Are you still in Germany Webster? - WJR

On Jun 18, 2013 8:01 PM, "Webster" <[email protected]> wrote:

> I have already shot down a few of the findings:
>
> every FSMO role needs to be on a separate DC (thanks Brian for including this non-issue in your book)
> must be on DFL/FFL 2008+ before you can migrate to Win7
> a DC should not be virtualized (actually still fighting w/ the head of IT on this one)
> and a few more stupid non-issues
>
> This one finding of legacy members in groups is one I can't convince them may not be worth the effort. They have many groups with many 1000s of members, they (the consultants who did the assessment) modify group membership frequently and believe it has a negative impact on bandwidth and replication traffic.
>
> My overall task on this project is to get all 3 of their forests to Server 2012 DFL/FFL [1] and satisfy the internal security team.
>
> Webster
>
> 1. Before I can bring the first 2012 DC online, I have to prove in their lab that I can do a full forest recovery for all 3 forests!
>
> Sent from my iPad so please excuse all the typos
>
> On Jun 18, 2013, at 5:12 PM, "Brian Desmond" <[email protected]> wrote:
>
>> I’d triage whether this is actually really necessary before you go and do this. I’ve had customers do this before – you have to build something to suck out the membership and then reload it.
>>
>> Thanks,
>> Brian Desmond
>> [email protected]
>> w – 312.625.1438 | c – 312.731.3132
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Webster
>> Sent: Tuesday, June 18, 2013 6:17 PM
>> To: <[email protected]>
>> Subject: [NTSysADM] Finding AD groups with legacy members
>>
>> Current project had a consulting group come in and do an AD Assessment. One of their findings was that they have many groups with almost 5,000 members. Most of the groups were created and users added pre-2003 DFL/FFL. Their conclusion was the legacy members need to be removed and re-added to the groups to enable LVR for each group member.
>>
>> Whether you or I agree with this conclusion, I have been tasked with finding which of their almost 24,000 groups have Legacy members. I know I can do this:
>>
>>     C:\>repadmin /showobjmeta shc-dc "cn=administrators,cn=builtin,dc=shc,dc=org"
>>     17 entries.
>>
>>     <snip>
>>     21 entries.
>>     Type    Attribute
>>     LEGACY  member
>>     LEGACY  member
>>     LEGACY  member
>>     LEGACY  member
>>     LEGACY  member
>>     LEGACY  member
>>     LEGACY  member
>>     LEGACY  member
>>     LEGACY  member
>>     LEGACY  member
>>     LEGACY  member
>>     LEGACY  member
>>     PRESENT member
>>     PRESENT member
>>     PRESENT member
>>     PRESENT member
>>     PRESENT member
>>     PRESENT member
>>     PRESENT member
>>     PRESENT member
>>     PRESENT member
>>
>>     C:\>
>>
>> I could run that command 24,000 times but it would be nice to automate that. BUT, all the DCs are 2003 so I don't have access to using the Microsoft PowerShell AD stuff. My GoogleFU is failing me and I have not found a script that finds AD Security groups with Legacy members.
>>
>> Any hints, clues, tips or help from the peanut gallery?
>>
>> Once I know all the groups with Legacy members, then my next task is the removing of the Legacy members and adding them back in so LVR is enabled (I did find a script for that).
>>
>> Once that is done, I can begin the process of moving them to Server 2012 DCs and all those benefits.
>>
>> Thanks
>>
>> Carl Webster
>> Consultant and Citrix Technology Professional
>> http://www.CarlWebster.com
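One way to automate the repadmin /showobjmeta check across every security group without the AD cmdlets (which the 2003 DCs in the thread rule out), as an added example that is not part of this thread or anyone's reply: it enumerates groups over plain ADSI, which works against Windows Server 2003, and counts LEGACY versus PRESENT member rows in the repadmin output. The DC name shc-dc and search base dc=shc,dc=org are taken from the thread; repadmin.exe being on PATH, the caller having rights to read replication metadata, and the output file name are assumptions.

```powershell
# Added example, not from the thread. Finds security groups whose member
# attribute still carries LEGACY (pre-LVR) values, using only ADSI and repadmin.
param(
    [string]$Dc         = 'shc-dc',            # DC named in the thread
    [string]$SearchBase = 'dc=shc,dc=org',     # forest root named in the thread
    [string]$OutCsv     = '.\LegacyGroups.csv' # hypothetical output path
)

# DirectorySearcher needs no AD module, so it works against 2003 DCs.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$Dc/$SearchBase"
# groupType bit 0x80000000 (2147483648) = security-enabled; the OID is the
# LDAP bitwise-AND matching rule, so distribution groups are skipped.
$searcher.Filter   = '(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))'
$searcher.PageSize = 1000   # paged search; 24,000 groups exceed the default 1,000-result cap
$searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null

$total   = 0
$results = foreach ($r in $searcher.FindAll()) {
    $total++
    $dn = [string]$r.Properties['distinguishedname'][0]

    # repadmin prints one row per member value; the Type column is LEGACY or PRESENT.
    $meta = & repadmin.exe /showobjmeta $Dc $dn

    $legacy  = @($meta | Where-Object { $_ -match '^\s*LEGACY\s+member\b' }).Count
    $present = @($meta | Where-Object { $_ -match '^\s*PRESENT\s+member\b' }).Count

    if ($legacy -gt 0) {
        # New-Object keeps this runnable on PowerShell 2.0-era admin hosts.
        New-Object PSObject -Property @{
            Group         = $dn
            LegacyMembers = $legacy
            LvrMembers    = $present
        }
    }
}

$results | Sort-Object LegacyMembers -Descending |
    Select-Object Group, LegacyMembers, LvrMembers |
    Export-Csv -NoTypeInformation -Path $OutCsv

"{0} of {1} security groups still have LEGACY member values; details in {2}" -f @($results).Count, $total, $OutCsv
```

Run it once per forest (the thread mentions three), pointing -Dc and -SearchBase at each forest root; the CSV gives the per-group LEGACY counts needed to size the remove-and-re-add work the consultants asked for.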

