Ok, I saw both this and Michael's response. I will add more
weight to the consideration.
Note that lack of breakout of the deletions (and the
undeletes for that matter) weren't a function of what MS was doing with the ds*
tools. It was my consideration of the operation and whether or not it
What is the best
tool out there that checks and verifies proxyaddresses are good (format and
info) and not duplicated in a forest? I have a perl script to do it, but
would like something faster and don't really want to write it but will if I have
to.
You are verifying your proxyaddresses
I've only seen this type of verification with provisioning systems that were developed
in-house. Well, that and the Exchange 5.5 Admin program that does a syntax check and
finds any duplicates. The standard AD UI tools are not so fussy and appear to let you
add duplicates.
MIIS might offer
Hi to all from Darkest Africa!!
Can anyone assist me with a scripting issue?
I've generated a list of the groups in my
AD by using dsquery. I have a text file as output. I've been able to read
this into a file and extract some information. However my management wants a
list of all the
If anyone here is interested, I have been able to nail the issue.
After deeper investigation, I found that moving the W2K3 servers into client's OU
(different GPOs that force the client to Send NTLMv2 response only) resolved the
issue.
The problem was caused by domain member servers of
Here's but two possible ways that sprung to mind.
Returns security groups only -
dsquery * domainroot -filter
"(&(objectcategory=group)(!sAMAccountType:1.2.840.113556.1.4.803:=1))"
Return DLs only -
dsquery * domainroot -filter
Not being nearly as prolific a coder as other folks on this list, Access is
a pretty nifty tool for this. Macroing a directory dump into a linked table
and then doing various queries is simple enough even for me to figure out.
On 11/3/04 7:01 AM, Tony Murray [EMAIL PROTECTED] wrote:
I've only
When you say verify, what do you mean exactly. That means multiple things
to me, such as whether one was created, whether there are dups, whether it
conforms to the naming standards, and so on. Can you provide some
boundaries?
Personally, I haven't seen anything that does this as a tool.
No,
had I read your question more thoroughly I'd have known that was useful to you
;) It currently differentiates the group types by querying
on the bit used by AD to maintain the difference. Proxy address doesn't
come into play.
Maybe this will do as you ask -
dsquery * domainroot
Just one last question before this string goes away:
Has anyone joined a Windows 98 machine to a Native Windows 2003 AD Domain
that was not upgraded from an NT domain before? All of the responses I have
seen have only been for a Windows 2000 AD and I'm wondering if a new
security enhancement
dsquery * domainroot -filter
"(&(objectcategory=group)(!sAMAccountType:1.2.840.113556.1.4.803:=1))"
Would return security groups regardless of whether they are also DGs.
What might be easier is to use a filter that looks for legacyExchangeDN
which must exist in order for it to be an Exchange object. In
SMB signing (as mentioned in the thread) prevents 9x gaining access to the
NETLOGON share in order to apply policy and get logon scripts.
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
Hi Dean
It would seem to. I can then drop the
created file into my script and see what I get. Thanks a lot. I'll get
back to you with some news.
Regards
Peter Johnson
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 03 November 2004 16:47
Yes, as I mentioned in another post: when Windows 2003 AD came out it
included 2 new security mechanisms that are required for authentication.
Downlevel clients (WfW, Win9x and WinNT) are not capable of
communicating with those security mechanisms unless they are upgraded
(WfW) or have the DS
Not sure why yours wouldn't take when set.
NOTE: You want to be careful mucking about at that level with a production
machine as you want to ensure that you aren't going to cause any low-level
issues when making changes.
Check with your hardware vendor to find out what is needed to disable
Thanks Al.
I'm learning one hell of lot but the learning curve is almost an
overhang :) :)
Regards
Peter
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: 03 November 2004 16:52
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting
I will second the thanks to Al for great answer.
I'm not an expert in this field but just as an add-on - according to MS docs on
this matter the reason this event is appearing at every boot is that not all
HDDs have NVRAM to save changes to Write Cache settings. So this setting
falls to HDD's default
To answer the question:
http://www.petri.co.il/extract_specific_tools_from_adminpak_msi.htm
Al.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Seet
Sent: Wednesday, October 13, 2004 8:58 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]
We're porting our old intranet (NT4/IIS4) to a new server (W2K3/IIS6)
and have run into an authentication issue that I need some help with.
There's a legacy code chunk that does a net send command to create a
popup on a user's PC to tell them a new request has come in that they
need to deal with.
Hi Group,
I have already delved into the archives and I couldn't find quite what I was looking for. It is very possible
that I looked over it, and if I did I apologize in advance. Now, to my
question: We are a fairly small shop here
(about 40 users) and the traditional way of
doing a
~
I would like to have the user's change their own passwords, but I
would also like to be able to know their new passwords.
~
ALARM! ALARM!!
I don't *ever* want to know someone else's password. I don't *ever*
want someone else to
In order to meet your
requirement of being able to login as the user with their
profile, why not just login to the DC as admin, reset the password on
that user account so you can login and then when the user gets back have them
change it? You have a small enough shop where this would
I don't think there is such tool natively. I imagine that you could put a web
interface on a vbscript where you direct your users to go to when they need
to change their passwords. In the code, you will then put in a routine that
grabs the value they type in and email it to you.
Now, I will get
Omg, Deji...here we go
mc
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 1:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password
I don't think there is such tool
Yup, you brought it on Deji. :)
To add to the fodder:
Keep in mind that passwords are stored in a way that prevents you from
getting them back out without cracking them. That's not a foolproof way to
gather the data you want.
I agree it is a bad idea to do that. However, if you wanted to
As a security feature on w2k3, the IUSR_ user id has no permissions to
any files (including net.exe).
Either give the IUSR_ account permissions to net.exe, or configure the
web site to run under a user id that has permission.
Not to mention illegal, if you're under Sarbanes-Oxley controls, right?
mc
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Mulnick, Al
Sent: Wednesday, November 03, 2004 2:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new
Try this:
' sendto and description are assumed to be set earlier in the script
Dim oWSH, msg
Set oWSH = CreateObject("WScript.Shell")
' Build the command line: "net send <recipient> <message text>"
msg = "%comspec% /c net send " & sendto & " " & description
oWSH.Run msg
Rick
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent:
Oops, had one too many after the sendto... sorry about that.
Note to self: read msg before sending...
Rick T. Dale, Computer Services
General Council Credit Union
-Original Message-
From: Dale, Rick
Sent: Wednesday, November 03, 2004 1:41 PM
To: '[EMAIL PROTECTED]'
Subject: RE:
Yeah; that's kinda what I ran into. Two things...
One, if we provide access to net.exe to the IUSR account, how ugly is
that hole? If they can run net send, they can run net anything, right?
Not sure I like that, but I'm not sure how ugly it really is. Two, how
do we provide the perms on net.exe?
I'll go along with ASB and say that it's a bad idea.
That being said, rainbow crack and ophcrack take about 30 GB of disk space for the
crack files (a full set) and can crack several hundred passwords an hour. There are
online websites that present these interfaces, as long as you know the
I noticed the Canadian domain though and figure he has other issues to
contend with. EU and US rules and regs aren't likely high among them yet
(ofa.on.ca is the sender's domain).
But that would likely be true for that and many other regulations around the
world.
We do our own stuff here too. We have
some custom S.DS applications that we use to try to find and fix. Sorry, but I
can't share. We also use web apps or other custom code to control what
proxyAddresses get set on users, groups and contacts, and thus try to ensure
that we don't screw things
Many Canadian companies are affected by stuff like Sarbanes-Oxley, although granted a
small shop here in Ontario probably isn't.
Phil
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 03, 2004 2:55 PM
To: [EMAIL
A small Canadian lobby organization likely won't have that issue unless they
lobby in the US, right? Or is there something that says a Canadian org
needs to comply with US regulations even if they don't do business with a US
company?
Al
We tried that, too. Still chokes on the WSH.Run line... Same error...
Unless the script can run with elevated privileges, it can't run the net
command. I'm thinking maybe there's a way to have the script call
something else that runs under elevated privileges...
**
Charlie
Hi All,
Me again (the original poster). I wanted to thank you all for
backing up what I already believe. I have already asked in the past to
abolish the old system, but as of yet that hasn't happened. Also of note is
the fact that the password list isn't centralized. For the most part I
You are correct. Canadian companies doing business in the US (and some doing business
with US companies) will have to comply with Sarbanes-Oxley. A Canadian company only
doing business in Canada won't.
Phil
That was my thought; I'd prefer not to have IUSR running that type of executable. Any
pointers towards how we could run it in another account context? I thought about
RunAs, but didn't want to pass pwds in an asp script...
Thanks!
**
Charlie Kaiser
MCSE, CCNA
Systems
Create a virtual directory for the web page, and configure it to run as the local or
domain user of your choice.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, November 03, 2004 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE:
The issue was one of time. The workstations were setting their clocks
via one server and the servers another. They got out of sync enough
that workstations were using cached creds. Running the scripts off of
the netlogon share worked fine.
Once we had everyone syncing from the same place all was
Thanks Al, thought I was doing it correctly and had spoken to the company
that the Server was bought from and who set it up. They stated it should be
like I have done, just as you have.
A long shot, but it would not have anything to do with having to be disabled
before I made it a DC would it?
I wouldn't think it has to be disabled prior. I honestly don't know the
answer to that though.
Al
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner
Sent: Wednesday, November 03, 2004 5:16 PM
To: [EMAIL PROTECTED]
Subject: RE:
Dragging out obligatory stick Whap whap whap whap.
There is no good reason to do this. Honestly. If you really need it you can
crack most passwords very quickly with rainbow tables but you really don't
need it if you are the admin, you reset the password. That way, anyone you
tag knows you
They used to track passwords here at a time before my arrival. And most
users had the same 4 character password! Needless to say there is now a
password policy that encourages the use of passphrases (passwords are bad,
evil things). With the minimum password length we have set, users have to
Those popups are simply mailslot messages. You might be able to find a bit
of perl or (doubtfully) vbscript to do that directly.
The one thing I really wanted to say is that those messages aren't
guaranteed, you might push in that direction to your management. If it is
important for the people
mutter Someday I'll learn to type in complete sentences.
They can remember "My dog's name is Red Rover" easily and no amount of
current computing power can crack it even with rainbow tables.
- Original Message -
From: Doug Hampshire [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent:
Verify as in verify that garbage isn't in the proxyaddresses field. What
does that mean to me?
Things I have commonly seen:
1. Values that mean nothing (i.e. value but no label), like say the whole
value is @domain.com or alice or something else silly.
2. A label but no value, like SMTP: or
I would sort of agree on the rainbow table unless someone builds some
tables where the tokens are words instead of characters. Some of the recent
chatter on FD makes me wonder if someone is going to start doing that. Of
course the intermixing of CAPS helps tremendously. I would still recommend
BTW, I loved this piece:
them that if they do I will logon as them and send an eMail to the entire
company (as them) inviting everyone to an adult toy party at their house
this Friday night.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Doug
Well runas doesn't script well but obviously you could use cpau or something
else like that. However, MS did some funky things around that so if the
context that would fire it is localsystem, it will fail due to how MS
implemented the backend of the API.
joe
Cool thanks for the update.
joe
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Wednesday, November 03, 2004 6:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] RESOLVED: A weird one (or Joeware vs. MS)
If anyone here is interested, I have
Two Wins servers, 10 subnets, all clients point to both Wins
servers, mix of Windows clients
Is there an issue with disabling the Computer Browser
service on all clients (assuming they are all Wins clients)?
Theoretically speaking, however, I'm a bit unsure.
Also, would turning off
WINS is name resolution. The browser service doesn't do
name resolution, it is a directory of NetBIOS resources and machine names. The
services aren't the same, WINS is used to resolve names that the browser service
maintains.
For your specific question, you can disable browser
everywhere
csvde is a nifty utility for exporting a wide
variety of data, munching with access databases, pulling in external data
sources and then updating via script. I had the lovely chore of writing a
process to keep distribution lists and membership in sync between GroupWise and
Exchange 2003.
Yes this I know about WINS and browser service
being different. My first question is, is it OK to shutdown browser
service on domain controllers and WINS servers and not affect WINS and DC
functionality? I realize it is an obscure question but it was posed to me
and I am not sure how to
Hello Folks,
Greetings.
I have a deployment of ADS using Windows 2000 SP4.
There are around 300 Security groups in the ADS. Each group has around 20-25 users, some are
unique to each group and some have membership to more than two groups.
I have been assigned the task to enumerate the