[ActiveDir] OT: Network latency on VBScript-mapped drive letters.
So I have a VBScript that I use to map a network drive to a DFS share, as follows:

    ' Drive letter to assign and the UNC path of the DFS share
    strDriveLetter = "S:"
    strBaseDrivePath = "\\domain name\dfs root\share name\"
    ' Map the drive through the WSH network object, then release it
    Set objNetwork = CreateObject("WScript.Network")
    objNetwork.MapNetworkDrive strDriveLetter, strBaseDrivePath
    Set objNetwork = Nothing

When I map the DFS root using a drive letter using this code in a login script, I get isolated-but-consistent client reports of network latency when opening or saving a file; Word/Excel/whatever will choke up for a good 5 or 6 seconds at a time. If I disconnect the script-mapped drive and access this resource from the same machine using any other method:

* map the drive using the GUI,
* map the drive from the CLI using 'net use', or
* manually enter the UNC path from the Run line

...all latency goes away.

It's not OS-specific as far as I can tell; the machines currently reporting the latency are a handful of XPSP2 and 2KSP4 machines that don't have much else unique in common. I've determined that it's not specifically DFS-related, as I've tested mapping directly to the physical servername instead of the DFS sharename and produced identical results. Neither is it relevant that the script is being run as part of a login script/GPO, as running the script manually from an affected desktop also produces the same behaviour.

So it's either a VBScript thing, or it's something client-specific that I haven't isolated on the half-dozen desktops that are experiencing the issue. Google has thus far yielded no joy, has anyone run into this before?

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
Re: [ActiveDir] Is ADAM free?
Free download for 2K3 or Windows XP (with some feature limitations on the latter), integrated into R2 and later.

http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4EF6-A3E5-2A2A57B5C8E4displaylang=en

On 1/2/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Is ADAM free? If not, how much does it cost? Thanks! -James

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
Re: [ActiveDir] OT: M$
Duro
Sent: Sunday, November 12, 2006 10:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: M$

being conciliatory is laudable, but I think you're missing the point. It's not whether anybody is offended or not -- the question is why does someone come into a peaceful gathering casting offense. Especially when it's not necessary. If someone deliberately spits on the dinner table, do you say 'oh, well, he didn't hit any plate, let's just forget it' ? or even worse, 'he hit someone else's plate -- no worries.'

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, November 10, 2006 9:08 AM
Subject: RE: [ActiveDir] OT: M$

I highly doubt that any MS employee takes offence at what is surely a tongue in cheek expression. Let's not get _too_ PC please :/

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Laura A. Robinson
Sent: Thursday, November 09, 2006 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: M$

Just out of curiosity, what makes people think it's appropriate to refer to Microsoft as M$ on an MS-focused mailing list whose participants include Microsoft employees, Microsoft contractors, Microsoft MVPs and various other people who may have a relatively positive view of Microsoft?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, November 09, 2006 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?

This is the link to M$ to start with...very good info

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/scriptinga.asp

--
Sincerely,
J

On 11/9/06, Stu Packett [EMAIL PROTECTED] wrote:

Hello everyone. After reading through a lot of the posts on this mailing list, I realize I could make my job easier if I knew how to script. I have no experience in scripting, but would like to know what books do you recommend as a beginner's book on scripting? Also, I don't really know the difference between WSH and VBScript, so if anyone could explain that, I'd appreciate that. After browsing through Amazon, I saw several books on WSH and VBScript, but don't know where I should focus on. I'm also open to computer based training (CBT) videos if any exist. Thanks in advance.

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
Re: [ActiveDir] OT: M$
As we find that, once again, the answer to all of the world's problems is Blame Laura. (Only make sure that you're blaming the -correct- Laura, as we've just learned.) ;-)

- The Other Laura, wondering how on Earth she got dragged into this. :-)

On 11/15/06, Rich Milburn [EMAIL PROTECTED] wrote:

No you don't understand… Laura Hunter really has a web site called www.shutuplaura.com – did you click on it to see? And he was trying to be ironic, but had the wrong Laura. I admit I didn't get it at first either, I read that line and my jaw dropped a little, because I tend to agree somewhat with Laura R and respect her intensity for the subject and thus thought that was a bit harsh … but I forgot about that site and the other Laura :)

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
Re: [ActiveDir] OT: M$
You're not a fake employee, I've seen you. :-) BrettSh, too. It's that Stuart Kwan guy whose existence I'm doubting.

(Come on, was that enough to inspire the rarity that is a Stuart Kwan ActiveDir post? Please? PLEASE?!?!?!?!?!?!?!?!?!?!? ;-))

On 11/9/06, Eric Fleischman [EMAIL PROTECTED] wrote:

Not that I really care if people say M$ or not, but I thought I'd comment on one thing, in the name of full disclosure….

My participation on this list has __nothing__ to do with money. I don't get compensated on any level for this. Heck, I don't even work on AD anymore, so this is like 2 degrees of separation away from anything that MS compensates me for.

So, is MS out to make $? Sure. Is AD part of that money-making strategy? Sure. Does that have anything to do with MS employee participation on this list? I don't think so. Others (at least those that I can recall posting here as I type this mail) on this list fall in to the same boat. A couple of them don't work on AD anymore either.

Why do I hang out here? I do it because I care about customers and about AD/ADAM. It has nothing to do with my salary. It's also why I still blog about AD, answer newsgroup questions, answer internal questions (DLs, PSS, MCS, other PGs, etc.), handle direct emails from a myriad of non-MS people (some I know, some are totally out of the blue), fix code for people that ask for help, etc. I don't get paid for any of this.

~Eric
Borg #145719302

Insert conspiracy theory here about how this whole mail is a lie and the man actually wrote it on behalf of the fake employee that goes by Eric Fleischman

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Thursday, November 09, 2006 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

I believe we all know that your statement is correct like any other big company they are out to make $, what I inferred from what she was implying (did I get that right? :)) is that although we all know that Microsoft is not perfect (…anyone want to cast the first stone?)…a grey-toned comment made on this mailing list is probably not appreciated…especially when this mailing list is used to help others. I'm sure there are a myriad of other forums to take your personal opinions to.

--vC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
Sent: Thursday, November 09, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

I have a mostly positive view of M$ and like their products. Heck, I'm certified in their products. But that doesn't make them inexpensive and like any other big company they are out to make $. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 09, 2006 12:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: M$

Just out of curiosity, what makes people think it's appropriate to refer to Microsoft as M$ on an MS-focused mailing list whose participants include Microsoft employees, Microsoft contractors, Microsoft MVPs and various other people who may have a relatively positive view of Microsoft?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, November 09, 2006 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?

This is the link to M$ to start with...very good info

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/scriptinga.asp

--
Sincerely,
J

On 11/9/06, Stu Packett [EMAIL PROTECTED] wrote:

Hello everyone. After reading through a lot of the posts on this mailing list, I realize I could make my job easier if I knew how to script. I have no experience in scripting, but would like to know what books do you recommend as a beginner's book on scripting? Also, I don't really know the difference between WSH and VBScript, so if anyone could explain that, I'd appreciate that. After browsing through Amazon, I saw several books on WSH and VBScript, but don't know where I should focus on. I'm also open to computer based training (CBT) videos if any exist. Thanks in advance.

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
[ActiveDir] [OT] Best. KB. Article. Ever. (done in the voice of the Simpsons comic book dude, naturally)
http://support.microsoft.com/kb/228001

Network Adapter Does Not Work if Unplugged

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
Re: [ActiveDir] OT: TechED 2007
The transportation at Tech Ed Boston 2006 made insert name of poorly orchestrated event, take your pick, really look like a well-oiled machine. And that would be why I just booked the hotel that's directly across the street from the Orlando Convention Center. No busses for me this year, no way.

- Laura

On 10/19/06, Tim Vander Kooi [EMAIL PROTECTED] wrote:

It was beautiful weather there for TechEd 2000. I had thought that the transportation was less than great, but after Boston this year it wasn't bad at all in retrospect.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, October 19, 2006 12:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: TechED 2007

I hope you are kidding. Orlando was The.Worst.TechEd.Ever

Muggy as hell.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Mark Parris
Sent: Thu 10/19/2006 9:49 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] OT: TechED 2007

4-8th June

Regards,
Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596

-Original Message-
From: Figueroa, Johnny [EMAIL PROTECTED]
Date: Thu, 19 Oct 2006 08:38:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: TechED 2007

Any dates?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, October 19, 2006 4:29 AM
To: ActiveDir.org
Subject: [ActiveDir] OT: TechED 2007

It's Florida !

Regards,
Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
Re: [ActiveDir] [OT] Exchange 2007 Schema
Oh come on, just go ahead and stick the changes in. It's a Microsoft product, how bad could it -possibly- be? :-)

On 10/6/06, joe [EMAIL PROTECTED] wrote:

You are definitely funny Brett, some would just argue whether it is in the ways you think. =) I find you quite funny, I am waiting for the BrettSh T-Shirt to come out in fact. But with the crazy that can only be Brett hairdo, not the big boy hairdo. ;o)

I do kind of agree with Tony though, unless you are one of the TAP folks with specific agreements with MSFT to bail you out in the event of a nasty fire, you probably shouldn't be installing heavily AD integrated beta products into your production forest. I would assume that ITG/OTG/GOaT/GIT/OA/IT/IS or whatever the name is now being used for MSFT IT have the necessary support agreements in place. :) Plus they have Brian, not much he isn't going to be able to fix by himself I think.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, October 05, 2006 11:58 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] [OT] Exchange 2007 Schema

Oh crap! Brian Puhl, you reading? Tony says E2k7 is a beta product, I hope you didn't load that schema on our main forest? Too late to get it backed out (via forest restore)?

Thanks for the heads up Tony,
BrettSh [msft]

P.S. - Does anyone think I'm as funny as I think I am ... probably not ...

On Thu, 5 Oct 2006, Tony Murray wrote:

Hi all

There are apparently schema changes post Beta 2 - just in case anyone was considering pre-loading the schema changes into production [1]. I don't have any further details on what the changes are.

Tony

[1] Which of course you wouldn't contemplate with a Beta product :-)

Sent via the WebMail system at mail.activedir.org

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
Re: [ActiveDir] Groups membership question
Can memberof.exe do this? (Another joeware gem.) I've never tried to run it against multiple domain memberships, but I know it chases nested memberships beautifully - if I'm not mistaken, that's why joe originally whipped it up.

- Laura

On 10/11/06, Aaron Steele [EMAIL PROTECTED] wrote:

I have one for you guys. I have been puzzling over for a while. Seems simple, but I haven't found a good solution.

Domain A one way trusts Domain B
Group in Domain A, contains members from Domain B.
Enumerate groups in Domain A, include membership for all members in Domain B.

Or for the real answer. Find user in Domain B, and tell me all group memberships from Domain A and Domain B.

Any ideas? I've tried adfind queries, I've visited the windows scripting center and am at a loss. Thanks for your help.

/aaron

Aaron Steele
Mobile: 773.580.8099
[EMAIL PROTECTED]
Main: 312.334.1900
Fax: 312.224.4789
pointbridge.com
- Microsoft's 2005 Advanced Infrastructure Partner of the Year
- Microsoft's 2005 Exchange Solution of the Year Winner

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
Re: [ActiveDir] OT: wikis
--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
Re: [ActiveDir] OT: TechED 2007 New Orleans Cancelled ???
For no good reason other than a pure hunch, I find myself betting on Dallas. (I like Austin better as a city, but DFW provides better airport coverage.) It's been on the East Coast for 2 years running, so I would imagine it'll be somewhere Midwest-ish. (Chicago's not outside the realm in that case.)

The largest planning issue in the States is the airport question - you want to be sure that it's being held in a city with a hub airport so that international attendees aren't trying to make multiple connecting flights. So think Chicago, Dallas, Raleigh-Durham, Atlanta, San Francisco, etc.

On 10/10/06, Brian Desmond [EMAIL PROTECTED] wrote:

Chicago is one...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
Re: [ActiveDir] OT: A short and sweet KB
Or a corollary KB to that one: What you are trying to do is downright foolish. Please stop.

On 10/10/06, Dmitri Gavrilov [EMAIL PROTECTED] wrote:

Do you mind writing a KB with the following content: Whatever you are trying to do is not supported. It would be a great KB to refer folks to. I really need it quite often. I would memorize the KB number. Hell, I would include it into my signature.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 10, 2006 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: A short and sweet KB

LOL that is great... I have thought about using my MVP Super Powers to write small KBs like that in the past so I could point at it for people to read when I said something simple that isn't specifically documented but they wanted to see documents on Microsoft's site stating what I said... In the end I didn't do it because, well it just doesn't seem right. ;)

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, October 10, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: A short and sweet KB

It's tough to decide what to do with so much information. The symptoms or introduction section really does overload one's information bucket. :)

On 10/9/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Do not run a service by using a service account that belongs to a different domain: http://support.microsoft.com/?kbid=925099

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
Re: [ActiveDir] FIle/Folder ACL's(OT)
Go to the Technet Script Repository and browse around. You'll see a number of examples of how to enumerate and loop through all disk drives on a particular system.

On 9/18/06, Tom Kern [EMAIL PROTECTED] wrote:

Actually, the real issue with these scripts, is that how does cacls.exe know how many drives are on each server? Say one server has a C: partition while another has a C: and E: and F:, etc. How can I accurately enumerate all perms on all folders/files on all these servers/partitions via a vbscript? Thanks again.

On 9/18/06, Tom Kern [EMAIL PROTECTED] wrote:

Thanks. What would be the best readable format to dump it to (for management)?

On 9/18/06, Brian Desmond [EMAIL PROTECTED] wrote:

The Cacls command line tool and a VBScript to walk the tree (using FileSystemObject) will do the trick. ACLs aren't really spreadsheet type data IMHO.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Monday, September 18, 2006 1:49 PM
To: activedirectory
Subject: [ActiveDir] FIle/Folder ACL's(OT)

Can someone direct me to a vbscript that I can run remotely which will dump the ACL's of all file/folders on a bunch of remote servers (250) to a central Excel spreadsheet? I assume using wmi. Thanks, sorry for the bother but I can't seem to be able to google anything definitive on this.

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
Re: [ActiveDir] OT: Interview Techniques
* [EMAIL PROTECTED] wrote:

I've got no second thoughts about being an asshole during a tech interview. I ask the question, you either answer it or tell me you don't know. If you choose not to tell me you don't know and demonstrate that you don't know through what you tell me instead, I'm already pretty much through. If you're arrogant like this candidate you describe, I'm likely through as well.

My favorite exchange as of late goes like this:

Me - Tell me a little bit about your experience migrating Exchange 5.5 orgs to 2003
Them - blah blah blah
Me - Ok, can you name the three types of connection agreements in the ADC?
Them - well uh blah blah well uh excuse excuse
Me - other questions
Me - So would you be comfortable migrating a 10K user 5.5 org to 2003?
Them - Absolutely
Me - How can you be comfortable doing that when you can't even explain the first step of the migration to me?

In any case, others have put some really good advice here. What you want in a technical lead is someone who can get their hands dirty without getting scared or screwing up. They should also have no second thoughts about delegating work and asking their subordinates for help. That person needs to be able to deal with upper management, and they also need to make sure their self esteem is in check - none of that I did X when all they did is watch. Hiring your new manager can be a little difficult on both sides from the point of view of why wasn't someone on your team promoted to that position?

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
Re: [ActiveDir] All Accounts Locket Out -- Including Domain Admin
The built-in administrator account should still be accessible (if you've renamed it, log on using the renamed friendly name) - you can log on using that to troubleshoot the issue. To quickly unlock your accounts, go download joe's unlock utility from www.joeware.net.

On 7/5/06, Ravi Dogra [EMAIL PROTECTED] wrote:

Hi, I have a critical situation here. Suddenly all domain accounts locked out including domain admins account. What should i do? Is there any information which could be helpful.

Thanks
--
Ravi

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] Ammunition, please!
Off the top of my head, I might recommend searching the phrases "physical security" and "domain controller" on the microsoft site. The first hit returned on such a search is http://technet2.microsoft.com/WindowsServer/en/Library/05db0f72-0e18-453b-b294-49cfc8f9d6d21033.mspx?mfr=true, which includes the phrase "In addition, ensure the physical security of domain controllers in hub locations so that unauthorized personnel cannot access them. Do not place domain controllers in a location in which you cannot guarantee the physical security of the domain controller."

And that was just the first hit on the results page.

On 6/28/06, Larry Wahlers [EMAIL PROTECTED] wrote:

I am being asked to install a single server in a remote location (about 20 miles from here, 20 users) that will be a DC for our entire network, running DHCP and DNS, acting as a file server and print server for this remote location. And, this server will be in an unlocked rack in a semi-public area where literally anyone could gain physical access to the box. At the very least, the 20 employees will be walking past it every day.

There are many red flags about this scenario. I can think of a few. But, what I need is documentation from an *external* source that tells management just how bad an idea this is. After all, they won't believe me, but they might believe an expert.

At the very least, I would want the rack in which this server is placed to be locked 24/7. Better would be a locked room.

All help welcomed with many thanks.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] pw reset domain account
I don't even need to give you a black hat tool scenario, just a human one:

You're checking your Event Logs one day and see that DOMAIN\SharedAccount has accessed a file share that it shouldn't have. Given the fact that everyone in your enterprise has the password for DOMAIN\SharedAccount, how are you going to determine who did it? Since there's no way to do so, you reset the SharedAccount password and re-communicate it to your userbase. (How are you doing that, by the way? The method to do so will unavoidably be either [a] awful to manage, [b] inherently insecure in itself, or more than likely both.)

Then you're monitoring your log files a few days later and notice that the SharedAccount account has accessed another file share that it shouldn't have. Given the fact that everyone in your enterprise has the password for SharedAccount, how are you going to determine who did it? Since there's no way to do so, you...

...repeat until insane.

I'm being humorous in my response, but please don't let that take away from the larger point, which is that that's a horribly insecure way to implement a solution like that - if that were the vendor's recommended implementation, I'm thinking I'd run -far- in the opposite direction. Don't the Quest and/or NetPro self-service password tools write a hook into the GINA to alleviate the "I don't know my password, so how do I log on to reset my password?" question?

*waits patiently for a vendory-type person on the list to fill in details I don't have*

Laura

On 6/25/06, AWS [EMAIL PROTECTED] wrote:

There's a proposal at my company for a self service password reset website which uses a shared domain account. It's similar to a kiosk configuration, but the intent is to publicize the account and password so that it can be used from any users' pc when needed. They have an account-specific OU/GPO configuration which locks down the typical stuff you would expect, but my position is that there are too many unknown vectors for such an account to be abused.

Since I don't dabble in the various black hat utils du jour, does anyone have any thoughts on how a globally known domain account could be hacked upon? Conversely, is there any way such an account could be effectively locked down?

Thanks,
AW

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] DC Configuration
. Any thoughts, opinions, suggestions? tia, al -- Al Lilianstrom CD/CSS/CSI [EMAIL PROTECTED] List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.394 / Virus Database: 268.9.2/370 - Release Date: 6/20/2006 -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.394 / Virus Database: 268.9.2/370 - Release Date: 6/20/2006 List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
Based on the trace you posted, I'm also raising an eyebrow about your SMB signing levels. IE, you may have SMB signing mandatory on the server service on the 2K3 boxen, while SMB signing isn't enabled on the client service on the 2K box. Look for mismatches in the following two settings on both the 2K and 2K3 box: Microsoft network client: Digitally sign communications (if server agrees) Microsoft network server: Digitally sign communications (always) - Laura E. Hunter On 6/20/06, Al Mulnick [EMAIL PROTECTED] wrote: Shot in the dark, but can you reboot the 2K dc and try again/check for errors? On 6/20/06, Al Lilianstrom [EMAIL PROTECTED] wrote: Al Mulnick wrote: I'm with joe on getting that network trace. I'm curious if replication has been working and if you made any adjustments for having a windows 2000 dc in a W2K3 environment? Any other applications? Replication is working - both AD and FRS. GPOs apply. Everything seems to work except for the ability to access the admin$ share on the w2k3 DCs so that I can demote the machine cleanly and remove it from the domain. The trace is in my message sent around 11:00am Central. No other apps running. On 6/20/06, *joe* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: What do you see in the network trace? Is it attempting the connection? Is it establishing the TCP/IP connection and then blowing out in the NetBIOS handshake? Does it get through the handshake and then fail? -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom Sent: Tuesday, June 20, 2006 10:53 AM To: ActiveDir@mail.activedir.org mailto:ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain Al Mulnick wrote: Denying access? Hmm so logged on to the w2K machine you can't access the admin$ share of either of the DC's right? Correct. 
I can access any member server admin$ share from the w2k machine. I can access the w2k3 DC admin$ share from any other w2k3 machine in the domain. I just can't access the w2k3 DC admin$ share from the w2k DC. al On 6/20/06, *Al Lilianstrom* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] mailto: [EMAIL PROTECTED] wrote: Robert Rutherford wrote: Hi, It does sound like our old pal DNS. If you run a dcdiag and netdiag, do they both run clean? If not then please post the results. Both clean. Every test I can think of comes up clean. The only real symtom was in the orginal message - lack of admin access to the w2k3 DCs from the w2k DC. Checking the event log on the w2k3 DC I see the computer and user log in and out successfully. Just something denying access. If all is clean and it's a test environment then pull it and clean it up with ntdsutil et al. Sounds like a fun way to spend the morning. :-) al If it's a new situation then just replicate and see if you still have the issue. I have always found a couple of hours helps many ills. BR Rob Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] mailto: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] W:www.quostar.com http://www.quostar.com http://www.quostar.com -Original Message- From: [EMAIL PROTECTED] mailto: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] mailto: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] mailto: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] mailto: [EMAIL PROTECTED]] On Behalf Of Al Lilianstrom Sent: 19 June 2006 20:52 To: ActiveDir@mail.activedir.org mailto:ActiveDir@mail.activedir.org mailto: ActiveDir@mail.activedir.org mailto:ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem removing
Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
Well would you look at that? Seems that I'm moving up in the world. ;-)

On 6/20/06, joe [EMAIL PROTECTED] wrote:
> That's scary. Laura and I agree on something. ;)
>
> -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Re: [ActiveDir] RDP Over SSL (No Security tab in Client)
If you're not getting a Security tab on your clients, update their client RDP software from the 2003 R2 CD (I think that 2003 w/SP1 will do as well, but I don't have a representative box in front of me to confirm.)

On 6/16/06, Ravi Dogra [EMAIL PROTECTED] wrote:
> Hi All,
>
> I have configured RDP Over SSL and it's working fine when I tested it from my servers using tsmmc.msc, whereas when I am trying to install a client (RDP 5.2) it is not giving me any option to select Authentication Mode (Require Authentication) in the client installed. What should I do to resolve the issue?
>
> Attached are both snapshots. I am getting it without the Security tab. It should be with the Security tab as shown in the snapshots.
>
> -- Thanks and Regards Ravi Dogra 9899647200

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] OT: WMA Files
R2 gives you the new File Screen templates, which let you allow/deny users saving files of particular file extensions to network drives. You can either create a soft screen that will only log violations, or a hard screen that will actually prevent the user from saving the errant file. It's only based on the .??? file extension, so a savvy user could rename song.wma to song.txt and save it. (But if that behaviour were taking place, I would consider it more of an HR issue than a technical one.)

Technet mag did a nice write-up of it in May: http://www.microsoft.com/technet/technetmag/issues/2006/05/GetControl/default.aspx

On 6/16/06, Salandra, Justin A. [EMAIL PROTECTED] wrote:
> How can I make it so that users are unable to send WMA files to their user drives?
>
> Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED]

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] Active Directory Cookbook 2e
Go buy the new edition, all the cool people are doing it! ;-) But seriously, folks, there's some pretty nice changes in existing content as well as a bunch of new stuffs. We tried to add at least a handful of new recipes in each chapter, as well as updating the existing recipes with command-line stuff (lots of adfind/admod) as well as fixing various errata. The new content is a chapter on Exchange (mostly courtesty of joe), a chapter on MIIS from Gil Kirkpatrick and Steven Plank, and a chapter each on ADAM, ADFS, and the new File/Print stuff in R2. I for one think that it's a substantial update to the already-wonderful 1st Edition. Robbie found me a wonderful group of reviewers - joe and Al Mulnick in particular kicked my butt from here into next week during the TR process. Also much good help from TonyM, RBuike and Rick Kingslan, and Darren Mar-elia kept us all honest on the Group Policy chapter. So anyway. Go buy it so that I can afford that new yacht I've been eyeing up lately. ;-) - Laura On 6/14/06, joe [EMAIL PROTECTED] wrote: Laura will have to stop by and explain what has really changed. However I know that the chapter I wrote for the Windows Server Cookbook for Exchange tasks got pulled into it and extended (and probably some corrections as well). That same chapter went into AD3E as well but I trimmed it down considerably for AD3E as the format didn't fit right. Obviously it fit perfectly for the AD Cookbook. I believe there is an ADAM chapter now. I am sure some errata got input as well as issues I and probably others found on the second pass that we didn't find on the first or maybe we did find on the first but for some reason or another didn't make it into the final. (that never happens smirk) Ummm I know Laura added a ton of adfind/admod examples because she would write me an email every week with a list of questions for the week and I would respond to it for her. Plus if I saw places it could be added in the chapters themselves I put in notes for her. 
Sheeoot. I used to know what was changed as I reviewed the darn thing and was doing Word compares between the chapters but I'll be darned if I can recall everything now... I must be gettin' old. I recall Laura was really busting ass on it. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, June 14, 2006 7:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory Cookbook 2e To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory Cookbook 2e I have had a look at the O'Reilly website and cannot see what the differences between the 1st and 2nd editions are. Is it Errata or new content? So I am now wondering – why should I buy this, apart from the Authors and the Blue Fin Tuna on the front? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: 14 June 2006 06:19 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Active Directory Cookbook 2e …is now out. http://www.oreilly.com/catalog/activedckbk2/ TonyThis communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002. -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Domain Controller - Location Move
A good place to start is the following checklist that Jorge posted awhile back: How to move a DC to another site?: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/25/165.aspx There have also been a number of discussions that you can find in the list archives: http://www.activedir.org/ml/threads.aspx HTH Laura On 6/8/06, Contreras, Robert [EMAIL PROTECTED] wrote: Hello everyone, Simple question - just want to verify: Single forest\single domain comprised on 2 domain controllers physically in one location. We would like to physically move one of the domain controllers (the 2nd one promoted) to a new location (eventually both - during the complete data center relocation). The DC will most likely change IP's after the move - so configuring a site in the new location and assigning the appropriate subnets for the new location is important - anything else other than shutting it down and bringing it over? Thx! RC -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] OT: Security Policy Thoughts
The thing I'm not wild about with third-party clients (OSX etc.) is that they often don't play well with security features like SMB signing - if the Macs are hitting a Windows file server, most of the Apple documentation will tell you to turn it off entirely. Similar things can also happen if you've got Windows clients needing to hit Samba shares. It's really just one of those basic tenets: complexity is the arch-enemy of security, etc. etc.

- Laura

On 6/8/06, Noah Eiger [EMAIL PROTECTED] wrote:
> Thanks, Brian. Don't you sleep? It's late in Chicago ;-)
>
> 802.1x is the direction they are heading. Right now, it is cost-prohibitive. So the question is less can I control this access but should I? Is that over-reacting?
>
> Again with the VPN. My thoughts were to push it with an MSI, so I see how to control its distribution. The question is should I limit it to just the domain computers? How big is the risk? If the risk from home computers is virus and malware, how do I justify preventing folks from running it on their home Macs?
>
> Thanks. -- nme
>
> From: Brian Desmond [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 07, 2006 10:43 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: Security Policy Thoughts
>
> My suggestion is that you implement 802.1x port auth to implement port based authentication. You can use this to implement guest vlans with the policy routing you describe.
>
> Isn't the Cisco VPN a MSI? Use Group Policy or SMS if you have it. You can do some NAC stuff with Cisco VPN as well as the personal firewall built into it.
>
> I don't see how you plan to prohibit OS X at least – put it on the guest vlan if you must, but, realize that the marketing, pr, etc people may live in a Mac world.
>
> Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
> Sent: Thursday, June 08, 2006 12:16 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OT: Security Policy Thoughts
>
> Hi: I am facing some IT policy questions and wanted to get some perspectives. In each of these areas, I am trying determine how restrictive I need to be. The client has four sites connected over high-speed links. I have good backing from management but will undoubtedly get resistance on some of these. The client is small, under 200 employees with most in one office. Some small field offices are not managed (i.e., have workgroup networks, often with a small server, but no AD). There are no SOX requirements and the data are not sensitive (e.g., no credit cards). Almost entirely Windows XP; all DC's run W2k3. Any thoughts on these topics welcome.
>
> Connecting to the wired network. They do not run any IDS or machine-based authentication. Given that, written policy carries some weight. I want to require all non-domain machines to connect only to a public VLAN that goes only to the Internet. I would apply this even to staff personal computers, those of contractors (including me), and machines from those field offices that are not on the domain.
>
> VPN. They run a Cisco VPN. I want to distribute the client only to domain-based machines. Others want the client for their home computers, etc.
>
> Other Operating Systems. I don't want to allow other OS's on the network, unless we manage them. But what is the threat posed by a Linux or OS X box on the network?
>
> As always, many thanks. -- nme

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] Machine Psswd Age
Or you could just use OLDCMP. (www.joeware.net) Why roll your own when joe's already done the work? :-)

On 5/24/06, Brian Cline [EMAIL PROTECTED] wrote:
> So if I wanted to write a utility to seek out stale computer objects in the domain that were never properly unjoined, could I simply look at each computer's pwdLastSet attribute? And mayhaps use a value more than 30 days (as we have a few traveling laptops), perhaps 90 or 180?
>
> -- Brian Cline
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
> Sent: Wednesday 24 May 2006 11:15
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Machine Psswd Age
>
> 30 Days
>
> Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Za Vue
> Sent: Wednesday, May 24, 2006 11:04 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Machine Psswd Age
>
> Anyone know how often machine passwords are renewed/reset in the domain?
>
> -Z.V.

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
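The pwdLastSet check asked about in this thread, as an added example that is not from any poster and is not how OLDCMP works internally: it converts pwdLastSet values from an LDIF-style export into dates and buckets computers by age at the 30, 90 and 180 day marks mentioned above. The host names, the example.com DNs and the "today" date are constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2006, 5, 24, tzinfo=timezone.utc)  # constructed "today" for the sample


def filetime_to_datetime(value):
    """pwdLastSet counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def build_sample(now=NOW):
    """Constructed LDIF-style export: three aged computers and one with pwdLastSet 0."""
    ages = {"WKS-014": 10, "LAPTOP-07": 75, "OLD-PC-03": 200}  # days since last change
    blocks = [
        f"dn: CN={cn},OU=Workstations,DC=example,DC=com\ncn: {cn}\n"
        f"pwdLastSet: {datetime_to_filetime(now - timedelta(days=days))}"
        for cn, days in ages.items()
    ]
    blocks.append(
        "dn: CN=NEWJOIN-01,OU=Workstations,DC=example,DC=com\n"
        "cn: NEWJOIN-01\npwdLastSet: 0"
    )
    return "\n\n".join(blocks)


def parse_ldif(text):
    """Parse minimal 'attribute: value' records separated by blank lines."""
    entries, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if sep:
            current[name.strip().lower()] = value.strip()
    if current:
        entries.append(current)
    return entries


def classify(entries, now, max_age_days):
    """Bucket computers as fresh, stale, or lacking a usable timestamp."""
    result = {"fresh": [], "stale": [], "no_timestamp": []}
    for entry in entries:
        name = entry.get("cn", entry.get("dn", "?"))
        raw = int(entry.get("pwdlastset", "0") or 0)
        if raw <= 0:
            # A zero or missing value would convert to the year 1601 and look
            # centuries stale, so it is reported separately instead of aged.
            result["no_timestamp"].append(name)
            continue
        age = now - filetime_to_datetime(raw)
        bucket = "stale" if age > timedelta(days=max_age_days) else "fresh"
        result[bucket].append((name, age.days))
    return result


if __name__ == "__main__":
    computers = parse_ldif(build_sample())
    for threshold in (30, 90, 180):
        print(threshold, classify(computers, NOW, threshold))
```

With the 30-day threshold the travelling laptop is flagged along with the abandoned machine; at 90 or 180 days only the abandoned one is.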
Re: [ActiveDir] DNS on a DC or NOT
On 5/17/06, joe [EMAIL PROTECTED] wrote:
> But enough about DNS, I don't speak about services that start with D. You have to draw the line somewhere. DFS, DNS, DHCP, Damn SQL Server... You get the drift. ;)

Doesn't 'Exchange' start with an 'E', though? Or are we dismissing that as an Off by 1 error?

Laura
Re: [ActiveDir][OT] DNS on a DC or NOT
> BTW, anyone know what a mucker is? I am trying to figure out if I am supposed to be morally outraged. eg
>
> joe

I use mucker as a compliment, but in my vernacular it's used in reference to a semi-skilled hockey player whose lack of scoring ability is balanced by his ability to check an opposing player into sometime next week.

So I guess what I'm saying is...draw your own conclusions. :-)
[ActiveDir] Intermittent 680 events.
So this one is puzzling me. Brand new 2003 R2 AD, all XPSP2 workstations. A few user accounts are getting continually locked out with Event 680, error code 0x006a (invalid password.) The usual culprits don't seem to be at fault since there are no services or scheduled tasks running under the credentials that are getting locked out. It also doesn't seem to be workstation-specific, since the account lockouts follow these unlucky few from one workstation to another.

Turning up USERENV logging to the "Oh holy schnikes that's going to generate a lot of entries" setting on the PDCe produces entries such as the following:

04/27 14:05:23 [LOGON] DomainNetBIOSName: SamLogon: Transitive Network logon of DomainNetBIOSName\User1 from WorkstationNetBIOSName (via MemberServerNetBIOSName) Returns 0xC06A

as well as

04/27 14:06:56 [LOGON] DomainNetBIOSName: SamLogon: Network logon of DomainNetBIOSName\User2 from WorkstationsNetBIOSName Returns 0xC06A

In both cases, the bad password event was generated from the correct workstations while the users were logged on interactively. The only KB I found that was even -close- to relevant (305822) talked about disabling the XP Welcome Screen, which isn't in use here.

This doesn't feel like a password attack is going on, but I can't figure out where these errant bad passwords are coming from, or what else is distinguishing these few accounts from their counterparts who aren't experiencing lockout fun.

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
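A triage sketch for log lines in the format quoted in the post above, added here as an example and not part of the original message: it tallies bad-password results per account by source workstation and by the "via" server, so a pass-through server common to the failures stands out even when the workstation changes. The sample lines are constructed (hypothetical domain CORP, hosts WKS-* and FILESRV01) and write the status codes in full NTSTATUS form, 0xC000006A for a wrong password and 0xC0000234 for a locked-out account.

```python
import re
from collections import Counter

STATUS_WRONG_PASSWORD = 0xC000006A      # NTSTATUS: wrong password
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234  # NTSTATUS: account locked out

# Constructed sample lines; names and times are invented for the illustration.
SAMPLE_LOG = r"""
04/27 14:05:21 [LOGON] CORP: SamLogon: Network logon of CORP\User3 from WKS-031 Entered
04/27 14:05:21 [LOGON] CORP: SamLogon: Network logon of CORP\User3 from WKS-031 Returns 0x0
04/27 14:05:23 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\User1 from WKS-014 (via FILESRV01) Entered
04/27 14:05:23 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\User1 from WKS-014 (via FILESRV01) Returns 0xC000006A
04/27 14:05:41 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\User1 from WKS-014 (via FILESRV01) Returns 0xC000006A
04/27 14:06:02 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\User1 from WKS-022 (via FILESRV01) Returns 0xC000006A
04/27 14:06:56 [LOGON] CORP: SamLogon: Network logon of CORP\User2 from WKS-019 Returns 0xC000006A
04/27 14:07:10 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\User1 from WKS-022 (via FILESRV01) Returns 0xC0000234
"""

# Only "Returns" lines carry a status; "Entered" lines do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\] (?P<domain>\S+): SamLogon: "
    r"(?P<kind>.+?) logon of (?P<account>\S+) from (?P<source>\S*)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)


def parse_results(text):
    """Return one dict per SamLogon 'Returns' line, status as an int."""
    events = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            event = match.groupdict()
            event["status"] = int(event["status"], 16)
            events.append(event)
    return events


def summarize_failures(text):
    """Per account: bad-password and lockout counts, plus where they came from."""
    summary = {}
    for ev in parse_results(text):
        if ev["status"] not in (STATUS_WRONG_PASSWORD, STATUS_ACCOUNT_LOCKED_OUT):
            continue
        entry = summary.setdefault(ev["account"].lower(), {
            "bad_password": 0, "locked_out": 0,
            "workstations": Counter(), "via": Counter(),
        })
        if ev["status"] == STATUS_ACCOUNT_LOCKED_OUT:
            entry["locked_out"] += 1
            continue
        entry["bad_password"] += 1
        entry["workstations"][ev["source"] or "(blank)"] += 1
        entry["via"][ev["via"] or "(none logged)"] += 1
    return summary


def report(text):
    """Render the summary as text lines, busiest sources first."""
    lines = []
    for account, entry in sorted(summarize_failures(text).items()):
        lines.append(f"{account}: {entry['bad_password']} bad password, "
                     f"{entry['locked_out']} locked out")
        for label in ("workstations", "via"):
            ranked = ", ".join(f"{name} x{count}"
                               for name, count in entry[label].most_common())
            lines.append(f"  {label}: {ranked}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```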
Re: [ActiveDir] exporting list of members of a security group
Try:

dsget group GroupDN -members -expand > foo.txt

On 5/2/06, Antonio Aranda [EMAIL PROTECTED] wrote:
> Is there a way to export to text file a list of the members of a security group?
>
> Thanks
> Antonio

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] logging users out
If you're dealing with XP boxen, you can also look at the XP Shared Computing Toolkit, it has an automatic logout function as well as a logout after X minutes of idle time dealie. You can deploy it to standalone machines or to AD-joined machines using GPO.

On 4/27/06, joe [EMAIL PROTECTED] wrote:
> Review the sysinternals EULA... It has come to my attention it has changed recently and it may make it a little more difficult to use these tools.
>
> joe
>
> -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
> Sent: Monday, April 24, 2006 3:26 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] logging users out
>
> On Mon, 24 Apr 2006 08:08:08 +0200, Ulf B. Simon-Weidner wrote
> > Did you try shutdown.exe? The parameters /l /f /t 3600 allow you to time it for an hour after executing it, and to force a logoff. No need to script around using additional timers or scripts.
>
> Same functionality, but for me more comfortable in use - psshutdown.exe from www.sysinternals.com
>
> -- Tomasz Onyszko - [EMAIL PROTECTED] http://www.w2k.pl

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] List problems - resolved
Hey Tony, did you know that the list was broken for like 4 days? *runs FAR away* :-) - Laura On 4/11/06, Tony Murray [EMAIL PROTECTED] wrote: You will have noticed that messages are now coming through again. The problem has been resolved and all should be back to normal. Any emails sent to the list during the outage will not have been queued, so please send again. Thanks to the 732 of you who alerted me to the fact that the list was not operational J Tony This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002. -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Where's Deji.. (was Quiet? DEC? Related?)
Hmmm, trying to figure out how to make the logistics of a Sydney junket work. The European contingent would be flying east via Heathrow/Frankfurt/deGaulle--Hong Kong--Sydney or something, while the damn Yankees would fly west via LAXI suppose we could all meet up in Hong Kong and start from there, but oh -my- would that be an exercise in herding cats. :-) As for what to talk about? It may sound like a cop-out to say The stuff you talked about in the slide deck, but it's not, really. The people who were dazed by jadonex talking a mile a minute about group caching and app partitions and what not would probably have a big collective AHA! Gestalt moment if we rolled up some corresponding VPC exercises where everyone could see the stuff in action. Example: do a lab where you actually get to see the creation of the phantom objects that are managed by the IM, and maybe you get half the room saying Wow, I've been reading about the IM/GC interaction for 3 years...but never really grokked it until now. That's just a hip-shot first thought, anyway. - Laura On 4/2/06, joe [EMAIL PROTECTED] wrote: Yes, Tony should have been there. That was part of my idea about Sydney. If he was still not present we could take a puddle jumper over to NZ and drag him out kicking and screaming. Plus I have a lot of friends I made in NZ and Australia from back when I worked with XYZ Widget company that really want me to come down for beers. I figure I could get a multimonth vacation out of it until the Aussie authorities chased me down and booted me out. :o) Would also like to see physical presence of -ajm, ~Eric, Garage Door clicker, DmitriG, and several others that I can't bring to mind this exact second. Yes tacit acceptance, that would be pretty accurate. :o) Start talking about First Class airfare, suites, and also flying in our posse's and we could move up to just about maybe[1]. 
BFEG Watch out Tony, Gil can certainly twist an arm, I still can't use chopsticks with my right hand thankyouverymuch and you do NOT want to see me eating with chopsticks with my left hand, Yum Talay flying all over the place g I guess that also brings up the topic of if people had Dean and I in a room together again what would you want to hear about? I saw several comments of doing the pre-session but again, what would you want to see and/or hear about? One of the big things that slowed Dean and I down on this was the fact that we couldn't think of anything we thought people would be interested in hearing about. Maybe we should just pick up with where we left of with our slide deck from this year? Seriously though, folks should be pretty familiar by now with Dean and I and what we talk about in posts etc, what things would you want to hear from us in a presentation? I think the presentation name will have to be something like Humour, Opinions, and Serious Tech 2007 but what goes into it? I expect the other speakers wouldn't mind this kind of feedback as well. Well except for maybe Wook, not sure anyone could be as creative as Wook in topic selection for his technical session. joe [1] Of course I am sort of kidding around here. :) -- List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Quiet? DEC? Related?
of it was spent showing Guido how US slot machines worked in the Belagio. $20 was spent when I was passing a $1 Wheel of Fortune progressive slot on the way to the rest room because it called out to me and said it would make me financially independent for the rest of my natural born life (it lied), and finally $20 was spent while I sat at a bar playing Jacks or Better waiting on Dean and company to go to dinner not realizing that they didn't see me sit down next to them and were waiting on me to get there. I was up $80 bucks on that thing and then gave it all back. joe (The joe of the Dean and joe show, the j in www.jadonex.com) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, March 29, 2006 6:07 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quiet? DEC? Related? Just wrapped up Day 3. 530 people. General consensus is that it was the best DEC ever. More to follow when I can type on something bigger than a credit card. -gil -Original Message- From: Ayers, Diane [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org Sent: 3/29/06 1:23 PM Subject: RE: [ActiveDir] Quiet? DEC? Related? Maybe we should ask a question on the merits of doubling down on an 11 when the dealer has a face card showing... :-) Diane From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Wednesday, March 29, 2006 9:35 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quiet? DEC? Related? Don't worry we're still here.. ;-) Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. 
(BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Moon, Brendan Sent: Wed 2006-03-29 19:26 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Quiet? DEC? Related? Hmm.. everyone must be having fun at DEC... this list has been very quiet this week! - Brendan Moon List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Re Service Pack Level
Note you have to use a script, it won't run by pasting it into a CMD prompt. Be sure to change the domain info listed in all caps to your respective domain.

@for /f %%i in ('dsquery.exe * "cn=partitions,cn=configuration,dc=SUBDOMAIN,dc=DOMAIN,dc=COM" -filter "(&(objectcategory=crossref)(systemflags=3))" -attr nCname') do dsquery.exe * %%i -Filter "(&(objectCategory=computer)(objectClass=computer)(primaryGroupID=516))" -Scope Subtree -Limit 0 -Attr dnshostname operatingsystem operatingsystemservicepack | find /v /i "operatingsystem" >>DC-Inventory-OS-Version.LOG

Unless I'm completely misremembering my for-do syntax, I think you can run that from a plain old command prompt by changing the '%%' instances to just '%'.
Re: [ActiveDir] MVP mini summit at DEC 2006
I think the statement works either with it or without it. :-) (And remember, it's in -Henderson-, not Las Vegas! No gambling, no showgirls, just a quiet little geek conference in the middle of the desert. Nothing to see here, move along. ;-)) On 2/23/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote: Forgot the ;-) Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: I believe Vegas comes standard with Drugs, booze and loose women. [EMAIL PROTECTED] wrote: Daft question maybe, but is this open to MVPs only? neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: 23 February 2006 00:09 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] MVP mini summit at DEC 2006 Alym has scheduled a MVP mini summit session at the conclusion of DEC 2006 in Las Vegas. We'll meet on Wednesday March 29th at 4pm in one of the DEC session rooms (tbd). Drugs, booze, and loose women will follow... or at least that's what I was led to believe. :) Alym is swamped with another project, but will be providing the official announcement in a few days. I just wanted to make MVPs aware of it in case you had scheduled a flight out on Wednesday afternoon. -gil List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. 
Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] repadmin info oddity
(or a scotch if you'd prefer ;o) ... Double shot of Glen Livett, a nice spritz of Sprite, inch and a half of water and a couple of ice cubes, in a highball glass. And the fact that I still remember this begs two questions: [1] What do we order if the bar doesn't have Glen Livett? and [2] What critical piece of information has -not- been encoded into my long-term memory so that I can instead remember how Dean takes his Scotch? :-) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Authentication for kiosk machines - straw poll
So for those of you that need to put Internet kiosks in place somewhere in your organization, in a lobby or a dining hall or something, how do you handle the initial authentication when that machine boots up? Hardcoding the account credentials in the Registry under the ~\Winlogon key? (Clear-text embedded password. Bleach.) Or do you use a third-party add-on to make that bit go? Just curious to see what other people are doing. -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Problem in assigning permissions to the user in parent domain over the shared folder in child domain
will be appreciated. Thanks Lakshmi -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] distributing large service pack files
There's also the liability issue of I host my own copy of some bits. My copy of those bits gets hacked or otherwise b0rked. Random customer uses my bits, hoses their machine, sues Redmond. At least, that's the reasoning I encountered when I had the conversation about higher ed being able to hand out SP2 CDs. Whatever the reason, it's not kosher under any licensing terms that I'm familiar with. Based on your description of your environment, I'd definitely go the distributed WSUS route if your WAN links are getting overloaded. - L On 2/2/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote: Not to mention it's my understanding that it's not legal to distribute service packs outside the MS cloud and host MS code like service packs/hotfixes like that. This is why universities cannot hand out SP cdroms and some such things. Since the Department of Justice... it's been my impression that MS tends to want to control the bits so they can yank parts if need be [see recent SP update notifications for Office due to stupid lawsuit between guy and MS on Access] WSUS had to get some eula's rewritten to allow the geeks to do allow consultants to do patching and what not. Molkentin, Steve wrote: Mark, WSUS (and SMS for that matter) uses the Background Intelligent Transfer Service (that's what it's called) to do just this on large files, in that it is smart enough to recognise downtime on your network to send files, and manages the resumption of large files if it had to stop transferring them. It is pretty seamless in my experience - all our links are less than T1 (except for the internet pipe into our head office), and we manage to push a lot of stuff around using WSUS quite well with no interruption to business. It's not hard to setup an older PC as a local WSUS cache - it needs little in the way of processor and RAM (really), and will get over any cost issue and give you the ability to distribute, etc. 
Additionally, it takes away all the responsibility of the staff member to install/connect/download the service pack (and don't start me on the fact that they shouldn't have admin rights to install it in the first place). My $0.02 inc GST... themolk. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Friday, 3 February 2006 6:18 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] distributing large service pack files The structure of our WAN is such that we have lots of small offices all over the country, each with a few to a hundred or so PCs, connected by not-so-fast links. The biggest locations have T1s, but many don't. Keeping these things patched is a nightmare. We do not have distributed servers, and really nothing except the PCs themselves to cache something for local delivery. Which brings me to my question…is it even conceivable that something like an internal-only BitTorrent could be leveraged to distribute something as large as a service pack? I think it might be more efficient than a 3rd party patch management solution or WSUS, which I can't use because of not having distributed file caches. If this is nutty, dish out the dirt, but I'll want to understand why it's nutty too :-) Thanks Mark Creamer Systems Engineer Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040 Email: [EMAIL PROTECTED] | http://www.cintas.com This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system.
Your assistance in correcting this error is appreciated. -- Letting your vendors set your risk analysis these days? http://www.threatcode.com List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] Reset Local Admin Passwords
We currently have about 4 different passwords floating around our domain and we'd like to get it down to a single standard. Any help would be appreciated. Okay, just to offer a counterpoint to your underlying plan - you do realise that by using a single local admin password across your enterprise, if even -one- of those workstations gets the admin password compromised, the attacker who did so now has local admin rights to every workstation on your network? With apologies to Jesper Johannsen[1], it's one of those How to get your network hacked in 10 easy steps things - if I've just compromised the local admin password of WorkstationA, what do you think is going to be the very first password I try when I move on to try and compromise WorkstationB? [1] And additional apologies for the fact that I'm sure I just spelled his name wrong. -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
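The reuse argument in the reply above can be put in numbers. The following is an added example, not part of the original thread: it models three local-admin password policies and counts how many other workstations share a credential with a single compromised one. Host names, passwords and the `fingerprint` stand-in are constructed for illustration.

```python
"""Model the exposure created by reusing local Administrator passwords.

Added illustration; every host name and password below is constructed.
"""
import hashlib
import secrets
from collections import defaultdict

# Constructed fleet of twelve workstations.
HOSTS = [f"WKSTN-{n:02d}" for n in range(1, 13)]


def fingerprint(password):
    """Stand-in for an unsalted credential hash.

    The property that matters: the same password yields the same value on
    every machine, so a credential learned once is valid wherever it repeats.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def assign_shared(hosts, passwords):
    """Spread a small pool of passwords over the hosts, round-robin."""
    return {h: fingerprint(passwords[i % len(passwords)])
            for i, h in enumerate(hosts)}


def assign_unique(hosts):
    """Give every host its own random password."""
    return {h: fingerprint(secrets.token_urlsafe(18)) for h in hosts}


def reuse_groups(inventory):
    """Return lists of hosts that share one credential (groups of 2 or more)."""
    groups = defaultdict(list)
    for host, fp in sorted(inventory.items()):
        groups[fp].append(host)
    return [hosts for hosts in groups.values() if len(hosts) > 1]


def blast_radius(inventory, compromised):
    """Other hosts that accept the credential taken from `compromised`."""
    fp = inventory[compromised]
    return sorted(h for h, other in inventory.items()
                  if other == fp and h != compromised)


def worst_case(inventory):
    """Largest number of additional hosts exposed by any single compromise."""
    return max(len(blast_radius(inventory, h)) for h in inventory)


def compare_policies(hosts=HOSTS):
    """Worst-case exposure for the three policies discussed in the thread."""
    policies = {
        "four passwords (today)": assign_shared(
            hosts, ["pw-one", "pw-two", "pw-three", "pw-four"]),
        "single standard (proposed)": assign_shared(hosts, ["pw-standard"]),
        "unique per workstation": assign_unique(hosts),
    }
    return {name: worst_case(inv) for name, inv in policies.items()}


if __name__ == "__main__":
    for name, exposed in compare_policies().items():
        print(f"{name:28s} one compromise exposes {exposed} other host(s)")
```

Run against a real inventory, `reuse_groups` gives the list of machines to re-key first.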
Re: [ActiveDir] Congrat Jorge !!!!!
*throws more confetti* It's a good week for ActiveDir. :-) Congratulations, Jorge. Well-deserved. On 1/13/06, joe [EMAIL PROTECTED] wrote: Heh. I was wondering if he knew or not when I saw your blog. ;o) The program isn't always real fast at letting people know. g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Friday, January 13, 2006 4:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Congrat Jorge ! Amazingly I blogged this a week ago (http://www.gilsblog.com/index.cfm?commentID=44 ) How did Jorge not find out till today? Don't they have email over there? :) Congratulations Jorge, you certainly deserve it. -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Friday, January 13, 2006 12:00 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Congrat Jorge ! Just read jorge's blog @ http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx Congrat jorge for your nomination as a MVP. :o) Will u have a microsoft professional card as the MCP/MCSE one ? Yann -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Brain Freeze - export list of mail enabled groups and memberships.
Except for the entire readership of ActiveDir, you mean. ;-) - L On 1/12/06, Mark Parris [EMAIL PROTECTED] wrote: Thanks for this, all done and nobody knows that I am hungover. -Original Message- From: joe [EMAIL PROTECTED] Date: Thu, 12 Jan 2006 08:27:11 To:ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Brain Freeze - export list of mail enabled groups and memberships. This all assumes Exchange but... Mail *should* be populated but I am not positive if there is a hard req for it. A mailenabled group won't have a homeMDB value since it isn't a mailstore but a redirection. I would key off of mailnickname or legacyExchangeDN myself. Both are singlevalued indexed attributes so should yield good speed. Also I would probably dump the mailNickname and displayname as well in the dump. Note that this will not give nested results for a group and will not tell you which members aren't mailbox/mail-enabled which affects who will receive the message. To do those things would require a script or tool that goes looking for additional things. Not sure if one has been written for Exchange 200x. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, January 12, 2006 8:13 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Brain Freeze - export list of mail enabled groups and memberships. Jorge, is there any dependency on mail as a mail-enabled attribute? Maybe population of proxyaddresses may be better? Or having a homemdb value? :m:dsm:cci:mvp marcusoh.blogspot.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, January 12, 2006 8:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Brain Freeze - export list of mail enabled groups and memberships. 
ADFIND -GC -B -F ((objectCategory=group)(mail=*)) sAMAccountname member Jorge From: [EMAIL PROTECTED] on behalf of Mark Parris Sent: Thu 2006-01-12 13:40 To: ActiveDir.org Subject: [ActiveDir] Brain Freeze - export list of mail enabled groups and memberships. I have got a major hangover today and I have been asked to export a list of mail enabled groups and memberships. Can anyone please remind me what the utility is to do this or give me a pointer to a script. Thanks Regards Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
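The thread above notes that a flat dump shows neither nested membership nor which members are not mail-enabled. The following is an added example, not code from the list or from joeware, of the kind of post-processing script that closes that gap. It works on a constructed export keyed by DN and, as suggested in the thread, treats a populated mailNickname as the mail-enabled test (an assumption, as are all names in the sample data).

```python
"""Expand nested membership of mail-enabled groups from an exported dump.

Added illustration; the directory contents below are constructed.
"""


def dn(cn, ou):
    """Build a constructed DN in a placeholder domain."""
    return f"CN={cn},OU={ou},DC=example,DC=com"


# Constructed export: DN -> attributes, as a dump of groups and users might
# look once parsed. "IT" is not mail-enabled and points back at "All Staff".
DIRECTORY = {
    dn("All Staff", "Groups"): {
        "objectCategory": "group", "mailNickname": "allstaff",
        "member": [dn("Sales", "Groups"), dn("IT", "Groups"),
                   dn("Alice", "Users")]},
    dn("Sales", "Groups"): {
        "objectCategory": "group", "mailNickname": "sales",
        "member": [dn("Bob", "Users"), dn("Carol", "Users")]},
    dn("IT", "Groups"): {
        "objectCategory": "group",
        "member": [dn("Dave", "Users"), dn("All Staff", "Groups"),
                   dn("Ghost", "Users")]},
    dn("Alice", "Users"): {"objectCategory": "person", "mailNickname": "alice"},
    dn("Bob", "Users"): {"objectCategory": "person", "mailNickname": "bob"},
    dn("Carol", "Users"): {"objectCategory": "person"},  # no mail attributes
    dn("Dave", "Users"): {"objectCategory": "person", "mailNickname": "dave"},
    # dn("Ghost", "Users") is deliberately missing from the export.
}


def mail_enabled_groups(directory):
    """Groups that carry a mailNickname value."""
    return sorted(d for d, attrs in directory.items()
                  if attrs.get("objectCategory") == "group"
                  and attrs.get("mailNickname"))


def expand_group(directory, group_dn):
    """Walk `member` through nested groups and classify every leaf object.

    Returns sorted DN lists: recipients (mail-enabled leaves),
    not_mail_enabled (leaves without mailNickname), unresolved (member DNs
    absent from the export) and nested_groups (groups reached on the way).
    """
    if group_dn not in directory:
        raise KeyError(f"group not in export: {group_dn}")
    seen = set()  # groups already expanded; stops membership loops
    recipients, not_mail_enabled, unresolved = set(), set(), set()
    stack = [group_dn]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in directory[current].get("member", []):
            entry = directory.get(member)
            if entry is None:
                unresolved.add(member)
            elif entry.get("objectCategory") == "group":
                stack.append(member)
            elif entry.get("mailNickname"):
                recipients.add(member)
            else:
                not_mail_enabled.add(member)
    return {
        "recipients": sorted(recipients),
        "not_mail_enabled": sorted(not_mail_enabled),
        "unresolved": sorted(unresolved),
        "nested_groups": sorted(seen - {group_dn}),
    }


if __name__ == "__main__":
    for group in mail_enabled_groups(DIRECTORY):
        print(group)
        for key, values in expand_group(DIRECTORY, group).items():
            print(f"  {key}: {values}")
```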
Re: [ActiveDir] [List Owner] Mailing list is 5 today!
*throws confetti* Happy Birthday to...ActiveDir Happy Birthday to...ActiveDir ...okay, I'll stop singing now. :-) - L On 1/12/06, Kat Collins [EMAIL PROTECTED] wrote: Whoo-hoo! I was there and I'm still here. This is indeed one of the best spots for AD information out there!! Congratulations Tony, and please keep up the great work you do! Kat On 1/12/06, Tony Murray [EMAIL PROTECTED] wrote: Hi all I started this list on 13th January 2001. Thanks to everyone out there for making it a great place to hang out and learn about AD (and more besides!). Tony List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ -- Kat Collins - The Email of the species is more powerful than the Mail! The human voice is the organ of the soul. Henry Wadsworth Longfellow List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] OU Delegation
It's a bit dated by this point, but I still consider Sanjay Tandon's delegation white paper to be one of the better treatments on the subject: http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en - Laura On 1/11/06, Harding, Devon [EMAIL PROTECTED] wrote: We're in the process of consolidating 21 child domains into just one and one root. We want to separate the divisions (domains) into different OUs. Is there a guide or best practice out there on delegating admin permissions on OUs? Also, we've got Exchange permissions to deal with too. Devon Harding Windows Systems Engineer Southern Wine & Spirits - BSG 954-602-2469 __ This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You. -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] OT: Prob not relevant here ...but -implement system policies in non AD
...a single Domain Controller WITH EXCHANGE RUNNING ON IT, you mean? :-) On 1/11/06, joe [EMAIL PROTECTED] wrote: BLASPHEMY! Non-AD Environments! That's almost as bad as having a single Domain Controller!!! :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, January 11, 2006 2:01 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Prob not relevant here ...but -implement system policies in non AD How to implement system policies for Windows XP-based, Windows 2000-based, and Windows Server 2003-based client computers in non-Active Directory environments: http://support.microsoft.com/?kbid=910203 List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Looking for group policy setting
Computer Settings\Administrative Templates\System\Logon A good resource here is the Policy Settings.xls spreadsheet downloadable from http://www.microsoft.com/downloads/details.aspx?FamilyID=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en (watch wrapping on that URL). Gives you a list of all the GPO settings that are available, where they're located in the tree, and what OSs they are supported by. - Laura On 1/10/06, klas9574 [EMAIL PROTECTED] wrote: Does anyone here happen to know where the setting is to turn off new users on a computer getting the Getting Started popup on windows 2000? Scott Klassen -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] Strange deleted object issue
You need to set the LDAP control flags in LDP to view deleted objects. (It's what the -showdel switch is doing for you in adfind.) It's under Options somewhere, look for it and you'll see it. - Laura On 1/10/06, Tom Kern [EMAIL PROTECTED] wrote: Thanks. That worked. Now my question is, why didn't LDP show that? is it because i'm running the win2k3 version against a win2k forest? what am i doing wrong with ldp? Thanks again On 1/10/06, Coleman, Hunter [EMAIL PROTECTED] wrote: Try adfind with the -showdel flag From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Tuesday, January 10, 2006 8:11 AM To: activedirectory Subject: [ActiveDir] Strange deleted object issue I have this weird issue- A user object is missing from my win2k native mode domain. I know because this user has complained that he can't log in and i can't find the object anywhere in AD. I've checked the deleted objects container in AD with ldp and he is not in there as well. He's not in the Lost and Found container either. His exchange mailbox is orphaned in ESM. Sometime last nite this user was deleted but i have no way of finding him. we don't have auditing turned on for that but i figured if an object was deleted it would definitely be in the deleted objects container. is there anyway to bypass that? where else can i look? Any help would be great because this is just plain bizarre. Thanks -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] OT: DEC 2006
Because you knew full well that if you'd scheduled the conference on the strip, you would've had 500 geeks walk into the casino that stood between them and the conference rooms...and maybe 3 of us would've come out the other side. :-) - L On 1/10/06, Gil Kirkpatrick [EMAIL PROTECTED] wrote: It's not Vegas; the Green Valley Resort is in Henderson, NV. :) Nope, nothing to see here. No gambling, no shows, no fast women. Just boring technical sessions. Move along. -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Tuesday, January 10, 2006 7:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DEC 2006 Ditto for me… My title doesn't start with a C _ _ so I'm afraid to even ask for a paid trip to Vegas :-) --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros Sent: Monday, January 09, 2006 1:27 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: DEC 2006 I would love to go, unfortunately as most people on the list unless our employers pay for it, we just can not afford to attend. Jose - Original Message - From: McLeod, Scotty To: ActiveDir@mail.activedir.org Sent: Monday, January 09, 2006 7:45 AM Subject: RE: [ActiveDir] OT: DEC 2006 Am attending again, looking forward to it. Scotty From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: 05 January 2006 22:17 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: DEC 2006 Of the list how many people are going to DEC this year? www.directoryexpertsconference.com Tomorrow is the last day for the early bird registrations if anyone wants to day some $£€'s. Mark This e-mail and any attachments may contain confidential and privileged information.
If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this e-mail and destroy any copies. Any dissemination or use of this information by a person other than the intended recipient is unauthorized and may be illegal. ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system. -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] OT: DEC 2006
On 1/6/06, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote: Hope that Vegas is a more fun place – in Orlando they were shutting everything down at 1am, in Barcelona at least the Hilton did the same. Las Vegas (at least on the main strip) is a 24x7 town - the casinos intentionally crank down the air-conditioning, display no clocks, and keep the lights going full blare so that you have no way of knowing what time it is - all the better to keep you there gambling longer. A common occurrence is to walk out of a casino thinking that it's around 11pm, only to find that it's more like 4am. It even happens to me, and I usually have a pretty good internal clock. :-) - L
Re: [ActiveDir] OT: adfind syntax
This may sound whacky, but did you type the command in manually, or did you copy/paste all or part from here or the joeware site? I've had adfind/admod get cranky on me when I do a copy/paste, but then work perfectly when I type in the exact same thing manually. Just a thought. - Laura On 1/6/06, Douglas M. Long [EMAIL PROTECTED] wrote: It tells me 'DC=domain,DC=com' Of course with the correct domain for domain though. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, January 06, 2006 9:31 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: adfind syntax What does the part at the bottom say... the part that says Best Match of: That will tell you how much of the DN it knows to be valid. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Friday, January 06, 2006 9:06 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: adfind syntax Man, can someone tell me what I am doing wrong here. I just cannot figure this out. Don't laugh; I am sure it is something stupid. adfind -default -rb ou=wsusclients,ou=xpclients -f (objectcategory=computer) I assume this should search for all computer objects on ou=wsusclients,ou=xpclients,dc=domain,dc=com I am getting ldap_get_next_page_s: [dc1.domain.com] Error 0x20 (32) - No Such Object -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] OT: DEC 2006
I'll be there, can't hardly wait. - Laura On 1/5/06, Kat Collins [EMAIL PROTECTED] wrote: Unfortunately, no - just speaking from past MECs and TechEds!! My attendance at morning sessions usually was obliterated by attendance at evening soirees!! Many here have been witnesses, such as the Tampa Lulu's Bait Shack and the Atlanta Hard-Rock (many years ago...) after the B-52's concert!! Ahhh - sweet memories!! :-) Kat On 1/5/06, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote: Did we meet? (Just kidding) Ulf From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kat Collins Sent: Friday, January 06, 2006 1:19 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: DEC 2006 (aka significant alcohol consumption)!! Kat Collins On 1/5/06, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote: I'll be there. I'm looking forward to meeting everyone (again) – I love those Conferences with a lot of community interaction! Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Thursday, January 05, 2006 11:17 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: DEC 2006 Of the list how many people are going to DEC this year? www.directoryexpertsconference.com Tomorrow is the last day for the early bird registrations if anyone wants to save some $£€'s. Mark -- Kat Collins - The Email of the species is more powerful than the Mail! The human voice is the organ of the soul. Henry Wadsworth Longfellow -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] FSMO Role Transfer GUI
Come on, you two, can't we all just get along? ;-) On 12/17/05, joe [EMAIL PROTECTED] wrote: Bite me Wells. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Saturday, December 17, 2005 3:40 PM To: Send - AD mailing list Subject: RE: [ActiveDir] FSMO Role Transfer GUI I used to use LDIFDE (I imagine that still works) ... oops, typo'd it again ... what I meant to say was I use to ADmod.exe (he's sensitive you know ;o) -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Thursday, December 15, 2005 9:05 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO Role Transfer GUI You can't transfer the schema or domain naming fsmo's from ADUC. Personally I just use ntdsutil and know the syntax off the top of my head, but, if you don't do this often it might be useful to have a central point of control. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, December 15, 2005 3:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO Role Transfer GUI What are the advantages/benefits of this UI vs UC? I can transfer all domain roles from that UI today? Thanks, neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WILLIAMS, J.D. Sent: 14 December 2005 17:27 To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] FSMO Role Transfer GUI Anyone interested in testing a FSMO Role Transfer GUI? If so, please email me at [EMAIL PROTECTED] and I'll send you a copy. Essentially a front end for the NETDOM and NTDSUTIL exe and was generally an exercise in working with external exe and discovering that McAfee sees some of the .net code as buffer overflows and keeps text from showing up in combo-boxes. That was fun. I'd rate the app towards the novelty side of the Novelty <-> Useful continuum. 
But hey, it's a better use of email and time than Elf Bowling! Works in both my test and production environment. Oh, also only transfers the domain roles. Does not transfer the schema owner or domain role owner, but does list the DCs holding those roles. Thanks, JD -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Ntds.dit file corruption
On 12/6/05, joe [EMAIL PROTECTED] wrote: LOL. I enjoyed it which means it is all good as you all exist for my personal entertainment. ;o) Well except for Laura, she exists to hound me to the end of my existence on commas. very glad that you can't throw virtual vegetables at list posters Keep it up, joe, and I'll start proofreading your activedir posts as well. (Note the appropriate comma usage.) :-) - Laura
Re: [ActiveDir] Knowing when users were deleted.
Various thoughts from this thread: [1] I agree with Al and Paul[1] on a desire for that sort of metadata. I'm not as convinced of the trade-off value of bloating the DIT for full undelete information, particularly in monster big environments. For my teeny-tiny single domain it probably wouldn't be that bad of a hit, but I imagine that the laws of diminishing returns would quickly set in. [2] Please finish the thought, Brett, I'm sure I'd find it helpful/enlightening/informative even if it's only speaking in hypotheticals. [3] It's Gil and Darren's turn to crack me up today, I guess joe is taking a break. [1] *waves* Hi Paul! Glad to see you alive post-Summit. - L
Re: [ActiveDir] LegalNoticeText maximum value
On 10/14/05, Free, Bob [EMAIL PROTECTED] wrote: you will make Penn State proud! Don't folks at the University of Pennsylvania take umbrage when you call it Penn State ?? They did when I lived there :-] /Child of 2 Penn State alums We most certainly do, that's why he does it to me. ;-)
Re: [ActiveDir] salary(OT)
: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Wednesday, October 12, 2005 9:37 PM To: activedirectory Subject: [ActiveDir] salary(OT) well, i've been consulting for 2 months full time for a company and now they want to make me an offer to work for them(yeah,i'm amazed too..) At first it was a head/senior AD position but now they want to throw in Exchange in the mix. they used to outsource all their windows infrastructure and during my tenure there, they took it back so they have no AD/Exchange people. This is a 3000 user financial corp in Manhattan. my question is, what kind of salary would one expect for such a position, taking into account the business and location and size. thanks
-- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] LegalNoticeText maximum value
You know, there's a reason nobody likes you, Richards. ;o) - L On 10/14/05, joe [EMAIL PROTECTED] wrote: Sounds like something you could find on www.shutuplaura.com BTW, it is annoying that I have to get an account to leave a comment. I don't need any more accounts. So congrats on signing up for the run, you will make Penn State proud! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter Sent: Thursday, October 13, 2005 9:00 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] LegalNoticeText maximum value Forgive me if this is an obvious thing and my Google-fu is just failing me, but can someone remind me of the maximum string length on this when running 2003? I'm finding conflicting references between 255 and 512 characters. Thanks all. - Laura -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
[ActiveDir] LegalNoticeText maximum value
Forgive me if this is an obvious thing and my Google-fu is just failing me, but can someone remind me of the maximum string length on this when running 2003? I'm finding conflicting references between 255 and 512 characters. Thanks all. - Laura -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking
Re: [ActiveDir] LegalNoticeText maximum value
Thanks all...I did find that KB, but thought I'd seen another reference that quoted 255. I can't find it now, though, so will assume that I was hallucinating. :-) - L On 10/13/05, Webster [EMAIL PROTECTED] wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Subject: RE: [ActiveDir] LegalNoticeText maximum value Laura, you probably found this anyway, but here it specifies 512. http://support.microsoft.com/?kbid=310430 And from the bottom of that KB: Note If you do not use carriage returns in your display message, the maximum number of characters that you can add to the logon box is 512. If you add carriage returns, you can and add up to 2048 characters (512 characters per line). Should have just read it and saved myself the work. Laura you owe me some Hagan Daaz in Boston next year. :) Webster -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter Subject: [ActiveDir] LegalNoticeText maximum value Forgive me if this is an obvious thing and my Google-fu is just failing me, but can someone remind me of the maximum string length on this when running 2003? I'm finding conflicting references between 255 and 512 characters. -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] LegalNoticeText maximum value
Ah, that's the one. The link I found wasn't the KB itself, though, but another site that had partially quoted it (without the ever-critical Applies to the following operating systems part.) Thanks for clearing up some momentary confusion, Tony. (And what's up with the list-serv, man? I'm seeing your reply to a message I sent, but haven't actually seen the message itself. (Or are you just -that- much of a mindreader? :-))) With many nested parentheses, Laura On 10/13/05, Tony Murray [EMAIL PROTECTED] wrote: This one perhaps? http://support.microsoft.com/default.aspx?kbid=225087 It's more NT-ish. Tony
Re: [ActiveDir] ADFIND mods
and why you would like to test it and I will put you in the hat. Oh here is what the csv output looks like at the moment

F:\Dev\CPP\AdFind>adfind -h 2k3dc01 -default -s one name objectclass whenchanged -csv -sort name
dn,name,objectclass,whenchanged
CN=Builtin,DC=joe,DC=com,Builtin,top;builtinDomain,20040625234526.0Z
OU=CleanOU,DC=joe,DC=com,CleanOU,top;organizationalUnit,20050804014613.0Z
CN=Computers,DC=joe,DC=com,Computers,top;container,20040625234526.0Z
OU=contacts,DC=joe,DC=com,contacts,top;organizationalUnit,20050821222039.0Z
OU=Domain Controllers,DC=joe,DC=com,Domain Controllers,top;organizationalUnit,20040625234526.0Z
OU=Exchange,DC=joe,DC=com,Exchange,top;organizationalUnit,20040625234707.0Z
CN=ForeignSecurityPrincipals,DC=joe,DC=com,ForeignSecurityPrincipals,top;container,20040625234526.0Z
CN=Infrastructure,DC=joe,DC=com,Infrastructure,top;infrastructureUpdate,20050613155937.0Z
CN=LostAndFound,DC=joe,DC=com,LostAndFound,top;lostAndFound,20040625234526.0Z
CN=Microsoft Exchange System Objects,DC=joe,DC=com,Microsoft Exchange System Objects,top;container;msExchSystemObjectsContainer,20050330022442.0Z
CN=NTDS Quotas,DC=joe,DC=com,NTDS Quotas,top;msDS-QuotaContainer,20040625234526.0Z
CN=Program Data,DC=joe,DC=com,Program Data,top;container,20040625234655.0Z
OU=Sales,DC=joe,DC=com,Sales,top;organizationalUnit,20050920020829.0Z
OU=someapp,DC=joe,DC=com,someapp,top;organizationalUnit,20050824051114.0Z
CN=someapp2,DC=joe,DC=com,someapp2,top;person;organizationalPerson;user,20050824051145.0Z
CN=System,DC=joe,DC=com,System,top;container,20040625234526.0Z
OU=TestOU,DC=joe,DC=com,TestOU,top;organizationalUnit,20050715071524.0Z
CN=Users,DC=joe,DC=com,Users,top;container,20050805051458.0Z

joe
[1] Yes that Jerry, Jerold Schulman, of the reghacks / JSI Inc web site.
http://www.jsiinc.com/aboutJSI.htm -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] BlackComb Super Forest Functional Mode
-- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] [OT] OU permissions for user object
Actually I've always done that, used to get me in trouble in high school English class. (And grey is spelled with an e, dammit!) The amusing part of Saturday's discussion, I thought, was the determination that the British Empire began losing some of its holdings because of all the time everyone was wasting writing out all of those superfluous u's. :-) On 10/5/05, Brian Desmond [EMAIL PROTECTED] wrote: You missed the discussion on Saturday. Apparently she spells everything in the ou manner now. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, October 04, 2005 10:53 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [OT] OU permissions for user object I certainly try to. :) BTW, you are spending too much time around Dean, you spelled favorite wrong. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter Sent: Wednesday, September 07, 2005 1:44 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OU permissions for user object snip I would rather work 80 hours a week because I choose it than give out permissions that cause me to work 80 hours a week because I have to hold the environment together. / snip As joe-isms go, I think that one just became my favourite, and one to live by. Laura -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] AD Restore Problem
to authoritatively restore any objects, click Yes to restart the computer. The system will restart and replicate any new information that is received since the last backup with its replication partners. If you need to authoritatively restore any objects or if you need to create an LDAP Data Interchange Format (LDIF) file to restore back-links on this domain controller, click No to remain in Directory Services Restore Mode. For information about how to proceed with authoritative restore, see Performing an Authoritative Restore of Active Directory Objects.

If the server fails to boot properly:
Boot the computer off the Windows 2003 server CD.
The repair operation begins after you accept the license agreement and after the Setup program searches for previous installations of Windows to repair.
When the Setup program finds the damaged installation, press R to repair the installation (DO NOT USE THE RECOVERY CONSOLE).
Follow the onscreen steps to complete the repair.
When the repair completes, reboot the server.

If the server fails to boot past BIOS:
Boot the computer off the Windows 2003 server CD.
Select the appropriate HAL option for your computer hardware.
After the HAL loads, select R for the Recovery Console.
Logon to the Windows directory that you need to repair by selecting the appropriate number (default of 1).
Logon using the DSRM password.
At the command prompt type disable acpi and hit enter.
Make a note of the registry change.
Type exit and hit enter to reboot the machine.
When the machine boots, follow step 17 to complete the HAL recreation.
Install the Windows 2003 Admin Pack. (You do not need to install this prior to this point as the dlls will be overwritten if you are forced to follow step 17).
If you run ADUC and receive an error connecting to the active directory, reboot the server. During the initial reboot some installation processes have not yet completed so the Active Directory does not fully execute. The secondary reboot will correct this issue.
Verification
After a restore is completed verification must be done to ensure that it is functioning correctly. The easiest way to conduct the verification is to use a laptop that was on the network before the backup was taken. Simply connect the laptop to the switch that server is on and attempt to authenticate and access resources on the server (a file share could be placed on the restored server to ensure that the authentication process is working correctly). The greatest test would be to down the server that is being restored and plug in the current machine. Although this will allow the best functional test, if something in the backup went wrong then you could possibly corrupt the production server. You will want to test the logon scripts and a number of different users (to include administrative user accounts, delegated security user accounts and service accounts). Once you are fully satisfied with the restore process, this document should be updated and forwarded to the bank for safekeeping.
-- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] Notes/Domino LDAP
Unless I'm misunderstanding the question, I'm going to say that that'll be a tough compare since Notes/Domino maps much more closely to Exchange and Groupwise in terms of functionality. IE, it's a groupware/messaging/collaboration environment rather than a proper directory service. In most cases, in fact, a Notes/Domino environment will run on top of AD just like Exchange does, though I think you can hook Domino into a Linux infra as well. My personal recollection of Domino, though this is from several revs ago, was that it was close-but-not-quite-so-good as Outlook in terms of being a cool messaging client, but it gave you more options in terms of collaboration apps. (Sharepoint has likely rendered this comparison obsolete in the intervening years since I was a Notes admin.) A quick Google doesn't return what I'd consider a vendor-neutral comparison of Exchange and Domino, but here's the market-speak from both sides of the house. (Maybe compare them and split the difference. :-)): http://www-03.ibm.com/servers/eserver/iseries/domino/inotes/compare.html http://www.lotus.com/lotus/offering1.nsf/wdocs/messagingcompetitive?OpenDocumentcwesite=lotusnotesdom http://www.microsoft.com/exchange/evaluation/compare/METAEx2k3vNotes.mspx - Laura On 10/5/05, Tony Murray [EMAIL PROTECTED] wrote: Can anyone point me at an independent source of information on the capabilities and limitations of the Notes/Domino directory as compared with AD? Tony -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] New tool - script to count objects within a partition and provide a breakdown of their classes and the count of each
And as the guinea-pigger (is that a word? It is now), please allow me to say: What an awesome script. Thanks, Dean! - L -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) On 9/8/05, Dean Wells [EMAIL PROTECTED] wrote: Per the subject line ... hope it proves as useful to some of you as it has been to me this week. As always, please verify its successful execution in a lab before use in a production environment. Thanks to Laura Hunter for guinea-pigging it for me! Kindest regards. Dean -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com
Re: [ActiveDir] OU permissions for user object
snip I would rather work 80 hours a week because I choose it than give out permissions that cause me to work 80 hours a week because I have to hold the environment together. / snip As joe-isms go, I think that one just became my favourite, and one to live by. Laura