Hello all,
After hard searches, I found the way PHP scripts can definitively
do a recursive query in AD 2003 from the root domain
(dc=domain,dc=fr).
For all of you that use PHP for querying AD, as 90 % of the people in my
University do :(, this is the way you have to do such a query to
Does anyone know why a group of machines in the same OU would
get the "The account is not authorized to login from this station"
message when attempting to map a drive to servers in another domain? The
workstations were set to use NTLMv2 for LAN
Manager Authentication Level and refuse LM
We're having a big
discussion about users being local administrators on their PCs. We've made
them local admins in the past (on NT4 domain) because they needed to be able to
install apps, and we kept running into issues that led back to them not having
local admin rights.
Is there an easy way
It is a very poor idea to allow users
local admin privileges on their machine. First of all, it is a security
vulnerability and makes it much easier for a machine to be compromised by
malware. Also, denying admin privileges will help mitigate most Windows
vulnerabilities as most of them
Excellent points about priv. elevation.
I'll let everyone know when a day goes by and I don't learn
something here!
We use SourceSafe to deploy login script
changes. We can revert to older known good scripts quickly if a new
script causes problems or if a rogue script was placed on the
My organization has found the need to restore our root
_msdcs AD integrated zone on our forest.
I was wondering if anyone has suggestions. We are
currently looking at three options:
1) force the recreation of the
zones
2) restore a sub-root DC, backup the DNS and try to
import this
Hello,
Is there any problem when I want to upgrade a DC from W2K to
W2K3 with an installed Ent. Root
CA?
Thx
Z.
Carerros, Charles wrote:
My organization has found the need to restore our root _msdcs AD
integrated zone on our forest.
If this was deleted in the DNS server and not in AD, try to re-create the DNS
zone in the DNS server; if the zone is still in AD it should show up with its content.
If not, create a new zone and
The zone was deleted and the deletion was replicated to all sub-domains
across the globe.
We are testing that command now in our test lab, but our primary root AD
admin isn't too confident that this will work.
Thanks for the suggestion though and if this is our only option, then it is
what we
Not that I have anything to add, but you
wanted a consensus, so I'll wholeheartedly vote for everything Dan's
said.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Thursday, June 30, 2005 8:02
AM
To: ActiveDir@mail.activedir.org
Subject: RE:
Do you have a secondary copy of this zone on a non-AD server? You could
export the zone and reload it as a primary, then convert it to an AD
integrated zone, and it will replicate.
Don
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
If this is Windows 2003 there should be a copy of the zone in:
system32/dns/backup
Mike Tetrault
OFT
40 North Pearl St. Albany, NY
(518) 402-9300
Nope. Boy, I foresee some major changes coming about after this issue is
resolved.
He has decided to try and rebuild the zone using the netdiag command, I
believe.
If that doesn't work then we are going to have to do a non-authoritative
restore and make the
I have checked this and the zone I'm looking for isn't there. I wonder if it
was removed from this location because it was deleted out of the AD. But
this does look like one directory that I should do a file level backup in
case something like this happens again.
Charlie
-Original
That only applies if the zones are DNS primary/secondary and thus not AD
integrated.
Cheers
#JORGE#
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: Thursday 30 June 2005 17:31
To: 'ActiveDir@mail.activedir.org'
Subject: RE:
Is it 2003? If so, ensure you restore only the relevant NC(s). In addition,
regardless of the NC, auth. stamp only the relevant sub-containers of the
MicrosoftDNS container since (and I assume you'll know whether there are)
there may be additional zones within it that you do not wish to touch.
I'm afraid only zone files are backed up with the Backup folder, AD
integrated zones are not!
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike
(OFT)
Sent:
That is interesting. My domain's AD integrated DNS zone (which is a
sub-domain to the one that is having issues) has a copy in this backup
folder.
-Original Message-
From: Almeida Pinto, Jorge de
[mailto:[EMAIL PROTECTED]
Sent: Thursday, June 30, 2005 10:40 AM
To:
What are your settings for Microsoft Network Server on the servers in
question? Since you've got digitally sign communications always
(enabled) on the client, if the digitally sign communications setting
doesn't match on the server, it may not work properly.
You also need to enable digitally sign
I have the backup also but the date seems to be from when the zones were
converted to AD integrated.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: Thursday, June 30, 2005 8:44 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE:
What's the date/time stamp?
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Thursday, June 30, 2005 11:44 AM
To: 'ActiveDir@mail.activedir.org'
As expected, the Backup's content is likely useless (depending on how old it
is).
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Thursday, June 30,
No way, no how. We don't allow users to install apps at all. All
software installs have to be done by IT and approved by the user's
manager and the IT staff. Too many people wanted to put in their little
apps and having their manager have to approve the dancing pigs stopped
most of it.
When people
To re-register multiple servers:
CHOOSE A DC (let's say it is called DC01) (other DCs are called DC02,
DC03, DC04, etc.)
ON DC01 RUN: NETDIAG /TEST:DNS /V /FIX > OUTPUT_NETDIAG.TXT
ON DC01 RUN: PSEXEC \\DC02,DC03,DC04,etc NETDIAG /TEST:DNS /V /FIX > OUTPUT_NETDIAG.TXT
PSEXEC is from Sysinternals.
They were old ones.
Well, the rebuild of the zone seems to be working. It has already worked
for about 17 of our sites, 60 more to go.
Using the information that you guys have shared we are going to develop a
better way to back up our DNS (as well as removing everyone from that
security group).
One of the app groups here told me he needed rights to see users'
membership in groups throughout the forest. Ok, fine. So I go in ADUC and look
at a user which meets this criteria, and I as an ent admin only see the user's
groups in the local domain. If I go look at the group in the other
Any way to delegate the ability to click Replicate Now in AD
Sites/Services short of being in Domain Admins?
--brian
This
is expected since only the group truly knows its entire membership (with the
exception of the primary group whose relationship is expressed only by the user
object).
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
From: [EMAIL PROTECTED]
IIRC,
I believe it's an ACE on the NC head, possibly "Replicate changes" or, depending
on how much more the security principal in question requires, "Manage
topology".
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
From: [EMAIL PROTECTED]
Yes. The AD Best Practices doc appendix
details this.
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en
Start on page 193; I think it will
get you where you want to go.
You might also look at the entire
whitepaper. Go to MS
From the delegation wp:
Replication Management Tasks
Force replication between two servers
Extended right Replication Synchronization
needed on cn=configuration, dc=forestRootDomain
Force a synchronization between two servers
Extended right
This depends
What is the group type? Universal? Global?
Local?
Are you looking at it on a DC or GC?
Cheers,
#JORGE#
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday 30 June 2005 18:38
To: ActiveDir@mail.activedir.org
Subject:
Never mind what I said about the type of
group and the DC/GC thing; I think it is time to go home.
#JORGE#
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Brian Desmond
Sent: Thursday 30 June 2005 18:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADUC
Even more scientific: MS Word Compare
Docs <grin>. But it works!
Dan
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, June 29, 2005
1:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compare
GPO RSOPs
There are
depends on which group type you're using - and which
OS...
If you're connected to a GC, the Universal Group (UG)
memberships should be visible on the user - however, you'll never see the Domain
Local Group membership of a user if the group is in a different
domain.
Rgd. UGs - although the
$username$ is the right token... which is why it's a tricky question
<grin> and as you know, MS likes tricky questions <grin again>..
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/8d37ecb0-ac28-4e05-aa05-da82dc36b54b.mspx
has the scoop on the syntax.
Good luck
Have you seen this article?
http://support.microsoft.com/default.aspx?scid=kb;en-us;833883
Phil
On 6/30/05, Brian Desmond [EMAIL PROTECTED] wrote:
One of the app groups here told me he needed rights to see users' membership
in groups throughout the forest. Ok, fine. So I go in ADUC and
Brian,
When you say view a user's
memberships in groups, does he need to do this programmatically? If his
application is already impersonating the user's context then he can
simply get this from the user's token. If you just want a list of groups
you can do a base search specifying the DN of
Is anyone good with scripting who could help with a script to query the
servers on a subnet to determine if a registry entry is present?
Specifically looking for
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application]
AutoBackupLogFiles=dword:0001
Hi,
I have a corrupt NTDS.dit file with no backup, although the Windows
2003 DC starts up fine and partially replicates to my other 4 DCs. Can
someone tell me the best steps to restore this file? This particular DC is
also the FSMO holder. I was considering transferring the role
see:
http://www.microsoft.com/technet/scriptcenter/scripts/os/registry/osrgvb18.mspx
Cheers,
#JORGE#
From: [EMAIL PROTECTED] on behalf of Cothern Jeff D. Team EITC
Sent: Thu 6/30/2005 9:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT - Script to
Why do you say it partially replicates? What errors (event IDs and sources)
are being logged in the event viewer?
#JORGE#
From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 6/30/2005 6:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]
How can I quickly change the 'extensionAttribute' of multiple users in a
domain? VBScript? ADMod?
Devon Harding
Windows Systems Engineer
Southern Wine Spirits - BSG
954-602-2469
First, how do you define 'multiple users' ... a query of some kind, perhaps
based upon a common value or group membership?
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Admod works great with adfind or a text file with a list of DNs...
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, June 30, 2005 4:01 PM
To:
I was going to suggest that deleting the OU or running DCPromo would
modify the attributes pretty quickly but somehow I don't think that's
what he is looking for
Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global
Robert Williams (RRE) would like to recall the message, [ActiveDir] Modify
multiple users.
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Sorry...hit send too soon :-)
It really depends on whatever you're most comfortable with. Myself, I
haven't used admod so I would probably write a VBS script and take some
of the sample scripts located here:
http://www.microsoft.com/technet/scriptcenter/default.mspx
Then fiddle with them until
Can someone send me the Admod/Adfind syntax for this?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, June 30, 2005 5:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modify multiple users
Admod works great
Has anyone used Visio 2003 to connect to AD and get the OU structure? I
have done it using an older version of Visio but seem to be having
problems getting 2003 to do it.
Jeff
I tend to not agree fully with the elevation of priv
thoughts mentioned in this
thread.
It really depends on your delegation model and doing it right
in the first place = of course you don't grant all your "OU-Level" admins the
rights to change all scripts in NetLogon - instead you'd create a
ADFIND -b OU=someOU,DC=DOMAIN,DC=TLD -f
"(&(objectcategory=person)(objectclass=user)(extensionAttribute=*))" -dsq |
ADMOD extensionAttribute::value
I have not tested this, but I think it will work.
For more help see:
ADFIND /?
ADMOD /?
#JORGE#
From: [EMAIL
Microsoft removed this functionality; it is on the Visio website.
Mark
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: 30 June 2005 22:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT - just a bit OT. Visio and
Doh, so now I have to manually create the layout.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, June 30, 2005 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - just a bit OT. Visio and AD
Microsoft
Almeida Pinto, Jorge de wrote:
To re-register multiple servers:
(...)
So running the commands above and forcing replication should also do the
trick.
This is a good long description of a way which I suggested in my first
reply in this thread - IMO this should work.
--
Tomasz Onyszko
Visio 2000 Enterprise has this functionality. It was also the version that
was given away on the original AD design courses and it still works; I use it
regularly.
Mark
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: 30
However there is a tool that is often used by support engineers at
Microsoft called ADMap that can produce maps of your AD including OUs.
It is however not fully supported and simply a tool that allows for easy
documentation of an environment. It will query the data from AD and
make nice Visio
I'm getting this error running replmon:
Domain Controller Name: DCHIG1
Directory Partition: DC=co,DC=slo,DC=ca,DC=us
Replication Partner: DSSPR\DCPR
Failure Code: 1127
Failure Reason:
Ok, I received many "me too" posts and since most of you are likely blocking
attachments I have simply set up a download workspace that will be
available for a day or so. As I stated below, this tool comes with no
official support from Microsoft. If you want to download it please use
the following
As for how to set the variable, look at setx. It is a
reskit tool I believe though I guess it could have been moved into the support
tools at some point.
As for the mechanism, you have multiple paths you could go
down, the path I think I would choose would be a script that is fired for
I would say blow it away and re-promo it.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 30, 2005 6:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: RE: [ActiveDir] Corrupted NTDS.dit
I'm getting this
Hi. I have one laptop and I'm just trying to install a win2k3 AD to screw around
with.
My problem is, I have no network connection where I am right now and DNS fails
to start without a network connection.
Does anyone know of a workaround to this (reg hack)?
As I said this is not a production net
I would generally have to say no, don't make them admins.
That being said, locking down workstations tends to be a trifle more challenging
than locking down servers.
Basically the question comes down to: are there any LOB
apps in your company that require admin rights? If they do, has
I've been there. It is worth it in the long run; the environment tends to
run a lot smoother and trouble-free.
I like the Supreme Overlord analogy. The only thing I would change is that
the Supreme Overlord in Windows is localsystem but an administrator and many
lower level users can get that
Thanks Steve. I expect the newer Directory Services piece
will do it since it goes straight to LDAP and bypasses the ADSI middleman, not
sure on the one that stops and has coffee with ADSI
though.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Wednesday,
You could try an offline defrag first. If the corruption is in an index
then this would correct the problem without a rebuild of the server. If
the offline defrag fails then I would blow it away and rebuild.
Thanks,
-Steve
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Kind of depends, like Dean asked: how do you earmark the users you want to
modify and exactly what is the modification you need? If it is on the fly
and different for each user, admod is not the answer most likely unless you
wrap it in a Perl script to modify the parameters sent into it.
Though I have not personally validated this, have you tried installing
the MS Loopback adapter? In many cases this will work when you do not
have a real network card. If you have a network card you could also try
turning off link detection and assigning it a static IP, which should
also work.
Title: [ActiveDir] Increase ICMP packet size on a PIX - GPO related
If I was looking at doing it I would have the contact send
someone email, then change the ledn and then after a bit try to respond to it
and see if it worked. If it does, you are probably ok with changing it. If not,
I would
Does the loopback adapter work to resolve this?
Alternatively use vpc/vmware and use their internal private network?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, June 30, 2005 7:15 PM
To: ActiveDir@mail.activedir.org
Install a loopback adapter. You do this from the Add/Remove HW wizard in
Control Panel. It's under Network Adapters/Microsoft.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent:
And from adfind:
adfind -gc -b -f name=scheduler -owner whencreated
Output would look something like:
[Thu 06/30/2005 19:29:09.67]
F:\temp>adfind -gc -b -f name=someuser -owner whencreated
AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
Using server: 2k3dc01.joe.com
I think I could have called that one. ;o)
Thanks for doing that, my version was pretty old. Last time I ran it
it generated a map that was like 14 pages wide or something like that.
Rather large but still useful.
Also since Guido hasn't mentioned it, folks may want to peek at the HP
Ok. I think I'm going stoopid. Where the heck is the loopback adapter install
again?
As I recall, it used to be in Install Protocol on the adapter.
But it's not there.
Can you refresh my memory?
I left my VMware disk at home.
I'm at a place with no internet connection (I know, it's freaking me out
I think you need to solve your business issues before your
technical issues. The technology is certainly readily available to handle this
type of work if you want to build it. However, you need to be able to feed rules
into the system to follow or else the systems no matter how complex will
I agree with JoeK, keep this info all together. I have
visualized a system that synced back and forth to AD/AM though. But that was to
set it up so that the ACL manipulations were in AD/AM and then any changes in
AD/AM were double-checked, logged, and then shot over to AD so you knew exactly
That worked.
Thanks.
I never understood why MS didn't just enable this as a given like most *nixes
do?
Thanks a lot guys!!
--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
I haven't seen this in practice.
But if you limit the other
admins to only change their own scripts,
then even if they screw up,
it's up to them to fix it.
When a
logon script fails badly the workstations tend to lock up pretty hard and all
the users know is that they typed in their
Why do you say it is not hardware? If, by replacing the
backplane/hard drive, they had to copy the database / drive contents, then
it's too late: the old hardware may have already corrupted the ntds.dit
file, and copying a corrupted file leaves _a corrupted file_.
When the event shows up again, is the
And if you want a handy-dandy way to do it via a script (command-line):
842561 How to install the Microsoft Loopback Adapter in Microsoft Windows
http://support.microsoft.com/?id=842561
I like having the loopback adapter around especially if you're messing
with virtual server / vmware...I guess
I never understood why MS didn't just enable
this as a given like most *nixes do?
Doesn't fit the strategy of enable as little as possible and make the user
turn on functionality that they want. I fully agree with it and hope they go
a lot further with it.
Or to put it another way, there
Go to Start | Control Panel | Add Hardware.
In the introductory dialog box, click Next.
Select Yes, I Have Already Connected The Hardware, and click Next.
Scroll to the bottom of the Installed Hardware list box, select Add A New
Hardware Device, and click Next.
Select the Install The
Yeah, but I always thought one of the differences in philosophy between Windows and
Linux was Windows turned everything on and left it up to the admin to turn
stuff off as regards security, and Linux had most stuff off and left it up to
the admin to turn stuff on as regards etc...
I always felt
Yep the old philosophy was everything on by default and that has changed.
Now the philosophy is to turn as much off as possible with the exception of
firewalls and other things in place to specifically protect. Look at Windows
Server 2003 and the steps necessary to spin up a web server serving ASP
I could not agree more with Joe on this
point too. We have a bunch of business rules that work really well for
us, but they definitely aren't for everyone. For example, most
organizations would not allow all users to create and delete groups willy-nilly
like we do. I can actually change
Hi, have you tried installing the MS Loopback adapter
instead? Disable your local network card for some
time.
This works.
Thanks
djd
Fluent Systems.
India
Hi,
Have
--- Kern, Tom [EMAIL PROTECTED] wrote:
Hi. I have one laptop and I'm just trying to install a
win2k3 AD to screw around with.
My
ADAM would have been cool if it had
existed when we built this. There are a bunch of things I would do
differently now if ADAM had been an option sooner. Our crazy certificate
system comes to mind.
I actually started off with an ACL model
for security and eventually had to ditch it as
FWIW in the latest revision of the HP OVOw tool is now called the HP
OpenView Topology Viewer or OVTV. The tool now accompanies both the AD
SPI and the Exchange SPI since it features the capability to visually
lay out both the Active Directory and the Exchange Organization. Also
the tool can now
Hi,
We are also a development/support firm.
But we don't give any admin rights on the local
machine as it becomes very troublesome later on.
For managing a user application, we install it the
first time for a user. For the user to run the
application we give proper permissions (generally