hi friends,
I am a Windows 2000 Professional edition user. I want a script that can
detect any change in one of my local directories and can perform the
corresponding operation on the remote computer kept in San Diego. The
folder on the remote computer has been mapped as a drive on my computer.
After a few months of lurking this is my first post to this list.
Thanks to all for the great information I have picked up here.
I'm currently doing some exercises in a lab environment to be able to
establish a good backup/restore plan for our future 2003 AD. When AD has
been set up we will
Thanks all for the post replies
On the reply highlighting the issue of it disabling inter-site replication
but not intra-site replication: this begs the question of how it
differentiates between the respective (inter vs. intra) requests for
replication???
duly noted on throwing (is that
If the machine in the other location is a 2000/2003 server then you can
use offline file replication.. Use something like
http://www.microsoft.com/resources/documentation/WindowsServ/2003/datacenter/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ
Hi folks,
Can someone please tell me what fields to check in GPO
delegation to allow specific users to reset passwords, and unlock users? My
test environment is a Windows 2003 AD.
Thanks in advance,
George
Information from Opportunity International Serbia sent by e-mail is without
George Arezina wrote:
Hi folks,
Can someone please tell me what fields to check in GPO delegation to allow
specific users to reset passwords,
This task you can delegate through the standard delegation wizard.
and unlock users? My test environment is
hey Rob,
Thanks for a lovely response...
The remote computer also has Windows 2000 Professional edition. I found
many third-party applications but I am bound to use a Windows utility.
The concept is that, the net speed being slow, it's not so easy to
work with that folder on share, so
How about robocopy from the resource kit? While it is not automatic, you could run
it with a scheduled job.
Mike Thommes
-Original Message-
From: Sumit Kumar Laad [mailto:[EMAIL PROTECTED]
Sent: Fri 7/9/2004 2:10 AM
To: [EMAIL PROTECTED]
Cc:
Yes, AD could help if you had 2K/2K3 servers then you could use
something like DFS to replicate the data. Do you have any MS servers?
Does the folder contain files/folders which are edited from both sides?
With Windows2000 pro box ... If you don't want to use a 3rd party tool,
then you'll have
Hi Joe,
Thanks for your detailed email.
I want the SAP domain to have a separate security policy
from the users domain.
So I think I am going to go down to the two tree domain
road.
So within my forest I have two tree domains.

            o
           / \
          /   \
   users.dom   sap.dom
So
Thanks Tomaz,
Two more issues need resolving: 1) being able to reset user passwords, 2) disabling
a user account.
Thanks in advance.
George
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Friday, July 09, 2004 12:16
To: [EMAIL PROTECTED]
Define what you mean by "want the SAP domain to have a separate
security policy than the users domain."
Using multiple trees in a single forest will not buy you anything that you
don't get with a child domain in terms of security.
You have domains which are policy boundaries and you have a
Yes I "believe" an SMTP connector should do that for you
though if the MX records of the other mail domain are resolvable, I wouldn't
think you need even that.
As for the GAL, as Jerry indicated, you need something to
do the syncing. You could also look at the Identity Integration Feature
To throw the DC into the alternative site, simply configure the site and
site link (initially I would set it with a normal frequency) and then move
the DC into that site with dssite.msc. Once it is in there and replicating
fine, kick up the period to a week or less. If you have the extra hardware,
To reset passwords you need CA on Reset Password.
Disabling accounts is more difficult because, when you set it, disabling is
not the only thing that can be done. You have to give WP on
userAccountControl, which is a bit flag for many things. See
from a Win2K to Win2003 server. Interesting, huh?
Not really, it may or may not be involved. What does repadmin /showreps
say?
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Malachi Burke
Sent: Friday, July 02, 2004 8:58 PM
To: [EMAIL PROTECTED]
Subject:
I guessed I got confused then!
As I understand it I don't want SAP to be a child of users
as I don't want it to inherit any domain security polices like password
expiration etc. I get what you are saying with the child domain now
though.
Ad
From: [EMAIL PROTECTED]
[mailto:[EMAIL
A child domain won't inherit the parent domain's password policy. In fact,
different security requirements are one of the primary reasons we are sometimes
forced to go with another domain.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Joe,
Each NT4.0 domain I have has two domain controllers, a BDC
and of course a PDC. When I upgrade the users domain PDC to ADS then that
will be pretty straightforward. When I upgrade the last BDC and switch to
native mode then that's it for the users domain - no going back - no problem,
Ah, okay. I have just bought a book called Windows
2000 Active Directory by Alistair G. Lowe-Norris from O'Reilly press. I will
get my head around all this once I have digested that book, I guess. I have
been on the ADS course, but it was a long time ago and we all know that
experience comes
Joe,
Where the heck have you been? I've been waiting for this answer for like two
weeks :
I confirmed, what you reported about bringing in fresh 2K3 DC's into a 2000
domain. I know where I got my impression from now, it was because my
operations group upgraded our PDC emulator in the DOGFOOD
Sure, free exists: VBSCRIPT, PERL, LDIFDE/CSVDE, etc. will all work
depending on sophistication and frequency required.
However, solutions like Simplesynch and IIFP are aimed at solutions that
need near-real-time synch vs. daily/weekly/monthly updates and also save a
boatload of dev and
You'll have to delegate userAccountControl to disable an account, which is a bunch of
other stuff, but it's a mask. If you don't want your help desk to have access to these
other things (many of those checkboxes on the accounts tab), you'll have to use a
custom app and delegate the app rights
Hi Joe,
The bridgehead servers are designated to satisfy my
security guys so that a minimum number of firewall conduits need to be defined
for DCs in separate sites. The recent addition of a second bridgehead
server was at the suggestion of my co-worker who likes redundancy.
8-)
Mike
I have to chime in here. Upgrading a DC from W2K to W2K3 won't pull any
FSMO roles to it. Microsoft recommends you do the PDC first because
it'll create a number of new well-known security principals which are
important in the W2K3-based domain. But you don't have to; a simple way
around this is
Title: Active Directory Sites and Services - IP Ranges for Site - SMS 2003
I have a TCP/IP question for you guys.
In Active directory Sites and Services there is a set of IP ranges that I am trying to figure out.
Here are the entries;
155.168.0.0/16 Bothell
155.168.128.0/17 Allen
I like to use this:
http://jodies.de/ipcalc
It saves a lot of eyeball crossing.
Tony
-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date: Fri, 9 Jul 2004 08:09:53 -0700
I have a
Title: Re: [ActiveDir] Active Directory Sites and Services - IP Ranges for Site - SMS 2003
What I have come up with
155.168.0.0/16    155.168.0.1   - 155.168.255.254
155.168.64.0/18   155.168.64.1  - 155.168.127.254
155.168.128.0/17  155.168.128.1 - 155.168.255.254
Aaron Visser
From: Jones, Rick
Title: Re: [ActiveDir] Active Directory Sites and Services - IP Ranges for Site
- SMS 2003
Well, I did have that at first, but how AD
handles that was what was confusing me. They appear to overlap but how AD
handles that has me on this list asking the question.
Rick J. Jones
Desktop
Title: Active Directory Sites and Services - IP Ranges for Site - SMS 2003
This is a very useful tool
http://www.telusplanet.net/public/sparkman/netcalc.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jones, Rick J. (Desktop Engineering)
Sent: 09 July 2004 16:10
To:
I would find this really surprising too. AFAIK you still can't import
LDIF into Excel..
Paul Cotter
Microsoft MVP - MIIS 2003
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, July 08, 2004 9:42 PM
To: [EMAIL PROTECTED]
Title: Active Directory Sites and Services - IP Ranges for Site - SMS 2003
Thanks. But that doesn't answer the question of how AD handles that layout.
They appear to overlap, and I know that can not be true unless the network
guys are doing it wrong.
Rick J. Jones
Desktop Engineering
Title: Account name as Common Name
From Chapter 8 of my book:
Using the createDialog Attribute
The purpose of the createDialog attribute is not described in the Active
Directory documentation and none of the default display specifiers use it.
However, Microsoft Knowledge Base article
Title: Message
If you
specify subnets in ADSS that 'overlap', the machine will use the most
specific one that applies in order to figure out its site membership. For
example:
subnet            range                           site
192.168.0.0/16    192.168.0.1 - 192.168.255.254   HUB
192.168.1.0/24    192.168.1.1 - 192.168.1.254
Title: Message
That is exactly the kind of knowledge of
how AD works on this that I needed as a clarification.
I believe it is being done that way as you
say, a catch-all for those areas not specifically defined. I
just don't have the knowledge in AD sites of how that bugger works.
Rick
Grrr. See, I swear I remember reading that. I was hesitant to write it, which
is why I said "I believe", as I hadn't ever seen it (never upgraded a 2K to
2K3, I just don't do that), but I swear I saw it documented somewhere... Now I
have to go find it.
I absolutely agree on your reasoning. I think any
Don't fret Joe,
I believe my impression was also colored by a MCS guy who said something to
the effect as well.
The way I plan to do my upgrade is solid now.
Todd
-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 09, 2004 4:06 PM
To: [EMAIL PROTECTED]
I'm trying to fix up some user accounts that used to be in one of the
admin groups protected by AdminSDholder. Using Robbie's most excellent
cookbook, I wrote a script to read a list of users and for each one, do
the following:
- set AdminCount to zero
- turn on the Allow Inheritable Permissions
Only 5 user accounts exist and these have
full admin rights. These accounts are required to start the SAP
applications and are contained within the SAP app. for its built in
security.
Why in the world would you want to set up a separate
domain to manage a different PW policy for your 5
seems to disable intrasite in my test...
repadmin running command /options against server
Criscolablpr06.Stevechild.Stevedom.Stevedns.Criscolab
Current DC Options: DISABLE_OUTBOUND_REPL
---
Replicate Now
---
The following error occurred during
Nope, that's wrong - it is absolutely no problem to do an Auth Restore of
an object without first doing a non-auth restore (e.g. from tape).
the challenge is to have a valid object in the database you're trying to
do the auth restore against... - i.e. you'll need to be sure, that the
respective
Not completely sure how to work around it, but they are different group
types. Account Operators are built-in domain local accounts whereas your
test group is not.
Curious why you want to apply this to each account vs. each OU if
inheritable permissions are in effect?
There may be something
I didn't yet do a comprehensive check against every possible attribute,
however I do know that you can't include back-linked attributes in the
tombstone (e.g. memberOf). This mainly causes issues for multi-domain
environments and even single-domain, if Win2000 AD. Likely there are
also some
What specifically?
e.g. the capability to update existing objects in AD...
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Freitag, 9. Juli 2004 04:42
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exporting Workstation Information
I can confirm that you have to transfer the role manually - 2003 won't
try to do this by itself.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Freitag, 9. Juli 2004 16:32
To: Send - AD mailing list
Subject: RE: [ActiveDir] 2003 DC Promo
I suspect that being a Built-in group has something to do with it...I'm
just looking for a way around that. Obviously that group CAN be granted
Full Control on a user, since that's the default - I just can't seem to
get the script to see it that way. Perhaps I'm using the wrong value
for the
I was going to say that is correct but now I am not so sure. You may have
issues until you chop the info back out of AD. Anyone have experience with
this?
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Friday, July 09, 2004 9:26 AM
To: [EMAIL
I agree with Guido. If the reason for the two domains is
only to have completely separate admin teams, you HAVE to do two forests.
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, July 09, 2004 4:54 PM
To: [EMAIL PROTECTED]
Subject: RE:
Yeah, I looked around, I can't find where I might have read that and it was
a long time ago. I found a doc that I could have interpreted that way had I
been out drinking with Guido and Dean, but not sober. So either I was drunk
or the doc disappeared, though I swear I had heard this separately as
And BTW, where were all you smart guys earlier when Todd was in need of an
answer and you could have responded before I made myself look like a boob.
Oh yeah, good to see you posting again Guido.
Oh and Dean, you have been quiet lately too, but good to see you are still
watching for my dumb-a**
Title: Message
Excellent response. Exactly right. This is a common
scenario. It prevents the finding a random DC syndrome as a machine without a
defined subnet will just use any DC in the domain and when I say any, think of
the worst one it could possibly use. :o)
joe
From: [EMAIL
Except in test scenarios I don't really see a major reason to not let the
object keep a bunch of info as a tombstone. I doubt the object was deleted
because the DIT was running out of room, and if it wasn't deleted because
the DIT was running out of the room then you probably aren't going to hurt
I think you missed my point... I am talking about an open source / free tool
that does live synching. Obviously there are a ton of methods and probably
already scripts to do manual syncs as described.
If there was an open source project doing that right now I would go see what
they were
Hey, hey, hey,
As I've told you before, if I can answer a post in 30 seconds or less; I'll
take it ... :-p
--
Dean Wells
MSEtechnology
* Tel: +1 (954) 501-4307
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
I saw that the rebuilt Windows 2003 domain controller when joined to the
Forest root domain, did not transfer the PDC emulator role. I had to
manually transfer it.
When the boys ran through my project plan in the dogfood forest, they
decided to just upgrade the server to Windows 2003, burn it
I must not have been nice to the folks at the DEC in DC. Dean wasn't even
there though, so he doesn't have a reason to be snubbing me.
Todd
-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 09, 2004 6:06 PM
To: 'joe'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
Ah, so you firewall your sites. Yep, bridgeheads are needed
then. Do you guys use the internet for part of your network or share it with
other agencies and so are fussy and firewall your internal network? I was
just chatting with some MCS friends of mine about a company they have been
But was that done because MS is moving away from CSV to LDIF for the format,
or just because doing it in CSV is more complicated? Until MS starts
supporting parsing of LDIF files in all of the products that normally take
CSV imports, I would be very surprised if they were moving from CSV format.
Nothing personal Todd ... I don't like you any less than the next person :-)
except maybe those persons who develop free Active Directory tools and
then make you wear their tee-shirts ;-)
28 seconds ... phew, I thought I was going to go over on that one!
--
Dean Wells
MSEtechnology
* Tel: +1
I have a domain controller that I need to rename (I think). This DC sits in a
separate site. Recently, networking redid the forward lookup record in the Unix DNS
server for this DC from spock.dis.anl.gov to spock.dc.anl.gov when they rebadged
the entire subnet. Now I have a child DC that
Generally you wouldn't. Though any time you stand up and say that someone in
some weird configuration will stand up and say it is the greatest thing
since sliced bread. I do not believe there are a lot of people using it due
to the constraints with it as mentioned previously, it can't be used for
Yes I believe you do need it through IIS.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, July 01, 2004 9:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Inter-Site Transports
You don't need to have the
You said you bought the thong And I didn't make you!
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, July 09, 2004 7:16 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] 2003 DC Promo Question
Nothing
Very true on performance.
If one doesn't need real time updates though having the script just email
the info to location and then having that location insert the info into an
access database is ok. You have a single thread updating it and can save the
cost of SQL Server and the maintenance.
If I were in your shoes...
I would go into regedt32
Dig into hklm\system\ccs\services\tcpip\parameters
Put in my new dns host name into the NV Domain value.
Reboot.
This should straighten it out for you. You will want to verify the DNS
entries afterward and also verify the SPNs got updated.
I'm confused, are you getting an error in dcpromo or when
using ntdsutil?
I thought that the DsRemoveDsServerW function was something
called during a normal dcpromo and from ntdsutil, but your post seems to
make me think you are talking about forceremove. The idea behind forceremove is
that
IP is RPC. Why do you want to switch to SMTP?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Monday, June 28, 2004 4:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] NTDS Settings in AD Sites and Services
Everyone,
I have
H. I'm sure that would generate more than its fair share of flame mail.
I already have enough from posting on Full Disclosure lately.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, June 24, 2004 9:57 AM
To:
Todd this doesn't sound like a lingering object issue. If you have the
object on DCs and GCs but GCs have different info for the attributes than
the DCs that is a replication issue.
For your second question, if the lingering object has an SPN that is valid
for some other valid object that will
Wow you are being awfully generous David, that is going to cost you a
fortune! Thanks though!
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Thursday, July 08, 2004 1:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Question
I would take a wild guess that this is ADSI having an issue with the
built-in group. I will also guess you are running this from a member and not
from a DC so it is probably squawking because the local machine can't figure
out the SID or some such nonsense since acc ops don't exist on members...
That was me. That and the Joeware trucker hat.
:-P
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, July 09, 2004 7:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 DC Promo Question
You said you bought the
True, but it isn't a good way to troubleshoot either. It is just like when admins see
a problem and the first thought is REBOOT!. This stuff won't get better if people
don't take the time to troubleshoot and try to understand what the issue is. There is
a reason why Windows is known as the
I'm migrating a child domain from one win2k forest to a new one. The source forest is
running win2k3 in the root and I have a destination forest with one empty win2k3 DC.
I'm using ADMT, MIIS feature pack and Exchange migration wizard (both forests will have
Exchange2k in native mode). I'm also
Title: Message
Get a network trace, see what that says. There are so many
places this could be breaking it isn't worth trying to
guess.
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Salisbury
Sent: Tuesday, July 06, 2004 11:52 AM
To: '[EMAIL PROTECTED]'
Subject:
Even if MS agrees to fix it (which can take quite a while to get that
agreement), it could be yet another while to get the buddy drop, and if your
customer isn't willing to install the buddy in production (perfectly
understandable) they get to wait even longer for the official QFE.
And what's
Todd-
Have you moved the printers from under their servers? I believe this is the scenario
when the DC's spooler is required. Search is not dependent on the spooler - it's a
simple LDAP query for printqueues.
--Brian
-Original Message-
From: Myrick, Todd (NIH/CIT)
Hmm. That seems to have backfired.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, July 09, 2004 19:09
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Question on Auditing GPO Changes
Wow you are being awfully generous David,
You guys were right, and I am the first to say when I'm wrong. I appreciate the
honest feedback on this. I've also verified with our Microsoft contacts that this is
the case. It actually gives me more options than I realized I had.
Thanks for helping me clarify this, and sorry for muddying
Get a high-end DSL and host them in your house. Nothing more fun than that.
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon