Title: Group Policy Utility?
I personally recommend Quest's (Fastlane)
ActiveRoles tool. I am working with it now and it is awesome.
- Original Message -
From: Alexander, Phillip
To: '[EMAIL PROTECTED]'
Sent: Tuesday, January 15, 2002 11:22 PM
Subject: RE:
I have two forests that I need to create a trust relationship between. Do I
have to do a zone transfer of their respective zones to gain name resolution
to the other domain or do I need to create a lmhost record for the netbios
name of the domain?? Also, there is a very tight firewall policy
I posted this question a couple of days ago and received no responses.
Hopefully someone today is familiar with the process. Thx again.
I have two forests that I need to create a trust relationship between. Do I
have to do a zone transfer of their respective zones to gain name resolution
to
address or to a different domain controller.
Thx again, Joe
- Original Message -
From: Hayes, Shawn
To: [EMAIL PROTECTED]
Sent: Thursday, June 06, 2002 8:03 AM
Subject: RE: [ActiveDir] Where should DNS point?
Active Directory Sites and services, add subnets
Anyone know what the ntds.pat file is used
for? Located in the same directory as log file edb.log.
Thx, Joe
of the name table though it
has worked fine for me in the past on workstations and member/standalone
servers.
From: Pelle, Joe
Subject: [ActiveDir] AD DNS: CNAME/Alias
Date: Fri, 06 Jun 2003 02:28:15 -0700
Hello! You all have been very helpful
with all of the certified drivers and antivirus
software so we don't want anyone deploying anything on it because anything they
deploy we know will have to be revisited and is a possible breeding ground of
viri, worms, and support issues with no escalation paths.
Tough
love I guess.
joe
And you must be in native mode for the domain otherwise the domain local
groups have the same scope as they do in NT4.
Note that I think some of the other notes captured this but some
security pickers do not correctly allow you to select domain local
groups on member machines, the most notable
cts at the very end of the
run.
Sorry I didn't post script code, shouldn't be hard to put it
together though if you understand the concepts I am trying to propose. Should be
a ton of stuff you can leverage at the script center or in
microsoft.public.adsi.general that you can convert.
joe
--
www.jo
Rick
was the distaste DFS or FRS? If FRS, I have to say that I too have not been as
thrilled as one could possibly be and that is simply in terms of policy and
netlogon share replication, I am shellshocked from it now. However it's all
fixed in the next hotfix or SP though...
paths.
Tough love I guess.
joe
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 7:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installing Windows 2003
love those
tools.
joe
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 10:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers
Thought so. FRS always meant bad day when I had to change a GPO or
something in netlogon share. Makes me itch every time I hear I have to make a
change and this is simple stuff. I haven't had anything fail in a long time but
then I haven't changed anything in a really long
and start arguing opinions because you know there is
going to be some seriously good fighting. :o)
joe
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, June 12, 2003 1:02 AM
To: [EMAIL PROTECTED]
Subject: RE
pretty hard. I also finally killed the midi's that everyone
bitched about. I started seeing how much bandwidth those little things were
taking up and decided I didn't like them that much either.
eg
Anyway, thanks for the welcome. Hopefully I can contribute my share.
:o)
joe
-Original
that touches it and I won't argue this point.
You can do simple things simply and bigger things with a little more work and
you don't have to keep going back to a book for objectclass references. Once
simple webreference page will generally do the trick.
Hope it is
helpful.
joe
Usage
Oh
yeah I should have shown a sample output. Here is what it looks like with
verbose option:
F:\LAPTOP\F\Work\Office\pc\Dev\CMPACC>perlchksec.pl dc=joehome,dc=com /verbose
PerlChkSec V01.00.00pl Joe Richards ([EMAIL PROTECTED]) June 2002
Control : 33796
to Windows 2000 Domain
Welcome, Joe. I am one of the biggest joeware leaches. On top of that, I
get to brag that I know you personally :)
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
to Windows 2000 Domain
Deji,
You've got that over a lot of MVPs. I've been waiting two years to meet
Joe face to face - and the one function that I can't go to, he goes.
Can he go to Summit? No Can he go to Win2k3 Server Launch? No
I'm beginning to get a complex. Well, OK - I've
I
actually use adfind and do it from the command line. Adfind is a tool I wrote
you will find at www.joeware.net on the
free win32 tools page.
C:\WINDOWS>adfind -gc -b "" -f name=joe
AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003
Using server:
[ActiveDir] Active Directory Query Permission
I have an LDAP
query (see below and thanks Joe).
Runs fine when _I_
run it under my account. When I put it into an SMTP event sink (Ex2K sp3) - I
get zero results. I presume it's a permissions issue. How do I fix this
intelligently
Assume
the account is always locked and write a 0 to lockoutTime attribute. That will
force it unlocked.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Friday, June 13, 2003 6:50 PM
To: [EMAIL
Well thanks for the compliment. :o)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of deji
Sent: Friday, June 13, 2003 7:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain
Don't worry, Joe
NOD
Make
sure you delegate WP for that attribute to the help desk folks via some group...
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Mills
Sent: Friday, June 13, 2003 7:47 PM
To: [EMAIL PROTECTED]
Subject: Re:
Without hacking into LSASS this isn't possible except for being able to
write a 0 or -1 which will set or clear the password must be changed on
next logon flag.
What you may consider doing is setting your test lab password policy to
about 1 or 2 days and then you don't have to wait an exceedingly
and more unfeasible as it
will involve rebuilding your DC's that have been migrated to W2K.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rick reynolds
Sent: Thursday, June 19, 2003 9:29 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] A number
Define your troubles. My guess would be name res issues because
people start to forget about WINS once they move to AD and W2K Machines.
I have tens of thousands of Win9x and NT4 clients and hundreds of NT4
Servers that are functioning well in Native mode domain environments
and have
be set up
to take advantage of things you know are set up in specific ways in your
environment.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, June 19, 2003 6:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir
are NOT EVEN gonna get this started again! Huh-uh!
;-D
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Thursday, June
_on_ my desk or in the car, that's as high of a tribute as I can
pay to any book.
In all honesty, I must admit to being very envious of Rick and Joe who
have already seen Robbie's new book. The rest of us mere mortals must
wait till it's published. I knew I should have kissed up to Robbie at
DEC
. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 9:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] suggestions for OU delegation
information sources
Bob: I agree on the book
Shawn, I didn't catch that drift personally from what people were
saying. I saw the Premier announcement this morning myself and went onto
the next email, didn't even think about clicking on the link.
Most of your Premier customers are big customers and the chance that
they are just going to go
You
probably want to look at the microsoft.public.sharepoint.* and
microsoft.public.sharepointportalserver.* newsgroups through your local News
Server or news.microsoft.com for suggestions/help on that product.
joe
-Original Message-
From: [EMAIL
the official IT and probably has more money
to spend because it is all of these different pockets of business. They are
slowly coming into the fold as we find them because they come to us because of
some major failure they had but it is still pretty wild west.
Thanks
for the insights.
joe
Active Directory. Enough of that though...
joe
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Sunday, June 29, 2003 7:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] MMS 2003 and ADAM 2003
Rick,
Agreed, VMware
You can check it from the command line with
Net user userid /domain
Or
Getuserinfo domain\userid
Getuserinfo you can find on the free win32 tools page of www.joeware.net
Obviously you could script something as well.
Ex:
F:\Dev\cpp\CPAU>net user joe /domain
The request will be processed
Programming by Gil Kirkpatrick.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Reva S
Sent: Sunday, June 29, 2003 6:31 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP API
Hi,
Does anyone know how to bind to RootDSE object of a server
the returned values or if you know
specific ones you want pull them directly. Gil's book will walk you
through this very simply and is a good reference.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Reva S
Sent: Monday, June 30, 2003 6:21 PM
How
are they planning on doing those tests? If they just want to test the password
complexity/strength it isn't required to give them a whole DC, only a hash dump
of the password in the DIT which can be done via pwdump3. Then they can use
lc3/4 to go through the text file
Also note that there is another D.O.S. capable bug that SP4 fixes if I
recall correctly. It was something with referrals.
Note that there are several things that can be done to W2K AD by a
bright programmer with internal access who has had a chance to sit back
and think about it that can hurt AD.
check
tools, it is hacking. Treat the admins accordingly.
joe
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Monday, July 07, 2003 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC
I
agree 110%.
But then there are all sorts of bad security ideas out in the field because that is
the only way people know how to do certain things.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday,
calls though it would slow the program
down a bit.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simpsen, Paul A. (HSC)
Sent: Monday, July 07, 2003 4:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline
Hey Joe
As it
should be. All of the advanced view everything features should be enabled on
servers and any workstations that get admin tools installed on them. I don't
understand the MS thought to hide things from admin level users in the gui's and
making them learn enough to turn
a script or unfortunately TS into a machine that is part of the domain
in question.
joe
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Thursday, July 10, 2003 8:59 AM
To: ActiveDir ([EMAIL PROTECTED])
Subject: [ActiveDir
computing resources. Have they placed any boundaries on how long they
will plug away at the security database before declaring that a
password is deemed to be secure enough?
Glenn
- Original Message -
From: Joe
To: [EMAIL PROTECTED]
Sent: Tuesda
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: 07 July 2003 20:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline
Check out unlock at www.joeware.net. It's free, it's fast. Will
display locked accounts or unlock them. Saves you the sc
Subject: RE: [ActiveDir] Taking DC Offline
nice
tool Joe, but you should add a time filter. In an attack-scenario (be it
hacker or auditors), you don't necessarily want to unlock all the locked
accounts you find - instead you want to unlock the ones that were locked after
a specific
:-)
Steve
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: 07 July 2003 20:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline
Check out unlock at www.joeware.net. It's free, it's fast.
Will display locke
: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 10, 2003 8:08 AM
To: [EMAIL PROTECTED]
Subject: [OT]: RE: [ActiveDir] Finding things in the AD Users/Computers
As
it should be. All of the advanced view everything features should be enabled
on servers and any
to keep the Identity portion in place.
c) Nope - see D
d)ADAM - Active Directory Application Mode.
Synching available, greater level with MMS (MIIS??) multiple instances and
truly designed for the application depository
e) Joe is going to be the man to answer this - he's been
doing
the data into the config or domain
partitions.
joe
-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, July 14, 2003 4:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quick AD integrated DNS question :)
Yes, you did
over your core security (authentication/authorization)
infrastructure.
falls off soapbox
I
think if I had to sit in your shoes I would be relegating that admin to guest
level access and giving him a 1MB email quota so he can't hurt himself as well
as anyone else.
good luck, joe
a few more. J
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Monday, July 14, 2003 9:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quick AD integrated DNS question :)
Hey Deji, slap a smiley face on that post or a disclaimer about sarcasm
for kicking off such a storm. My keyboard is now
reprogrammed to detect and insert my smileys appropriately.
So, Gil, it's MY BAD. Brian, I'm sorry.
Thanks for the clarification and education, Joe. I know I can always count
on you to get me out of a jam :). It made sense to call it a GC-Less config
to leave...
Ok. I feel better now. :)
Thanks again!
Jenn
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Tue 7/15/2003 9:16 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Service pack 4 and DCs
Jenn,
I expect you will be ok. The biggest issue I can think of would
inherited perms for them. Heck while I'm at
it... I want operatingSystemHotfix to be updated on computer objects
automatically (and make it multivalued)or at least someone to publish the
format it will be using when it is published so I can write something to do it
in the meanwhile... As joe patche
Alternatively reduce the value of ms-DS-MachineAccountQuota to zero. This
is easily scripted if you have to manipulate more than one domain.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
Oops I
missed that piece. TelephoneNumber is type 2.5.5.12 which is case insensitive
unicode string. You need that because people want to put in () and -.
unfortunately they can also add other letters/characters.
-Original Message-
From: [EMAIL PROTECTED]
with business rules?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hazelman, Doug
Sent: Friday, July 18, 2003 4:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Locking Down User Information Fields in AD
Joe,
There are plug third party tools
in AD
Lock things down and only allow updates through
interfaces with business rules.
-doug
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 7:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Locking Down User Information Fields in AD
True
to your
Unfortunately this won't work for reasons discussed in other threads
recently. The people who are domain admins will still be able to muck up
AD.
A lot of permissions granted to admins and domain admins in Active
Directory is through direct explicit ACE's. Inherited DENY ACE's will
bounce off of
)...we couldn't justify the cost.
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 11:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Locking Down User Information Fields in AD
True to
your overall statement, if you lock
Nope,
this is not possible. The granularity only extends to WP (write property) for
the members attribute which does no verification of what you are writing so you
could clear values or add new values.
In
order to do this you would need to set up some sort of proxy method
permissions.
(Now, Joe - what am I missing...?? ;0) )
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List
I would look at the SID History attribute on the accounts. Most likely
you migrated the users with some tool that knows how to populate SID
history and that is being resolved into group memberships.
You can use ldp and I believe it will decode SIDHistory to readable
SID's, if not you can use
.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, July 21, 2003 9:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Privileges only on a DC
Yep - makes sense. But, I'll have to test this, as I'm not sure
of hundred thousand or million userids.
Here
is a quick example of finding users who have been created since a fixed USN
value:
G:\joeware.net>adfind -default -f "(&(objectcategory=person)(objectclass=user)(usncreated>=1163453))" usncreated
AdFind V01.12.00cpp Joe Richards ([EMAIL
Errr check your admin group, who is listed there. Either everyone that
is connecting to that box is an admin on that box or someone has
modified your rdp permissions. I would most likely expect the former
versus the latter.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
/expertzone
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Monday, July 21, 2003 6:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Privileges only on a DC
LOL. You kill me Rick...
I haven't heard of anyone yet who has cracked
First off, it is a SID translation not a GUID translation, retry your
searches based on that as I'm sure that confused the matter.
How many security principals do you have in the ACL chain? If it is
greater than 6 or 7 you probably need to start looking at a better
security structure utilizing
. an OU only enterprise admins have access to and wipe the ACL
on the server object and disable it. It prevents them from using it and
reusing the name. Also if we find workstations not following the
standards we jail them as well.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto
for doing it! :-D
But, I still LIKE IT!
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Friday, July 25, 2003
I personally just recommend changing ms-ds-machineaccountquota. You can
script the change so if dealing with multiple domains it is easy, plus
you don't have to dork around with a GPO.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent:
connection to a given machine without a
corresponding interactive logon will most likely not spawn a session on
a DC.
Here is an example of netsess run against one of my test DC's at home:
F:\Dev\cpp\NetSess>netsess \\wserver1
NetSess V01.01.00cpp Joe Richards ([EMAIL PROTECTED]) October 2002
No offense taken, I'm not average. I'm one of the worst users you know.
:oP
Heh. Couldn't resist. Happy Tuesday.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, July 28, 2003 10:44 PM
To: [EMAIL PROTECTED]
Subject: RE
You can do it with a computer start up script GPO option that executes a
simple net localgroup command; it will work fine because that script
executes as local system. The restricted groups GPO option will
definitely overwrite though.
-Original Message-
From: [EMAIL PROTECTED]
By any chance is this product called PSYNC from MTEC? I have worked with
them for a couple of years on various things, if so you can email me
separately and we can chat... [EMAIL PROTECTED] If it isn't, consider it
as they are doing a decent job now and I am sure there are some people
who watch
-on user, who does not
have the privilege to add him/herself to the admin group - otherwise there
would be no need for a script in the first place.
bragging rights
Finally found an interesting puzzle that will likely stump Joe :)
/bragging rights
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
ill likely stump Joe :)
/bragging
rights
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
From:
[EMAIL
Just install 812499 and get away from the whole silly notion of having to
figure out which DC you need to do the set at. MS was silly for ever
requiring that in the first place.
-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday,
. We have since
done it the old-school way - sneakernet.
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
From: [EMAIL PROTECTED] on behalf of Joe
Sent: Wed 7/30/2003 2
Yes replication is USN based. However if you make a change to an
attribute normally that is the same exact value, AD tricks you and
responds to the request like it made the change but doesn't really
update anything. I haven't tested that with the password fields but
would expect that it works the
(on purpose !), so I'm hoping not to implement that
feature. Dave
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 4:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
By any chance is this product called PSYNC from
http://www.psynch.com/
The
self-help reset stuff is very nice to have.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayet, Yusuf Y
Sent: Thursday, July 31, 2003 12:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE:
PROTECTED] On Behalf Of Joe
Sent: Thursday, July 31, 2003 9:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] how to re-establish a w2k trust after offline
for more than 60 days?
Don't do it. Wipe the machine and manually remove from AD. You run the
chance of resurrecting dead objects because
There are only a few pieces of critical security data that should
replicate faster than a majority of the data and that really is only
within a site unless you have enabled change notification between sites.
Changes still queue up on bridgehead and replicate out to other sites
through them during
The changes are all passed immediately to the PDC FSMO holder (assuming
the mastering DC can reach it) and then the changes replicate out from
both places slowly converging around the domain. If you change on
multiple domain controllers all of those would be passed to the PDC FSMO
and then the
it would be good to hear from Dave again as well.
Thanks.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 01, 2003 9:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Simultaneous password change
-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 31, 2003 11:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
Yes replication is USN based. However if you make a change to an
attribute normally that is the same exact value, AD
Yeah who needs comments for something like:
while (1) {print "Robbie Allen is cool\n"};
snicker
Love ya Robbie!
joe
P.S. For those who don't grok perl but recall BASIC
10 PRINT "Robbie Allen is Cool"
20 GOTO 10
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED
OT
but
So the question is, are you
that good!
Dean is really really really really good. Not a fortune
teller, but if it is all based on technology, he is the man.
joe
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Get Q812499 or SP4.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carr, Jonathan
(OFT)
Sent: Thursday, August 07, 2003 7:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password change issue
OK here it is...
PDC emulator at a central site
I
believe that is hard coded functionality as it does get locked out for network
ops just not local interactive console logons.
joe
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, August 08, 2003 7:11
Unfortunately this is not possible from anything I have ever seen.
Be
tricky and try to figure out how to make the service *safely* use the machine
account (but not on a DC)... I don't think those can be locked out (though that
is me guessing).
-Original
Try coming up in AD Restore Mode. If the problem is an AD problem it
shouldn't reboot then because you will be in single user mode with AD
off line.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard
Sumilang
Sent: Sunday, August 10, 2003 7:40 PM
1154 2001-03-24
00:15:461 dc
Caching GUIDs.
..
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Monday, August 11, 2003 9:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] how to identify what got changed in a user's
account
Check out gettype from the reskit. It will return a string and an
errorlevel based on the OS.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Thursday, August 14, 2003 7:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] os
In case you've been sleeping on the RPC DCOM hole (MS03-26), the time to
patch was a couple of weeks ago, but if you still didn't... Duck... No
actually patch! Now is not the time for your company to discover that a
firewall doesn't protect all entrances to your network.
There
are some third party tools out there but I have never investigated them to see
how good they are. Note that they tend to be licensed by both number of users
and number of domain controllers because the DLL must be loaded on every DC.
joe
-Original Message-
From: [EMAIL