Title: Re: [ActiveDir] List Groups I'm In?
What is the domain mode/ forest mode?
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, October 25, 2006 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: LastlogonTimestamp Missing
I
If the
Domain Controllers OU is set to block GPO inheritance, and the domain GPO that
sets the password policy isn't set for No Override, then the domain policies
might not get set properly.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
I would make the manager that wants the DL
maintain it.
First, make sure that there is a written
policy (approved by a higher management level) that specifies that the manager
is responsible for updates. Then after you create each DL, set the Managed
By attribute to be the appropriate
Using the version of DCDIAG that comes
with the 2003 SP1 support tools:
Type: dcdiag /test:dns /e /v
That will tell you what shape your DNS
system is in.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Monday, August 28, 2006 11:15 AM
To:
There are several in the TechNet Script
Center
http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/manage/default.mspx
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, June 06, 2006 12:29 PM
To:
Title: Account policies and groups
But group membership can determine which
GPOs get applied if you are using GPO filtering.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, February 17, 2005 6:42 AM
To: ActiveDir@mail.activedir.org
I have developed a number of applications
that do various queries on AD. However, I have run into a problem with doing an
LDAP query in groups that have been named with the / character in
their name. Since the group was named with a /, the distinguished
name for the object also has the /
Title: Few quick ones on password policies
I used to agree with Joe on topic 2 until
I actually ran into a problem in my forest. I needed to make a change to the password
complexity setting on one domain and the change wasn't happening. The
problem was that the block inheritance setting was
=Configuration,DC=joe,DC=com
lockOutObservationWindow
lockoutDuration
lockoutThreshold
lockoutTime
4 Objects returned
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, February 16, 2005 3:21 PM
To: ActiveDir@mail.activedir.org
Subject
substitution,
escape it with (ironically) a backslash \ ??
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, February 16, 2005 2:05 PM
To: ActiveDir
To do an LDAP query for the separate domains, use the form:
LDAP://a/dc=a,dc=com
LDAP://b/dc=b,dc=com
LDAP://c/dc=c,dc=com
Where a, b, c are the NetBIOS names of the domains
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Wednesday, January
In the lmhosts file did you:
1. rename it to not have any extension
2. use the #PRE and #DOM entries
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, January 25, 2005 8:06 AM
To: ActiveDir@mail.activedir.org
Subject:
Title: Loose vs strict replication consistency
w2k3 DC fresh built into
existing forest: loose
Not sure.
If someone reading this list has such a DC (the
last case I'm not sure of), he or she could check the registry value
Strict Replication Consistency in HKEY_LOCAL_MACHINE, SYSTEM,
Title: [ActiveDir] Changing to Native mode and running AdPrep
The domain functional level may not matter
but the forest functional level can have side effects. See KB 831809
http://support.microsoft.com/default.aspx?scid=kb;en-us;831809
From: Brian Desmond
[mailto:[EMAIL
I can tell what DC authenticated my AD client by looking at the value of
the environment variable LOGONSERVER. But there isn't an environment
variable for which GC was involved. Since we have several sites that
have more than one GC, I'd like to be able to tell which GC was used.
Does anyone know
In real life, you would also want to make use of SID filtering.
http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
While multiple forests will give you security advantages, it will also
cause additional administrative overhead.
-Original Message-
From:
Of Passo, Larry
Sent: Monday, January 03, 2005 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script working for some users, and not for
others?
Do you also have Set adSysInfo = CreateObject(AdSystemInfo) before
these 4 lines?
Also, are the clients that are failing older than Win2k? If so, they
need to have the AD client extension added.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/iadsadsysteminfo.asp
Yes, the Kerberos settings are what applies here. However, the answer also
depends on when the DC goes down:
1. The DC is down when you try to log on
If you have previously logged on from workstationA, you can use cached
credentials to log on
If you have changed your password from another
Here is a simple example:
We had several methods of keeping track of everyone's phone number, cubicle
location, office address, etc.
One department kept the data in Excel, one kept it in a HTML webpage, one kept
it in SQL... you get the idea.
Now the only place that we keep it is in AD and
You also have to look at what each method doesn't do.
1. Digital signature
Proves the message was sent by you
Allows anyone to read the message
2. Digital envelope
Only the desired recipient can read the message
Doesn't prove the message was from you
A truly
A.
Sent: Thursday, October 28, 2004 1:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Which is better
Ok, and from what I can figure, both utilize AD Kerberos to sign or encrypt the data
right?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo
Title: Message
If you use the WinNT interface instead of
LDAP, the LastLogin attribute does the conversion to a readable
format for you. Just remember in Win2k, you need to query every DC and use the
highest value.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
There is no difference between user
accounts and service accounts. They are both accounts subject to
the domain password policy.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sudhir Kaushal
Sent: Tuesday, October 26, 2004 7:12 AM
To: [EMAIL PROTECTED]
Subject:
I'll agree with Al that you want to make sure that your group membership
cross checks.
Regarding your point #1. If you have a large number of users involved,
you will get better performance with a dictionary instead of an array.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
The TechNet Script Center is full of scripts:
http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx
Also, check out the WMI Scriptomatic tool
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Coleman, Hunter
Sent: Thursday, October 21, 2004 6:31
Title: Re: [ActiveDir] groups vs attributes
Two other questions on why it might be slower
to enumerate the members of a universal group. Since UGs are kept by GCs, are
your developers doing a query in a site with a GC? Are all of your DCs also
GCs?
From:
[EMAIL PROTECTED]
appears to be very strong young one...
:o)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Friday, October 15, 2004 5:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003
Security
While, in general, deleting their subnet will not prevent a client from logging on,
they could experience significant delays in doing so. Since the client will not be
able to determine which DCs are closest, they could end up trying to be
authenticated by a DC on the other end of a slow WAN
823659
328459
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Friday, October 15, 2004 2:07 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003
Security Weirdness)
Remember my I'm
dumpevt from: http://www.somarsoft.com/
It's simple and it's free!
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Free, Bob
Sent: Friday, October 15, 2004 4:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Getting print info from event log
It is a
The real issue isn't what a power failure can do to an individual box. If you had more
than one DC, AD would have survived the failure of an individual DC. You might have to
force the transfer of the FSMO roles, but AD would have survived and you would have
had a much easier time recovering the
The Microsoft Scripting Guys covered that in their blog:
http://blogs.msdn.com/gstemp
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Thursday, July 29, 2004 7:41 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT: Opening ports on
You are confusing several different user/group objects:
1. The domain account named Administrator
2. The domain group named Domain Admins
3. The local account named Administrator
4. The local group named Administrators (note the s at the end)
The security guidelines say that you should rename
Title: Message
Bginfo will show you the logon server but
it doesn't show you the last logon value. It is still subject to the
requirement that you need to query the last logon time from all of the DCs in
the domain.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
But you can only run bginfo on a local box, not on a remote box. He
would have to termserv to the remote box to view the wallpaper that
bginfo creates.
I see the following possible ways to determine OS type:
1. If terminal services are activated on all servers, if the tsclient
can connect to the
To establish a forest trust, the forests need to be in WIN2k3 functional
mode, so
all of the domains in each forest need to be in Win2k3 mode, so
all of the DCs in each domain need to be Win2k3.
Also, the forest trusts between each pair of forest roots are not
transitive. If Forest A trusts
Title: Message
I have no idea what version of Websense
you looked at but our installation of Websense Enterprise 5.2 IS on SQL. Since
our database grows at least 40MB a day we didn't go with the option for MSDE.
I positively love the reporting tools.
Their Explorer is the main reason why
You're skipping several important steps. MS has a good step by step
guide at:
http://support.microsoft.com/?kbid=325379
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pennell, Ronald B.
Sent: Wednesday, July 14, 2004 9:36 AM
To: [EMAIL PROTECTED]
The IP transports use RPC.
The SMTP transport can only be used if the two DCs that use it are in
different domains AND different sites.
See:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/ntopt11.mspx
-Original Message-
From:
- ipconfig /flushdns
It takes 2-3 days..
From: Passo,
Larry [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 24, 2004 8:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Issues - ipconfig /flushdns
When you say it always shows old ip
address how long are you waiting? If you try
Anything that goes outside the scope of a domain
1. Authorize a DHCP server
2. Create sites
3. Create a subnet object
4. Assign subnet objects to sites
Of course, the above tasks could be delegated
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, June
Title: DNS Issues - ipconfig /flushdns
When you say it always shows old ip
address how long are you waiting? If you try to resolve the hostname
immediately after the box gets a new ip, it is perfectly normal for the other
boxes to have the old address cached. It can take up to 10 minutes
This registry key controls the creation of the hidden, administrative
shares at the root of each partition (C$, D$, E$, ...) for workstations
(not servers)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 22, 2004 11:26 AM
To: [EMAIL PROTECTED]
There is even a registry value that you
can configure for this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;281923&Product=win2000
From: Lou Vega
[mailto:[EMAIL PROTECTED]
Sent: Monday, June 21, 2004 11:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User
AD Integrated zones can only be primary zones. Change the zone to be a primary zone
and then you will be able to convert it to AD Integrated
-Original Message-
From: Puetz, Christoph [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 17, 2004 6:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE:
http://support.microsoft.com/?kbid=325379
From: Mike Hogenauer
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 16, 2004 9:54 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2000 Domain to 2003 AD domain
So, I have 2 new servers running Windows 2003 and I'm currently in a
Or, DumpSec
http://www.somarsoft.com/
From: Deji Akomolafe [mailto:[EMAIL PROTECTED]
Sent: Monday, June 14, 2004 10:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Export Permissions List
Title: Message
Depending on your C++ skills, there is an
API call:
http://msdn.microsoft.com/library/default.asp?url="">
From: Chris Flesher
[mailto:[EMAIL PROTECTED]
Sent: Monday, June 14, 2004 1:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SID question
I
on member servers and clients works well.
\Guido
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Thursday, June 10, 2004 19:38
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security
If you want to make sure that no one
But then you should clean up your production AD to remove mention of the
DC that isn't there anymore.
http://support.microsoft.com/?id=216498
-Original Message-
From: Rutherford, Robert
[mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 8:21 AM
To: [EMAIL PROTECTED]
Subject: RE:
If you want to make sure that no one is added to the group you could
make the group a Restricted Group via a GPO.
If you want to know when a user is added to the group, you could use a
GPO to turn on auditing of Account Management but then you would have
to search the audit logs of all of the DCs
admins. This has caused various issues for companies and thus
they've backed away from this approach. However, using restricted
groups on member servers and clients works well.
\Guido
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent
Do you have a GPO that is specifying that specific user right? You can
check with GPRESULT.EXE
-Original Message-
From: Rutherford, Robert
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 09, 2004 7:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange thing...
Just clarifying
PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, June 09, 2004 11:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange thing...
-Original Message-
From: Rutherford, Robert
[mailto:[EMAIL
Also, in ADSIedit, the custom attributes are called
extensionattribute. In ADUC, the same values are called custom
attribute
-Original Message-
From: Passo, Larry
Sent: Wednesday, June 09, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Complete Schema attribute guide
Simple answer: no
You can't take an existing tree and simply move it to a different forest
with the native tools. There are several third party tools that could
help simplify the process.
-Original Message-
From: Rocky Habeeb [mailto:[EMAIL PROTECTED]
Sent: Monday, June 07, 2004 7:49 AM
The account policies for password
complexity, age, and lockout for domain accounts can only be applied at the
root of a domain and can not be changed at an OU level. If you think about it,
you log into a domain, not an OU.
What tends to confuse people is that you
have the option of
: RE: [ActiveDir] Trusts between NT4 and AD
I know the lingo is different between NT4 and AD, what are
the words in
NT and AD
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, June 02, 2004 5:45 PM
To: [EMAIL
You have trusting and trusted reversed. The dropdown box in the
logon screen lists trusted domains.
In your case, you want:
NT4 as trusted
AD as trusting
A one-way trust would work
-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 02, 2004
Use the GPO to run a logon script that creates the shortcut
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script5
6/html/wsconcreatingshortcut.asp
-Original Message-
From: Christine Easton [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 11:09 AM
To: '[EMAIL
Title: Message
Install Adminpak.msi (you'll find it in the i386 folder on the
Windows200x Server CD). It will install all of the admin snap-ins.
Make sure that you use the 2003 version for XP clients
-Original Message-
From: Caple, Andrew [mailto:[EMAIL PROTECTED]
Sent: Thursday, May
If your users have more than one email address, you will also need to
get the proxyAddresses attribute.
-Original Message-
From: Grantham, Caron [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 7:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can LDP be used to create email of all users in AD?
They only have one address, I'm trying to figure out the correct syntax
for a CSVDE export, do you know?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, May 26, 2004 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE
Title: task pads
If you're always going to move the
computer accounts to a specific OU, you could also do a simple script. It would
be simple to modify this one to include the computer name as an argument.
http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm33.mspx
Title: Message
Treesize Pro will do almost everything
http://www.jam-software.com/treesize/
From: Rutherford,
Robert [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 2:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT : File/Folder/Storage Reporting
Hi All,
You have to be an enterprise admin to authorize a DHCP server or link a
GPO to a site (or have those permissions delegated to you).
-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 12, 2004 1:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] A root dc
Does anyone know how to connect to a remote machine and enumerate the
User Rights that are assigned on it? I'd prefer a VBscript technique
but I could use a command line utility. I already know about
ntrights.exe in the Resource Kit, but it only modifies selected rights; it
doesn't list what is
Unless your domain is named mydomain.com, you need to change line 11
-Original Message-
From: James Payne [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 11, 2004 10:41 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Cookbook sample scripts
I just bought the Active Directory Cookbook and
When you install services for Macintosh
and create a Macintosh accessible volume, two files are automatically created.
One is a Mac readable text file that tells you how to install the other file
which is a Microsoft compatible logon module. This add-on supports LanMan style
encrypted
If you make a network connection to a box, both share and local NTFS
permissions are enforced and your effective permissions will be the
LESSER of the two. If you are logged on locally to a server, then the
share permissions will be ignored and your effective permissions will be
the NTFS
Here is a link to a VBscript that will do
this:
http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm31.mspx
As mentioned, it only works with Windows
XP or Windows Server 2003 boxes.
From: rpuckett
[mailto:[EMAIL PROTECTED]
Sent: Friday, April 30, 2004