GPO.2) Can I change the version in DS using adsiedit.msc to reflect the same as SYSVOL? will it have any effect on GP application?-- Kamlesh~~~Fortune and Love befriend the bold~~~ -- ~~~Fortune and Love befriend the bold~~~
Re: [ActiveDir] GP version mismatch between DS SYSVOL
I don't think, there is a problem with processing precedence. I have problem that, there is no easy way to revert to stage where that setting was not configured at all. Did u enforce the domain policy and check the settings in InternetOptions Problem is when you enforce it,domain policy will take precedence, and it assumes that in domain policy the proxy settings are disabled and it overrides settings in OU policy. Youdon't see proxy settings in GP editor or in GPMC, but if you go to sysvol and open the install.ins file in USER\Microsoft\IEAK folder, you will see that Proxy_Enable=0 is set, and which creates the problem when domain level or any higher level policy is enforced. Anyway, I have edited the policy in sysvoland up the version in gpt.ini and DS. Just thought, it would be helpful to someone. On 11/3/05, Darren Mar-Elia [EMAIL PROTECTED] wrote: Ok, I tested this myself. I think what is happening is that RSOP is reporting incorrectly, rather than there being something broken in policy processing precedence. For example, I set up the scenario you described below and ran GP Results from GPMC on the user logging into my test client and it showed, as you indicated, that the winning policy was the domain linked one. However, at the client, the user was receiving the OU policy as expected. Also, when I run rsop.msc from the client, it reports the correct winning GPO. So it looks like a RSOP bug. In terms of directly editing SYSVOL, I don't typically recommend it, but if you do that, and modify the gpt.ini file, you also need to update the versionNumber attribute on the GPC object in AD to have the same version number. Note that as of XP and 2003, mismatched version numbers no longer prevent the GPO from being processed, as they did in Win2K. From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Wednesday, November 02, 2005 12:14 PM To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] GP version mismatch between DS SYSVOL Darren,Try this,create one GPO at domain level, and one at OU level,configure the proxy settings at both levels.now, according to GPO processing rules, OU level GPO should win.Now, go ahead remove the proxy settings from domain level GPO. In this case also OU level GPO should win.But you will notice that domain level GPO is still mentioned as processed for proxy settings. (in the precedence tab)So, if I happen to enforce the GPO at domain level, even though I have removed proxy settings, it takes precedence and nullifies the proxy settings at OU level. So, I want to reach that stage where it was never configured at domain level GPO, so that I can enforce GPO for other settings.I hope it is clear,So one way to achieve is, create new GPO and copy settings other than proxy from old GPO and enforce this new GPO. Other is, edit at sysvol level and increment version in gpt.ini.I know, masters will recommend creating new GPO and copying settings[1], but I thought lets try something like this.[2][1] Copying GPO using GPMC interface doesn't help as it creates the same settings, so can't revert back to stage where proxy settings were never configured. [2] I have read a KB article in which if you happen to lock yourself out of DC, due to mis-configured security options in default DC policy or something, you can edit the security INF file in sysvol and increment the version in gpt.ini to get back to functional state.--Kamlesh On 11/3/05, Darren Mar-Elia [EMAIL PROTECTED] wrote: Kamlesh- I'm not sure I understand what you're saying about Not Configured. If I check Automatically Detect configuration settings in IE Maintenance policy, then that box is checked for all users that process the policy. If you uncheck that box, the box is unchecked for the user the next time they process the policy. What behavior are you trying to achieve? Darren From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Wednesday, November 02, 2005 9:33 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] GP version mismatch between DS SYSVOL You know, there are some settings like, automatically detect configuration settings under IE maintenance and some certificate enrollment settings etc.Which once configured, can't be made not - configured as you can do with other settings. This values are either disable or enable, there is no option like not configuredI have two or three such policies, and I want to get rid of these settings, without recreating the GPO.so I thought I would go directly in SYSVOL folder of this policies and delete the appropriate settings and UP the version number in gpt.ini so that it replicates.But, since I have not used standard group policy editor, the version in Active Directory remains old.Now it gives error in monitoring tools saying version mismatch between DS SYSVOL. So, 1) Is there better way to handle these sticky settings? other than recreating GPO.2) Can I change the version in DS using
Re: [ActiveDir] Restricted Groups question
I have done this for a small site, where different machine require different user as administrator for a particular period. Say something like USER1 admin on WKS1 starting from Oct-10 to Oct-20 So, What I have done is capture this requirement in CSV file wks1,user1,2005/10/10,2005/10/20 I have written a small _vbscript_ which runs as STARTUP script on each workstation, which check this CSV file kept at network share, and finds the user who should be member of admin group on this particular day according to the CSV file, he is added, who should not be is removed. And every week, we collect the members of administrators group on all workstations to make sure that process is working as it should be. This has many advantages, * I can give rights to particular user on particular machine for specific time period and not forever. ( which is ideally what you want, if you go and find out who really needs local admin rights on their machine, you will find many misfits, anyway, we have policy for review of admin rights every quarter) * It acts as my authorized list of local admins * I have good transaction log for this process, so I know, at what period of time in past who was member of admin group on particular workstation. -- Kamlesh On 10/30/05, Susan Bradley [EMAIL PROTECTED] wrote: Oh, you mean only let that person be admin on 'that' particular machineand no other?Oh sorry I wasn't getting the limitation he was wanting here.Well IMHO, if you are already thinking that 'hey we want to limit access to just that machine' and thus already thinking of the consequences ofsecurity you might as well bite the bullet, and pull out theregmon/filemon and start yelling at your vendors. [EMAIL PROTECTED] wrote:The point is - he can't ensure that users are local admins on THEIRcomputers. Whether he uses interactive or domain users or everyone or justsimply users, what he will get is anyone who logs into this computer is an admin which means he is making users local admins on ANY computer. The sameresult is achieved using option #2. In effect, anybody can be an admin on anycomputer.In short, there is no inexpensive, magical, native way to do what he is expecting to do. It may be not very expensive in SBS land (I mean .c'mon, how tedious can adding users to groups on 75 computers - or howevermuch they let you guys have these days - be vbg?). But in non-SBS space, well do the math.So, again, the shortest (maybe most honest :)) answer (IMHO) to the questionis: You can't, at least not natively.Sincerely,Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Serviceswww.readymaids.com - we know ITwww.akomolafe.comDo you now realize that Today is the Tomorrow you were worried about Yesterday?-anonFrom: [EMAIL PROTECTED] on behalf of Susan BradleySent: Sat 10/29/2005 7:39 PM To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Restricted Groups questionNow keep in mind that SBS's connection wizard does this for us and my manual memory 'how to' is a bit rustybut I think the normal processincludes creating an AD security group called Workstation Admin, andadd that group to the local admins group on each computer for existing machines. From the server... if you manage the computer add it in the localusers groups . Then you can simply add users to the AD group as needed.For existing deployed computers...this is our normal recommendation: 1)On each PC, add the INTERACTIVE group to the Administrators group.This will automatically give each user that logs in local Admin rights.Downside is that if you ever want a user to not have local admin rights, youwon't be able to restrict them as long as you have this configuration.2)Create a Security Group within AD (e.g. Local Admins).On eachworkstation, add the domain Local Admins group you created to the local Administrators group.Then on your SBS, add your existing users to theLocal Admins group, and create a new user template that includes LocalAdmins group membership.When you create a new user, use the custom template and they'll be included in the Local Admins security group, whichwill give them local admin rights on the machines where you added the LocalAdmins group to the local Administrators group. 3)Preferred solution:Don't give users local admin rights.Find yourproblem apps that don't run as a restricted user and start nagging thevendor.Ask why they find exposing your business to undue risk as a justified business practice on their part.Find what directories / regkeysthose apps want access to and tweak the permissions accordingly to allowrestricted users to be able to access those locations (and thus run the problem apps).[EMAIL PROTECTED] wrote:I'm splitting hair here, but ...What you've recommended still doesn't achieve his stated goal - to make userslocal admin rights on THEIR PCs.Sincerely,Dèjì Akómöláfé, MCSE+M MCSA+M MCP+IMicrosoft MVP - Directory Services www.readymaids.com - we know ITwww.akomolafe.comDo you now
Re: [ActiveDir] Active Directory Computer management
I would suggest scheduling excellent joeware utility oldcmp.exe[1] for this task, I follow this process, Find computers older than 60 days, move them to particular OU say - oldComps disable them, and let different location admins know, if they have problem with computer account, we move those comps to normal OU again. or special OUs which are excluded from this process. otherwise after a week time delete all comps from that OU and repeat the process again next week. Besides this oldcmp.exe has built-in safety that it NEVER touches domain controller accounts, also, u can exclude OUs from this process, so if you have many NAS,Linux,Unix boxes having computer account then u can put them in OU and exclude them from removal process. As they normally don't change their account password every 30 days. [1] source : http://www.joeware.net/win/free/tools/oldcmp.htm you will find basic example on the same page -- Kamlesh On 10/28/05, Abella Tarimo [EMAIL PROTECTED] wrote: Hello everyone, Does anyone know how I can implement a policy where a computer which has not accessed the domain for more than X number of days is automatically removed in the computer OU? Basically I need to manage my Anti-virus (McAfee) reports and currently I have set an auto-import from the AD which means the dormant machines (e.g. consultants who were here for only a week a year ago) appear and these machines would obviously never pick an agent and so my report to management always shows some non-compliant machines. Thanks in advance for all your responses. Abella -- ~~~Fortune and Love befriend the bold~~~
Re: [ActiveDir] LastLogon timestamp
I am just curious, what was the issue for that old attribute i.e. lastlogon not replicated. was it plain simple, too-much-replication-for-a-single-attribute ? or anything else?On 10/28/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:Hi Russ,For that you need to query all DCs as the old attribute is not replicated between DCsThe new lastlogontimestamp attribute only is available in DFL W2K3 andis replicated between DCsIn both FLs you could use OLDCMP (with the users option) from joeware.net (http://www.joeware.net/win/free/tools/oldcmp.htm)DumpSec from SomarSoft also provides the ability to scan/query all DCssearching for the true last logon time ( http://www.somarsoft.com/)Cheers,Jorge-Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, RussSent: Friday, October 28, 2005 12:56To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] LastLogon timestampWhat's the easiest way to find out the last logon time of a useraccount?And if you have 50 domain controllers, would you have to query each one for it, or is this replicated some how?We're in a nativewin2k domain with mostly win2k3 DCs.Thanks~~This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may beconfidential or privileged.This e-mail should be read, copied, disseminated and/or used only by theaddressee. If you have received this message in error please delete it, together with any attachments, from your system.~~List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive:http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ -- ~~~Fortune and Love befriend the bold~~~
Re: [ActiveDir]Group Policy Administrative Templates
I found this free registry GP CSE at http://www.desktopstandard.com/PolicyMakerRegistryExtension.aspx some of the feature it touts are * Full control over tattooing ( i.e. means each setting becomes a policy and not preference) * Registry Wizard for settings import * Per-setting filtering * integration with GPMC I will be testing this extension, :) -- Kamlesh On 10/26/05, Darren Mar-Elia [EMAIL PROTECTED] wrote: There's a few free and for pay tools to do it. Check out the following: RegtoADM: turns .reg files into ADMs. Free tool that is part of the NUTS utilities at http://yizhar.mvps.org/ ADM TEmplate Editor: This is a for pay tool found at http://www.sysprosoft.com/adm_summary.shtml Policy Template Editor: a for pay tool at http://www.tools4ever.com/products/utilities/policytemplateeditor/ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sadovskiy Artem NikolaevichSent: Tuesday, October 25, 2005 7:28 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir]Group Policy Administrative Templates Hi! Are there any tools that can assist me to create .ADM (Group Policy Administrative Templates) files? If anybody knows, please send me a link. Regards. -- ~~~Fortune and Love befriend the bold~~~
Re: [ActiveDir] OT: Robocopy command..
does /M help, it will behave like ntbackup with incremental backup type i.e. if archive bit is set then only copy. and as we know archive bit is set for new files and changed files. On 10/25/05, Frank Abagnale [EMAIL PROTECTED] wrote: Hi. I have used robocopy tocopy an entire folder content from oldserver1 to newserver1. I want to keep this data on the newserver consistenthowever, I only want it to copyfile changesandadditional files that have been created, not the entire foldercontent. I was thinking of using robocopy d:\source d:\destination /e /IT/log:e:\log.txt /r:1 does anyone have any thoughts about the parameters I've used? thanks frank Yahoo! FareChase - Search multiple travel sites in one click. -- ~~~Fortune and Love befriend the bold~~~
Re: [ActiveDir] Need ADSI Scripting help.
I was hoping someone will direct him to dsquery :o) Assuming file containing computernames is Comps.txt put this in the batch file and keep it in same folder as comps.txt for /f %%A in (comps.txt) do ( dsquery computer -samid %%A$ | dsget computer -samid -disabled ) You should get the two column listing computername with YES or NO for disabled. - Kamlesh On 10/21/05, Jitendra Kalyankar [EMAIL PROTECTED] wrote:I know about the Oldcmp.exe, but the thing is the tool is reallypowerful and I don't want Jr. Sys. Admins doing something or deleting something that they are not suppose to. And againI will have to go through the security department route to useit. Too much hasselHope that explains my situation.Sincerely,Jitendra Kalyankar On 10/20/05, Creamer, Mark [EMAIL PROTECTED] wrote: Before you do this, see oldcmp at www.joeware.net http://www.joeware.net/win/free/index.htm mc -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jitendra Kalyankar Sent: Thursday, October 20, 2005 4:14 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Need ADSI Scripting help. I am looking for some example script and/or help for the script I am writing for my company. What I want to achieve is if I run the script against the machine list which will be in the text file, it should give me the output in the text file saying which machine account is enabled, disabled or not found. I know how to manipulate the text files using fso object but I am not sure what do I need to use to get the attributes of computer container in AD. Any help in this regard is highly appreciated and valued. Please let me know if you need more information abou this. -- Thanks, Jitendra Kalyankar List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail transmission contains information that is intended to be confidential and privileged.If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful.Please reply to the message immediately by informing the sender that the message was misdirected.After replying, please delete and otherwise erase it and any attachments from your computer system.Your assistance in correcting this error is appreciated. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/-- Thanks,Jitendra KalyankarList info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/-- ~~~ Fortune and Love befriend the bold~~~
Re: [ActiveDir] ADUC and domain controller vs. workstation or server
I always thought it was useraccountcontrol attribute, that decided the role ? Any ideas guys ?? On 10/21/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:I have seen LDAP searches which make use of the primaryGroupIDattribute. A value of 516 implies a DC, otherwise the machine is not a DC (i.e. it's a workstation or server)An educated guess tells me that ADUC queries for this attribute.hth,neil-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Chuck ChoppSent: 21 October 2005 14:08To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] ADUC and domain controller vs. workstation orserverWhen viewing the general tab on the properties page for a computer inthe ADUC utility, the role of the computer can be listed as domain controlleror workstation or server.Since the Machine-Role attribute is missingon these computer objects in the AD tree, I would have to assume thatADUC derives this information from other sources.Since the role information that is displayed very quickly, even when the specifiedcomputer is offline, I would not expect that there's any sort of livecommunication going on where ADUC interrogates the computer to obtain the information.One remaining possibility is that the information is obtained from orinferred from the computer object's location within the domain, such asbeing under the Domain Controllers container as opposed to being in any other container or any other OU.Is this how ADUC is actually obtaining the information?Also, if the Machine-Role attribute value isn't populated by defaultwhen the computer is added to AD, then what does create this attribute and assign it a value on the computer object?I'm looking for a method to use that rapidly distinguishes betweendomain controllers, member servers and workstations that all havecomputer objects in the tree, with the desire being to eliminate workstations from a list of computer names.Making an API function calltoDsRoleGetPrimaryDomainInformation() works great to determine thecomputer's role *IF* the computer is present on the network.If the computer is not reachable for any reason, then the API function callsspends several minutes retrying it's communications attempting to reachthe RPC Server service on the specified remote system and thus the API function call doesn't return even a NAK in an acceptable period of time.--Chuck ChoppChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.comRTFM Consulting Services Inc. 864 801 2795 voice voicemail 103 Autumn Hill Road864 801 2774 faxGreer, SC29651Racing to save livesThe Leukemia Lymphoma Society - Team in Training http://www.active.com/donate/tntsc/tntscCChoppDo not send me unsolicited commercial email.List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive:http://www.mail-archive.com/activedir%40mail.activedir.org/ PLEASE READ: The information contained in this email is confidential andintended for the named recipient(s) only. If you are not an intendedrecipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any furtheraction in reliance on it. Email is not a secure method of communication andNomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of,or (b) the presence of any virus, worm or similar malicious or disablingcode in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise statedthis email: (1) is not, and should not be treated or relied upon as,investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intendedfor informational purposes only and is not a recommendation, solicitation oroffer to buy or sell securities or related financial instruments.NIplc does not provide investment services to private customers.Authorised andregulated by the Financial Services Authority.Registered in Englandno. 1550505 VAT No. 447 2492 35.Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP.A member of the Nomura group of companies.List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ -- ~~~Fortune and Love befriend the bold~~~
Re: [ActiveDir] Kix to VBS
I have _vbscript_s using WSH extensively for handling computer migrations . I have used WMI just for finding the serialnumber of machine, everything else is handled by WSH. And my scripts are in the range of 500 to 10 K lines, and I have done some 3000+ migrations with these scripts. So, I can say WSH is no problem if you know what you want to do. besides that, WSH will be consistent across OS version. (at least NT and above, I have tested) while WMI has different number of classes available on different OS version. (more recent OS will have more classes) so if you find a class you want to use, you have to make sure that it is supported by all the OS version you going to run the script on. Generally, If i can do a task by WSH easily, i will not use WMI. ( you will tend to know the difference as you use them more and more) Good start for you would be the Microsoft Technet Script Center. http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx -- Kamlesh On 10/18/05, Alain Lissoir [EMAIL PROTECTED] wrote: If you are Windows and above and don't need REG_MULTI_SZ updates, I would gofor WSH (pretty simple model).If you need to do more complex stuffs, I would use WMI (which is actuallyused from WSH as it is the scripting engine). /Alain-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED] ] On Behalf Of Harding, DevonSent: Monday, October 17, 2005 9:45 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Kix to VBSWhich method is preferred, WSH or WMI?
Re: [ActiveDir] OT? Remote Assistance.
First try this DCOM fix, http://searchwinsystems.techtarget.com/tip/0,289483,sid68_gci1091907,00.html then this script... @echo off Echo Stopping The Remote Assistance Service... net stop rdsessmgr sleep 5 Echo Running Fix for Remote Assistance... %systemroot%\system32\sessmgr .exe -service sleep 5 Echo Starting Remote Assistance Service... net start rdsessmgr On 10/18/05, Kennedy, Jim [EMAIL PROTECTED] wrote: Trouble getting Remote Assistance going. XP w/ SP2 in a 2K3 domain. XPfirewall disabled on both boxes.Two computers for test. Both in the same OU. GPO forces offer and inviteenabled with a group having the permissions. RSOP on both machines shows it is all taking effect. Both logged on users are local admins, and arein fact domain admins.Invitations for Assistance work fine, in bothdirections. However Offer Assistance fails with 'Permission Denied'. Been through everything here:http://support.microsoft.com/default.aspx?scid=kb;en-us;310629Simplefile sharing off and verified the groups and members are being passed down.This one does not apply, that group policy is undefined. Tried definingit with the fix anyway, no change.http://support.microsoft.com/?kbid=884910 http://support.microsoft.com/default.aspx?scid=kb;en-us;889248Even fired up all the disabled services on both machines. List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/-- ~~~ Fortune and Love befriend the bold~~~
Re: [ActiveDir] RIS WinPE Question
I am running WinPE on W2k3 server, only change I have done in .SIf is OsLoadOptions = /noguiboot /fastdetect /minint imagetype = WinPE You might find great help related to WinPE on : http://www.911cd.net/forums/ -- Kamlesh On 10/16/05, Dan Holme [EMAIL PROTECTED] wrote: I hope some of you brainiacs can help me out here. I have a WinPE image loaded into a W2K3 RIS server. It launches as a standard image just fine, but creates a computer account in AD. I know that W2K3 SP1 is supposed to have the functionality where I can change the *.sif value ImageType=Flat to ImageType=WinPE and then WinPE is supposed to show up in my "TOOLS" menu, but it doesn't. It just disappears as an option altogether. I've tried various combinations of the Choice Options GPO, including Disabling all options EXCEPT Tools, at which point the PXE client just says "Can't show you anything ha ha ha." (or something evil to that effect). After 2 hours of experimentation and googling, I'm at wits end… Any help would be greatly appreciated. Dan -- ~~~Fortune and Love befriend the bold~~~