RE: [ActiveDir] LastlogonTimestamp Missing

2006-10-26 Thread Passo, Larry

What is the domain mode/forest mode?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, October 25, 2006 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: LastlogonTimestamp Missing

I have a Windows 2003 R2 single domain/forest. This domain/forest was built upon Windows 2003 R2 so it has never had to go through any upgrades.

I wanted to query for the true last logon time/date for various users and noticed that the LastlogonTimestamp is not an available attribute for the user accounts. The standard non-replicated LastLogon attribute is there, but I would obviously be more interested in the replicated LastlogonTimestamp. The LastlogonTimestamp schema attribute has been defined and it is listed as a systemMayContain of the user class.

C:\>adfind -sc scontainsl:lastlogontimestamp

user

Is there any reason why the LastlogonTimestamp attribute would not be appearing for user accounts? From what I understand, the LastlogonTimestamp attribute may not be instantiated on user accounts if the user accounts have not logged on since a domain has been upgraded to Windows 2003; however, since this domain/forest was built upon Windows 2003 R2 this is not the case.

Any ideas on how to get this attribute instantiated properly on the user accounts?

~Ben
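Added example (my own code, not from the thread): Ben wants the "true" last logon, so this shows how the Integer8 values of lastLogon and lastLogonTimestamp decode, why the non-replicated lastLogon has to be combined across every DC, and how to read lastLogonTimestamp given a fact the thread does not state: it is only rewritten when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default) minus a random skew. User names and timestamps are constructed samples.

```python
from datetime import datetime, timedelta, timezone

# AD stores lastLogon and lastLogonTimestamp as Integer8: 100-nanosecond
# ticks since 1601-01-01 UTC (a Windows FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # sentinel some tools hand back for "never"

# Assumption (documented AD behaviour, not stated in the thread): the stored
# lastLogonTimestamp is refreshed only when it is older than
# msDS-LogonTimeSyncInterval (default 14 days) minus a random skew, so the
# real last logon may be up to that much more recent than the stored value.
DEFAULT_SYNC_INTERVAL = timedelta(days=14)


def filetime_to_datetime(value):
    """Integer8 -> aware UTC datetime; None when unset (missing, 0 or NEVER)."""
    if value is None or value in (0, NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> Integer8 (used here to build the constructed samples)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def true_last_logon(last_logon_per_dc):
    """lastLogon is not replicated: each DC only knows the logons it serviced,
    so the real last logon is the newest value collected from every DC."""
    stamps = [filetime_to_datetime(v) for v in last_logon_per_dc.values()]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def classify(last_logon_timestamp, now, inactive_after=timedelta(days=90),
             sync_interval=DEFAULT_SYNC_INTERVAL):
    """Verdict from the replicated lastLogonTimestamp alone.

    'no-timestamp': attribute never populated (Ben's situation, or an account
                    that has not logged on since the attribute became active).
    'inactive'    : too old even if the real logon was sync_interval later.
    'uncertain'   : inside the refresh lag; confirm with true_last_logon().
    'active'      : the stored value alone proves recent activity.
    """
    stamp = filetime_to_datetime(last_logon_timestamp)
    if stamp is None:
        return "no-timestamp"
    age = now - stamp
    if age > inactive_after + sync_interval:
        return "inactive"
    if age > inactive_after:
        return "uncertain"
    return "active"


def sample_report():
    """Constructed sample accounts (not from the thread) run through the helpers."""
    now = datetime(2006, 10, 25, 19, 0, tzinfo=timezone.utc)
    users = {
        "alice": {"lastLogonTimestamp": datetime_to_filetime(now - timedelta(days=120))},
        "bob":   {"lastLogonTimestamp": datetime_to_filetime(now - timedelta(days=95))},
        "carol": {"lastLogonTimestamp": datetime_to_filetime(now - timedelta(days=30))},
        # Ben's case: attribute absent, only the per-DC lastLogon values exist.
        "dave":  {"lastLogonTimestamp": None,
                  "lastLogon": {"DC1": datetime_to_filetime(now - timedelta(days=3)),
                                "DC2": 0}},
    }
    report = {}
    for name, attrs in users.items():
        verdict = classify(attrs["lastLogonTimestamp"], now)
        real = true_last_logon(attrs.get("lastLogon", {}))
        report[name] = (verdict, real)
    return now, report


if __name__ == "__main__":
    now, report = sample_report()
    for name, (verdict, real) in report.items():
        print("%-6s %-13s per-DC lastLogon max: %s" % (name, verdict, real))
```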












RE: [ActiveDir] Strange password issue

2006-09-09 Thread Passo, Larry

If the Domain Controllers OU is set to block GPO inheritance, and the domain GPO that sets the password policy isn't set for No Override, then the domain policies might not get set properly.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 08, 2006 1:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

err, actually the password policy is stored in the machine portion of the GPO and thus applies to all machines and therefore all local user objects too.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 06 September 2006 17:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and the account was created a month ago.

Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:

Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6 characters.

The userAccountControl on the user is set to 512.

The Domain is at win2k3 DFL and FFL.

Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks

RE: [ActiveDir] Distribution list Maintenance. Policy dilemma

2006-09-07 Thread Passo, Larry

I would make the manager that wants the DL maintain it.

First, make sure that there is a written policy (approved by a higher management level) that specifies that the manager is responsible for updates. Then after you create each DL, set the Managed By attribute to be the appropriate manager and give them permission to make changes to it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, September 05, 2006 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Distribution list Maintenance. Policy dilemma

Hi,

I have department managers asking me to create DLs in Exchange of people who don't work in the company.

There is no technical problem to do that, but I am finding out that the previous guy was doing that via contacts in AD. The problem is that in this business, a consultant will work one day for you and the next for your competitor.

My question is, what is the common practice in terms of DLs? Does anyone know a good way of maintaining them? Most of the time, I don't get notified when we no longer work with a consultant.

How do you guys deal with DL maintenance? Any suggestion?

RE: [ActiveDir] nslookup. AD beginner question

2006-09-07 Thread Passo, Larry

Using the version of DCDIAG that comes with the 2003 SP1 support tools:

Type: dcdiag /test:dns /e /v

That will tell you what shape your DNS system is in.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Monday, August 28, 2006 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] nslookup. AD beginner question

Hi Everyone,

When I do a nslookup domain.com, domain.com being my AD domain, what should I see? A list of the DNS servers in my domain? A list of the DCs?

The fact is that I am doing nslookup and I am getting domain controllers but also a user's computer.

Thanks
RE: [ActiveDir] sample vbs script

2006-06-06 Thread Passo, Larry

There are several in the TechNet Script Center

http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/manage/default.mspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, June 06, 2006 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] sample vbs script

Could someone send me a sample vbs script that creates AD user accounts?

Thanks

Antonio
RE: [ActiveDir] Account policies and groups

2005-02-17 Thread Passo, Larry

But group membership can determine which GPOs get applied if you are using GPO filtering.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, February 17, 2005 6:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account policies and groups

No, group membership does not determine what policies get applied. If they did, they would be called OU policies, wouldn't they? :)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton
Sent: Thursday, February 17, 2005 7:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account policies and groups

If a user is in an OU which has block inheritance selected but is a member of a group that's in a different OU and doesn't have block inheritance applied, will the password policy for example still apply to that user?

Just curious really

Tim Sutton
For Troup Bywaters + Anders
W: www.TBandA.com
[ActiveDir] LDAP query question

2005-02-16 Thread Passo, Larry

I have developed a number of applications that do various queries on AD. However, I have run into a problem with doing an LDAP query in groups that have been named with the "/" character in their name. Since the group was named with a "/", the distinguished name for the object also has the "/" character. When my app tries to connect to the object using the following, an error results:

CreateObject("LDAP://" & distinguishedname)

The LDAP query is assuming that I'm trying to do a query of the form LDAP://server/distinguishedname. The WINNT provider has the same issue.

Any suggestions? (Besides renaming the groups?)
RE: [ActiveDir] Few quick ones on password policies

2005-02-16 Thread Passo, Larry

I used to agree with Joe on topic 2 until I actually ran into a problem in my forest. I needed to make a change to the password complexity setting on one domain and the change wasn't happening. The problem was that the block inheritance setting was checked on the domain controllers OU. Once the checkbox was cleared, the new account policy took effect. This was a Windows 2000 domain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 10:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Few quick ones on password policies

1. Correct

2. Yes and no. Account policies as applied onto domain users can't be blocked. However you can block those policies from being applied to the local policies of member machines.

I don't think you need to set "user can not change password"; if the person doesn't want their password changed, setting that only prevents them from doing it.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton
Sent: Wednesday, February 16, 2005 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Few quick ones on password policies

Hey all!

Can you do me a quick favour and just confirm that I'm not going mad by agreeing (or not, if I'm wrong) with these:

1) you can only apply password policies (account policies to be exact, but this is a bone of contention here at the moment) at the domain level, i.e.: if the domain is abc.com you have to apply it at that level, not below.

2) account policies cannot be blocked by using the block inheritance option? Not too sure on this one, so could do with it clearing up. As a fail safe I'm going to make sure I've got "password never expires" and "user can not change password" options selected for those people who I don't want their password changing just yet.

Any answers greatly received and advice always welcome.

Cheers, folks.

Tim Sutton
For Troup Bywaters + Anders
W: www.TBandA.com
RE: [ActiveDir] Few quick ones on password policies

2005-02-16 Thread Passo, Larry

That makes me feel better. It's too disruptive to my worldview when I think that Joe could be wrong <grin>

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Few quick ones on password policies

Actually you still agree with me, you just state it differently. :o)

In that case, the domain policy for the user accounts isn't being applied at all.

I believe the idea of the OP sprang from the idea to block a certain OU from having the policy impact the users in that OU. This isn't possible because the policies are actually initiating changes on the default NC of the domain controllers which are applied to all users within the domain. I.E. When you set the lockout policy for instance you impact a couple of attributes on the default NC, specifically

F:\DEV\cpp\dos>adfind -schema -f ldapdisplayname=*lockout* -nodn -nolabel ldapdisplayname

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com

lockOutObservationWindow
lockoutDuration
lockoutThreshold
lockoutTime

4 Objects returned

RE: [ActiveDir] LDAP query question

2005-02-16 Thread Passo, Larry

Thanks to all, changing "/" to "\/" in the dn did the trick.

Unfortunately, I can't get the groups renamed. Luckily, none of my users have created the groups using commas in their names. We do have numerous groups with embedded spaces and those haven't caused any of my apps to fail.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP query question

Yep.

But I would truly recommend renaming the objects. I would also kill any names with spaces in them and commas in them, those are also a pain to deal with.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, February 16, 2005 3:03 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] LDAP query question

Initial thought - string substitution, escape it with (ironically) a backslash "\" ??

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

RE: [ActiveDir] OT: limiting ldap query to single domain

2005-01-27 Thread Passo, Larry
To do a LDAP query for the separate domains, use the form:

LDAP://a/dc=a,dc=com
LDAP://b/dc=b,dc=com
LDAP://c/dc=c,dc=com

Where a, b, c are the NetBIOS names of the domains

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Wednesday, January 26, 2005 11:49 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] OT: limiting ldap query to single domain

It's a webpage ASP; since we are only reading, permissions shouldn't be a problem.

jb

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, January 26, 2005 2:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: limiting ldap query to single domain

Sure.  Is this VBSCRIPT?  What about permissions?  Do you have to worry about that?

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Wednesday, January 26, 2005 2:20 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] OT: limiting ldap query to single domain

We are working on a phonelist using AD.
Because we have multiple domains and domain name spaces, I want to be able to filter each search request by the domain.

I want to have a drop down list of the domains (a.com, b.com, c.com); they are not subdomains, it is a flat forest.

Right now we can use the GC and pull information from the entire forest, but we cannot get ldap to work for each domain.

A quick domain list

A.com
Server1.a.com (DC)
Server2.a.com (GC)

B.com
Server1.b.com (DC)
Server2.b.com (GC)

I need to be able to list users from each domain separately for the phone list.

Hope this clears things up a little.

jb

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, January 26, 2005 1:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: limiting ldap query to single domain

It would probably be better if you'd tell us what information you're after and how you're going about getting it in your script.  If you can post the logic or the whole script that would be helpful.

Keep in mind that the GC has a subset of information in it, so there are times when you may need to go to the individual DC's to get the necessary information.

al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Wednesday, January 26, 2005 1:36 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] OT: limiting ldap query to single domain

We have a large flat AD forest, with separate name spaces (a.com, b.com, c.com, etc.)

I have a few script questions.
First, is there a way to retrieve each domain name? Using winnt: doesn't work.
Second, if I use GC, I can read information on all objects, but how can I limit it so I can query only 1 domain at a time? If I use DC I have to query a different DC for each domain.

Thanks, jb
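Added example (my own code, not from either thread) covering two questions Larry answered in this archive: building a per-domain ADsPath of the form LDAP://netbios/dc=a,dc=com for Jason's flat forest, and the "/" problem from the LDAP query question, where ADSI reads the first unescaped "/" after LDAP:// as the server/DN separator and the fix is to escape it as "\/". The RDN escaping for commas follows RFC 4514; domain names and DNs are constructed.

```python
# Characters RFC 4514 requires to be backslash-escaped inside an RDN value.
_RDN_SPECIALS = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape one attribute value for use inside a DN (RFC 4514 rules).
    This is DN-level escaping, e.g. the comma in 'Smith, John'."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")          # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")          # leading hash
        else:
            out.append(ch)
    return "".join(out)


def domain_base_dn(dns_name):
    """'b.com' -> 'DC=b,DC=com', the domain naming context of that domain."""
    labels = [lbl for lbl in dns_name.strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join("DC=" + escape_rdn_value(lbl) for lbl in labels)


def adspath(dn, server=None):
    """Return an ADSI LDAP ADsPath for an (unescaped-for-ADSI) DN.

    ADSI parses LDAP://<server>/<dn>, so a '/' inside the DN (a group named
    'Sales/Marketing') is taken as that separator and the bind fails. The fix
    from the thread is to escape it as '\\/'. The DN must not already carry
    ADSI escaping, or the slash would be escaped twice."""
    escaped_dn = dn.replace("/", "\\/")
    if server:
        return "LDAP://%s/%s" % (server, escaped_dn)
    return "LDAP://" + escaped_dn


def per_domain_paths(domains):
    """Jason's case: one ADsPath per domain of a flat forest, each pinned to a
    server name so the query is answered by that domain's DCs rather than a GC.
    `domains` maps DNS name -> NetBIOS name, as in Larry's reply."""
    return {dns: adspath(domain_base_dn(dns), server=netbios)
            for dns, netbios in domains.items()}


if __name__ == "__main__":
    # Constructed sample: the group name with a slash and a three-domain forest.
    print(adspath("CN=Sales/Marketing,OU=Groups,DC=a,DC=com", server="a"))
    for dns, path in per_domain_paths({"a.com": "a", "b.com": "b", "c.com": "c"}).items():
        print(dns, "->", path)
    print("CN=" + escape_rdn_value("Smith, John") + ",OU=Users,DC=a,DC=com")
```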
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Trust Problems

2005-01-25 Thread Passo, Larry

In the lmhosts file did you:

- rename it to not have any extension
- use the #PRE and #DOM entries

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, January 25, 2005 8:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Trust Problems

So I have a 2 way external trust from a Windows 2000 forest to a Windows 2003 forest.

I'm in the process of migrating the 2000 forest to the 2003 forest because of a merger. I'm using NetIQ's Domain Migration Administrator to help in the migration.

I'm running DNS and WINS and the WINS have the Push/pull setup between the 2 domain controllers in the 2 domains. Also I can ping both domain controllers and domain names. I also have the DNS set to forward to each other.

Everything was working and I was able to copy over some test accounts and groups.

Today from the Windows 2000 side I can verify the trust account.

From the Windows 2003 trusting side I keep getting "There are currently no logon servers available to service the logon request."

I've used NETDOM to Query / Verify / and reset the Trust. I still get "there are currently no logon servers available to service the logon request" every time from the 2003 side.

I have rebooted both domain controllers and have added each domain and domain controllers in each server's Hosts and LMHOSTS files.

Any idea on where to go next would be great! I'm going to break and re-setup the Trust right now.

Thanks

Mike


RE: [ActiveDir] Loose vs strict replication consistency

2005-01-21 Thread Passo, Larry

w2k3 DC fresh built into existing forest: loose

Not sure.

If someone reading this list has such a DC (the last case I'm not sure of), he or she could check the registry value Strict Replication Consistency in HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet, Services, NTDS, Parameters to see if it is 1 (strict) or 0 (loose).

I checked two w2k3 DCs that were both fresh installs into an existing forest (same forest, two different domains) and neither one had the registry value Strict Replication Consistency present.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Friday, January 21, 2005 7:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Loose vs strict replication consistency

Hi Neil,

W2K DC all SPs: loose

Yes.

W2K DC upgraded to W2k3: loose

Yes.

w2k3 DC fresh built into new forest: strict

Yes.

w2k3 DC fresh built into existing forest: loose

Not sure.

If someone reading this list has such a DC (the last case I'm not sure of), he or she could check the registry value Strict Replication Consistency in HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet, Services, NTDS, Parameters to see if it is 1 (strict) or 0 (loose).

NB. Independent of lingering object detection, and independent of the strict/loose consistency setting, Windows Server 2003 always quarantines a source domain controller's partition (i.e., source replica) if replication has not succeeded for more than a tombstone lifetime (default 60 days).

If you consequently use the Replicate Now operation of the Sites and Services snap-in, you will get the error "cannot replicate because the time since the last replication has exceeded the tombstone lifetime". You would also probably get an error with the event ID 2042 in your event log. To recover from this error, first delete any lingering objects with repadmin /removelingeringobjects. Next, if DC2 did quarantine DC1, force the replication with a command such as the following:

repadmin /repl DC2 DC1 DC=sanao,DC=com /force

This fixes the problem for one partition, but when you try Replicate Now again, you may get the same error, but this time referring to the next partition. At worst, you must issue the command also for the configuration and schema partitions, ForestDnsZones and DomainDnsZones, for any other application partitions, and in the case of a global catalog server, for each other domain in the forest.

There is also a registry setting to turn this check off, but it's safer to use the repadmin command, so that the next time this would happen, the protection would still be on.

Yours, Sakari

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, January 21, 2005 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Loose vs strict replication consistency

OK, so I understand what loose and strict repl. consistency *mean* and how a DC behaves in both scenarios, but am unsure which default behaviour is adopted by various OS and SP levels.

Is the following summary correct?

- W2K DC all SPs: loose
- W2K DC upgraded to W2k3: loose
- w2k3 DC fresh built into existing forest: loose
- w2k3 DC fresh built into new forest: strict

I assume therefore, that if I demote/rebuild as w2k3/promote my w2k DCs in my forest, then they will adopt loose as the default behaviour. Lingering objects may occur and can be removed as and when detected.

I referenced http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=""

Thanks,

neil
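Added example (my own code, not from the thread) for Sakari's recovery procedure: it enumerates every naming context a quarantined source DC may need re-enabled for, in the order his message lists them, and emits the repadmin /removelingeringobjects and repadmin /repl ... /force commands for each. The repadmin argument order (destination DC, source DSA objectGUID, naming context) is the tool's documented syntax; the DC names, DNs and the GUID are constructed placeholders.

```python
def naming_contexts(forest_root_dn, domain_dn, app_partitions=(), is_gc=False,
                    other_domain_dns=()):
    """Partitions a DC replicates, in the order the thread walks through them:
    its own domain, Configuration, Schema, ForestDnsZones, DomainDnsZones,
    other application partitions and, on a global catalog, every other domain."""
    ncs = [
        domain_dn,
        "CN=Configuration," + forest_root_dn,
        "CN=Schema,CN=Configuration," + forest_root_dn,
        "DC=ForestDnsZones," + forest_root_dn,
        "DC=DomainDnsZones," + domain_dn,
    ]
    ncs.extend(app_partitions)
    if is_gc:
        ncs.extend(d for d in other_domain_dns if d != domain_dn)
    seen, ordered = set(), []
    for nc in ncs:                      # keep order, drop duplicates
        if nc not in seen:
            seen.add(nc)
            ordered.append(nc)
    return ordered


def recovery_commands(dest_dc, source_dc, source_dsa_guid, ncs):
    """Lingering-object cleanup on the destination first (advisory mode only
    reports; drop the switch to actually delete), then the forced replication
    from the thread, once per partition so each quarantine is lifted."""
    cleanup = ["repadmin /removelingeringobjects %s %s %s /advisory_mode"
               % (dest_dc, source_dsa_guid, nc) for nc in ncs]
    force = ["repadmin /repl %s %s %s /force" % (dest_dc, source_dc, nc)
             for nc in ncs]
    return cleanup + force


if __name__ == "__main__":
    # Constructed sample: DC2 (a GC in the forest root) quarantined DC1.
    ncs = naming_contexts("DC=sanao,DC=com", "DC=sanao,DC=com", is_gc=True,
                          other_domain_dns=["DC=child,DC=sanao,DC=com"])
    for cmd in recovery_commands("DC2", "DC1",
                                 "00000000-0000-0000-0000-000000000000", ncs):
        print(cmd)
```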


RE: [ActiveDir] Changing to Native mode and running AdPrep

2005-01-19 Thread Passo, Larry

The domain functional level may not matter but the forest functional level can have side effects. See KB 831809

http://support.microsoft.com/default.aspx?scid=kb;en-us;831809

From: Brian Desmond [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 19, 2005 12:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing to Native mode and running AdPrep

No, you can continue to operate in mixed mode and still run adprep.

You only need to be in mixed mode if you have NT4 BDCs ... the functional level of the domain & forest doesn't affect the operation of your clients from a user standpoint...

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web!
www.wpcp.org

v - 773.534.0034 x135
f - 773.534.8101

From: [EMAIL PROTECTED] on behalf of Alonzo Hess
Sent: Wed 1/19/2005 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing to Native mode and running AdPrep

We are planning on introducing a Win2k3 server (this at some point will become an Exchange2k3 machine) to our domain which consists of one Win2k DC that everyone uses to login to the domain. I'm assuming that I need to switch to native mode before running Adprep on the Win2k DC. Is this correct and if so will the server need to be rebooted after this? Also, after running Adprep on the Win2k DC, will this change the way that clients (WinXP Pro, Win2k Pro and Win98) login to the domain (will anything have to be changed on the clients)?

Thanks,
Alonzo


[ActiveDir] What GC authenticated me?

2005-01-06 Thread Passo, Larry
I can tell what DC authenticated my AD client by looking at the value of the environment variable LOGONSERVER. But there isn't an environment variable for which GC was involved. Since we have several sites that have more than one GC, I'd like to be able to tell which GC was used. Does anyone know how to tell?


RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-06 Thread Passo, Larry
In real life, you would also want to make use of SID filtering.
http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp

While multiple forests will give you security advantages, they will also
cause additional administrative overhead.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Thursday, January 06, 2005 12:32 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Forest trusts vs trusts within forests

Happy New Year !
I'm having a design discussion with myself about adding a forest vs
adding a domain to an existing forest.  I understand about the automatic
transitive trust between domains in a forest, and how it's possible for
a clever domain admin in a subdomain to compromise the entire forest.
What I'm shaky on is this:  If you had two single-domain forests, and
established trusts in both directions between them, do you have the same
issues ?  I would think not, because the configuration and schema NCs
are not shared between them, but I'm looking for some confirmation on
that.  Also, since we're talking about two single-domain forests, I'm
guessing that the 'forest trusts' available in W2K3 FFL don't really
come into play here, correct ?  In other words, getting the first domain
to W2K3 FFL doesn't buy anything with respect to this trust ?

Thanks,
Dave





RE: [ActiveDir] Script working for some users, and not for others?

2005-01-04 Thread Passo, Larry
Do you have a multiple domain forest? If so, the memberof attribute will
not show group memberships if they are domain local groups in other
domains.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe L. Casale
Sent: Monday, January 03, 2005 1:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script working for some users, and not for
others?

Yes, it does have it. It's just not working for some people?
They are all win2ksp4 and above.

Thanks!
jlc

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Monday, January 03, 2005 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script working for some users, and not for
others?

Do you also have Set adSysInfo = CreateObject("ADSystemInfo") before
these 4 lines?

Also, are the clients that are failing older than Win2k? If so, they
need to have the AD client extension added.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/iadsadsysteminfo.asp


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe L. Casale
Sent: Monday, January 03, 2005 12:41 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script working for some users, and not for others?

Hi all,
I have this in my logon script, and for some users it works, and others
the echo is blank?

Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)
wscript.echo ADSysInfo.UserName
' MemberOf comes back as a plain String (not an array) when the user is in
' exactly one group; Join needs an array, so wrap it first
vGroups = CurrentUser.MemberOf
If Not IsArray(vGroups) Then vGroups = Array(vGroups)
strGroups = LCase(Join(vGroups))
wscript.echo strGroups

Is there any known reason someone might share, or a caveat to using this
method? Is there a more robust way to get group membership?

Thanks!
jlc






RE: [ActiveDir] Script working for some users, and not for others?

2005-01-03 Thread Passo, Larry
Do you also have Set adSysInfo = CreateObject("ADSystemInfo") before
these 4 lines?

Also, are the clients that are failing older than Win2k? If so, they
need to have the AD client extension added.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/iadsadsysteminfo.asp


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe L. Casale
Sent: Monday, January 03, 2005 12:41 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script working for some users, and not for others?

Hi all,
I have this in my logon script, and for some users it works, and others
the echo is blank?

Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)
wscript.echo ADSysInfo.UserName
' MemberOf comes back as a plain String (not an array) when the user is in
' exactly one group; Join needs an array, so wrap it first
vGroups = CurrentUser.MemberOf
If Not IsArray(vGroups) Then vGroups = Array(vGroups)
strGroups = LCase(Join(vGroups))
wscript.echo strGroups

Is there any known reason someone might share, or a caveat to using this
method? Is there a more robust way to get group membership?

Thanks!
jlc




RE: [ActiveDir] Accessing resources when a domain controller is unavailable (slightly OT)

2004-11-30 Thread Passo, Larry
Yes, the Kerberos settings are what applies here. However, the answer also
depends on when the DC goes down:

1. The DC is down when you try to log on
   - If you have previously logged on from workstationA, you can use cached
     credentials to logon
   - If you have changed your password from another workstation since you
     logged on to workstationA, then you will need to use the old password
     (since that is what is cached)
   - While you can log on to the workstation, you will not be able to connect
     to any network resources until the DC comes back up
   - By default, win2kx caches the last 10 successful logons (this can be
     changed via GPO)

2. You are logged on to the network and connected to network resources when
   the DC goes down
   - You can remain connected to the network resources until Kerberos forces
     a renewal
   - You will not be able to connect to any new network resources

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Steve
Sent: Tuesday, November 30, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Accessing resources when a domain controller is
unavailable (slightly OT)


Are the Kerberos settings the one that apply to this?

By default they are Maximum lifetime for a user ticket 10 hours,
maximum lifetime for a service ticket 600 minutes, and maximum
lifetime for a ticket renewal 7 days.

Does this mean that cached credentials will work for 10 hours or 7 days?  

Name resolution is not an issue on these smaller sites as each has
only one subnet.

Cheers


On Tue, 30 Nov 2004 12:55:52 -0500, Renouf, Phil
[EMAIL PROTECTED] wrote:
 Yes, the client will continue to use Cached Credentials to allow you to
 log onto your workstation. How long you can do that depends on some
 customizable settings that you can control with GPOs. Off the top of my
 head I am not sure what the defaults are, but I am sure someone less
 lazy than me can fill us both in.
 
 One of the main concerns in that type of centralized DC setup is name
 resolution.  If the DCs are your DNS servers and you don't have any
 local name resolution methods (DNS or perhaps WINS) then you'll have
 issues connecting to the other local servers by name while the DCs are
 unavailable.
 
 Phil
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Steve
 Sent: Tuesday, November 30, 2004 11:59 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Accessing resources when a domain controller is
 unavailable (slightly OT)
 
 A question for planning placement of Domain Controllers.
 
 Windows 2003 Native mode domain in a mixed level forest
 
 Let's assume that all DCs are centralized in a central site and that
 there are robust high speed/high capacity lines connecting all sites.
 
 Let's further assume that each remote site has Windows 2000/XP clients
 and a local file server.
 
 Normally when a resource has to be contacted locally the workstation
 authenticates with the DC and gets granted access (too simple but for
 this example good enough).
 
 Now what happens when a DC is not available?  Will the local file server
 accept Cached credentials?  If so for how long?  Will the workstation
 maintain access until the next time their kerberos ticket needs to be
 renewed?  Is there some magic time period until the DC must be contacted
 again?
 
 I have tested/seen how this works in practice; what I'm looking for is the
 actual reasons why access is granted/denied in this scenario.
 
 A link to a reference explaining this would also be great.
 
 Thanks
 
 Steve



RE: [ActiveDir] What can you *do* with AD??

2004-11-29 Thread Passo, Larry
Here is a simple example:
We had several methods of keeping track of everyone's phone number, cubicle
location, office address, etc.
One department kept the data in Excel, one kept it in an HTML webpage, one kept
it in SQL... you get the idea.
Now the only place that we keep it is in AD, and we wrote a few scripts to
extract the data in a variety of formats for different purposes.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Monday, November 29, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] What can you *do* with AD??


What you may want to consider is reversing the thought process on that.  You
may want to instead look at it from the business side: i.e. what business
problems do I have that might be better solved with this new tool?  vs.
Hey, I have this hammer and doesn't that problem look a lot like a nail?
The latter will inevitably begin to happen if you look at the technology
bits first prior to understanding the business problems.  I realize you want
to get more familiar and all, but figured I'd throw that out there.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Luevane
Sent: Monday, November 29, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] What can you *do* with AD??

Yeah, see, this is where I was going. I use it for authentication - works
great. Easy to manage. Joe forgets his password (third time this week??) all
I need to do is open the User and Computers, go to the users, find him,
reset password tell him what I reset it to and go about my merry way. 2
minutes.

But I have this feeling that there is so much more that it could do. I read
some of the other responses, and I'm like yes, I'd like to do that. How?
Methinks I need to do much reading.

I'm sure ASB has pointers on his website. I'll check there before coming
back.

Thanks all!

Michael Luevane
Systems Analyst
Quantec, LLC
6229 SE Milwaukie Ave
Portland, OR 97202
http://www.quantecllc.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Monday, November 29, 2004 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] What can you *do* with AD??


Talk about a great question!

If you think about it, much is written about how or what but not a lot about
why.  I find that a shame myself and often structure articles in light of
this.

I always look at it like this:

I upgraded to AD because: 1) I need to maintain a supported environment and
I'm mostly a Wintel shop.  2) I need better authentication mechanisms than
NTLM. 3) newer hardware won't support NT or the other apps I need.  That
last one leads me to the other issues.  Why deploy a directory service in
the first place?  Why are Redhat, Novell, and many others coming up with
their own directory services?  What's the advantage? Why put that amount of
effort into something that just sits there? :)

For that, you need to look back at pre-directory services in the
enterprises.  What were the problems?  Multiple disparate directory systems
that didn't talk to each other.  Vendor-specific authentication and
authorization techniques meant poor interoperability.  Applications that
stretched the entire enterprise yet you still had to enter in user data
multiple times resulting in lost productivity.  I.e. email systems.
Remember having one logon for email, one for mainframe, one for your
desktop, etc.?  With a centralized directory service you can potentially do
away with much of that.  While we're at it, wouldn't it be nice to store
some data in that directory to make it easier to manage users?  Or the next
step, wouldn't it be good if we could manage network resources in a way that
enforces our policies?  With Active Directory those things are possible.
You can use group policies to enforce corporate computer policies.  You can
use the directory and its open authentication mechanisms to build
interoperable applications across platforms.  You can write directory-aware
applications that can take advantage of a central directory and can
therefore do away with its own proprietary directory and in a roundabout
way keep costs down while providing easier interoperability and SSO for many
apps.

There's still room to go, but these things all can be done with Active
Directory (or a directory service that your desktop integrates with right?).
There are also more creative answers for what you can do with Active
Directory, but they will mean more to you if you come up with them.  Think
of Active Directory as a foundation for your computing platform and the
sky's the limit :)

My $0.02

Al





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Luevane
Sent: Monday, November 29, 2004 1:54 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] What can you *do* with AD??

Okay.

We've got AD. Great for logins.

But there's got to be *more* to it... I've got books on 

RE: [ActiveDir] Which is better

2004-10-28 Thread Passo, Larry
You also have to look at what each method doesn't do.

1. Digital signature
   - Proves the message was sent by you
   - Allows anyone to read the message

2. Digital envelope
   - Only the desired recipient can read the message
   - Doesn't prove the message was from you

A truly secure transfer requires both techniques to be used, but sometimes one
step is all you need.

A digital signature is similar to having your signature notarized on a loan
application. Also, when you download a new device driver it could be digitally
signed so you can be sure that you are actually getting a driver from your
hardware vendor, not a hacker. However the message is now the equivalent of a
postcard or a billboard by the side of the road.

If you are placing a message into a portable storage media (floppy, usb key,
portable hard disk, etc) that a courier is going to hand carry to the recipient
then the digital envelope would keep the courier from looking at the contents
of the message. If the courier switched your message with another one, you
couldn't know.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, October 28, 2004 11:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Which is better

Well what are you trying to achieve?

Digitally sign just ensures to the receiving party that the packet has not been
tampered with. Digitally encrypt ensures that nobody in between can read the
contents of the packet.

Thanks.
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
 Sent: Thursday, October 28, 2004 1:42 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Which is better
 
 Digitally sign communications
 
 Or
 
 Digitally encrypt secure channel data
 
 Justin A. Salandra, MCSE
 Senior Network Engineer
 Catholic Healthcare System
 212.752.7300 - office
 917.455.0110 - cell
 [EMAIL PROTECTED]
 
 



RE: [ActiveDir] Which is better

2004-10-28 Thread Passo, Larry
Not actually.

Digital Signatures, Digital Envelopes, and Kerberos all use what is called
Asymmetric Cryptography (aka Public/Private Keys). But the techniques are used
for different purposes.

The term "AD Kerberos" is meaningless. AD is the database that contains the
actual usernames and passwords (among other data). Kerberos is the primary
authentication protocol used by Windows 200x. Kerberos uses digital signatures
to verify that both ends of the process are properly identified.

IPSEC can be used to set up encrypted paths for data transfer.


More on Kerberos: 
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/kerberos.mspx

http://www.windowsitlibrary.com/Content/617/06/6.html


More on IPSEC:

http://www.techonline.com/community/tech_topic/21194


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, October 28, 2004 1:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Which is better

Ok, and from what I can figure, both utilize AD Kerberos to sign or encrypt the data 
right?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Thursday, October 28, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Which is better

You also have to look at what each method doesn't do.

1. Digital signature
   - Proves the message was sent by you
   - Allows anyone to read the message

2. Digital envelope
   - Only the desired recipient can read the message
   - Doesn't prove the message was from you

A truly secure transfer requires both techniques to be used, but sometimes one
step is all you need.

A digital signature is similar to having your signature notarized on a loan
application. Also, when you download a new device driver it could be digitally
signed so you can be sure that you are actually getting a driver from your
hardware vendor, not a hacker. However the message is now the equivalent of a
postcard or a billboard by the side of the road.

If you are placing a message into a portable storage media (floppy, usb key,
portable hard disk, etc) that a courier is going to hand carry to the recipient
then the digital envelope would keep the courier from looking at the contents
of the message. If the courier switched your message with another one, you
couldn't know.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, October 28, 2004 11:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Which is better

Well what are you trying to achieve?

Digitally sign just ensures to the receiving party that the packet has not been
tampered with. Digitally encrypt ensures that nobody in between can read the
contents of the packet.

Thanks.
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
 Sent: Thursday, October 28, 2004 1:42 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Which is better
 
 Digitally sign communications
 
 Or
 
 Digitally encrypt secure channel data
 
 Justin A. Salandra, MCSE
 Senior Network Engineer
 Catholic Healthcare System
 212.752.7300 - office
 917.455.0110 - cell
 [EMAIL PROTECTED]
 
 



RE: [ActiveDir] AD LDAP Data Conversion Question

2004-10-27 Thread Passo, Larry
If you use the WinNT interface instead of
LDAP, the LastLogin attribute does the conversion to a readable
format for you. Just remember in Win2k, you need to query every DC and use the
highest value.











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Wednesday, October 27, 2004 12:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD LDAP Data Conversion Question

It's in a format called VT_FILETIME. If memory serves, it is the number of
milliseconds since some date long ago (1600 comes to mind).

VB has a variant type to convert it for you.

















-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Menten, Jeff
Sent: Wednesday, October 27, 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD LDAP Data Conversion Question

All,

I would like to extract the lastLogon value from AD to check for orphan
workstations, etc. This attribute has an INTEGER8 format - which, as far as I
can tell, is an eight-byte data structure. Does anyone know of an easy way to
convert this value via VBscript to a readable format that will actually print?

Thanks,
 - Jeff M.


 


___

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.
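The thread above asks how to turn the INTEGER8 value of lastLogon into a readable date. As an added example that is not code from the thread, here is the conversion in Python: a FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC, ADSI hands it over as an IADsLargeInteger whose HighPart and LowPart are both signed 32-bit values (the classic place where hand-rolled conversions go wrong), and lastLogon itself is not replicated, so the real answer is the highest value across all DCs, as Larry's reply notes for the WinNT provider. The sample timestamps and DC names are constructed for the example.

```python
"""Decoding AD INTEGER8 timestamps (lastLogon, lastLogonTimestamp, pwdLastSet).

A FILETIME is the number of 100-nanosecond intervals since 1601-01-01 00:00 UTC.
LDAP returns it as a 64-bit integer (usually a decimal string); ADSI exposes it
as an IADsLargeInteger with signed 32-bit HighPart and LowPart halves.
The sample values below are constructed for the example.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0                       # attribute never set, e.g. a user who never logged on
NO_EXPIRY = 0x7FFFFFFFFFFFFFFF  # "never" sentinel, seen in accountExpires


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert a raw 64-bit FILETIME to an aware UTC datetime.

    The two sentinels come back as None rather than as a bogus 1601 or
    year-30828 date, which is what a naive conversion prints for them.
    """
    if filetime <= NEVER or filetime >= NO_EXPIRY:
        return None
    try:
        # ten 100 ns intervals make one microsecond; drop the remainder
        return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    except OverflowError:  # past datetime.max (year 9999): treat as "never"
        return None


def datetime_to_filetime(moment: datetime) -> int:
    """Inverse of filetime_to_datetime, to microsecond precision."""
    if moment.tzinfo is None:
        moment = moment.replace(tzinfo=timezone.utc)
    delta = moment - FILETIME_EPOCH
    micros = (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def large_integer_to_int(high_part: int, low_part: int) -> int:
    """Recombine IADsLargeInteger.HighPart/LowPart into one 64-bit integer.

    Both halves are signed 32-bit values. A LowPart with its top bit set comes
    back negative, so the popular HighPart * 2^32 + LowPart formula is off by
    exactly 2^32 for roughly half of all timestamps unless LowPart is fixed up.
    """
    if low_part < 0:
        low_part += 1 << 32
    return (high_part << 32) + low_part


def newest_logon(per_dc_values: Dict[str, int]) -> Optional[datetime]:
    """lastLogon is not replicated: each DC only knows the logons it handled,
    so the user's true last logon is the highest value across every DC."""
    if not per_dc_values:
        return None
    return filetime_to_datetime(max(per_dc_values.values()))


if __name__ == "__main__":
    # constructed per-DC readings of one user's lastLogon (DC1 never saw a logon)
    readings = {"DC1": 0, "DC2": 127433088000000000, "DC3": 127433088000000000 - 10**9}
    print("last logon:", newest_logon(readings))
    print("from HighPart/LowPart:", large_integer_to_int(29670327, -421593088))
```

The same decoding applies to lastLogonTimestamp and pwdLastSet; only lastLogon needs the per-DC maximum, because the replicated lastLogonTimestamp is already a single value everywhere (at the cost of being updated only every so often).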











RE: [ActiveDir] Password policy in NT 4.0 PDC

2004-10-26 Thread Passo, Larry
There is no difference between user accounts and service accounts. They are
both accounts subject to the domain password policy.











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sudhir Kaushal
Sent: Tuesday, October 26, 2004 7:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password policy in NT 4.0 PDC

Hi,

Would like to know that, in NT4.0 PDC when we apply user policy for password
change, does it get applied on service accounts also? If NO, why?
Can anyone throw some light on this.

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649

You never win Silver, You lose Gold


This is a PRIVATE message. If you are not the intended recipient, please delete
without copying and kindly advise us by e-mail of the mistake in delivery.
NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any
order or other contract unless pursuant to explicit written agreement or
government initiative expressly permitting the use of e-mail for such purpose.









RE: [ActiveDir] script logic question

2004-10-26 Thread Passo, Larry
I'll agree with Al that you want to make sure that your group membership
cross checks. 

Regarding your point #1. If you have a large number of users involved,
you will get better performance with a dictionary instead of an array.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 26, 2004 10:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] script logic question

That's going to be tough.  That's not indexed nor in the GC by default which
may make it a little tougher/slower.

However, because you need to know that the users with that attribute equal
to "S" are in fact properly in a particular group, I don't think you meet
your criteria if you instead use the group as the authoritative source of
information.  You pretty much have to iterate each user and if they have
that attribute set to "S" then check their group memberships and report if a
member of the particular group.

Otherwise, you could get a situation where a person should be a member of
the group and somehow was missed. If the reverse is true, i.e. the user is a
member and shouldn't be, you'd be looking at some other authoritative source
for that information anyway.

Because of that last bit, you could start with a list of those that are
supposed to be in that group and then look each of them up to validate the
attribute value and the group membership.  Again, you run the risk of having
the wrong people in the group though.



Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, October 26, 2004 1:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] script logic question

I need to make sure all users where the value of attribute employeeType is
"S" are members of a given group. Right now I only want to report on it, not
actually change the group membership. Logically, what is the most efficient
way to achieve this?

1. do I place the membership of the group into an array and then loop
through all the users to see if they are in the array

2. do I loop through all the users and check each one's memberOf for the
existence of the group?

I think option 1 seems better than 2, but I'm willing to bet someone has a
much better idea. Thanks!

Mark
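As an added example (not code from this thread or the earlier "Script working for some users" thread), here is the report-only reconciliation the thread discusses, written in Python with the dictionary/set lookups Larry recommends over an array scan. It takes Al's point and checks both directions: users with employeeType "S" who are not in the group, and group members who should not be there. It also sidesteps the memberOf caveat from the logon-script thread (memberOf omits the user's primary group and domain local groups from other domains) by reading membership from the group's own member attribute. The user and group data, DNs and group name are constructed; a real run would fill the two inputs from LDAP queries.

```python
"""Reconciling "every user with employeeType=S must be in group X", both ways.

Membership is taken from the group's own member attribute, not from each
user's memberOf: memberOf omits the user's primary group and does not show
domain local groups from other domains in the forest. Lookups go through a
dict/set (hashed) rather than a scan of an array, so the check stays linear
in the number of users. All directory data below is constructed; a real run
would fill the two inputs from LDAP (the users with employeeType=S, and the
group's member values).
"""
from typing import Dict, Iterable, List, Tuple


def normalize_dn(dn: str) -> str:
    """AD compares DNs case-insensitively and ignores spaces around commas,
    so canonicalise before using a DN as a dictionary key.
    Assumes DN values contain no escaped commas (the usual case for CN/OU)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def reconcile(users: Dict[str, str], group_members: Iterable[str],
              required_type: str = "S") -> Tuple[List[str], List[str]]:
    """Return (missing, unexpected), both sorted lists of normalised DNs.

    users:         DN -> employeeType for every user object queried
    group_members: DNs read from the group's member attribute
    missing:       employeeType == required_type but not in the group
    unexpected:    in the group but employeeType != required_type, or not a
                   user in the query at all; flagged for review, not removed
    """
    required = {normalize_dn(dn) for dn, etype in users.items()
                if etype == required_type}
    members = {normalize_dn(dn) for dn in group_members}
    # set difference is a hashed lookup per element, not a nested loop
    return sorted(required - members), sorted(members - required)


def report(users: Dict[str, str], group_members: Iterable[str],
           group_name: str) -> List[str]:
    """Human-readable lines for the report-only mode the thread asks for."""
    missing, unexpected = reconcile(users, group_members)
    lines = [f"{group_name}: {len(missing)} missing, {len(unexpected)} unexpected"]
    lines += [f"  MISSING    {dn}" for dn in missing]
    lines += [f"  UNEXPECTED {dn}" for dn in unexpected]
    return lines


# constructed sample data: four user objects and one group's member attribute
USERS = {
    "CN=Ann Able,OU=Staff,DC=example,DC=com": "S",
    "CN=Bob Baker,OU=Staff,DC=example,DC=com": "S",
    "CN=Cid Cole,OU=Contractors,DC=example,DC=com": "C",
    "CN=Dee Dunn,OU=Staff,DC=example,DC=com": "S",
}
GROUP_MEMBERS = [
    "cn=ann able, ou=staff, dc=example, dc=com",     # case/spacing differ, still a match
    "CN=Cid Cole,OU=Contractors,DC=example,DC=com",  # contractor who should not be here
    "CN=Dee Dunn,OU=Staff,DC=example,DC=com",
]

if __name__ == "__main__":
    print("\n".join(report(USERS, GROUP_MEMBERS, "Staff-S")))
```

Because the "unexpected" list only ever reports, a member who belongs in the group for some other legitimate reason is surfaced for a human decision rather than silently removed, which is the safer default when the attribute is not yet an agreed authoritative source.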





RE: [ActiveDir] New to AD

2004-10-21 Thread Passo, Larry
The TechNet Script Center is full of scripts:
http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx

Also, check out the WMI Scriptomatic tool

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Coleman, Hunter
Sent: Thursday, October 21, 2004 6:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] New to AD


Did you want to enter a computer name and have it dump the path, or have
the script dump the path for all computers in a given OU? 

-Original Message-
From: Stauffer, Christopher [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 21, 2004 5:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] New to AD

Just rename .zip 

Directions are inside

Does anybody have a script that will display a computer's full OU path?

Like this

Cn=computername,OU=blabla,DC=com



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner
Sent: Thursday, October 21, 2004 7:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] New to AD

A copy of the script could come in handy if you are willing to send me a
copy.
 
Thanks


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stauffer,
Christopher
Sent: Friday, 22 October 2004 7:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] New to AD


Just wanted to thank everybody who added their two cents.
I have a working script that does exactly what my boss wanted.
 
It could be a little better but I'm not a coder.
 
If anybody wants a copy let me know.


From: Stauffer, Christopher
Sent: Thursday, October 21, 2004 9:02 AM
To: '[EMAIL PROTECTED]'
Subject: New to AD


I'm new to AD. Our network is finally migrating to Active Directory
2000.
(yeah I know 2003 is better but it isn't our call)

Anyway, during the migration when joining new Windows XP or Windows 2000
computers to the Windows 2000 domain, the computer name appears in
Active Directory but the computer description that is on the computer
does not show up in AD. Why does this happen? In network places I can
see the computer description, but in AD it is just blank unless I
manually add it. Is there a way to pull the computer description from
the local box into AD when the computer joins the domain?

 

I was told this by guys on another news group:

It's two separate fields.

When you give a description to a computer object in AD users and
computers, you are applying the description to the object, and not the
computer itself.

When you logon to a workstation and add a description to it, you are
adding the description to the machine itself, and not the object in AD.
That is why you see the different behaviors. Unfortunately the 2 fields
aren't tied together.

As for how to fix it, I think if a script ran that read the description
from the local machine, and then connected to AD to update the computer
object with the same name, you would be good to go.

So I guess my question is does anybody have a script that can do this.
 

Thanks,
CHRIS STAUFFER
Distributive Systems Specialist II
Bureau of Information Technology
1(717)783-9049 ext 244
[EMAIL PROTECTED]




 


RE: [ActiveDir] groups vs attributes

2004-10-19 Thread Passo, Larry
Two other questions on why it might be slower
to enumerate the members of a universal group. Since UGs are kept by GCs, are
your developers doing a query in a site with a GC? Are all of your DCs also
GCs?











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, October 19, 2004 7:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] groups vs attributes





Im not following Rick and Al on the
security factor. Why would using the attribute method be less secure, assuming
we control who can populate the attribute, the same as we control who can add
members to a group? Maybe Im missing the point thoughthanks for
your thoughts guys





mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Boza
Sent: Tuesday, October 19, 2004 10:05 AM
To: ActiveDir List
Subject: Re: [ActiveDir] groups vs attributes

From a Dev standpoint using attributes and requiring schema extensions is
undeniably sexier. And you would be extending the schema eventually,
possibly for every application that you deploy. There are only so many
attributes to use for this sort of thing before you start wanting your own
specific one.

From an administrative standpoint, I'm with Al, only I'll go a level
further: managing that would become a nightmare, and every application that
gets rolled out would make things even more convoluted. There are lots of
good reasons to populate attributes with different values, but circumventing
AD security probably isn't one of them! (The term "Recipe for Disaster" comes
to mind)

On 10/19/04 9:36 AM, Mulnick, Al [EMAIL PROTECTED]
wrote:

Personally,
I think they should have a look at why their queries take longer than they
want. Likely they are checking the memberof attribute to find out what
the group membership is, right?

I think they could use an attribute, but I think
that's not guaranteed to be faster either. I think they also may want to
consider what the administrative and troubleshooting overhead is if they use an
attribute vs. a group membership (why aren't they using Active Directory security
again?).

That's the way I think though :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, October 19, 2004 9:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] groups vs attributes

As our developers (as well as our 3rd party
vendors) continue to create apps that leverage AD, the question comes up
frequently - which is a better solution...to
search AD for a group membership, or for the value of a given attribute, when
validating a user's access to a custom application?

Our standard has been to use
universal groups for this sort of thing, that is, UserA can access the
application, if he is a member of the appropriate universal group. However, our
developers have discovered in their ad hoc queries that returning a list of
users that have a given value assigned to a custom attribute is much faster
that returning a list of users that are members of a universal group. So they
are asking, shouldn't we be adding a custom attribute when an application
requires a validation that a user can access
the application, rather than using a group membership?

Any notes from the field would be much appreciated!

Mark Creamer
Systems Engineer
Cintas Corporation
The Service Professionals


RE: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003 Security Weirdness)

2004-10-17 Thread Passo, Larry
I greatly value the knowledge that I've gained from this group and I love to
occasionally be able to give back. At the risk of making this seem too easy, here is
the exact google query that I used: "site:support.microsoft.com
RestrictAnonymousSAM" (without the quotes)

I love the site: modifier

May the google be with you <g>

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Saturday, October 16, 2004 5:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2K3 documentation update? (WAS: Windows Server
2003 Security Weirdness)


Your google-fu appears to be very strong young one...

  :o)

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Friday, October 15, 2004 5:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003
Security Weirdness)

823659
328459 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Friday, October 15, 2004 2:07 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003
Security Weirdness)

Remember my "I'm getting hammered with brute-force attacks as if the 'Do not
allow enumeration of SAM' setting wasn't there even though it is"
problem?

Found the solution today.

Remember the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
key in 2000, that you needed to set to 2 to do any good?

Seems that's been deprecated in 2003, and the new correct value is split
into 2 registry keys:

..\RestrictAnonymous=1
..\RestrictAnonymousSAM=1

Now, I've obviously only done this on my network, but I can tell you that a
setting of 2 in ..\RestrictAnonymous had me wide open and getting hammered
by account enumeration attacks, whereas changing it to a 1 now has my IPC$
share behaving the way I thought it should've been.

The kicker?  I can't find any mention of the change in an MS Article (though
Deji or someone will doubtless prove me wrong in about 5 seconds with their
superior Google-fu skills :-)).  And the Windows Server 2003 Deployment Kit
actually references 2 as a valid entry for ..\RestrictAnonymous.

Can anyone confirm or deny this before I go making a fool out of myself by
submitting an incorrect or redundant KB article?

Laura E. Hunter
MCSE, MVP - Windows Networking
University of Pennsylvania



RE: [ActiveDir] Deleting a subnet on a AD Site

2004-10-15 Thread Passo, Larry
While, in general, deleting their subnet will not prevent a client from logging on,
they could experience significant delays in doing so. Since the client will not be
able to determine which DCs are closest, they could end up trying to be
authenticated by a DC on the other end of a slow WAN connection. The purpose of a site
is to let the clients know which subnets have fast connections to each other. That way
a client can attempt to be authenticated by DCs that can respond quickly. If the
client's subnet has been deleted, the client will randomly pick a DC.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, October 14, 2004 6:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Deleting a subnet on a AD Site

You'll be fine. In general, deleting a client's subnet does not prevent them from 
logging on. 

Thanks.
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Meneses, Arturo
 Sent: Thursday, October 14, 2004 9:27 AM
 To: '[EMAIL PROTECTED]'
 Subject: [ActiveDir] Deleting a subnet on a AD Site
 
 I have a domain that was originally setup in a public network and then was
 moved to a private one. It has three public subnets and one private in the
 Sites and Services mmc.
 Are there any issues deleting the public ones? They're not being used
 anymore internally.
 
 Thanks,
 AM
 
 -Original Message-
 From: Mulnick, Al [mailto:[EMAIL PROTECTED]
 Sent: Thursday, October 14, 2004 8:08 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Unable to Promote a 2nd DC or Access Group
 Policyon existing DC
 
 
 As you were reading this, did you check the dcpromo log on the failed
 promotion?
 Are you trying to use the same domain controller name when you promote it?
 
 Are all of these domains in the same forest?  If so, how's the FRS logs?
 Any errors?
 
 Al
 
 P.S. GPRESULT.EXE from the reskit will tell you some information of value
 about the applied policies.  Also, have a look at this for some other
 things
 to check http://support.microsoft.com/?kbid=830062
 
 I don't think I'd haul off and just implement this, but it's something to
 consider.  You'll want to test this stuff out before implementing it I'm
 sure.  You may also do well to call Microsoft support and have a more
 in-depth look of your environment done.
 
 
 
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner
 Sent: Wednesday, October 13, 2004 10:58 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Unable to Promote a 2nd DC or Access Group Policy
 on existing DC
 
 Al,
 
 I understand the article to a degree. I understand that I am in over my
 head
 here.
 
 I understand it but just do not seem to be able to get it to work.
 
 
 * From the article *
 
 To fix the problem:
 
 Make sure that existing domain controllers have applied security policy
 and
 that the Enable computer and users accounts to be trusted for delegation
 user right has been granted to the Administrators group (Default Domain
 Controller Policy / Computer Configuration / Windows Settings / Security
 Settings / Local Policies).
 
 If a domain controller does not have this right, confirm that GPOs have
 replicated, and then manually apply the policy by typing the following
 command:
 
 secedit /refreshpolicy machine_policy
 
 NOTE: If the Application event log contains:
 
 Event ID 1704: "Security Policy in the Group policy objects are applied
 successfully." the GPOs have been applied.
 
 If you're in a hurry, stop the Netlogon service on the source domain
 controller that doesn't have this right, to discover another DC that does.
 
 
 
 How do you check what it states to do in the first paragraph of "To fix
 the problem:"?
 
 I do not believe that I can get the second part to work as I do not
 believe that I can replicate as there is only 1 DC so to speak. Yes, there
 are other BDCs but they are all WinNT4.0.
 
 Anyway, I tried the secedit /refreshpolicy machine_policy and it stated in
 the DOS Screen to check the app log for any errors etc. Nothing appeared
 in the apps event log so far and it has been about an hour so I assume that
 it did not work.
 
 Any further help would be appreciated AL.
 
 Rodney
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
 Sent: Wednesday, 13 October 2004 11:08 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Unable to Promote a 2nd DC or Access Group Policy
 on existing DC
 
 Yep, it's very likely that the two are related.
 (here's a good reference of what's happening when and why I say the two
 are
 related: http://www.jsiinc.com/SUBG/TIP3000/rh3034.htm)
 
 You need to start by fixing the default policy issues.  

RE: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003 Security Weirdness)

2004-10-15 Thread Passo, Larry
823659
328459 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
E.
Sent: Friday, October 15, 2004 2:07 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003
Security Weirdness)

Remember my "I'm getting hammered with brute-force attacks as if the 'Do not
allow enumeration of SAM' setting wasn't there even though it is"
problem?

Found the solution today.

Remember the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
key in 2000, that you needed to set to 2 to do any good?

Seems that's been deprecated in 2003, and the new correct value is split
into 2 registry keys:

..\RestrictAnonymous=1
..\RestrictAnonymousSAM=1

Now, I've obviously only done this on my network, but I can tell you
that a setting of 2 in ..\RestrictAnonymous had me wide open and
getting hammered by account enumeration attacks, whereas changing it to
a 1 now has my IPC$ share behaving the way I thought it should've
been.

The kicker?  I can't find any mention of the change in an MS Article
(though Deji or someone will doubtless prove me wrong in about 5 seconds
with their superior Google-fu skills :-)).  And the Windows Server 2003
Deployment Kit actually references 2 as a valid entry for
..\RestrictAnonymous.

Can anyone confirm or deny this before I go making a fool out of myself
by submitting an incorrect or redundant KB article?

Laura E. Hunter 
MCSE, MVP - Windows Networking
University of Pennsylvania

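
Laura's finding in the two messages above is that on Windows Server 2003 the old RestrictAnonymous=2 is gone and the setting is split into RestrictAnonymous=1 and RestrictAnonymousSAM=1. The following is an added Python example, not from the thread, that audits a `reg export` of the LSA key against those values, so a batch of exported registry files from many hosts can be checked offline. The sample export is constructed for the example; the key path and value names are the ones the thread discusses.

```python
import re

# Constructed 'reg export' of the LSA key from a hypothetical Windows Server
# 2003 host still carrying the Windows 2000-era value. Not from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000002
"RestrictAnonymousSAM"=dword:00000000
"EveryoneIncludesAnonymous"=dword:00000000
'''

LSA_KEY = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]"
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')

# Values the thread reports as correct on Windows Server 2003.
EXPECTED_2003 = {"RestrictAnonymous": 1, "RestrictAnonymousSAM": 1}


def parse_dwords(reg_text, key=LSA_KEY):
    """Return {value_name: int} for the REG_DWORD values under `key`
    in a .reg export. Key names are matched case-insensitively."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.lower() == key.lower()
            continue
        m = DWORD_RE.match(line)
        if in_key and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_anonymous_restrictions(values, expected=EXPECTED_2003):
    """Compare the parsed values with the expected ones. Returns a list of
    findings; an empty list means the host matches."""
    findings = []
    for name, want in expected.items():
        have = values.get(name)
        if have is None:
            findings.append(f"{name} is not present; expected {want}")
        elif have != want:
            findings.append(f"{name}={have}; expected {want}")
    if values.get("RestrictAnonymous") == 2:
        findings.append("RestrictAnonymous=2 is the Windows 2000 setting; "
                        "on 2003 use RestrictAnonymous=1 with RestrictAnonymousSAM=1")
    return findings


if __name__ == "__main__":
    for finding in audit_anonymous_restrictions(parse_dwords(SAMPLE_REG)):
        print("FINDING:", finding)
```

Real `reg export` files are written as UTF-16 with a byte-order mark, so read them with `open(path, encoding="utf-16")` before handing the text to `parse_dwords`.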


RE: [ActiveDir] Getting print info from event log

2004-10-15 Thread Passo, Larry
dumpevt from: http://www.somarsoft.com/

It's simple and it's free!


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Free, Bob
Sent: Friday, October 15, 2004 4:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Getting print info from event log


It is a little tedious to set up but it's way cheaper than the
commercial products for print reporting :-)

Maybe someone else has another idea... good luck in your quest 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Friday, October 15, 2004 4:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Getting print info from event log

Sorry Bob not really enjoying this log parser :( anything else?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Free, Bob
Sent: Friday, October 15, 2004 3:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Getting print info from event log


Look into logparser.exe to extract the events/fields you want.
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=8cde4028-e247-45be-bab9-ac851fc166a4
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Friday, October 15, 2004 2:56 PM
To: ActiveDir
Subject: [ActiveDir] Getting print info from event log

Does anyone have or know any way to pull print info out of the System
event logs so that it can be easily reviewed?
Example: I need to know who, and how many pages.
Now I can go thru each event and record this info by hand but it seems
rather tedious and that there should be an easier way to gather this
info.

Any help is appreciated,

Thanks,
Aaron Visser



RE: [ActiveDir] urgent help needed

2004-08-03 Thread Passo, Larry
The real issue isn't what a power failure can do to an individual box. If you had more
than one DC, AD would have survived the failure of an individual DC. You might have to
force the transfer of the FSMO roles, but AD would have survived and you would have
had a much easier time recovering the failed box.

In your situation, with one DC with data files that you need to recover, you have the
option to re-install Win200x from scratch. The OS files will be replaced and the data
partitions shouldn't be touched (don't format them during the install). If you were
using NTFS permissions to protect those files, you can take ownership with an admin
account, then change the permissions on them to let the original users access them.

ONE WARNING: If you had been using file encryption, then DO NOT RE-INSTALL the OS;
if you do, you will lose the master encryption key and YOUR DATA FILES WILL BE LOST.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alicia Szerenyi
Sent: Tuesday, August 03, 2004 7:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Thanks a lot for everyone's help...
I just want to explain that I don't have a second domain controller or backup for the
database file because I am just trying AD out, and learning about it. I installed it
in the laboratory server, which is used to learn, but has other information that
belongs to my work-mates...

I am just worried that AD is so fragile against a power failure... that could happen
again... I just have to pray that it won't?

Thanks again
Alicia

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 03, 2004 11:02
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed


It doesn't have to be a fake domain, it could be your regular domain name.
You just want to promote and then demote so you have the member server back
at a known good point, then finally do a regular promotion back to being
your DC. Make sure you promote a second DC as well so you have a backup in
case of failure for next time.

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alicia Szerenyi
Sent: Tuesday, August 03, 2004 9:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

How do I promote the DC into a fake domain? And demote it?

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 30, 2004 12:51
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed


Are you sure the DIT file is gone? If so and you have no systemstate backups
and you don't have any other DCs for that domain your only choice is a
forced demotion of the DC. See the following KB

http://support.microsoft.com/default.aspx?kbid=332199


If I recall though you can't do that from single user mode so you will have
to do the following unsupported hack:

Go to the following registry value:

hklm\system\currentcontrolset\control\productoptions\producttype 

Change it from WinNT to ServerNT


After you do this, you will want to promote the DC into a fake domain and
demote it again so that it reconfigures everything properly on the machine. 


It is possible to create an empty DIT file but it will do nothing for you.
There is a huge difference between an empty DIT file and a properly built
DIT file with no user defined objects. The former is easy, the latter is
not. You have to repromote the DC to get it.


I will step up on the podium for a second...

1. Always have multiple DCs. 
2. If you can't follow number 1, have a systemstate backup that you know is
good and still always have multiple DCs.


I am wondering why you are so worried about rebuilding the DC, my guess is
that you have some other app or apps loaded. It really isn't good security
(or any security at all honestly) to run DCs as app servers. There are a
couple of infrastructure services that are generally ok to run, but as a
whole, don't run apps on DCs. 


  joe



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alicia Szerenyi
Sent: Friday, July 30, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Dennis, I appreciate your help, but the solutions that are suggested in
the link you gave me won't work... the last suggestion was to reinstall the
operating system, which is what I am trying not to do...

Does anybody have any idea how to solve my problem?

When I try to boot in normal mode there is an error message saying the
directory service can't be started... then, when I check the integrity of the
files with ntdsutil some errors occur, the last one being
"E:\winnt\ntds\ntds.dit file does not exist"...

It must be possible to create a new empty ntds.dit file... or any other
solution!!

Thank you
Alicia


-Original Message-
From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]
Sent: Friday, July 30, 2004 11:37
To: [EMAIL PROTECTED]
Subject: 

RE: [ActiveDir] OT: Opening ports on the XP firewall

2004-07-29 Thread Passo, Larry
The Microsoft Scripting Guys covered that in their blog:

http://blogs.msdn.com/gstemp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Thursday, July 29, 2004 7:41 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT: Opening ports on the XP firewall

You can use netsh for this, I believe.

netsh firewall

Windows Firewall Basics:

http://tinyurl.com/5n2vj

Netsh overview:

http://tinyurl.com/6t9r9

Rutherford, Robert wrote:

 Hi All,
 
 I'm trying to help one of the desktop guys out... and as there are some
 good scripters in here I thought I'd throw this one out on a line
 
 Is there a way to script the opening of ports (incoming) on an XP
 firewall? I know it can be done manually
 (http://support.microsoft.com/default.aspx?kbid=308127), but we'd like
 to link it into a startup script.
 
 ... I know it's an awful product and if I had my way I'd get
 SecureClient in.
 
 ... I also know that XP SP2 has a new firewall but we aren't playing with
 that yet.
 
 BR and Thanks.
 
 Rob
 
 
 This e-mail and the information it contains are confidential and may be
 privileged. If you have received this e-mail in error please notify the
 sender immediately and delete the material from any computer. Unless you
 are the intended recipient, you should not copy this e-mail for any
 purpose, or disclose its contents to any other person.
 The MCPS-PRS Alliance is not responsible for the completeness or
 accuracy of this communication as it has been transmitted over a public
 network. Whilst the MCPS-PRS Alliance monitors all communications for
 potential viruses, we accept no responsibility for any loss or damage
 caused by this e-mail and the information it contains.
 It is the recipient's responsibility to scan this e-mail and any
 attachments for viruses. Any e-mails sent to and from the MCPS-PRS
 Alliance servers may be monitored for quality control and other purposes.
 
 The MCPS-PRS Alliance Limited is a limited company registered in England
 under company number 03444246 whose registered office is at c/o 29-33
 Berners Street, London, W1T 3AB.

-- 
John Singler
Systems Administrator
School of Veterinary Medicine, University of Pennsylvania
3800 Spruce Street
Philadelphia, PA 19104-6044

ph: 215.573.6525 fx: 215.573.8777

life is a killer -- John Giorno


RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread Passo, Larry
You are confusing several different user/group objects:

1. The domain account named Administrator
2. The domain group named Domain Admins
3. The local account named Administrator
4. The local group named Administrators (note the s at the end)

The security guidelines say that you should rename numbers 1 and 3
above.

Default configuration for a domain has:
1. The domain account Administrator is a member of the domain group
Domain Admins
2. The domain group Domain Admins is a member of the local group
Administrators (with the s) on each domain member.

You could then use the local group Administrators to grant the
appropriate NTFS permissions to files/folders. Users that then looked at
the NTFS permissions would only see the group name.

However, for the more technically savvy people out there, renaming the
local Administrator account is not foolproof since it has a well-known
SID. The built-in Administrator account is the only one that ends in
-500.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, July 22, 2004 8:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

Right!
My point exactly!
So if your policy is to include the Domain Admin in NTFS permissions,
there's no point in renaming your Domain Admin account.

Thanks Tony.

RH





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Tony Murray
Sent: Thursday, July 22, 2004 11:25 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Renaming The Admin Account


The admin tools resolve the SID to the friendly name for you.  In other
words, you're not actually working with the friendly names when viewing
or assigning permissions, but this is how it appears to you.

Tony
-- Original Message --
From: Rocky Habeeb
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 22 Jul 2004 10:25:14 -0400

People,

OK, I know you guys are the Experts and I know MS says, rename it, but
tell me the answer to these questions please.  Let's say you run NTFS
permissions on your local PCs.  Let's say your standards are (for EVERY
FILE/FOLDER OBJECT ON THE PC):
Full Control for Local Admin, Domain Admin and System.
Modify for Everyone (At least where it is not a security risk).
[1]  What is displayed locally to the User (for Admin accounts) when
they look at NTFS permissions on their file/folder objects?
[2]  What do you as the Admin select in the ACL, when you set new
permissions for file/folder objects?

Thanks

RH
-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-


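
Larry's point in this thread is that renaming the built-in Administrator account does not hide it, because its SID always ends in RID 500. The following is an added Python example, not from the thread, showing how an audit script can identify well-known principals by RID rather than by display name, which is how monitoring rules and ACL reviews should key on such accounts. The account names and SIDs are constructed for the example.

```python
import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Relative identifiers that are the same in every domain (the thread's point:
# the built-in Administrator is the only account whose SID ends in -500).
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    512: "Domain Admins",
}
# The BUILTIN local group the thread calls "Administrators (with the s)".
BUILTIN_SIDS = {"S-1-5-32-544": "Administrators (built-in local group)"}

# Constructed sample: (sAMAccountName, SID) pairs as an audit script might
# collect them from the domain and from member servers. Hypothetical values.
SAMPLE_PRINCIPALS = [
    ("Administrator",  "S-1-5-21-1111-2222-3333-500"),   # domain Administrator
    ("Domain Admins",  "S-1-5-21-1111-2222-3333-512"),
    ("svc-backup",     "S-1-5-21-1111-2222-3333-1105"),
    ("ops-root",       "S-1-5-21-4444-5555-6666-500"),   # renamed local Administrator
    ("Administrators", "S-1-5-32-544"),
]


def split_sid(sid):
    """Split a SID string into (identifier prefix, RID)."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def classify(sid):
    """Well-known role of a principal, decided by its SID and never by its
    display name, so a renamed account is still recognised. None if ordinary."""
    if sid in BUILTIN_SIDS:
        return BUILTIN_SIDS[sid]
    _, rid = split_sid(sid)
    return WELL_KNOWN_RIDS.get(rid)


def find_renamed_admins(principals):
    """Accounts carrying RID 500 whose name is no longer 'Administrator':
    confirms that the rename was applied and that reviews must key on the SID."""
    return sorted(name for name, sid in principals
                  if split_sid(sid)[1] == 500 and name.lower() != "administrator")


if __name__ == "__main__":
    for name, sid in SAMPLE_PRINCIPALS:
        print(f"{name:15s} {sid:32s} {classify(sid) or '-'}")
    print("renamed RID-500 accounts:", find_renamed_admins(SAMPLE_PRINCIPALS))
```

Because every SID on a given machine or domain shares the same prefix, the RID alone tells you which well-known principal you are looking at; the prefix tells you which domain or machine it belongs to.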


RE: [ActiveDir] LastLogOn

2004-07-20 Thread Passo, Larry

Bginfo will show you the logon server but it doesn't show you the last
logon value. It is still subject to the requirement that you need to
query the last logon time from all of the DCs in the domain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, July 20, 2004 10:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LastLogOn

Oh yeh... that's a good idea. We have it on our servers, but yeh it would
also work in the clients. I'll look into it.

Cheers Tim.

-Original Message-
From: Tim Foster [mailto:[EMAIL PROTECTED]
Sent: 20 July 2004 17:06
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LastLogOn

BgInfo from

http://www.sysinternals.com/ntw2k/freeware/bginfo.shtml

may help.

Tim Foster

From: Durant, Ryan A [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 20, 2004 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LastLogOn

Query every domain controller and store those results in a database.

The number of domain controllers, amount of users and link speeds will
determine how fast you can collect the stats.

You may only be able to collect once a day or possibly once an hour.

Have a logon script query the DB for the last logon value and have it pop
up on their screen. You could also query a web page to get the values if
you didn't want to worry about odbc and sql calls from the client machines.

But you have to be a scripter to get this done I believe.

Ryan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, July 20, 2004 6:26 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LastLogOn

Dear All,

Not in any way being a scripter.

How would I get the date and time a user last logged on to pop up on their
screen at logon? I guess it would be via the 'lastlogon' attribute? Linked
into a login script?

Cheers,

Rob

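
Ryan's suggestion in this thread (query every DC for lastLogon, keep the results, take the newest) as an added Python example that is not part of the thread: it converts the FILETIME values lastLogon is stored in, merges the per-DC values into the true last logon, and flags accounts that have not logged on anywhere recently. DC names, user names and timestamps are constructed; the collection from each DC is assumed to have already happened.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC,
# which is how lastLogon is stored on each DC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0  # lastLogon of 0 means this DC has never authenticated the user


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime; None if never logged on."""
    if ft <= NEVER or ft == 0x7FFFFFFFFFFFFFFF:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


# Constructed per-DC results, as a collector querying each DC's lastLogon
# would store them (hypothetical DC and user names, not from the thread).
PER_DC_LASTLOGON = {
    "DC01": {"alice": 127347984000000000, "bob": NEVER, "carol": NEVER},
    "DC02": {"alice": 127347948000000000, "bob": NEVER, "carol": 127244304000000000},
}


def true_last_logon(per_dc):
    """Merge per-DC values: lastLogon is not replicated, so the real last
    logon is the newest value any DC holds for the user."""
    newest = {}
    for results in per_dc.values():
        for user, ft in results.items():
            newest[user] = max(newest.get(user, NEVER), ft)
    return {user: filetime_to_datetime(ft) for user, ft in newest.items()}


def stale_accounts(per_dc, as_of_iso, days=90):
    """Users with no logon on any DC within `days` of `as_of_iso`
    (ISO 8601 with offset). Never-logged-on accounts are included."""
    as_of = datetime.fromisoformat(as_of_iso)
    cutoff = as_of - timedelta(days=days)
    merged = true_last_logon(per_dc)
    return sorted(user for user, when in merged.items()
                  if when is None or when < cutoff)


if __name__ == "__main__":
    for user, when in sorted(true_last_logon(PER_DC_LASTLOGON).items()):
        print(f"{user:8s} {when.isoformat() if when else 'never'}")
    print("stale:", stale_accounts(PER_DC_LASTLOGON, "2004-07-21T00:00:00+00:00"))
```

The merge is what makes the per-DC collection useful for more than the pop-up Rob asked about: the same table answers the stale-account question that auditors ask, and it only needs refreshing as often as the collection runs.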

RE: [ActiveDir] win2k pro or server?

2004-07-20 Thread Passo, Larry
But you can only run bginfo on a local box, not on a remote box. He
would have to termserv to the remote box to view the wallpaper that
bginfo creates.

I see the following possible ways to determine OS type:
1. If terminal services are activated on all servers and the tsclient
can connect to the box, it's a server.
2. You can go into ADUC and view the properties of the computer account.
The operating system tab will show "Windows 2000 Server" or "Windows
2000 Professional".
3. You could (via a script) connect to the computer object in AD and
look at the value of the operatingSystem attribute.

By default, methods 2 and 3 work for Windows 200x and Windows XP.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Foster
Sent: Tuesday, July 20, 2004 11:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win2k pro or server?

OK, I know this'll sound like there's only one tool in my toolbox...but
how about trying bginfo and running it on your PCs via a logon script.
This will give you OS type plus a whole lot more.

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 20, 2004 2:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win2k pro or server?

Ha ha,
I meant to query remote PCs on my network...


-Original Message-
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 20, 2004 2:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win2k pro or server?


If you hit the start button - there is a vertical bar that displays this
information...

R/Bill

 -Original Message-
From:   Kern, Tom [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, July 20, 2004 2:14 PM
To: ActiveDir (E-mail)
Subject:[ActiveDir] win2k pro or server?

Sorry if this is really basic and covered before, but what's the quickest
way (via script or GUI admin tool) to tell if a particular PC/server is
running win2k pro or server?
thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] Transitive trusts between 2 forests

2004-07-15 Thread Passo, Larry
To establish a forest trust, the forests need to be in WIN2k3 functional
mode, so
all of the domains in each forest need to be in Win2k3 mode, so
all of the DCs in each domain need to be Win2k3.

Also, the forest trusts between each pair of forest roots are not
transitive. If Forest A trusts Forest B and Forest B trusts
Forest C, then all of the domains in Forest A have transitive trusts
to all of the domains in Forest B but they have no trust relationship
at all with the domains in Forest C.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, July 15, 2004 7:25 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Transitive trusts between 2 forests

Quick question-
If I want a transitive trust between 2 forests (involving all child
domains in both forests), do all DCs in all domains need to be win2k3
or just both roots?

Thanks


RE: [ActiveDir] OT: Active Directory Browser History Files

2004-07-15 Thread Passo, Larry
I have no idea what version of Websense you looked at but our installation of
Websense Enterprise 5.2 IS on SQL. Since our database grows at least 40MB a day
we didn't go with the option for MSDE.

I positively love the reporting tools. Their Explorer is the main reason why I
chose it over Surf Control after I did the evaluation of both products. It
allows you to rapidly look at an overview of your data and then drill down on
the subcategory of your choice (then to a subcategory of that subcategory...).
Their Reporter gives you the granular reports similar to what you get from
Crystal.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Thursday, July 15, 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Active Directory Browser History Files

The issue I had with Websense and Webtrends (and the like) is just that: the
time it takes to load firewall logs to do reporting and so forth.

Surf Control uses SQL (or MSDE if you prefer); info is loaded almost instantly
and the result sets are nearly as quick.

I can't say enough (positive) about Surf Control.

The canned reporting is pretty good, and if you're running Crystal you can
really get some granular result sets.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Thursday, July 15, 2004 1:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Active Directory Browser History Files

Websense is also a good product which I have used for many years. It will work
with Checkpoint firewalls directly or you can hook it into a proxy, i.e. ISA,
Squid, etc. I personally prefer it to SurfControl, but that is just my opinion.

Try them out.

-Original Message-
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: 15 July 2004 17:49
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Active Directory Browser History Files

In my opinion, you need an acceptable use policy, and you need to have all the
users agree to it. You then need a product like surfCONTROL. They have versions
for various proxy servers as well as firewalls.

mc

From: Edwin [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 15, 2004 10:44 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Active Directory Browser History Files

In our domain we use roaming profiles. What I would like to know is if there is
an easy way to monitor the web sites that end users are looking at while at
their workstations. We have users that are going to sites that may offend others
and this needs to be addressed.

I am aware of reviewing the Firewall logs but I was hoping
that there would be an easier way since all the machines are connected to the
domain.



Thank you all for your replies.

Edwin


RE: [ActiveDir] Adding a Windows 2003 server into a windows 2000 domain

2004-07-14 Thread Passo, Larry
You're skipping several important steps. MS has a good step by step
guide at:
http://support.microsoft.com/?kbid=325379



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pennell, Ronald
B.
Sent: Wednesday, July 14, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Adding a Windows 2003 server into a windows 2000
domain


Quick question.

I want to add a new windows 2003 server into my windows 2000 domain.
I will also want to add this as an additional domain controller to start
with.

When do I do the dcpromo on the windows 2003 server to make it a domain
controller?

After I run forestprep and domainprep on my windows 2000 domain? Or
after I do the dcpromo on the win 2003 server?  The win2000 server is
also the schema master.

Eventually, the win2003 DC will take over all the FSMO roles and the
win2000 server will go away.

Ron



Ronald B. Pennell
Senior Network Systems Analyst
Institute For Defense Analyses
[EMAIL PROTECTED]
(703)845-2122



RE: [ActiveDir] Inter-Site Transports

2004-06-28 Thread Passo, Larry
The IP transports use RPC.

The SMTP transport can only be used if the two DCs that use it are in
different domains AND different sites.

See:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/ntopt11.mspx

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 28, 2004 8:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Inter-Site Transports 

It has been a while so I am asking for a little refresh.

What is the difference between an IP Inter-Site Transport and an SMTP
Inter-Site Transport?  When would you use the SMTP one?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] DNS Issues - ipconfig /flushdns

2004-06-25 Thread Passo, Larry
When you do an ipconfig /displaydns, what is the TTL for the incorrect values?

From: Tashildar, Dinesh (Cognizant) [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 24, 2004 9:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Issues - ipconfig /flushdns

It takes 2-3 days.

From: Passo, Larry [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 24, 2004 8:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Issues - ipconfig /flushdns

When you say it always shows the old IP address, how long are you waiting? If
you try to resolve the hostname immediately after the box gets a new IP, it is
perfectly normal for the other boxes to have the old address cached. It can
take up to 10 minutes for the local caches to flush.

From: Tashildar, Dinesh (Cognizant) [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 24, 2004 7:15 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Issues - ipconfig /flushdns

When we moved a desktop from one location to another location (let's say from
subnet 18 to subnet 19) and we try to resolve the hostname to an IP address, it
always shows the old IP address.

Only if we do ipconfig /flushdns does it get the new information.

This is definitely something wrong in DNS. Is there something I need to change
in DNS?

Regards,

Dinesh Tashildar
Cognizant Technology Solutions India Pvt. Ltd.
Tel : 91-20-4062600 Extn : 3119
Vnet : 23119

RE: [ActiveDir] Enterprise Admin members

2004-06-25 Thread Passo, Larry
Anything that goes outside the scope of a domain:
1. Authorize a DHCP server
2. Create sites
3. Create a subnet object
4. Assign subnet objects to sites

Of course, the above tasks could be delegated.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 25, 2004 8:10 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Enterprise Admin members

I'm after a list of tasks that can only be performed by an Enterprise
Administrator and not by a domain admin in the forest root, e.g. authorise
a DHCP server.

In general terms, what does everyone do with their Enterprise Admin
membership? I'm wondering if it should have any members at all on a
day-to-day basis, with users only added temporarily when an Enterprise
Admin task crops up. What do you all think?

Also, is anyone aware of any application service accounts that require
Enterprise Admin rights?


RE: [ActiveDir] DNS Issues - ipconfig /flushdns

2004-06-24 Thread Passo, Larry
When you say it always shows the old IP address, how long are you waiting? If
you try to resolve the hostname immediately after the box gets a new IP, it is
perfectly normal for the other boxes to have the old address cached. It can
take up to 10 minutes for the local caches to flush.

From: Tashildar, Dinesh (Cognizant) [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 24, 2004 7:15 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Issues - ipconfig /flushdns

When we moved a desktop from one location to another location (let's say from
subnet 18 to subnet 19) and we try to resolve the hostname to an IP address, it
always shows the old IP address.

Only if we do ipconfig /flushdns does it get the new information.

This is definitely something wrong in DNS. Is there something I need to change
in DNS?

Regards,

Dinesh Tashildar
Cognizant Technology Solutions India Pvt. Ltd.
Tel : 91-20-4062600 Extn : 3119
Vnet : 23119

RE: [ActiveDir] GPO - File and Printer Sharing.

2004-06-22 Thread Passo, Larry
This registry key controls the creation of the hidden, administrative
shares at the root of each partition (C$, D$, E$, ...) for workstations
(not servers).

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 22, 2004 11:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO - File and Printer Sharing.

Hey Rick..

I'm not positive on this...but, I think this key controls that...

and you could write an adm file to do it.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareWks"=dword:00000001

Have fun,
John

From: Dale, Rick [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 06/22/2004 01:19 PM
Please respond to: ActiveDir
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO - File and Printer Sharing.

Thanks guys,

I have some users that are obstinate and they go in and turn off file and
printer sharing, which also takes the IPC$ share pipe off, which then does not
allow remote admin on their machine. So basically I wanted to be able to force
them to have it turned on. I guess if I manually enable it then disable access
to the network config that would work.

Thanks again for your input.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 22, 2004 1:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO - File and Printer Sharing.

Hey Rick...

You can turn off the server service, even with a GPO, but then no one gets
there, not even admins...as far as I know.

It's a bit awkward...but, in computer configuration/windows settings/security
settings/local policies/user rights assignments/deny access to this computer
from the network

You can specify a global group in there. It's actually the opposite of what
you want. I think they can create shares, but group members can't get to them.

I really think this was an oversight from MS on the Group Policies...I've
mentioned it to them several times. I seem to remember you could do this with
NT, and a system policy.

John

From: Darren Mar-Elia [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 06/22/2004 12:58 PM
Please respond to: ActiveDir
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO - File and Printer Sharing.

Rick-
No way that I know of to do this from GPO. The challenge is that it's a bunch
of binary reg keys that get messed with when you turn this on or off--per
connection. I did a quick look through netsh and didn't see any commands
there, but I may have missed it. Alternatively, if you want to shut it down
completely, I think you can still turn off the Server service, which was the
way to do it in NT 4. Probably need to test that though.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dale, Rick
Sent: Tuesday, June 22, 2004 9:22 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO - File and Printer Sharing.

Hi,

I know there is a way to force enable or disable File Printer Sharing but I
can not find it.

How do you force that via a GPO?

Thanks for the input.

Rick


RE: [ActiveDir] User Icons

2004-06-21 Thread Passo, Larry

There is even a registry value that you can configure for this:

http://support.microsoft.com/default.aspx?scid=kb;en-us;281923Product=win2000

From: Lou Vega [mailto:[EMAIL PROTECTED]
Sent: Monday, June 21, 2004 11:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User Icons

I remember asking the same question myself a while back; this article should
shed some light on it for you:

http://www.winnetmag.com/Article/ArticleID/21073/21073.html

r/

Lou

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Monday, June 21, 2004 1:55 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] User Icons

I am looking at group memberships in various groups in my AD structure and
notice some user icons are dim or gray looking. What does this mean?

Debbie Ellis
Systems Administrator
Viasat, Inc.
4356 Communications Drive
Norcross, GA 30093
678-924-2591


RE: [ActiveDir] AD DNS Question

2004-06-17 Thread Passo, Larry
AD Integrated zones can only be primary zones. Change the zone to be a primary
zone and then you will be able to convert it to AD Integrated.

-Original Message-
From: Puetz, Christoph [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 17, 2004 6:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD DNS Question

Thanks for the response. 

I do not see an option to convert the secondary zone to an AD integrated
one. Can you specify the steps needed?

Christoph 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, June 16, 2004 6:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DNS Question

1. Install the DNS server (DNS serverS, for redundancy).
2. Create your zone as secondary on the new DNS server(S), specify your
existing DNS server as the Primary, and let zone transfer happen.
3. Convert the secondary zone you created earlier to Primary (AD-Integrated,
for good measure).
4. Configure the test clients/servers (AND the DNS servers) to point to your
new DNS server(S) in TCP/IP - you can do this by script or use GPO for
XP/Win2K3 clients.

The above should work, but...
it would be best if the time between your test and going live is very short.
Short enough for you to see that it really works, and then begin moving
everyone to the same DNS servers. If you think your test period will be long,
it's better for you to just do this proof-of-concept in a lab environment.
This is because, during your test, using the config I outlined above, you
will have 2 distinct places where your clients will be registering and
looking for records. This will likely impact resolution. Since your new DNS
servers are authoritative for the zone, they will not ask your legacy DNS
servers for any records in that zone. The same will be true for your legacy
DNS servers.

Remember, you don't have to point the DNS clients to the DNS servers
manually; it can be easily done via scripts or GPO, so the roll-back
consideration that will usually necessitate a test configuration should not
be significant.

Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Puetz, Christoph
Sent: Wed 6/16/2004 2:34 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD DNS Question


Our AD (Win2K - mixed) mode is 3rd party DNS and WINS and it is giving us
headaches all over the place. When the AD got designed Microsoft DNS was not
considered an option by the engineer who made the original design. I'd like
to change this.
 
My plan is to install Microsoft's DNS on our Domain Controllers and to setup
an Active Directory integrated DNS zone so that we get rid of the always
ongoing problems caused by using non-Microsoft DNS in our environment. I
want to set the existing DNS servers as forwarders so that all other
requests are basically still being served by the 3rd party DNS.
 
About the implementation - I want to migrate a small group of users first
for testing. Will installing DNS and setting up an AD integrated zone cause
any conflicts to the remaining part of my network? Only a few clients will
get the different DNS server IPs assigned - everyone else stays on the other
ones.
 
Thanks for any feedback.
 
Christoph

__
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
__



RE: [ActiveDir] 2000 Domain to 2003 AD domain

2004-06-16 Thread Passo, Larry

http://support.microsoft.com/?kbid=325379

From: Mike Hogenauer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 16, 2004 9:54 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2000 Domain to 2003 AD domain

So, I have 2 new servers running windows 2003 and I'm currently in a native
2000 AD domain. I'm planning on running DCPROMO on the 2003 servers and
joining them as additional domain controllers to my existing domain then
demoting my 2000 servers to remove them from the domain.

Does anyone see flaws in this approach? What about DNS? My 2 existing Domain
controllers are running AD integrated DNS. Should I install DNS on the 2003
DCs after promotion so they're already integrated then remove it off the 2000
servers?

Thanks in advance for advice...

Mike

RE: [ActiveDir] Export Permissions List

2004-06-15 Thread Passo, Larry

Or, DumpSec

http://www.somarsoft.com/

From: Deji Akomolafe [mailto:[EMAIL PROTECTED]
Sent: Monday, June 14, 2004 10:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Export Permissions List

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/xcacls-o.asp

what, you are scared of crowbars? ;)

Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Noah Eiger
Sent: Mon 6/14/2004 9:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Export Permissions List

Thanks. This does not seem to be in the Windows Server 2003 RK. Know where I
can get it? Or is there something else (that does not require a crowbar) to do
the job?

From: Deji Akomolafe [mailto:[EMAIL PROTECTED]
Sent: Monday, June 14, 2004 8:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Export Permissions List

xcacls C:\*.* /C > c:\Perm_Reports.log will create such a huge report file.
Depending on how many objects you have in the folder, the report may be so
large you'd need a crowbar to open it.

Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
http://www.readymaids.com/ - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Noah Eiger
Sent: Mon 6/14/2004 5:50 PM
To: Active Directory List
Subject: [ActiveDir] Export Permissions List

Hi-

I think I saw this flash by on the list recently. I am looking for a tool to
create a report of the NTFS security permissions on folders on a drive. I have
seen a reference to this command: CALCS C:\* /T /C > C:\C Permissions.txt
but that does not seem to work. Is that a Unix command?

Any help appreciated.

nme

--
Noah M. Eiger
EIS Consulting for
PRBO Conservation Science
510-717-5742
[EMAIL PROTECTED]

RE: [ActiveDir] SID question

2004-06-14 Thread Passo, Larry
Depending on your C++ skills, there is an API call:

http://msdn.microsoft.com/library/default.asp?url=""

From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Monday, June 14, 2004 1:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SID question

I guess I should clarify a little better. The planner is looking to copy the
SIDhistory info from the migrated account to a fresh, clean account in the
root domain. So, it would be an NT4-2003 child domain migration, and then a
copy of the SIDhistory info to the root domain account that is pushed over
from an LDAP repository.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruce Clingaman
Sent: Monday, June 14, 2004 3:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SID question

If you are talking about the user's domain account it is a guid, global unique
id, the domain version of a sid. There can be only one of these in a domain.
Copying it would give you two of the same at the same time: Forbidden.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher
Sent: Monday, June 14, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SID question

Can a SID be copied from one account to another between domains in the same
forest? The scenario is this: account is migrated using ADMT from NT4 domain
into child domain in 2003 forest. An account with the same username is going
to be copied into the root from an external LDAP source. One of the higher ups
here wants to have the account in the root domain be what the user uses. So,
he wants to know if the SID can be copied from the account in the child OU,
and then have the child OU account deleted. I'm thinking no, but I wanted to
make sure before telling him that.

Thanks in advance.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477

RE: [ActiveDir] Security

2004-06-11 Thread Passo, Larry
Thanks for the details, but I was hoping that Guido would provide some of the reasons
why Restricted Groups was a bad idea. Although, I would consider having all of the
Domain groups be locked out to not be a great idea.

-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Security


More Details
Win2k Servers: 1 Root Server with another one for redundancy, 1 ISA Server, 1
Server for Teacher Data, 1 Server for Student Data
Win2003 Servers: 1 for Office Staff

And the fun begins,
Well, the biggest problem I am faced with is that the users (Students) ON the
network are constantly trying to break in or crash the Servers. They are
relentless; somehow yesterday (I have no idea how) they had managed to add
accounts to the Domain Admin Group, the Schema Admins and the Enterprise
Admins. The accounts they have added have been removed but again today I
encountered two new instances of users being added to the Domain Admin
group. I am following this as closely as I can, checking the groups every
10-15 minutes, but that becomes very tedious and a real pain in the ...so I was
wondering if I could be notified of such things happening rather than have
to find out the hard way. I did the GPO thing of Restricting Groups and I
restricted the mentioned groups but I am pretty sure I shouldn't have done
that as now all my Admin groups are Restricted (Domain Admins, Schema Admins,
Enterprise Admins). I just want to make it a few more weeks until the end of
the School year so I can rebuild the entire network with new servers etc.
(I inherited it about a month ago).

Any help or insight or just thoughts on the whole situation is appreciated.

Thanks to everyone,

Aaron Visser



 From: Passo, Larry [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date: Thu, 10 Jun 2004 20:37:24 -0700
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Security
 
 I'm curious, do you have any more details?
 
 -Original Message-
 From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 10, 2004 2:47 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Security
 
 
 don't use the Restricted Groups feature on domain groups, especially
 domain admins. This has caused various issues for companies and thus
 they've backed away from this approach.  However, using restricted
 groups on member servers and clients works well.
 
 \Guido
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
 Sent: Donnerstag, 10. Juni 2004 19:38
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Security
 
 If you want to make sure that no one is added to the group you could
 make the group a Restricted Group via a GPO.
 
 If you want to know when a user is added to the group, you could use a
 GPO to turn on auditing of Account Management but then you would have
 to search the audit logs of all of the DCs in the domain to find the
 activity.
 
 Or you could write a script that looked at the group membership and
 compared it with a pre-determined list. Then execute the script on a
 schedule of your choice.
 
 -Original Message-
 From: Aaron Visser [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 10, 2004 9:51 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Security
 
 I need to know when the Domain Admin Group has a user added to it or at
 least have that operation audited, is there anyway to perform this with
 GPO
 or something built into win2k server.
 
 Thanks,
 Aaron Visser
 


RE: [ActiveDir] Non DR migration of AD

2004-06-10 Thread Passo, Larry
But then you should clean up your production AD to remove mention of the
DC that isn't there anymore.

http://support.microsoft.com/?id=216498


-Original Message-
From: Rutherford, Robert
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 10, 2004 8:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

Bring up a new DC..
Take it off the production domain and into the lab... Seize the roles?
You will have to do some clean up but it's the easiest way if it's not
going to be linked to your production domain.

Rob

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED] 
Sent: 10 June 2004 16:00
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Non DR migration of AD


All,

We are in the process of constructing a Lab to mimic the production AD
system as closely as possible.  Doing a full DR into this environment is
certainly an option, however we have been looking into simply migrating
the AD structure and using this as a test bed to cleanup AD (OU's,
objects, permissions, policies etc).

Is anyone aware of tools or procedures to get the major AD configuration
components into a lab using an approach that can be scripted / automated?
(We may want to do this every few months or so.) For example, we have
used LDIFDE to extract the OU structure, users and groups and
re-imported these into the test lab. By and large this has worked very
well (it took some tweaking of the LDIFDE commands to resolve some
constraint violations etc.), however items such as OU security and
policies are causing a bit more of a headache.

Any thoughts?

TIA

Glenn




RE: [ActiveDir] Security

2004-06-10 Thread Passo, Larry
If you want to make sure that no one is added to the group you could
make the group a Restricted Group via a GPO.

If you want to know when a user is added to the group, you could use a
GPO to turn on auditing of Account Management but then you would have
to search the audit logs of all of the DCs in the domain to find the
activity.

Or you could write a script that looked at the group membership and
compared it with a pre-determined list. Then execute the script on a
schedule of your choice.

-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 10, 2004 9:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Security

I need to know when the Domain Admins group has a user added to it, or at
least have that operation audited. Is there any way to perform this with a
GPO or something built into Win2k Server?

Thanks,
Aaron Visser
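Larry's third option (script the membership check) together with his auditing suggestion, worked out as an added PowerShell example that is not from the list thread: it compares the current Domain Admins membership against a baseline file and, when the group has drifted, pulls the matching group-change audit events from every DC in the domain. It assumes the RSAT ActiveDirectory module, read access to each DC's Security log, Account Management auditing enabled on the DCs, and a baseline file path that is only a placeholder; the event IDs 4728/4729 are the Vista/2008-and-later IDs for the Account Management events the thread refers to.

```powershell
# Added example, not from the list thread. Compare Domain Admins against a
# baseline and, on drift, collect the group-change audit events from every DC.
# Assumes: RSAT ActiveDirectory module; read access to each DC's Security log;
# Account Management (Security Group Management) auditing enabled on the DCs.
#Requires -Modules ActiveDirectory
param(
    [string]$GroupName     = 'Domain Admins',
    [string]$BaselinePath  = 'C:\Baseline\DomainAdmins.txt',  # placeholder: one SamAccountName per line
    [int]   $LookbackHours = 24
)

Import-Module ActiveDirectory

function Get-GroupDrift {
    param([string]$Group, [string[]]$Baseline)
    # -Recursive: a member hidden inside a nested group still counts.
    $current = @(Get-ADGroupMember -Identity $Group -Recursive |
                 Select-Object -ExpandProperty SamAccountName |
                 Sort-Object -Unique)
    $diff = Compare-Object -ReferenceObject @($Baseline) -DifferenceObject $current
    [pscustomobject]@{
        Added   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
        Removed = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
    }
}

function Get-GroupChangeEvents {
    param([string]$Group, [int]$Hours)
    # 4728 = member added to a security-enabled global group, 4729 = member removed
    # (Domain Admins is a global group). Each DC logs only the changes it processed
    # itself, hence the loop over all DCs that Larry mentions.
    $start = (Get-Date).AddHours(-$Hours)
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
                LogName = 'Security'; Id = 4728, 4729; StartTime = $start
            } |
            # EventData order for 4728/4729: MemberName, MemberSid, TargetUserName,
            # TargetDomainName, TargetSid, SubjectUserSid, SubjectUserName, SubjectDomainName, ...
            Where-Object { $_.Properties[2].Value -eq $Group } |
            ForEach-Object {
                $action = if ($_.Id -eq 4728) { 'Added' } else { 'Removed' }
                [pscustomobject]@{
                    DC        = $dc
                    Time      = $_.TimeCreated
                    Action    = $action
                    Member    = $_.Properties[0].Value
                    ChangedBy = "$($_.Properties[7].Value)\$($_.Properties[6].Value)"
                }
            }
        } catch {
            # Get-WinEvent throws when nothing matched; only report real read failures.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "Could not read the Security log on ${dc}: $($_.Exception.Message)"
            }
        }
    }
}

$baseline = @(Get-Content -Path $BaselinePath | ForEach-Object { $_.Trim() } |
              Where-Object { $_ } | Sort-Object -Unique)
$drift = Get-GroupDrift -Group $GroupName -Baseline $baseline

if ($drift.Added.Count -eq 0 -and $drift.Removed.Count -eq 0) {
    Write-Output "$GroupName matches the baseline ($($baseline.Count) members)."
} else {
    if ($drift.Added)   { Write-Warning "Unexpected members of ${GroupName}: $($drift.Added -join ', ')" }
    if ($drift.Removed) { Write-Warning "Baseline members missing from ${GroupName}: $($drift.Removed -join ', ')" }
    Get-GroupChangeEvents -Group $GroupName -Hours $LookbackHours | Format-Table -AutoSize
}
```

Schedule it as Larry suggests (Task Scheduler on a management host) and feed the warnings to whatever alerting you already have; the baseline file should only be writable by the people who are allowed to change the group.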



RE: [ActiveDir] Security

2004-06-10 Thread Passo, Larry
I'm curious, do you have any more details?

-Original Message-
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security


don't use the Restricted Groups feature on domain groups, especially
domain admins. This has caused various issues for companies and thus
they've backed away from this approach.  However, using restricted
groups on member servers and clients works well. 

\Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Donnerstag, 10. Juni 2004 19:38
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

If you want to make sure that no one is added to the group you could
make the group a Restricted Group via a GPO.

If you want to know when a user is added to the group, you could use a
GPO to turn on auditing of Account Management but then you would have
to search the audit logs of all of the DCs in the domain to find the
activity.

Or you could write a script that looked at the group membership and
compared it with a pre-determined list. Then execute the script on a
schedule of your choice.

-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 10, 2004 9:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Security

I need to know when the Domain Admins group has a user added to it, or at
least have that operation audited. Is there any way to perform this with a
GPO or something built into Win2k Server?

Thanks,
Aaron Visser



RE: [ActiveDir] strange thing...

2004-06-09 Thread Passo, Larry
Do you have a GPO that is specifying that specific user right? You can
check with GPRESULT.EXE

-Original Message-
From: Rutherford, Robert
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 09, 2004 7:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange thing...

Just clarifying. It appears that you are saying that when you first
designate the rights, members of the technician group can add wks to
the domain, and the next day they cannot?

Are the rights still set on the next day as you defined them on the
first day? Or are they reverting back?


-Original Message-
From: Bruyere, Michel [mailto:[EMAIL PROTECTED] 
Sent: 09 June 2004 15:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange thing...


Hi all, 
It's my first post here. I've been referred here and
been told that you guys were the real gurus of AD. I have a strange
thing happening and I would like to have your thoughts about it. 

Here is the situation, I created a group called technicians and I gave
the user right add station to the domain to it. I then added the
technician group to the computers OU and set the following:

List contents
Read all properties
Read permissions
Create computer objects
Delete computer objects



The problem is that when I set these, everything works fine. But the
next day when a tech (member of the technician group) tries to join a
computer to the domain he gets an access denied. To fix the issue
temporarily, I gave the group the perms (create all child objects and
delete all child objects).

I tried to remove the inheritance of the perms on this OU but it didn't
help.



I can't see why this is happening.

Thanks


Michel Bruyere
Network/systems administrator
CompTIA A+, Network+
The quickest way to find something
is to start looking for something else.
:-)





RE: [ActiveDir] strange thing...

2004-06-09 Thread Passo, Larry
Go to one of your DCs, then run:
Start...Programs...Administrative Tools...Local Security Policies

Then under:
Local Policies...User Rights Assignments

What is the value for the Add workstations to domain user right?
If the technician group is missing, then another GPO is overriding that setting.

-Original Message-
From: Bruyere, Michel [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 09, 2004 11:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange thing...

Hi, 
This user right has been set in the Default Domain Controllers policy. I
simply added the group technician in there. There were already Administrators
and Domain Admins in there.



Michel Bruyere
Network/systems administrator
CompTIA A+, Network+
The quickest way to find something
is to start looking for something else.
:-)


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, June 09, 2004 11:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange thing...

Do you have a GPO that is specifying that specific user right? You can
check with GPRESULT.EXE

-Original Message-
From: Rutherford, Robert
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 09, 2004 7:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange thing...

Just clarifying. It appears that you are saying that when you first
designate the rights, members of the technician group can add wks to
the domain, and the next day they cannot?

Are the rights still set on the next day as you defined them on the
first day? Or are they reverting back?


-Original Message-
From: Bruyere, Michel [mailto:[EMAIL PROTECTED] 
Sent: 09 June 2004 15:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange thing...


Hi all, 
It's my first post here. I've been referred here and
been told that you guys were the real gurus of AD. I have a strange
thing happening and I would like to have your thoughts about it. 

Here is the situation, I created a group called technicians and I gave
the user right add station to the domain to it. I then added the
technician group to the computers OU and set the following:

List contents
Read all properties
Read permissions
Create computer objects
Delete computer objects



The problem is that when I set these, everything works fine. But the
next day when a tech (member of the technician group) tries to join a
computer to the domain he gets an access denied. To fix the issue
temporarily, I gave the group the perms (create all child objects and
delete all child objects).

I tried to remove the inheritance of the perms on this OU but it didn't
help.



I can't see why this is happening.

Thanks


Michel Bruyere
Network/systems administrator
CompTIA A+, Network+
The quickest way to find something
is to start looking for something else.
:-)
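Larry's check (look at the effective User Rights Assignment on a DC), as an added PowerShell example that is not from the list thread: it exports the effective local policy with secedit, resolves the SIDs that hold SeMachineAccountPrivilege ("Add workstations to domain") and warns when an expected group is missing, which is the sign that another GPO is overriding the Default Domain Controllers Policy. $ExpectedGroup is a placeholder name; run it in an elevated shell on the DC.

```powershell
# Added example, not from the list thread. Shows who effectively holds
# "Add workstations to domain" (SeMachineAccountPrivilege) on this DC.
# Run in an elevated PowerShell on the DC; $ExpectedGroup is a placeholder.
param([string]$ExpectedGroup = 'DOMAIN\technicians')

function Get-EffectiveUserRight {
    param([string]$Privilege = 'SeMachineAccountPrivilege')
    $cfg = Join-Path $env:TEMP 'user_rights_export.inf'
    # secedit exports the policy as applied to the local LSA, i.e. the result
    # after every GPO has been processed: what GPRESULT would explain.
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content -Path $cfg |
                Where-Object { $_ -match "^\s*$Privilege\s*=" } |
                Select-Object -First 1
        if (-not $line) { return @() }   # right assigned to nobody at all
        # Value format: *S-1-5-32-544,*S-1-5-21-...-1105  (SIDs prefixed with '*')
        $tokens = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($token in $tokens) {
            $token = $token.Trim()
            if ($token.StartsWith('*')) {
                $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                                  -ArgumentList $token.Substring(1)
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }   # orphaned SID (deleted group): keep it visible
            } else {
                $token                 # secedit occasionally writes names instead of SIDs
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$holders = @(Get-EffectiveUserRight)
Write-Output "Accounts holding 'Add workstations to domain' on $($env:COMPUTERNAME):"
$holders | ForEach-Object { Write-Output "  $_" }

if ($holders -notcontains $ExpectedGroup) {
    Write-Warning ("$ExpectedGroup is not in the effective setting. A GPO applied after the " +
                   "Default Domain Controllers Policy is overriding it; confirm with " +
                   "'gpresult /scope computer /v' (Computer Settings, User Rights Assignment).")
}
```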





RE: [ActiveDir] Complete Schema attribute guide

2004-06-09 Thread Passo, Larry
Also, in ADSIedit, the custom attributes are called extensionAttribute.
In ADUC, the same values are called custom attribute.

-Original Message-
From: Passo, Larry 
Sent: Wednesday, June 09, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Complete Schema attribute guide

The custom attributes are added when you do the schema upgrade for MS
Exchange

-Original Message-
From: Steve Schofield [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 09, 2004 2:18 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Complete Schema attribute guide

Is there a document that shows every attribute in the Active Directory
2003 schema? I'm looking to use two custom attributes to hold specific
data. These are called custom attribute 1 and custom attribute 2 and I
don't see them anywhere in ADSIEDIT.

Steve Schofield 
[EMAIL PROTECTED]





RE: [ActiveDir] Question on collapsing Forests

2004-06-07 Thread Passo, Larry
Simple answer: no

You can't take an existing tree and simply move it to a different forest
with the native tools. There are several third party tools that could
help simplify the process.

-Original Message-
From: Rocky Habeeb [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 07, 2004 7:49 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Question on collapsing Forests

Dear List Members,

First let me preface my remarks by telling you that I appreciate your
diligence in monitoring this list and your quick contributions to various
problems. The information is invaluable at times as it comes from the
real world.

I have to collapse 5 Forests, each with a single domain, into one new
empty root that will end up with five child domains. The mountain of
literature I need to read is overwhelming. However, I have a simple
question as I begin to scheme out my step-by-step plan. I believe the
answer to this is "No, it's just too simple." However, I ask it anyway.

If one of my domains (a Forest root domain) is Windows 2000, and my new
pristine empty root Windows 2003 native mode Forest is in place, can I
simply upgrade the Windows 2000 Forest to Windows 2003 and at the same
time tell it, "Hey, you're now a Child Domain in this DNS namespace in
this new empty Forest root"?

I'd appreciate your comments.

Thanks.

RH

-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-



RE: [ActiveDir] Factory monitoring pcs - preventing Account lockout

2004-06-04 Thread Passo, Larry
The account policies for password complexity, age, and lockout for domain
accounts can only be applied at the root of a domain and cannot be changed
at an OU level. If you think about it, you log into a domain, not an OU.

What tends to confuse people is that you have the option of setting those
settings in any GPO, even GPOs that are linked to an OU. If those settings
are set in a GPO that is linked to an OU, what they will control is the
local accounts that are created on computers that are within the scope of
those OUs.

Is it possible for your applications to execute with a local account instead
of a domain account? If so, then you could disable account lockout for those
local accounts. If your application needs to access network resources, that
would lead to other complications. You could try duplicated user accounts
and passwords at both ends (workgroup connectivity).

From: Rob Preston [mailto:[EMAIL PROTECTED]
Sent: Friday, June 04, 2004 5:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Factory monitoring pcs - preventing Account lockout

Thanks for the reply. We're not open to changing our default domain
policy, which is why I posted the question here. Is it possible, though,
for example via a loopback policy, to allow a subset of PCs to utilize
userids that do not lock?

Perhaps that's a better summary ;)

Thanks,

-Rob

Mulnick, Al [EMAIL PROTECTED] wrote:

Account lockout is a security measure intended to protect against brute
force attacks. The fewer attempts allowed before lockout, the harder it is
to actually brute force an account over the network. Too low, and you risk
business interruption. Too high, and you increase your attack surface
(marketecture phrases being used today :)

Can you do it? Of course. Would it help? Probably. No guarantee but it
increases your buffer.

My thoughts are that if it's important enough to warrant special attention
and changing the domain policies, then it's important enough to warrant its
own domain for the factory floor. That would allow you to keep anyone from
being able to muck with the accounts in any way (obviously admins from all
domains could), and offers more protection for you. Also allows more
flexibility for the account policies and insulation from the regular user
domain outages and maintenance.

al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Preston
Sent: Thursday, June 03, 2004 4:18 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Factory monitoring pcs - preventing Account lockout

I have a problem that I'm sure the brainpower on this list can help. We're
about to refresh the hardware and upgrade from win2k to XP using an
automated build process. Vendor will swap out hardware, RIS a new image
down, and SMS will take over to install all the applications needed.

These pcs auto login with a userid and launch a factory-floor monitoring
application. We have several factories to deal with, and currently we
maintain hundreds of ids to provide this functionality. By having all these
accounts we limit the risk of an account being locked out (has happened
before) and preventing crucial monitoring stations from working. The
applications are read-only to network resources and are in a very locked
down environment.

The PCs reside on a Win2k SP4 domain, and the current domain policy locks
after x attempts, and resets after xxx minutes. What we would like to do is
use two accounts at each factory, but to prevent locking all the PCs at each
location, we would need to relax the domain policy of lockouts after xx
attempts. Having a smaller number of accounts to manage makes the deployment
system much simpler to accomplish.

Is this in the realm of possibility without needing to purchase new hardware
(for example to create a child domain)?

I'm sure these questions may spark some concerns - and I'm interested in
this feedback as well.

Thanks all!

Rob Presson

RE: [ActiveDir] Trusts between NT4 and AD

2004-06-03 Thread Passo, Larry
Actually, it's spelled security principal. Just remember that the
princiPAL is your pal.  grin

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 03, 2004 7:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trusts between NT4 and AD

The terminology hasn't changed.

Think of it this way - thINGS trust ED. So, the trustING domain is the
resource side of the equation, while the trustED side is the person[1]
side of the equation.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

[1] Really, the security principle side of things. But Ed is easier to
envision as a person than as a security principle.
 

 -Original Message-
 From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, June 03, 2004 9:40 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Trusts between NT4 and AD
 
 I know the lingo is different between NT4 and AD. What are the words in
 NT and AD?
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
 Sent: Wednesday, June 02, 2004 5:45 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Trusts between NT4 and AD
 
 You have trusting and trusted reversed. The dropdown box in the
 logon screen lists trusted domains.
 
 In your case, you want:
 
 NT4 as trusted
 AD as trusting
 
 A one-way trust would work
 
 -Original Message-
 From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, June 02, 2004 1:53 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Trusts between NT4 and AD
 
 I have a question for everyone. If I have a computer in AD and I want
 to have an NT 4 domain listed in the drop down box on the login screen so
 that someone can use that machine to login to the NT 4 domain, would I
 need to set up a trust in the following fashion:
  
 One way from NT 4 to AD
  
 NT 4 is the trusting and AD is trusted domain?
  
 Basically I want people to be able to login and access resources in the
 NT 4 domain from a computer that is a member of the AD domain.
  
 Thanks in advance
  
 Justin
  


RE: [ActiveDir] Trusts between NT4 and AD

2004-06-02 Thread Passo, Larry
You have trusting and trusted reversed. The dropdown box in the
logon screen lists trusted domains.

In your case, you want:

NT4 as trusted
AD as trusting

A one-way trust would work

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 02, 2004 1:53 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Trusts between NT4 and AD

I have a question for everyone. If I have a computer in AD and I want
to have an NT 4 domain listed in the drop down box on the login screen so
that someone can use that machine to login to the NT 4 domain, would I
need to set up a trust in the following fashion:
 
One way from NT 4 to AD
 
NT 4 is the trusting and AD is trusted domain?
 
Basically I want people to be able to login and access resources in the
NT 4 domain from a computer that is a member of the AD domain.
 
Thanks in advance
 
Justin
 


RE: [ActiveDir] GPO Question

2004-05-28 Thread Passo, Larry
Use the GPO to run a logon script that creates the shortcut

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/wsconcreatingshortcut.asp

-Original Message-
From: Christine Easton [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 28, 2004 11:09 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO Question


Running Windows 2k AD with sp3

Hi,

I'm trying to create a GPO for my users that will place a shortcut to
their departmental folder, which is on an NTFS network share, on their
desktop. Has anyone done this before? I'm not sure what GPO I should be
using or what procedure I should follow. Any help will be appreciated.
Thanks!


RE: [ActiveDir] Users and Computers

2004-05-27 Thread Passo, Larry
Install Adminpak.msi (you'll find it in the i386 folder on the
Windows 200x Server CD). It will install all of the admin snap-ins.
Make sure that you use the 2003 version for XP clients.

  -Original Message-
  From: Caple, Andrew [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 27, 2004 6:12 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Users and Computers

  I'm sure this is an easy one.
  I'm currently setting up some Support Desk PC's and need to give them
  access to Users and Computers locally (so that they don't need to RDP
  into a DC all the time). How do you add the snap-in into an MMC on a
  computer that doesn't have AD installed on it?

  Andrew Caple
  Infrastructure Engineer
  Phone: +61 3 9861 5425
  Facsimile: +61 3 9861 5510
  [EMAIL PROTECTED]
  105 Camberwell Road, Hawthorn East, Vic 3123


RE: [ActiveDir] Can LDP be used to create email report of all users in AD?

2004-05-26 Thread Passo, Larry
If your users have more than one email address, you will also need to
get the proxyAddresses attribute.

-Original Message-
From: Grantham, Caron [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 26, 2004 7:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can LDP be used to create email report of all users
in AD?


I'm looking for a way to get an email address report for all user
objects in Active Directory. Any idea on how to do this? I see the mail
attribute in LDP but how can I get just this one field filtered out into
a report 

Thanks


RE: [ActiveDir] Can LDP be used to create email report of all users in AD?

2004-05-26 Thread Passo, Larry
csvde -s dcname -f c:\mail.csv -d "dc=xx,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=user))" -l cn,mail

-Original Message-
From: Grantham, Caron [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 26, 2004 7:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all
users in AD?

They only have one address, I'm trying to figure out the correct syntax
for a CSVDE export, do you know?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, May 26, 2004 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all
users in AD?

If your users have more than one email address, you will also need to
get the proxyAddresses attribute.

-Original Message-
From: Grantham, Caron [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 26, 2004 7:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can LDP be used to create email report of all users
in AD?


I'm looking for a way to get an email address report for all user
objects in Active Directory. Any idea on how to do this? I see the mail
attribute in LDP but how can I get just this one field filtered out into
a report 

Thanks


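Added example, not from the thread: once the csvde export above has been written (with proxyAddresses added to the -l list, as Larry notes, whenever users carry more than one address), the Python below parses the file offline into a per-user report. The sample CSV, the names and the addresses are constructed for the example. One caveat on the filter: objectClass=user also matches computer accounts, because computer is a subclass of user; (&(objectCategory=person)(objectClass=user)) restricts the export to people, and the parser below also skips any row that has no address at all.

```python
import csv
import io

# Constructed sample of what "csvde -l cn,mail,proxyAddresses" writes; the
# people and addresses are made up, not taken from the thread. csvde joins the
# values of a multi-valued attribute with ';' inside one quoted field.
SAMPLE_CSVDE = """DN,cn,mail,proxyAddresses
"CN=Ann Lee,OU=Staff,DC=example,DC=com",Ann Lee,ann.lee@example.com,"SMTP:ann.lee@example.com;smtp:alee@example.com;smtp:ann@old.example.net"
"CN=Bob Ray,OU=Staff,DC=example,DC=com",Bob Ray,bob@example.com,"SMTP:bob.ray@example.com;smtp:bob@example.com"
"CN=svc-backup,OU=Service,DC=example,DC=com",svc-backup,,
"CN=WKS01,OU=Workstations,DC=example,DC=com",WKS01,,
"""


def parse_proxy_addresses(field):
    """Split a csvde proxyAddresses field into (primary SMTP, [secondary SMTP]).

    Exchange marks the primary address with an upper-case "SMTP:" prefix and
    secondary addresses with lower-case "smtp:"; X400:/X500: entries are ignored.
    """
    primary = None
    secondary = []
    for value in field.split(";"):
        value = value.strip()
        if value.startswith("SMTP:"):
            primary = value[len("SMTP:"):]
        elif value.startswith("smtp:"):
            secondary.append(value[len("smtp:"):])
    return primary, secondary


def mail_report(csv_text):
    """Return one dict per object that has a mail or proxyAddresses value.

    Objects with neither (service accounts, and the computer accounts that an
    objectClass=user filter also matches) are skipped. "mismatch" is set when
    the mail attribute differs from the primary SMTP address: Exchange routes
    on proxyAddresses, so a report built from mail alone would be wrong there.
    """
    report = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        mail = (row.get("mail") or "").strip()
        primary, secondary = parse_proxy_addresses(row.get("proxyAddresses") or "")
        if not mail and primary is None:
            continue
        report.append({
            "cn": row["cn"],
            "dn": row["DN"],
            "mail": mail,
            "primary_smtp": primary,
            "aliases": secondary,
            "mismatch": primary is not None and mail.lower() != primary.lower(),
        })
    return report


def format_report(report):
    """Render the report as tab-separated lines: cn, primary address, aliases."""
    lines = []
    for entry in report:
        flag = "\t(mail attribute differs from primary SMTP)" if entry["mismatch"] else ""
        lines.append("%s\t%s\t%s%s" % (entry["cn"],
                                       entry["primary_smtp"] or entry["mail"],
                                       ",".join(entry["aliases"]), flag))
    return lines


if __name__ == "__main__":
    # Real use: read the csvde output file instead (csvde writes ANSI unless -u).
    for line in format_report(mail_report(SAMPLE_CSVDE)):
        print(line)
```

The parser relies on two conventions: csvde writes a multi-valued attribute as one field with the values joined by semicolons, and Exchange marks the primary address with an upper-case SMTP: prefix. Open the real export with the encoding csvde wrote it in (ANSI by default, Unicode with -u).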
RE: [ActiveDir] task pads

2004-05-25 Thread Passo, Larry

If you're always going to move the computer accounts to a specific OU, you could also do a simple script. It would be simple to modify this one to include the computer name as an argument.

http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm33.mspx

From: Gasper, Rick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 25, 2004 9:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] task pads

We want to have the first level support person move the machine into an OU so that office 2003 can be installed via group policy.

Rick Gasper
Manager Network Services
King's College
Wilkes-Barre PA 18711
[EMAIL PROTECTED]
PH: 570-208-5845
Fax: 570-208-6072

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, May 25, 2004 10:30 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] task pads

You want to give some sort of secretary an MMC? Sure, why not? Works out well.

You'll want to give permissions over computer objects as well for both the current and destination OU's it sounds like.

Not sure why somebody would be moving a computer account though? Is that some sort of tracking mechanism for you?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Tuesday, May 25, 2004 9:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] task pads

Hi all,

I need to give a non admin IT user access to aduc. Our plan is to use gpo to push out office 2k3. The non admin IT user is to move the machine to the deployment OU.

Is this possible? I am thinking creating a task pad will do this, but I have not ever done that.

Rick Gasper
Manager Network Services
King's College
Wilkes-Barre PA 18711
[EMAIL PROTECTED]
PH: 570-208-5845
Fax: 570-208-6072

RE: [ActiveDir] OT : File/Folder/Storage Reporting

2004-05-19 Thread Passo, Larry
Treesize Pro will do almost everything

http://www.jam-software.com/treesize/

From: Rutherford, Robert [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 2:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT : File/Folder/Storage Reporting

Hi All,

Well I'm at that stage again - reviewing backup and data storage. I'm hunting for duplicate files, old unmodified files, greediest user, etc.

I'm basically looking for some software that can report such things in one package. Any experiences or recommendations?

Thanks in advance.

Rob

RE: [ActiveDir] A root dc question

2004-05-12 Thread Passo, Larry
You have to be an enterprise admin to authorize a DHCP server or link a
GPO to a site (or have those permissions delegated to you).

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 12, 2004 1:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] A root dc question

My apologies if this seems basic and/or silly.


Aside from creating new domains or modifying the schema, why would an
admin need access to the root dc of a forest (the schema, domain naming
master)?
Furthermore, why would an admin in a child domain need enterprise admin
privileges?

I only ask because we had issues with our test DR run wherein we didn't
have access to the root domain and/or a test root domain vmware'd on a
laptop and it ended miserably.
I am in the process of convincing the higher ups in my corp of letting
our IT dept have enterprise admin access.
I'd like to make a case for us as to why we would need this account with
concrete examples (aside from the DR one), ones that a semi tech aware
CIO could relate to.
What other compelling reasons would one need these rights for in day to
day (or not so day to day) AD administration?

We are a multi-domain (14) win2k forest in mixed mode with exchange2k in
native mode.

Thank you in advance for any assistance.

[ActiveDir] Enumerating User Rights

2004-05-11 Thread Passo, Larry
Does anyone know how to connect to a remote machine and enumerate the
User Rights that are assigned on it? I'd prefer a VBscript technique,
but I could use a command line utility. I already know about
ntrights.exe in the Resource Kit, but it only modifies selected rights;
it doesn't list what is there.

Thanks in Advance


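Added example, not from the thread and not an answer anyone on the list gave: one way to enumerate the user rights on a box is to export them with secedit (secedit /export /cfg rights.inf /areas USER_RIGHTS) and parse the [Privilege Rights] section of the resulting .inf; for a remote machine, run secedit there (through a remote shell or a scheduled task) and copy the file back. Compiled code can instead call LsaEnumerateAccountsWithUserRight, which is what a native tool would do. The Python below parses such an export, resolves the well-known SIDs and flags sensitive privileges held by anything other than Administrators. The sample export, including the domain SID and the ...-1105 account, is constructed for the example.

```python
import re

# Constructed sample of a "secedit /export /cfg rights.inf /areas USER_RIGHTS"
# export. It is not from a real host: the SIDs are well-known built-in groups
# plus a made-up domain account (...-1105) included to produce a finding.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1004336348-1177238915-682003330-1105
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-21-1004336348-1177238915-682003330-500
[Version]
signature="$CHICAGO$"
Revision=1
"""

WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}

# Privileges that let the holder read or rewrite anything on the box, or
# obtain SYSTEM; anyone other than Administrators holding them deserves a look.
SENSITIVE_PRIVILEGES = {
    "SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeCreateTokenPrivilege",
    "SeImpersonatePrivilege", "SeEnableDelegationPrivilege",
}


def parse_user_rights(data):
    """Return {right name: [principal, ...]} from the [Privilege Rights] section.

    Accepts the raw file bytes (secedit writes UTF-16 with a BOM) or decoded
    text. Each entry is "*SID" for a resolved SID or a bare account name; SIDs
    of well-known groups are translated, others are returned unchanged.
    """
    if isinstance(data, bytes):
        if data.startswith((b"\xff\xfe", b"\xfe\xff")):
            text = data.decode("utf-16")
        else:
            text = data.decode("latin-1")
    else:
        text = data
    rights = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, values = line.partition("=")
        principals = []
        for value in values.split(","):
            value = value.strip()
            if not value:
                continue
            if value.startswith("*"):
                sid = value[1:]
                principals.append(WELL_KNOWN_SIDS.get(sid, sid))
            else:
                principals.append(value)
        rights[name.strip()] = principals
    return rights


def risky_assignments(rights, trusted=("BUILTIN\\Administrators",)):
    """List (right, principal) pairs where a sensitive privilege is held by a
    principal outside the trusted set. Sorted so the output is stable."""
    findings = []
    for right, principals in rights.items():
        if right not in SENSITIVE_PRIVILEGES:
            continue
        for principal in principals:
            if principal not in trusted:
                findings.append((right, principal))
    return sorted(findings)


if __name__ == "__main__":
    assigned = parse_user_rights(SAMPLE_INF)
    for right in sorted(assigned):
        print("%-32s %s" % (right, ", ".join(assigned[right])))
    for right, principal in risky_assignments(assigned):
        print("REVIEW: %s granted to %s" % (right, principal))
```

Backup Operators holding SeBackupPrivilege is the default and shows up in the review list on purpose; the list is meant to be read, not treated as a pass/fail. Unresolved S-1-5-21-... SIDs are left as-is so that a domain lookup can be done afterwards.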
RE: [ActiveDir] Cookbook sample scripts

2004-05-11 Thread Passo, Larry
Unless your domain is named mydomain.com, you need to change line 11.

-Original Message-
From: James Payne [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 11, 2004 10:41 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Cookbook sample scripts





I just bought the Active Directory Cookbook and started looking at some of
the sample scripts posted on the author's website.  When I attempt to use
this one it tells me the server is not operational, line 14 character 1.
Can anyone take a look at this and let me know if you see something I have
done wrong?  Thanks a bunch.

' This VBScript code prints the FSMO role owners for the specified domain.

' ---
' From the book Active Directory Cookbook by Robbie Allen
' Publisher: O'Reilly and Associates
' ISBN: 0-596-00466-4
' Book web site: http://rallenhome.com/books/adcookbook/code.html
' ---

' -- SCRIPT CONFIGURATION --
strDomain = "mydomain.com"  ' e.g. emea.rallencorp.com
' -- END CONFIGURATION --

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
strDomainDN = objRootDSE.Get("defaultNamingContext")
strSchemaDN = objRootDSE.Get("schemaNamingContext")
strConfigDN = objRootDSE.Get("configurationNamingContext")

' PDC Emulator
set objPDCFsmo = GetObject("LDAP://" & strDomainDN)
Wscript.Echo "PDC Emulator: " & objPDCFsmo.fsmoroleowner

' RID Master
set objRIDFsmo = GetObject("LDAP://cn=RID Manager$,cn=system," & strDomainDN)
Wscript.Echo "RID Master: " & objRIDFsmo.fsmoroleowner

' Schema Master
set objSchemaFsmo = GetObject("LDAP://" & strSchemaDN)
Wscript.Echo "Schema Master: " & objSchemaFsmo.fsmoroleowner

' Infrastructure Master
set objInfraFsmo = GetObject("LDAP://cn=Infrastructure," & strDomainDN)
Wscript.Echo "Infrastructure Master: " & objInfraFsmo.fsmoroleowner

' Domain Naming Master
set objDNFsmo = GetObject("LDAP://cn=Partitions," & strConfigDN)
Wscript.Echo "Domain Naming Master: " & objDNFsmo.fsmoroleowner



RE: [ActiveDir] Mac clients passwords

2004-05-06 Thread Passo, Larry

When you install services for Macintosh and create a Macintosh accessible volume, two files are automatically created. One is a Mac readable text file that tells you how to install the other file which is a Microsoft compatible logon module. This add-on supports LanMan style encrypted logons (14 char max). Otherwise, Macs do cleartext logons.

The above is true for Mac OS versions prior to OS X.

Also see:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328417

From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 06, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Mac clients passwords

I have zero experience with Macs, but we now have a few in our design dept. Our domain is Windows 2000, and the Macs are using only TCP/IP to participate on the network, no Appletalk. The users say they don't get notified when their AD password expires, and then when it does expire, they have to go find a Windows PC to change it. Is there software I can install on the AD and/or client side to alleviate this problem? Also, is it accurate that passwords are transmitted in clear text from a Mac client to a Windows resource?

Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do

RE: [ActiveDir] OT: riddle me this

2004-05-05 Thread Passo, Larry
If you make a network connection to a box, both share and local NTFS
permissions are enforced and your effective permissions will be the
LESSER of the two. If you are logged on locally to a server, then the
share permissions will be ignored and your effective permissions will be
the NTFS permissions.

One side point, if you are logged on locally to the server and use a
shared drive that points back to the same box, then share permissions
will be applied. That's an easy way to check them without needing a
second box.

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 05, 2004 7:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: riddle me this

It was share permissions.
He had full control on the ntfs level, but only read on the share.
My question is: I thought ntfs permissions beat out share permissions
when there is a conflict?

-Original Message-
From: Joe Pochedley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 04, 2004 4:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: riddle me this


Sounds like you've got NTFS permissions covered, but have you checked
the share permissions?

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do
it himself.


-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 04, 2004 3:44 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT: riddle me this

I have a developer who is running visual source safe and has had issues
since day one logging in (to VSS).
The app just uses its own internal db of users for auth, not AD. However
the files reside on an ntfs share.

Here's my confusion- I put this developer into the domainadmins group as
a test. He cannot change the attributes of files from read-only to read.
He gets an access denied error.
He cannot create files in a dir he has been given explicit access (full
control). Still gets an access denied.
I've tried from different machines from win2k sp4 to winxp sp1 and still
the same issue.

The files and dirs reside on an AD win2k dc. We are a win2k mixed mode
domain.

Could an account have gotten corrupted or screwed? And how could I tell?
Running ethereal when he connects only gives me what I know- smb nt file
access denied.

What the heck is going on here?

thanks

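The rule Larry states above, as an added example that is not part of the thread: a small model of the Windows access check run once against the share DACL and once against the NTFS DACL, then combined the way a network open combines them. The SIDs, the DACLs and the developer's token are constructed to mirror Tom's case (Full Control on NTFS, Read on the share; the account is also in Domain Admins). The ACE walk is a simplification of AccessCheck, enough to show deny precedence and the intersection; it does not model ACE inheritance, owner rights or generic-to-specific right mapping.

```python
from dataclasses import dataclass

# Generic access bits used for both the share and the NTFS side of the model.
READ, WRITE, EXECUTE, DELETE, WRITE_DAC = 0x01, 0x02, 0x04, 0x08, 0x10
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE | WRITE_DAC

# The three share permission levels expressed in the same bits.
SHARE_READ = READ | EXECUTE
SHARE_CHANGE = SHARE_READ | WRITE | DELETE
SHARE_FULL = FULL_CONTROL

# Well-known SIDs; the S-1-5-21-... values belong to a made-up domain.
EVERYONE = "S-1-1-0"
ADMINISTRATORS = "S-1-5-32-544"
DOMAIN_ADMINS = "S-1-5-21-1004336348-1177238915-682003330-512"
DEVELOPER = "S-1-5-21-1004336348-1177238915-682003330-1107"


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee
    mask: int   # access bits granted or denied


def access_check(token_sids, dacl, requested):
    """Simplified Windows AccessCheck against a single DACL.

    ACEs are walked in order; a canonical DACL lists explicit denies first.
    A deny ACE whose trustee is in the token and whose mask covers a requested
    bit not yet granted fails the check. Allow ACEs accumulate bits, and the
    check passes once every requested bit has been granted. An empty DACL
    grants nothing.
    """
    remaining = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        elif ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
        else:
            raise ValueError("unknown ACE type %r" % ace.kind)
    return remaining == 0


def effective_access(token_sids, ntfs_dacl, share_dacl, requested, via_share=True):
    """The rule from the thread: over a share both the share permissions and
    the NTFS permissions are enforced, so the more restrictive wins. A local
    open of the path consults NTFS only. A mapped drive that points back at
    the same box still goes through the share, so that case is via_share=True."""
    if not access_check(token_sids, ntfs_dacl, requested):
        return False
    if not via_share:
        return True
    return access_check(token_sids, share_dacl, requested)


def developer_scenario():
    """Re-creates the thread's puzzle: NTFS grants the developer Full Control,
    the share grants Everyone Read only. Returns the outcome per request."""
    # On a DC, Domain Admins is a member of BUILTIN\Administrators, so the
    # token carries both; neither helps, because the share DACL never mentions
    # them and the share check has no notion of "admin".
    token = {DEVELOPER, EVERYONE, DOMAIN_ADMINS, ADMINISTRATORS}
    ntfs = [Ace("allow", DEVELOPER, FULL_CONTROL),
            Ace("allow", ADMINISTRATORS, FULL_CONTROL)]
    share = [Ace("allow", EVERYONE, SHARE_READ)]
    return {
        "read over share": effective_access(token, ntfs, share, READ),
        "write over share": effective_access(token, ntfs, share, WRITE),
        "write at console": effective_access(token, ntfs, share, WRITE, via_share=False),
        "write over share after Change": effective_access(
            token, ntfs, [Ace("allow", EVERYONE, SHARE_CHANGE)], WRITE),
    }


if __name__ == "__main__":
    for what, allowed in developer_scenario().items():
        print("%-32s %s" % (what, "allowed" if allowed else "ACCESS DENIED"))
```

Running it shows the write succeeding at the console and failing over the share, with the share's Read level as the only difference; raising the share permission to Change makes it pass. The same function run with an explicit deny ACE ahead of an allow ACE shows why the order of ACEs matters, which is the other place people get surprised by "access denied" on a folder that grants them Full Control.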

RE: [ActiveDir] Joining Workstations to our domain

2004-04-30 Thread Passo, Larry

Here is a link to a VBscript that will do this:

http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm31.mspx

As mentioned, it only works with Windows XP or Windows Server 2003 boxes.

From: rpuckett [mailto:[EMAIL PROTECTED]
Sent: Friday, April 30, 2004 2:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining Workstations to our domain

Mark,

If your boxes are working with Windows XP, there are a few scripting options available to you that can help with this. WMI's Win32_ComputerSystem class supports a method called JoinDomainOrWorkgroup, that will allow you to programmatically join systems to a target domain. You could use this function in conjunction with a validation script that a.) checks for an active network connection, b.) checks for the availability of a Domain Controller prior to activating the join process. It could even be used to send prompts to users like, "hey, plug yer box in!" before firing off a join request. You could also add in a few ADSI calls to add Domain groups/users to local groups to complete the process.

If you are still running Windows 2000, there are associated Win32 APIs (NetJoinDomain) that can be used with compiled languages like VB/C++ to generate simple domain join utilities that can also be leveraged by scripts or written to encompass the functions referenced above. This is what we did here to get around the remote build process/domain join dilemma.

Hope this helps,

Richard

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, April 30, 2004 3:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining Workstations to our domain

We are doing what you guys are suggesting to a point. Currently the vendor prepares the PC to the point where it's ready to plug into the network at the remote location. When the end user receives it, if he follows the instruction sheet, he plugs it in to the jack and powers up. The PC gets a DHCP address, and sysprep runs a script asking for a few pieces of information that are sitting in front of the user. It then creates the PC name, joins to the domain, reboots, and comes up ready to use. The problem had been that the users don't always plug in to the jack, so the script fails, and there was no loop built in; if it fails, it doesn't try again. So that generates a help desk call.

The goal here is to take that last piece out of the user's hands and have the vendor join the PC. Then it could be not only ready to use, but could be fully patched and AV'd beyond whatever is on the ghost image.

I did an ethereal capture this morning, and I think I now know all of the ports I'll need (definitely not all the ports listed below as far as I can tell so far). We intend to use a firewall to limit the allowed traffic, and a Contivity VPN to manage the connection. Apparently the VPN box includes the ability to pare down the allowed times of day the PC can be connected.

Thanks for the excellent suggestions and pointers to further info

mc

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Friday, April 30, 2004 2:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining Workstations to our domain

Problem with Sysprep is that it's not ready for the user to use. That would work well, however...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Friday, April 30, 2004 2:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining Workstations to our domain

If you have them use sysprep with a script (sysprep.inf) and give them an account and password delegated to join the domain, then it would do what Roger suggested. It works very nicely, and it can ask the user for their name when they boot it up if you want, etc., or it can be totally automated.

Rich

Sample code from sysprep.inf:

[Identification]
JoinDomain=domain.com
DomainAdmin=deploy.windows
DomainAdminPassword=Winq34v8%shn3AFc8$2

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, April 30, 2004 1:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining Workstations to our domain

It might make more sense to do something akin to a script of an application that they add to the runonce at startup - so when the machine gets booted for the first time, it joins the domain and is rebooted, then it's ready to roll.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Mike Hogenauer [mailto:[EMAIL PROTECTED]
Sent: Friday, April 30, 2004 2:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining Workstations to our domain

Mark,

I personally wouldn't consider