I have seen Vintela in action. It is a fantastic solution. Very easy to
implement and your *nix users are authenticating to AD. Definitely take
a look at this.
Kevin
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Tuesday, February
Sort of obscure reference and I havent
looked at this tool in a couple of years. To tell you the truth I dont know
if I have ever seen anyone use it in production but Microsoft has a tool
called, Eleveated Priviledges Application Launcher (EPAL). The process is
documented to allow the
Title: RE: [ActiveDir] Background
Go grab regmon from sysinternals. Run it
and change the background and it will capture what key/keys were modified.
Great tool, I havent used it in a while but am pretty confident it is
still available up there.
www.sysinternals.com
Kevin
give a
It is still not totally clear Debbie, why
do you want to import computer/user names into a text file? Or do you want to
have a file with computer/user names that can be imported into the migration
product. List based migrations and project based migrations are very popular
and allow a lot
I think Jackson bring up a great point. It is not necessarily related
just to self administration but really to anyone who has a role of 'data
administrator'. There needs to be a way to mandate data structures,
format, use of 'acceptable values' etc. Without these key components
along with very
Command line or other it is not possible. WinNT and above are required
for membership in a domain whether it is NT or AD. Win98 can 'browse' in
the domain but it can not be a security principal.
Kevin Sullivan
-Original Message-
From: Chris Blair [mailto:[EMAIL PROTECTED]
Sent:
Ordered it second hand... not a book I would give up it is a good quick
book to refer to. And who read it memorized it and sold it back already,
how exactly does that work G...
-Original Message-
From: Oliver Marshall [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 11:06 AM
To:
Not yet, I think it is a month out... Just my guess.
Kevin
-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 09, 2003 6:02 PM
To: [EMAIL PROTECTED]
Have come back to the list after a while away - the paper on AD
delegation
from MS looks to be of
Congratulations Robbie, you have done, once again, a fantastic job. This
book is going to be a staple for advanced AD administrator's. I have to
agree with Rick, I didn't quite realize the magnitude of what Robbie was
doing until I had the book in my hands (this afternoon!). Go get it.
Kevin
Title: [ActiveDir] Resetting Password
In addition to the script you can create a
taskpad combined with simple delegation and your teacher will only see what you
need them to see and have rights to what they need to have rights to. If W2k3
you can use Saved Queried as the launch off point
Very, very jealous... It is a horrible sound.
-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 2:35 PM
To: '[EMAIL PROTECTED]'
Gil,
received one screamin rubber chicken... I love it! Great sound. My
fellow sysadmins
Title: Message
Marc,
It appears that you are asking about
enforcing business rules regardless of how a user is created and doing so in a
manner that can not be circumvented. Business rules in this sense would be dont
give Allow Terminal Server, or validate naming conventions, or
mandate
Title: Message
Chris,
GPOs are not applied to Groups, they are
applied to Users and Computers. So, the fact that there are two groups that the
user is a member of existing in two different OUs is really not relevant. All
that matters is, where the Users are located and where the systems
It is permissions on the RPC connection itself via the TS manager. (I
think that is where it is). The default is Domain Admins it sounds like
someone changed the default and allowed other users to access the Server
in Administration Mode. You should still only be allowed 2 remote
connections
RDP, RPC man I keep getting TLA confusion today.
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 7:59 PM
To: [EMAIL PROTECTED]
Errr check your admin group, who is listed there. Either everyone that
is connecting to that box is an admin on that box or
Title: Message
This should be pretty straight forward. Delegate
to the User the ability to create Computer objects in the OU then have the user
create the computer accounts. When the computer is joined to the domain it will
be associated with the pre-created account. Just give the computer
Title: Message
You dont need to give them account operator
rights. You give them specific delegated rights. There could be
some complex solutions that involve automating the process of looking through
the computers container and moving computer account to the appropriate
container (that is
Computer Objects to Add and Remove computer
objects
The problem I am experiencing is that if
the computer account already exists in the OU the error received is
access Denied
Thanks in advance
Yusuf
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: 16 July, 2003 17:14 PM
?
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: 16 July, 2003 18:20 PM
To: [EMAIL PROTECTED]
Hmmm, what error? When the computer joins the
domain?... I wonder if it is a permissions issue on the join domain
part. The user actually joining from the computer need to have that right
?
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: 16 July, 2003 18:20 PM
To: [EMAIL PROTECTED]
Hmmm, what error? When the computer joins
the domain?... I wonder if it is a permissions issue on the join
domain part. The user actually joining from the computer need to have
Correct about servers but clients are really irrelevant with regards to
Native vs. Mixed mode.
-Original Message-
From: rick reynolds [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 9:29 AM
To: [EMAIL PROTECTED]
You need to run in mixed mode until the last nt4 server or client
In Windows 2000 the Integrated zones are
in the domain naming context so this is correct. But in Windows server 2003 it
is in an application partition and you can choose replication partners
explicitly.
From: Victor Hugo
Naranjo [mailto:[EMAIL PROTECTED]
Sent: Thursday, June
Title: Please Help
I think that Anwer is correct. He was able
to add the computer account to the domain using his credentials because that
action has to go to the PDC which obviously has the account. His local BDC can
not do that and cant authenticate him because it doesnt know
about him
You can have only one Ex2000 organization per forest. Or are you talking
about Exchange 5.5?
Kevin
-Original Message-
From: Ellis, Debbie [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 9:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD/Exchange Question
My company is getting
Title: OT RIS ISSUE:
There is a switch in the RISetup answer
file that can be set to have a partition created on the first hard drive. I did
a quick TechNet search and couldnt find it. I will continue to look but
thought possibly someone may have the reference.
Kevin
-Original
Here is another issue that may come up when you start upgrading clients
to be aware of. If a w2k client authenticates to the NT 4 BDCs that will
work fine. The w2k client will use NTLM in the absence of AD for
authentication. But if the NT4 DC happens to be unavailable and the
client contacts a
Always a good Guinness! Easy!
-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 27, 2003 7:06 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Mixed to Native
The worst part of the mixed to native mode conversion is picking which
refreshing
You can do it a few ways. One would be to assign the deny 'apply group
policy' for the given administrator... You do this on the ACL of the GPO
itself...
Kevin
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 9:02 AM
To: [EMAIL
Note to self, read whole post...
I totally missed the computer config part.
-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 9:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO effect on Admin
That's a tough one. Computer policy
Title: Message
Since you are one domain the sizes should
be the same. The GC contains the partial attribute set from all domains in the
forest. Since you only have one domain you dont have anything additional
added. Also, yes the GC is a subset of all attributes for the domains which the
Title: Message
Sorry, one more point of clarification
after reading my post
A GC has the complete domain naming
context for the Domain which it directly represents. It also contains a partial
replica of the other domains in the forest
-Original Message-
From: Marc Zukerman
Engineer
Greenwich Technology Partners
- Original Message -
From: Sullivan, Kevin
To: [EMAIL PROTECTED]
Sent: Wednesday,
March 26, 2003 10:17 AM
Subject: RE:
[ActiveDir] AD synchronization
Since you are one domain
the sizes should be the same
Here is a sort of convoluted albeit possible solution to the issue. It
will be much easier to manage and design with the assistance of a
comprehensive management platform that enforces business rules and
manages access control.
The idea is to audit the contents of an OU specifically users.
Look at WinNetMag.com do a search for Replmon.
IIRC there are a lot of brief articles. It is really pretty easy to work with
just navigating
-Original Message-
From: Daniel Chaveco
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003
10:36 AM
To: [EMAIL PROTECTED]
Subject:
PROTECTED]
03-7522424
058-326753
From: Sullivan,
Kevin [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 16, 2003 2:59
PM
To: [EMAIL PROTECTED]
If they are using W2k/XP
it should be fairly easy. Write the GPO and deploy to test client. Then use
Security Configuration and Analysis
If they are using W2k/XP it should be
fairly easy. Write the GPO and deploy to test client. Then use Security
Configuration and Analysis to analyze the client and dump the config to a file.
You should be able to use the same tool to deploy to a local security policy. I
havent done this in
I would make sure that your clients are
pointing to the DNS server and the DNS server is updated with the appropriate
SRV records. Check DNS and let us know your settings.
Kevin
-Original Message-
From: bobo sy
[mailto:[EMAIL PROTECTED]
Sent: Sunday, March 09, 2003 3:53
PM
So just curious but who is going to DEC?
Kevin Sullivan
Aelita Software
[EMAIL PROTECTED]
�
Just changes are replicated during normal replication and within the
domain. Sites can cross domains remember so cross site replication will
have to do with what domains are playing, what DC from what domains are
across sites etc. Also, the only info replicated outside of the domain
is information
You may want to look into changing the default msDS-MachineAccountQuota.
This setting allows any user to create 10 computer accounts by default.
You can change this via a script, LDP or ADSI edit. If you change the
default value to 0 then your delegation model will probably work but the
default
If you can't find the cert that encrypted them or the cert for the Data
Recovery Agent (DRA) (usually the domain admin) you are out of luck.
They key to open the data is stored in the headers of the file and it is
locked up with the private key for the user who encrypted it and the
private key
that these files were encrypted by accident by the user
by
checking the box encrypt contents while looking at the properties of the
folder. Where could I get the DRA from if the domain doesn't exist,
restore
the domain on a workstations?
-Original Message-
From: Sullivan, Kevin [mailto:[EMAIL
that this is not the location, however is there a place I
can
look thru the RK online?
-Original Message-
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 03, 2003 12:08 PM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Decrypt Files from a no longer existing
domain
Perfect rebut Rick. I totally agree. Execs hate the idle threat and from my experience
they usually take it as a challenge. There are so many positives to point to when
selling the idea of Win2k/2003 that using the fact the you may lose (perceived)
support doesn't carry much weight. I do a lot
Go to HKLM/System/CCS/Services/NTDS/Diagnostics and set the Replication
Events value to 5. Then force replication. This will log all kinds of
replication info into the NTDS log that may help you to trouble shoot. I
don't have any references to the specific error off hand but thought
this may be
Definitely not the whole issue but in you code at the bottom 'Users' is
not OU=Users it is CN=Users... Also, when you say PDC, I have to assume
you are talking about PDC emulator and not a PDC but if you are looking
at an NT DC make sure you test your code with WinNT:// as well as
LDAP:// You will
I recall the ability to add a value to the NTDS\Diagnostics
registry key on a DC to be able to log information pertaining to management of
objects in AD. Of course after I told someone about this I cant seem to
find it anywhere. What I remember is it is a value that is not present by
Hello Chris,
I have recently been playing with something similar to this. I used ADSI
to iterate through an OU and find the computer objects and then use WMI
to connect to those systems and query more specific info from the WMI
repository. I can try to dig up some chicken scratch I have laying
Title: Message
I am guessing you have but just in case.
Have you looked for recommendations from the Branch Office Guide?
http://www.microsoft.com/technet/treeview/default.asp?url="/technet/prodtechnol/ad/windows2000/deploy/adguide/DEFAULT.asp
I have found it pretty helpful. I am
LDAP://cn=users,dc=ntdev3,dc-KEMET,dc=com
Users is not an OU
-Original Message-
From: Jones, Rick J.(Desktop
Engineering) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 13, 2002
2:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Move
Users script
You can not
Sorry for the way off topic but I seem to receive some
responses before I get the original posts. Hours apart. Also sometimes when I
post I dont see the post for a few hours. Is anyone else experiencing
this and any suggestions?
Thanks
Sent at 1:20 PM 11/8/02
�
Title: Message
Also if they are legacy (9x) clients make
sure they have the DSClient setup. This will allow them to change PW at any DC.
Without it they need to be talking to the PDC emulator.
Kevin
-Original Message-
From: cflesher
[mailto:[EMAIL PROTECTED]]
Sent: Friday,
How about this...
Option Explicit
Dim objUser
Dim objAccountDisabled
Set objUser = GetObject(LDAP://CN=User,DC=Domain,DC=MSFT;)
If objUser.AccountDisabled = True Then
objAccountDisabled = Yes
Else objAccountDisabled = No
End If
WScript.Echo objAccountDisabled
http://www.microsoft.com/biztalk/
-Original Message-
From: Salandra, Justin A. [mailto:jasalandra;chcsnet.org]
Sent: Tuesday, November 05, 2002 4:08 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Biztalk
What is Biztalk used for? My CIO asked me to look at it and I have
never
used it
I am not totally sure what your goal is here. But some things to think
about...
1. Off Line files (of course occasionally they will need access to the
network.
2. Write a script that does a file copy and call it from a logon script.
3. Create a .msi file with SMS Installer or WISE or WinInstall
Aelita Domain Migration Wizard... (For one)
-Original Message-
From: Salandra, Justin A. [mailto:jasalandra;chcsnet.org]
Sent: Friday, October 25, 2002 9:24 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ADMT v2
Is there any migration tool that doesn't require the target be in
for the migration?
-Original Message-
From: Sullivan, Kevin [mailto:KSullivan;aelita.com]
Sent: Friday, October 25, 2002 6:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2
Aelita Domain Migration Wizard... (For one)
-Original Message-
From: Salandra, Justin
Nope...
-Original Message-
From: Salandra, Justin A. [mailto:jasalandra;chcsnet.org]
Sent: Friday, October 25, 2002 11:36 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ADMT v2
Is it free?
-Original Message-
From: Sullivan, Kevin [mailto:KSullivan;aelita.com]
Sent
Trainer
MCSA, MCSE+I - Windows NT / 2000
Any sufficiently advanced technology
is indistinguishable from magic.
--- Arthur C. Clarke
-Original Message-
From: [EMAIL PROTECTED]
[mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of
Sullivan, Kevin
Sent: Friday, October
the
SIDHistory update process since the published Microsoft API's are not
being utilized?
-Original Message-
From: Sullivan, Kevin [mailto:KSullivan;aelita.com]
Sent: Friday, October 25, 2002 2:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2
Not all that interesting but what I told Stuart
what different means here).
I will try to get more information and post it next week.
-Original Message-
From: Sullivan, Kevin
Sent: Friday, October 25, 2002 10:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2
This is fully supported by Microsoft.
-Original Message
Wes,
There are as many issues with an inplace upgrade as there are benefits.
The option to create a pristine AD an move everything over allows you a
lot of flexibility in cleaning up your old NT environment and making
sure you don't migrate any junk that you should get rid of anyway. So
with
-Original Message-
From: Sullivan, Kevin
[mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 03, 2002 4:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:
Unable to browse across the subnets/gateways
What are the subnets? And
what is the gateway config.
Also, When you say browse
do you
I have worked quite a bit with MSDSS. It
is really pretty straight forward. I have also done a few larger Netware 5.1 AD migrations where we used MSDSS and then used Aelitas (my company) Domain Migration Wizard to
manage the enterprise project.
Any specific questions
about MSDSS?
Title: Joining computers to a domain?
The
ms-ds-machineAccountQuota (I believe) is a per domain
setting. It allows any user in the domain to create 10 computer accounts in AD.
I also think this is possibly restricted to the default computer container but am not sure. This really helps for
I tried to post the swynk script and it didn't send. From past
experience it will probably show up in a while. Anyway, I couldn't get
the script that Tony mentioned to run. Can someone put their eyes on the
script and let me know if you see any problems or lines that I may need
to edit.
Thanks,
,
$passwd,
ADS_SECURE_AUTHENTICATION);
$DSBind-{'ms-DS-MachineAccountQuota'} = $newval;
$DSBind-SetInfo();
}
-Original Message-
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 03, 2002 1:48 PM
();
}
--
-Original Message-
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 03, 2002 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining computers to a domain?
That's great Richard. I would still like to see
I can think of ways to run cleanup scripts on a schedule to do this. The
Universal Group is designated via a specific bit value or some other
designation. The script could look for that designation and look at the
creator/owner of the object and check against an authorized list. If the
: [ActiveDir]
Networkdrive-mapping @ logon
I would like to have one posted
The only thing I can is doing this from a
DOS-prompt L
-Original Message-
From: Sullivan, Kevin
[mailto:[EMAIL PROTECTED]]
Sent: woensdag 18 september 2002
14:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir
I am having a brain cramp at the moment. I am trying to send you an
example script but it is being rejected by the
[EMAIL PROTECTED]
How do I send script examples? I know it can be done.
-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 06,
Sorry about the formatting... I am adding _ to designate a line break.
-Original Message-
From: Sullivan, Kevin
Sent: Wednesday, September 18, 2002 10:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Networkdrive-mapping @ logon
This is a pretty simple example so you could enhance
My apologies, please disregard my last message to this thread.
-Original Message-
From: Sullivan, Kevin
Sent: Wednesday, September 18, 2002 10:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Network Infrastructure cause AD Security Fowl
Ups?
I am having a brain cramp at the moment
Try this...
Open ADUC and on the left hand pane right-click on the OU that you want
these admins to see... choose new window from here... Go to the windows
menu and choose the original window... Close that window... save the
.msc file out and apply NTFS permissions on the .mcs file.
74 matches
Mail list logo
