RE: [ActiveDir] Integrate Linux with AD

2004-02-03 Thread Sullivan, Kevin
I have seen Vintela in action. It is a fantastic solution. Very easy to
implement and your *nix users are authenticating to AD. Definitely take
a look at this. 

Kevin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Tuesday, February 03, 2004 11:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Integrate Linux with AD

And, check out this product which enables single signon between *nix
clients/servers and Active Directory...

http://www.vintela.com/products/vas/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Tuesday, February 03, 2004 7:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Integrate Linux with AD

Look into Microsoft's Services for Unix 3.5.

http://www.microsoft.com/windows/sfu/default.asp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, February 03, 2004 10:20 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Integrate Linux with AD

This is the best link I know:

http://www.securityfocus.com/infocus/1563

-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Integrate Linux with AD


Does anyone know where I can locate instructions on how to integrate Linux
clients with AD? Has anyone on the list implemented this successfully and
would they share this information?

Thank you for any information!
Jennifer 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir]

2003-12-04 Thread Sullivan, Kevin
Sort of obscure reference and I haven't looked at this tool in a couple of years. To tell you the truth I don't know if I have ever seen anyone use it in production, but Microsoft has a tool called Elevated Privileges Application Launcher (EPAL). The process is documented to allow the administrator to allow normal domain users to gain elevated privileges during something like an install (I believe, sorry) and the elevated privileges are stored in AD.

Here is a link to some documentation on it.

I apologize if this is way off base but it may be worth looking into.

http://www.microsoft.com/technet/treeview/default.asp?url="">

Kevin Sullivan
Aelita Software
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jerry Johnson
Sent: Thursday, December 04, 2003 9:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]
Hi

I have a user that needs to be able to install software on 2k and XP clients by visiting each desktop.

All of our clients are set up with the same local admin password and we do not want him to know that password.

Is this possible?

He is currently just a domain user.

Thank you

Jerry

Scicom Data Services
Minnetonka, MN

RE: [ActiveDir] Background

2003-11-07 Thread Sullivan, Kevin
Go grab Regmon from Sysinternals. Run it and change the background and it will capture what key/keys were modified. Great tool, I haven't used it in a while but am pretty confident it is still available up there.

www.sysinternals.com

Kevin

give a man a fish feed him for a day

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, November 07, 2003 9:06 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Background

Can you supply me with the reg key?
Also, can I do that through the GPO?

-Original Message-
From: marcus [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 7:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Background

The whole idea of forcing a background seems like overkill to me. You'd think the same color cubicle walls would be depressing enough :-D.

At any rate, the background is just a value in the registry, as is the ability to view the background tab. If you want to lock down the background, change the permissions of the reg key.

-m

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John McGlinchey
Sent: Thursday, November 06, 2003 1:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Background

In my login script, I copy the standard .bmp file from a network share onto the local workstation. This keeps them from replacing it for very long. I've seen some places that point directly to a shared folder for the .bmp instead of locally but I prefer to have the .bmp file local, especially when considering laptop users.

John

John McGlinchey
Windows 2000 MCSE MCSA MCT CCNA CTT+
IMSS Senior Platform Engineer
Bristol-Myers Squibb Company
email: [EMAIL PROTECTED] - phone: 609.818.4698

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, November 06, 2003 1:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Background

I have done that already

-Original Message-
From: Raymond McClinnis [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 12:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Background

I believe a good way to eliminate this is to disable Active Desktop and only allow .BMP wallpaper. I've done this and a majority of my users have stopped trying :). It's worth a shot.

Thanks,

Raymond McClinnis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, November 06, 2003 8:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Background

Can you disable that through a GPO?

-Original Message-
From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 11:20 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Background

In Internet Explorer right click an image on a webpage and choose Set as Background. Maybe that's how she's doing it?

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 11:07 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Background

How is it possible that a regular user can change her background if you disable the Background tab through a GPO to all users? I checked and she doesn't have that tab, the GPO is working correctly.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

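The distinction this thread turns on, shown as an added example that is not part of the original messages: the policy that removes the Background tab (the per-user NoDispBackgroundPage value) only hides a dialog, whereas the "Active Desktop Wallpaper" policy writes the image path into the per-user Policies\System key and "Prevent changing wallpaper" (NoChangingWallPaper) disables changing it rather than hiding the control. The PowerShell below reads those policy values on a workstation and reports which of the two situations the logged-on user is actually in; the registry value names are the standard Windows policy values, the state wording is this example's own.

```powershell
# Added example, not part of the original thread. Reports whether a user's
# wallpaper is merely hidden from the Display dialog or actually enforced.
# Registry value names are the standard Windows policy values; the state
# wording below is this example's own.

function Get-WallpaperPolicyState {
    param([string]$Hive = 'HKCU:')   # run in the context of the user being checked

    $sys = Join-Path $Hive 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $ad  = Join-Path $Hive 'Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
    $usr = Join-Path $Hive 'Control Panel\Desktop'

    # Read one value, returning $null when the key or value is absent
    # (an unset policy must not be mistaken for a failed read).
    function Read-Value([string]$Path, [string]$Name) {
        try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $tabHidden     = (Read-Value $sys 'NoDispBackgroundPage') -eq 1   # "Hide Background tab"
    $changeBlocked = (Read-Value $ad  'NoChangingWallPaper')  -eq 1   # "Prevent changing wallpaper"
    $policyImage   = Read-Value $sys 'Wallpaper'                       # "Active Desktop Wallpaper"
    $currentImage  = Read-Value $usr 'Wallpaper'                       # what the user has right now

    $state = if ($policyImage)       { 'Enforced: wallpaper set by policy' }
             elseif ($changeBlocked) { 'Enforced: wallpaper changes blocked' }
             elseif ($tabHidden)     { 'UI only: Background tab hidden, wallpaper still changeable' }
             else                    { 'Unrestricted' }

    [pscustomobject]@{
        BackgroundTabHidden = $tabHidden
        ChangeBlocked       = $changeBlocked
        PolicyWallpaper     = $policyImage
        CurrentWallpaper    = $currentImage
        State               = $state
    }
}

Get-WallpaperPolicyState | Format-List
```

A result of "UI only" is the situation Justin describes: the tab is gone but nothing stops a program (Internet Explorer's Set as Background, a script, regedit) from writing HKCU\Control Panel\Desktop\Wallpaper. Hiding controls is never an access control; the enforced states come from the two policy values, or from marcus's suggestion of restricting the ACL on the key itself.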

RE: [ActiveDir] Migrating Computers and Users

2003-10-29 Thread Sullivan, Kevin

It is still not totally clear Debbie, why do you want to import computer/user names into a text file? Or do you want to have a file with computer/user names that can be imported into the migration product? List based migrations and project based migrations are very popular and allow a lot of flexibility, delegation, distribution of responsibilities etc., the list goes on. If I am correct in what you are trying to do you will probably need to look at some of the vendors out there who have very robust migration products (my company has one and if you want to hear about it send me a note offline). So really the big migration vendors out there are probably where you need to look. Just to get you started you probably want to look at *Aelita* (I have to give my company a little more weight <g>), Quest, NetIQ, BindView. There are a lot of vendors out there and all will present with different focus and strengths.

Kevin Sullivan
Product Manager
Aelita Software
[EMAIL PROTECTED]

From: Ellis, Debbie [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 9:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Migrating Computers and Users

I was looking for something where you could import the computer or user names into a text file. I am sorry I was not clear.

-Original Message-
From: John Reijnders [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 8:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Migrating Computers and Users

I was surprised by your remark that ADMT does not let you migrate computers/users in batch style. I've been through numerous migrations that ran in batches (up to 50K users and computers) using ADMT v2.0. Maybe your definition of batches is something else than mine? I've included some quotes and links from TechNet that confirm that batch-wise migration (as I define it) is possible using ADMT...

http://www.microsoft.com/technet/treeview/default.asp?url="">
http://www.microsoft.com/technet/treeview/default.asp?url="">
http://www.microsoft.com/technet/treeview/default.asp?url="">

"If you have a large number of users, groups, or computers to migrate, you can list them in an include file. For example, to create an include file for a batch of computers, create a plain text file and list the computer names, each name on a separate line. Then specify the include file name with the /F option, as follows: ADMT COMPUTER /F includefile_name /SD:source_domain /TD:target_domain /TO:target_OU"

Cheers!

John

From: Ellis, Debbie [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 14:05
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Migrating Computers and Users

We plan on migrating our users and computers to a new forest and new domain. I am familiar with ADMT, but it does not appear to let you migrate computers or users in batch style. Does anyone know of a script or tool that will let you migrate more than one user or computer to a new domain? NT 4.0 - Windows 2003 AD.
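The include-file procedure John quotes from TechNet, carried through as an added example (not from the thread or from TechNet): a PowerShell wrapper, run on a host where the ADMT command-line tool is installed, that turns one long list of computer names into fixed-size include files and runs the quoted ADMT COMPUTER command once per file. Only the /F, /SD, /TD and /TO switches from the quoted text are used; the domain names, target OU, list path, batch size of 50 and the decision to stop on a non-zero exit code are this example's own assumptions.

```powershell
# Added example, not from the thread or from TechNet. Splits a list of
# computer names into ADMT include files and runs one ADMT COMPUTER batch
# per file using the /F /SD /TD /TO switches quoted above. Domain names,
# target OU, list path and batch size are placeholders chosen for the example.
param(
    [string]$ListPath     = '.\computers.txt',                     # one name per line
    [string]$SourceDomain = 'OLDDOMAIN',
    [string]$TargetDomain = 'corp.example.com',
    [string]$TargetOU     = 'OU=Migrated,DC=corp,DC=example,DC=com',
    [int]   $BatchSize    = 50,
    [switch]$DryRun
)

# Trim, drop blanks/comments and de-duplicate so a sloppy list does not
# produce a half-finished batch with ADMT errors in the middle of it.
$names = @(Get-Content -Path $ListPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    Sort-Object -Unique)

if ($names.Count -eq 0) { throw "No computer names found in $ListPath" }

$batchDir = Join-Path (Get-Location) 'admt-batches'
New-Item -ItemType Directory -Path $batchDir -Force | Out-Null

$batchNo = 0
for ($i = 0; $i -lt $names.Count; $i += $BatchSize) {
    $batchNo++
    $last = [Math]::Min($i + $BatchSize, $names.Count) - 1
    $file = Join-Path $batchDir ('batch{0:D3}.txt' -f $batchNo)

    # ADMT reads the include file as plain text, one name per line.
    $names[$i..$last] | Set-Content -Path $file -Encoding ASCII

    $cmd = 'ADMT COMPUTER /F "{0}" /SD:{1} /TD:{2} /TO:"{3}"' -f $file, $SourceDomain, $TargetDomain, $TargetOU
    Write-Host ('Batch {0}: {1} computers ({2})' -f $batchNo, ($last - $i + 1), $file)

    if ($DryRun) { Write-Host "  would run: $cmd"; continue }

    # Stop at the first batch that fails so its ADMT log can be read before
    # the next batch of machines is touched. (Treating a non-zero exit code
    # as failure is this example's assumption; read the ADMT log regardless.)
    cmd.exe /c $cmd
    if ($LASTEXITCODE -ne 0) {
        throw "ADMT exited with $LASTEXITCODE on batch $batchNo ($file)"
    }
}
```

Run it once with -DryRun to see the generated include files and the exact commands before anything is moved; the batch files double as a record of which machines were migrated in which run, which is what a list-based migration needs when a batch has to be rolled back or repeated.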

RE: [ActiveDir] AD Self-service User Management

2003-10-29 Thread Sullivan, Kevin
I think Jackson brings up a great point. It is not necessarily related
just to self administration but really to anyone who has a role of 'data
administrator'. There needs to be a way to mandate data structures,
format, use of 'acceptable values' etc. Without these key components
along with very granular delegation the choice would be to revert back
to single point of administration being help-desk or something to that
effect. This does not mitigate the opportunities to corrupt data it just
centralizes the effort to corrupt the directory <g>.

We need our ADs to be available to use as not only an authentication
mechanism but a storage of data that we can rely on for application
support, GAL, etc. and if we can't trust the integrity of the data it
will never grow into the enterprise directory it is architected for and
has the capacity for. 

Workflow and an approval based workflow, I think about often. We have
many customers for which this is very important to them. The idea of,
for example, requesting membership to a group, having the whole process
of email generation and delivery and acceptance and provisioning done in
the back end is great. It takes a few touches out of the scenario which
makes for a cleaner environment with less 'dirty data'. For the business
value it also adds to the ROI by Doing More with Less.

There are lots of pieces of data that are present on the directory that
I definitely do not want users having access to especially write access
to. The solution needs to be flexible enough to create custom interfaces
which only expose the data that you approve, have full support for
enforcement of workflow rules, business rules and data structure
validation rules. Simple solutions are often just that simple, the
issues and pains of Active Directory administrators are not simple and
they need to be addressed with solutions that can wrap around their
needs. 

Regards,
Kevin Sullivan

-Original Message-
From: Jackson Shaw [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 11:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Self-service User Management

I was recently surprised by the number of customers who did not want to
implement such a facility as self-service. Why? They felt that allowing
the employees to change data in the directory would lead to dirty data
- for example, addresses all in lowercase, using Ave. instead of
Avenue, etc.

Sure, a sophisticated package could probably work around all this stuff.
Either way, I was surprised by the reaction.

I'm curious how others feel about this kind of a tool (with or without
workflow).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shad Gunderson
Sent: Wednesday, October 29, 2003 6:30 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD Self-service User Management

Hello all,

I'm looking for feedback on products that may provide users a 
self-service application that will allow employees to register/request 
an Active Directory domain account and, with some workflow, those 
accounts will be created.  Nothing beyond those specific features are 
required at this point (i.e. not looking for full-blown LDAP
provisioning).

Does anyone here use such tools or have any experience they'd care to
share?

Regards,
Shad Gunderson



RE: [ActiveDir] Win98 AD from CMD Line

2003-10-29 Thread Sullivan, Kevin
Command line or other it is not possible. WinNT and above are required
for membership in a domain whether it is NT or AD. Win98 can 'browse' in
the domain but it can not be a security principal.

Kevin Sullivan

-Original Message-
From: Chris Blair [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 11:28 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Win98 AD from CMD Line

Is it possible to join the AD from a Windows 98 using the command line?


RE: [ActiveDir] Active Directory Cookbook

2003-10-24 Thread Sullivan, Kevin
Ordered it second hand... not a book I would give up, it is a good quick
book to refer to. And who read it, memorized it and sold it back already,
how exactly does that work <g>...

-Original Message-
From: Oliver Marshall [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 24, 2003 11:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Just ordered it second hand from amazon (great feature) thanks for the
tip. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 24 October 2003 15:52
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook


ISBN- 0-596-00464-8

Robert Rutherford
+44 (0)1305 208232
+44 (0)7970 122362



From: Oliver Marshall [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 24/10/2003 15:42
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook
Please respond to: ActiveDir

Do you have the ISBN number? Sounds perfect.

Olly

-Original Message-
From: Lou Vega [mailto:[EMAIL PROTECTED]
Sent: 24 October 2003 14:38
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory Cookbook

Received my very own copy of Mr. Robbie Allen's Tuna book last night
from Amazon.com - in the first night's reading the book is already
proving it's worth as I see how to do certain things much simpler than I
had done them before (with regards to the VBScripts included), as well
as learn new things I didn't realize could be done (in both AD2K and
AD2K3). The book will be very handy as I continue to stand up my
development Windows 2003 domain.

To anyone else on this list who hasn't gotten it yet...it's a worthwhile
addition to your Active Directory library.

To Robbie (and all the others who assisted him!) - thanks for a great
resource!

r/
Lou



RE: [ActiveDir] AD delegation white paper

2003-10-10 Thread Sullivan, Kevin
Not yet, I think it is a month out... Just my guess.

Kevin

-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 09, 2003 6:02 PM
To: [EMAIL PROTECTED]

Have come back to the list after a while away - the paper on AD delegation
from MS looks to be of some good value - is this published yet??

GT



RE: [ActiveDir] Robbie's 'Tuna' book - It's imminently available!

2003-09-26 Thread Sullivan, Kevin
Congratulations Robbie, you have done, once again, a fantastic job. This
book is going to be a staple for advanced AD administrators. I have to
agree with Rick, I didn't quite realize the magnitude of what Robbie was
doing until I had the book in my hands (this afternoon!). Go get it.

Kevin
-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 26, 2003 3:59 PM
To: [EMAIL PROTECTED]

All -

Most of you have read the threads that have accompanied the journey that began some months ago when Robbie announced that he was writing a new book - The Active Directory Cookbook (published by O'Reilly) - which covers some very cool 'how-to' information on Windows 2000 and 2003 Active Directory (and supporting players).

Some of you may also be aware that Joe Richards, Todd Myrick, Gil Kirkpatrick, Tony Murray, Kevin Sullivan, and I were invited to assist with the Technical Review of the book.

I mentioned to some folks that this book is an Active Directory FAQ on steroids. I truly didn't realize the gravity of this statement until I had the book in my hands. Yes, O'Reilly kindly sent me (as well, I'm sure, the rest of the reviewers) a copy of the book. And, it now is happily bookended with the 'Cat' book - Robbie and Alistair Lowe-Norris' brilliant Active Directory 2/e and Robbie and Richard Puckett's Managing Enterprise Active Directory Services. Add to this a couple more books, and you will have a full, definitive reference on the totality of understanding, managing, designing, scripting, and generally surviving Active Directory - successfully.

I admit it - I'm probably biased. But, I think that the Tuna book is due to become a classic reference for Active Directory. It has a unique and fresh approach to doing things that you're not going to find documented in one place.

So, if you don't have a copy of the 'Tuna' reserved yet, Amazon is taking reservations - as well as your local Borders or Barnes and Noble. What ARE you waiting for? ;-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 


RE: [ActiveDir] Resetting Password

2003-09-08 Thread Sullivan, Kevin
In addition to the script you can create a taskpad combined with simple delegation and your teacher will only see what you need them to see and have rights to what they need to have rights to. If W2k3 you can use Saved Queries as the launch-off point for your taskpad view and only show students. I assume that there is some attribute that designates a student vs. a teacher vs. a staff member.

This is a great feature of the MMC that I don't see utilized all that often. If you want total flexibility for delegation tasks and custom interfaces you probably want to look at what some third party products have to offer.

Kevin Sullivan
Aelita Software

From: Dennis Schut [mailto:[EMAIL PROTECTED] On Behalf Of Dennis Schut
Sent: Monday, September 08, 2003 7:03 AM
To: [EMAIL PROTECTED]

Check this link,

http://www.microsoft.com/technet/treeview/default.asp?url="">

Dennis

From: [EMAIL PROTECTED] on behalf of Marshall Moens
Sent: Mon 08-Sep-03 08:57
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Resetting Password

Guys,
I work for a high school, and want to be able to give the computer teacher,
rights to reset student passwords.
Does anyone have a script I can borrow, that will allow the teacher to reset
student passwords?
I am really uncomfortable allowing the teacher to rifle through OU's.

TIA
  Marshall
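The delegation Kevin describes (the teacher gets rights to exactly what they need and nothing else), as an added example that is not part of the thread: the built-in dsacls tool grants the Reset Password control-access right, scoped to user objects below the student OU, to the teachers' group, and then lists the resulting ACEs so the grant can be checked. The OU distinguished name, domain and group name are placeholders assumed for the example; "Reset Password" and pwdLastSet are the standard AD right and attribute names.

```powershell
# Added example, not part of the thread. Grants the teachers' group the
# right to reset student passwords with the built-in dsacls tool and then
# shows the resulting ACEs. OU, domain and group names are placeholders.
$studentOU = 'OU=Students,DC=school,DC=local'
$teachers  = 'SCHOOL\Teachers'

# "Reset Password" is a control-access right (CA). /I:S limits the grant to
# objects below the OU and the trailing ";user" to user objects only, so the
# group gets nothing on the OU itself or on groups/computers stored in it.
dsacls $studentOU /I:S /G "${teachers}:CA;Reset Password;user"

# Forcing "must change password at next logon" after a reset also needs
# read/write on pwdLastSet; grant just that attribute, nothing broader.
dsacls $studentOU /I:S /G "${teachers}:RPWP;pwdLastSet;user"

# Check: every ACE on the OU that names the group should be one of the two
# above. Anything else means an earlier, broader delegation is still there.
dsacls $studentOU | Select-String -Pattern ([regex]::Escape($teachers))
```

Pairing this with the taskpad or a saved query only changes what the teacher sees; the two ACEs are what bound what the teacher can do, so if a student account is ever moved out of that OU the right goes with the OU, not with the account.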


RE: [ActiveDir] WOT Unreadable code (was Connection String)

2003-08-19 Thread Sullivan, Kevin
Very, very jealous... It is a horrible sound.

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 19, 2003 2:35 PM
To: '[EMAIL PROTECTED]'

Gil, 
received one screamin rubber chicken... I love it! Great sound. My
fellow sysadmins just might slit a throat today. It remains to be seen if it
will be mine or the chicken's :^) Thanks again! -JB


John A. Bjelke
Unisys
505.853.6774
[EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephant's rump, then the approach needs to be reevaluated.



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 1:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


John,

Stella has put the world-famous Official DEC Screaming Yellow Rubber Chicken
in the mail, so you should get it by the end of the week or so. When you do
get it, be sure to give it a good squeeze.

When I spoke at the 2002 AFITC, a general from ACC (I've forgotten his name)
told me that someone in his office had received one and the noise was
driving him crazy. Scratch the chicken off the list of how to win friends
and influence people.

-gil


-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 12:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Gil, 
I'm not THAT old! Man, next you'll be implying that I built the
DARPAnet! 
(and we all know it was Al Gore who's responsible for that!) *grin* Nah, I
just have a fondness for old, dead languages and remembered seeing that one
before. I actually had a book mark to a history of computing type doc that
had this very example of MUMPS code. As for DEC Ottawa, I doubt it, times
and budgets being what they are. But I'll take the chicken... sounds like
cool geek-schwag :^)

John A. Bjelke
Unisys
505.853.6774
[EMAIL PROTECTED]
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam. (I have a catapult. Unless you give me all the money, I will hurl an enormous rock at your head.)



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 12:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Wow John! I'm impressed. Were you at Unisys when MUMPS actually ran on
Unisys minis? Or did you just get lucky with Google? :)

I'm thinking that your answer deserves a world-famous Official DEC Screaming
Yellow Rubber Chicken, whose hideous screech is known to strike fear in the
hearts of dogs, cats, and small children.
 
Are you coming to DEC Ottawa? I can give it to you there, along with your
free beer. Otherwise, send me your shipping info offlist, and no beer for
you.

-gil

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 10:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


prints a table of primes, formatting it into columns. What's my prize :^)


John A. Bjelke
Unisys
505.853.6774
[EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephant's rump, then the approach needs to be reevaluated.



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 9:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Have you ever coded in MUMPS? It doesn't matter who the programmer is; its
ALWAYS unreadable. I think MUMPS programmers invented the term write-only
programs.

Typical MUMPS program: f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q  s q=p#f" w:q p,?$x\8+1*8

If anyone can guess what this code does, I'll give them a prize.

-g

Gil Kirkpatrick
CTO, NetPro


-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 6:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Connection String


Ha!  It is not the language that makes code unreadable, it is the PROGRAMMER
:-)

Robbie Allen
http://www.rallenhome.com/

 -Original Message-
 From: Glenn Corbett [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 9:38 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Connection String
 
 
 HAHAHA... Perl
 
 I like to be able to read my code and understand it again in 6 months
 :)
 
 Glenn
 
 - Original Message -
 From: Robbie Allen [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 11:14 PM
 Subject: RE: [ActiveDir] Connection String
 
 
   Come over to the 'Dark Side' with VB.NET... it's nice and warm
   here *looks at the fires of hell*.
 
  Come on guys, why go to VB.NET when you can get most of the
 benefits of a
  compiled language and a whole lot more in a lot fewer lines
 with Perl!
 
  muaahh...Muaahh...MUUAAAHH
 
  :-)
 
  Robbie 

RE: [ActiveDir] Default User Settings

2003-07-21 Thread Sullivan, Kevin
Marc,

It appears that you are asking about enforcing business rules regardless of how a user is created and doing so in a manner that can not be circumvented. Business rules in this sense would be "don't give Allow Terminal Server", or validate naming conventions, or mandate certain data in certain fields based on other criteria such as location in the tree etc.

There are so many reasons to enforce these types of data conventions. The reality is business rules can not be met reliably and flexibly without the support of third party administrative tools. Some of these tools will have great conventions to create and support the rule but under the hood you will find that they can not be enforced in all circumstances.

Security and enforcement of data rules are paramount and choosing to go with a third party administration tool really shows your commitment to these items. Make sure if you go that route that you thoroughly test the solutions and make sure that the rules are enforceable in any manner.

If you want to have a more detailed discussion about some of your options you can contact me offline and I will be more candid about the solution that we offer at Aelita.

Kevin Sullivan
Aelita Software

From: De Schepper Marc [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 8:34 AM
To: [EMAIL PROTECTED]

I normally use scripts to create my users, but the problem is that when someone else (helpdesk) creates them manually the settings are off... tried procedures but this won't work...

Marc

From: Gasper, Rick [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 13:49
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Default User Settings

Go to the script center at TechNet, you will find a lot of examples that you can customize.

http://www.microsoft.com/technet/treeview/default.asp?url="">

Rick Gasper
Manager of Network Services
King's College
Wilkes-Barre PA 18706
Phone: 570-208-5845
Fax: 570-208-5989
[EMAIL PROTECTED]

-Original Message-
From: De Schepper Marc [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 5:49 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Default User Settings

Hey all,

Is there a way to change the default user settings? And how to change them.

For example, I don't want to give our people the "Allow Terminal Server" property, or I want to set another default session setting.

Marc


RE: [ActiveDir] Group Policy question

2003-07-21 Thread Sullivan, Kevin

Chris,



GPOs are not applied to groups; they are applied to users and computers. So,
the fact that there are two groups that the user is a member of existing in two
different OUs is really not relevant. All that matters is where the users are
located and where the systems that the users are logged on to are located.



Have you used FAZAM or GPResult (RK) to check the RSOP info? This will tell you
exactly which GPOs are affecting a given user.



Good Luck,



Kevin

From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 2:18 PM
To: [EMAIL PROTECTED]







A user can be a member of more than one group. If a user is a member of two
groups that are in separate OUs, then the user can have group policy applied to
two separate groups based on ACLs within each OU? I don't need an object
existing in two separate OUs. I just need two separate groups with a user being
in each group, with each group in separate OUs.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crenshaw, Jason
Sent: Monday, July 21, 2003 12:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Group Policy question


What is group policy or a GPO?



Group policy is a new Windows term for common configuration settings. An
administrator can create a group policy which applies to users or computers.
This group policy can set certain computer settings, such as who can log in to
the computer, or user settings, such as whether the user can run Control Panel
applets. Group policy is similar to what was called policy in NT4, but there is
vastly improved performance together with a greater number of common
configuration settings. A GPO, or group policy object, is a set of settings
applied to a site, domain or OU container. The GPO then is applied to every
machine or user object under that container. One can configure a GPO with ACLs
to restrict the computers or users to which it is applied.



This also suggests that it is technically
impossible to do since a user object can only exist in one container or OU.



Hope that this answers your question.



Jason



-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 11:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Group Policy question





I believe there's nothing in TechNet on it because it's technically impossible
to do. You can't have an object in more than one OU.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.



-Original Message-
From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 12:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy question



Guido, that's not quite what I had in mind. Two OUs that are not hierarchical
to each other. It could be a flat OU architecture. Two separate OUs that have
GPOs applied to a group. If a user is a member of both groups, which GPO will
take precedence? Maybe it's a dumb question but it was posed to me by a higher
up and I can't find anything about this scenario in TechNet.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Monday, July 21, 2003 10:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy question



I guess you're using the groups to filter for whom a GPO is applied - but
you're not applying a GPO to a group ;-) It doesn't matter which OU the group
resides in; it simply matters which OU the respective GPO is applied to.











Assuming you're talking
about applying two GPOs to the same OU - each with a separate Group used for
filtering, then you can set the priority of the GPO processing order directly
on the OU on the Group Policy tab.











/Guido

From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Monday, 21 July 2003 17:18
To: [EMAIL PROTECTED]

Scenario: a user is a member of two groups. Each group is in a separate OU. A
GPO is applied to each group. Which GPO will take precedence for that user? In
other words, which will be the last to be applied and get the settings applied
to that user?







Chris Flesher

The University of Chicago

NSIT/DCS

1-773-834-8477
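An added example (not code from the thread or from any poster) that makes the point Guido and Kevin raise checkable: for one user it lists the GPOs that reach the OU holding the user object, in precedence order, and whether the user's group memberships pass each GPO's security filter. It assumes the RSAT ActiveDirectory and GroupPolicy modules and a constructed account 'jdoe'; only direct group memberships are resolved, and the user must sit in an OU rather than the default Users container.

```powershell
# Added example, not code from the thread. Assumes RSAT ActiveDirectory and
# GroupPolicy modules; 'jdoe' is a constructed account name.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-UserGpoPrecedence {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    # What matters is the container holding the *user object*; the OUs that hold
    # the user's groups play no part in GPO linking. (Get-GPInheritance accepts an
    # OU or domain DN, so the user must not live in the CN=Users container.)
    $ouDn = ($user.DistinguishedName -split ',', 2)[1]

    # Groups act only as security filters. Every user also matches Authenticated
    # Users, the default 'Apply group policy' trustee on a new GPO. Direct
    # memberships only; nested groups are not expanded here.
    $tokens = @('Authenticated Users') +
              (Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object { $_.Name })

    # InheritedGpoLinks mirrors the GPMC "Group Policy Inheritance" tab: links from
    # the site, domain and parent OUs plus the OU's own links, in precedence order,
    # where precedence 1 wins a conflicting setting.
    $links = (Get-GPInheritance -Target $ouDn).InheritedGpoLinks
    $precedence = 0
    foreach ($link in $links) {
        $precedence++
        $applyAces = Get-GPPermission -Guid $link.GpoId -All |
                     Where-Object { $_.Permission -eq 'GpoApply' }
        $passesFilter = [bool]($applyAces | Where-Object { $tokens -contains $_.Trustee.Name })
        [pscustomobject]@{
            Precedence    = $precedence
            Gpo           = $link.DisplayName
            LinkedTo      = $link.Target
            Enforced      = $link.Enforced
            FilteredTo    = ($applyAces | ForEach-Object { $_.Trustee.Name }) -join ', '
            AppliesToUser = ($link.Enabled -and $passesFilter)
        }
    }
}

# Usage:
# Get-UserGpoPrecedence -SamAccountName 'jdoe' | Format-Table -AutoSize
# Cross-check against the RSoP tooling Kevin mentions:
# gpresult /r /user EXAMPLE\jdoe /scope user
```

Two GPOs linked to the same OU and filtered to two different groups both show AppliesToUser = True for a member of both groups, and the Precedence column (the link order Guido describes) tells you which one wins.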




















RE: [ActiveDir] Terminal Services Permissions

2003-07-21 Thread Sullivan, Kevin
It is permissions on the RPC connection itself via the TS manager (I think
that is where it is). The default is Domain Admins; it sounds like someone
changed the default and allowed other users to access the server in
Administration Mode. You should still only be allowed 2 remote connections,
though.

Kevin

-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2003 6:42 PM
To: [EMAIL PROTECTED]

How do I block certain users from being able to connect to my terminal 
server running in Remote Administration mode? I just installed it but 
all users can log in to the server and manage it which isn't very good 
:-\

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Terminal Services Permissions

2003-07-21 Thread Sullivan, Kevin
RDP, RPC... man, I keep getting TLA confusion today.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2003 7:59 PM
To: [EMAIL PROTECTED]

Errr check your admin group, who is listed there. Either everyone that
is connecting to that box is an admin on that box or someone has
modified your rdp permissions. I would most likely expect the former
versus the latter. 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard
Sumilang
Sent: Monday, July 21, 2003 6:42 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Terminal Services Permissions


How do I block certain users from being able to connect to my terminal 
server running in Remote Administration mode? I just installed it but 
all users can log in to the server and manage it which isn't very good 
:-\



RE: [ActiveDir] Adding machines to OU directly

2003-07-16 Thread Sullivan, Kevin

This should be pretty straightforward. Delegate to the user the ability to
create Computer objects in the OU, then have the user create the computer
accounts. When the computer is joined to the domain it will be associated with
the pre-created account. Just give the computer accounts the same name as the
computer and you should be good to go.



Kevin

From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 10:33 AM
To: [EMAIL PROTECTED]







Is there a way to delegate to a user the right to not only
add machines to a domain, but place the user into the OU of their choice? I'm
looking for an easy way to allow OU administrators to add machines and then
instead of having the machine going into the computers container, go directly
into the OU. Maybe I'm making this too complicated..









Chris Flesher

The University of Chicago

NSIT/DCS

1-773-834-8477














RE: [ActiveDir] Adding machines to OU directly

2003-07-16 Thread Sullivan, Kevin

You don't need to give them account operator rights. You give them specific
delegated rights. There could be some complex solutions that involve automating
the process of looking through the Computers container and moving computer
accounts to the appropriate container (that is, if you know the appropriate
container via a name designation or something). This can be automated and
scheduled, but if you are too understaffed I doubt you will be able to find
the time to develop this kind of solution. To have full functionality to
address some of the complexities of AD management easily you will probably
want to evaluate third-party administrative tools. (<plug>Oh, yeah, my company
has one.</plug>)



Kevin Sullivan
Aelita Software
www.aelita.com

From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 11:07 AM
To: [EMAIL PROTECTED]







I saw that out on Technet. That's great as
long as there is a person/group to handle that. We are understaffed and are
looking for the OU admins to take care of this without giving them Account
Operator rights. 















Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rakes, Brandon A. NMIMC Contractor
Sent: Wednesday, July 16, 2003 9:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Adding machines to OU directly

The way we have done it is to delegate
administrative rights to the OU and then create the computer account in that OU
first and then add the computer. If there is another way to automatically make
it go in the desired OU I would love to hear how.



Brandon

-Original Message-
From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 10:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Adding machines to OU directly





Is there a way to delegate to a user
the right to not only add machines to a domain, but place the user into the OU
of their choice? I'm looking for an easy way to allow OU administrators to add
machines and then instead of having the machine going into the computers
container, go directly into the OU. Maybe I'm making this too complicated..









Chris Flesher

The University of Chicago

NSIT/DCS

1-773-834-8477
















RE: [ActiveDir] Adding machines to OU directly

2003-07-16 Thread Sullivan, Kevin

Hmmm, what error? When the computer joins the domain?... I wonder if it is a
permissions issue on the join domain part. The user actually joining from the
computer needs to have that right; this can be done through GP. The right is
given by default with the ms-DS-MachineAccountQuota. Every user, by default,
can add 10 computers to the domain; if this has been turned off or the 10 limit
has been reached, you need to give the rights out for individuals to Join
Computers to Domain.



Kevin

From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 12:01 PM
To: '[EMAIL PROTECTED]'





Well seeing this discussion has started I
would like to throw a curve ball.



In my environment I have chosen the route
to train the junior lads into pre-creating the computer account into the
relative OU.



I have delegated the following permission
over Computer Objects to Add and Remove computer
objects 



The problem I am experiencing is that if the computer account already exists
in the OU, the error received is Access Denied.



Thanks in advance

Yusuf

From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: 16 July, 2003 17:14 PM
To: [EMAIL PROTECTED]





You don't need to give them account operator rights. You give them 'specific'
delegated rights. There could be some complex solutions that involve automating
the process of looking through the Computers container and moving computer
accounts to the appropriate container (that is, if you know the appropriate
container via a name designation or something). This can be automated and
scheduled, but if you are too understaffed I doubt you will be able to find
the time to develop this kind of solution. To have full functionality to
address some of the complexities of AD management easily you will probably
want to evaluate third-party administrative tools. (<plug>Oh, yeah, my company
has one.</plug>)



Kevin Sullivan
Aelita Software
www.aelita.com

From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 11:07 AM
To: [EMAIL PROTECTED]







I saw that out on Technet. That's great as
long as there is a person/group to handle that. We are understaffed and are
looking for the OU admins to take care of this without giving them Account
Operator rights. 















Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rakes, Brandon A. NMIMC Contractor
Sent: Wednesday, July 16, 2003 9:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Adding machines to OU directly

The way we have done it is to delegate
administrative rights to the OU and then create the computer account in that OU
first and then add the computer. If there is another way to automatically make
it go in the desired OU I would love to hear how.



Brandon

-Original Message-
From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 10:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Adding machines to OU directly





Is there a way to delegate to a user
the right to not only add machines to a domain, but place the user into the OU
of their choice? I'm looking for an easy way to allow OU administrators to add
machines and then instead of having the machine going into the computers
container, go directly into the OU. Maybe I'm making this too complicated..









Chris Flesher

The University of Chicago

NSIT/DCS

1-773-834-8477












RE: [ActiveDir] Adding machines to OU directly

2003-07-16 Thread Sullivan, Kevin

Yes, the two actions are different. Look at the following article. The article
mentions the ms-DS-MachineAccountQuota and not giving the Add Workstations to
Domain right, but either method should work. I wouldn't suggest adding to the
ms-DS-MachineAccountQuota though. I am assuming, by the way, that the end users
actually joining the systems to the domain and the admin creating the computer
accounts in AD are different people (<InnerVoice>never assume, never
assume</InnerVoice>).



Q251335

From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 12:27 PM
To: '[EMAIL PROTECTED]'





So correct me if I am wrong, but what you are saying is that even though I
have given them the right over the OU to add computer objects I would still
have to go to the Domain Policy and specify the groups that can add
workstations to the domain?

From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: 16 July, 2003 18:20 PM
To: [EMAIL PROTECTED]





Hmmm, what error? When the computer joins the domain?... I wonder if it is a
permissions issue on the join domain part. The user actually joining from the
computer needs to have that right; this can be done through GP. The right is
given by default with the ms-DS-MachineAccountQuota. Every user, by default,
can add 10 computers to the domain; if this has been turned off or the 10 limit
has been reached, you need to give the rights out for individuals to 'Join
Computers to Domain'...



Kevin

From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 12:01 PM
To: '[EMAIL PROTECTED]'





Well seeing this discussion has started I
would like to throw a curve ball.



In my environment I have chosen the route
to train the junior lads into pre-creating the computer account into the
relative OU.



I have delegated the following permission
over Computer Objects to Add and Remove computer
objects 



The problem I am experiencing is that if the computer account already exists
in the OU, the error received is Access Denied.



Thanks in advance

Yusuf

From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: 16 July, 2003 17:14 PM
To: [EMAIL PROTECTED]





You don't need to give them account operator rights. You give them 'specific'
delegated rights. There could be some complex solutions that involve automating
the process of looking through the Computers container and moving computer
accounts to the appropriate container (that is, if you know the appropriate
container via a name designation or something). This can be automated and
scheduled, but if you are too understaffed I doubt you will be able to find
the time to develop this kind of solution. To have full functionality to
address some of the complexities of AD management easily you will probably
want to evaluate third-party administrative tools. (<plug>Oh, yeah, my company
has one.</plug>)



Kevin Sullivan
Aelita Software
www.aelita.com

From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 11:07 AM
To: [EMAIL PROTECTED]







I saw that out on Technet. That's great as
long as there is a person/group to handle that. We are understaffed and are
looking for the OU admins to take care of this without giving them Account
Operator rights. 















Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rakes, Brandon A. NMIMC Contractor
Sent: Wednesday, July 16, 2003 9:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Adding machines to OU directly

The way we have done it is to delegate
administrative rights to the OU and then create the computer account in that OU
first and then add the computer. If there is another way to automatically make it
go in the desired OU I would love to hear how.



Brandon

-Original Message-
From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 10:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Adding machines to OU directly





Is there a way to delegate to a user
the right to not only add machines to a domain, but place the user into the OU
of their choice? I'm looking for an easy way to allow OU administrators to add
machines and then instead of having the machine going into the computers
container, go directly into the OU. Maybe I'm making this too complicated..









Chris Flesher

The University of Chicago

NSIT/DCS

1-773-834-8477












RE: [ActiveDir] Adding machines to OU directly

2003-07-16 Thread Sullivan, Kevin

Good catch, Hunter.

From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 2:09 PM
To: '[EMAIL PROTECTED]'





When your junior lads create the computer account in the correct OU, are they
changing the field "The following user or group can join this computer to a
domain"? This defaults to Domain Admins, and IIRC they'll need to change it to
their own account or a security group that they're a member of.



Hunter

From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 10:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Adding machines to OU directly

So correct me if I am wrong, but what you are saying is that even though I
have given them the right over the OU to add computer objects I would still
have to go to the Domain Policy and specify the groups that can add
workstations to the domain?

From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: 16 July, 2003 18:20 PM
To: [EMAIL PROTECTED]





Hmmm, what error? When the computer joins the domain?... I wonder if it is a
permissions issue on the join domain part. The user actually joining from the
computer needs to have that right; this can be done through GP. The right is
given by default with the ms-DS-MachineAccountQuota. Every user, by default,
can add 10 computers to the domain; if this has been turned off or the 10 limit
has been reached, you need to give the rights out for individuals to 'Join
Computers to Domain'...



Kevin

From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 12:01 PM
To: '[EMAIL PROTECTED]'





Well seeing this discussion has started I
would like to throw a curve ball.



In my environment I have chosen the route
to train the junior lads into pre-creating the computer account into the
relative OU.



I have delegated the following permission
over Computer Objects to Add and Remove computer
objects 



The problem I am experiencing is that if the computer account already exists
in the OU, the error received is Access Denied.



Thanks in advance

Yusuf

From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: 16 July, 2003 17:14 PM
To: [EMAIL PROTECTED]





You don't need to give them account operator rights. You give them 'specific'
delegated rights. There could be some complex solutions that involve automating
the process of looking through the Computers container and moving computer
accounts to the appropriate container (that is, if you know the appropriate
container via a name designation or something). This can be automated and
scheduled, but if you are too understaffed I doubt you will be able to find
the time to develop this kind of solution. To have full functionality to
address some of the complexities of AD management easily you will probably
want to evaluate third-party administrative tools. (<plug>Oh, yeah, my company
has one.</plug>)



Kevin Sullivan
Aelita Software
www.aelita.com

From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 11:07 AM
To: [EMAIL PROTECTED]







I saw that out on Technet. That's great as
long as there is a person/group to handle that. We are understaffed and are
looking for the OU admins to take care of this without giving them Account
Operator rights. 















Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rakes, Brandon A. NMIMC Contractor
Sent: Wednesday, July 16, 2003 9:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Adding machines to OU directly

The way we have done it is to delegate
administrative rights to the OU and then create the computer account in that OU
first and then add the computer. If there is another way to automatically make
it go in the desired OU I would love to hear how.



Brandon

-Original Message-
From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 10:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Adding machines to OU directly





Is there a way to delegate to a user
the right to not only add machines to a domain, but place the user into the OU
of their choice? I'm looking for an easy way to allow OU administrators to add
machines and then instead of having the machine going into the computers
container, go directly into the OU. Maybe I'm making this too complicated..









Chris Flesher

The University of Chicago

NSIT/DCS

1-773-834-8477
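An added example covering the two points of this thread, not code from any poster: it reports ms-DS-MachineAccountQuota (the default of 10 that Kevin describes) and pre-creates a computer account in the target OU while granting the join rights that the ADUC field Hunter names ("The following user or group can join this computer to a domain") would set, so a delegated helpdesk account can join the machine without being a Domain Admin and without hitting Access Denied on the pre-existing object. It assumes the RSAT ActiveDirectory module; the OU, group and computer names are constructed, and the rights are resolved by display name from the schema's Extended-Rights container rather than hard-coded.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module and
# constructed names (OU, helpdesk group, computer name). It reports the machine account
# quota and pre-creates a computer account in the target OU with the join rights that
# the ADUC field "The following user or group can join this computer to a domain" sets.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    # Stored on the domain NC head. The default of 10 lets every user join 10 machines;
    # 0 means only principals with explicitly delegated rights can join computers.
    $domainDn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Get-RightsGuid {
    # Look a control access right, validated write or property set up by display name
    # in the Extended-Rights container rather than hard-coding its GUID.
    param([Parameter(Mandatory)][string]$DisplayName)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" `
                          -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $right) { throw "Right '$DisplayName' not found under CN=Extended-Rights" }
    [guid]$right.rightsGuid
}

function New-PrecreatedComputer {
    param(
        [Parameter(Mandatory)][string]$Name,          # e.g. 'WS001' (constructed)
        [Parameter(Mandatory)][string]$OuPath,        # e.g. 'OU=Workstations,DC=example,DC=com'
        [Parameter(Mandatory)][string]$JoinPrincipal  # e.g. 'EXAMPLE\Helpdesk-Joiners'
    )
    # Creating the object needs only 'Create Computer objects' delegated on $OuPath,
    # not Account Operators membership.
    $computer = New-ADComputer -Name $Name -Path $OuPath -Enabled $true -PassThru

    $sid = (New-Object System.Security.Principal.NTAccount($JoinPrincipal)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    # Without these ACEs the join is authorised for Domain Admins only, so the junior
    # admin's join of the already-existing account fails with Access Denied.
    $grants = @(
        @{ Right = 'ExtendedRight'; Guid = (Get-RightsGuid 'Reset Password') },
        @{ Right = 'Self';          Guid = (Get-RightsGuid 'Validated write to DNS host name') },
        @{ Right = 'Self';          Guid = (Get-RightsGuid 'Validated write to service principal name') },
        @{ Right = 'WriteProperty'; Guid = (Get-RightsGuid 'Account Restrictions') }
    )
    $aclPath = "AD:\$($computer.DistinguishedName)"
    $acl = Get-Acl -Path $aclPath
    foreach ($g in $grants) {
        $rights = [System.DirectoryServices.ActiveDirectoryRights]$g.Right
        $allow  = [System.Security.AccessControl.AccessControlType]::Allow
        $rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
                      -ArgumentList $sid, $rights, $allow, $g.Guid
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $aclPath -AclObject $acl
    $computer
}

# Usage:
# Get-MachineAccountQuota
# New-PrecreatedComputer -Name 'WS001' -OuPath 'OU=Workstations,DC=example,DC=com' `
#                        -JoinPrincipal 'EXAMPLE\Helpdesk-Joiners'
```

The helpdesk account then joins from the workstation with Add-Computer -DomainName example.com -Credential, and the machine binds to the pre-created object in the chosen OU instead of landing in the Computers container.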












RE: [ActiveDir] A number of NT4.0 to AD upgrade questions

2003-06-19 Thread Sullivan, Kevin
Correct about servers, but clients are really irrelevant with regard to
native vs. mixed mode.

-Original Message-
From: rick reynolds [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 19, 2003 9:29 AM
To: [EMAIL PROTECTED]

You need to run in mixed mode until the last NT4 server or client leaves the
network. Also, if you run mixed mode, you can still roll back.

- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 4:21 AM
Subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions


 I have completed a rollback with Windows 2000 AD back to NT4 and had no
problems with the W2K clients authenticating back to NT4. Maybe this was just
luck and something to do with the reasonings behind the rollback, but I thought
it was worth a mention.

 J

   From: Ken Cornetet [EMAIL PROTECTED]
   Date: Wed, 18 Jun 2003 21:42:27
   To: [EMAIL PROTECTED]
   Subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions
 
  Comments inline

  -Original Message-
  From: Mike Baudino [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 18, 2003 2:47 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] A number of NT4.0 to AD upgrade questions

  All,

  I'm not convinced, after reading the Microsoft documentation, that we've all
  got our answers nailed down on an in-place upgrade. So, I'd like to submit
  these questions to you to get the real world answer.

  Since we lack sufficient budget to perform a proper migration we'll need to
  do in-place upgrades to our domains and then consolidate some of the rogue
  domains into our structure (as well as cleaning things up after upgrade).
  All domains will remain mixed mode until we're able to complete application
  testing. One of our main drivers is the need to consolidate domains as well
  as eventually eliminate our dependence on the SAM.

  1. One of my concerns is following the upgrade of the PDC it will be the
  only AD domain controller in the domain. Our current DNS settings for
  servers and workstations are to our enterprise DNS servers, which are not
  AD-compatible. We anticipate creating a new DNS structure for AD and then
  using forwarders to the other DNS servers for non-AD-related address
  resolution. It's my expectation that NT4.0 clients w/o the AD client will
  not be impacted by this in any way. Is this correct?

  That's OK. Just make your AD DNS a subdomain of your existing DNS domain.
  For example, if your main DNS domain is acme.com and your NT domain is ACME,
  then create your AD forest as acme.acme.com. Put nameserver records in your
  existing DNS zone that delegate acme.acme.com to the DNS server running on
  your DC. Have your AD DNS server forward to your existing DNS to resolve
  anything not in your AD DNS domain.

  The only thing that will break is Windows 95, which doesn't do DNS
  devolution (trying acme.acme.com, then acme.com). I don't know if the AD
  client fixes this or not.

  2. It's also my expectation that the Win2k clients will be impacted
  depending on their configuration. For example, a Win2k client that does not
  have the DNS domain for AD listed in the suffix for the client nor in the
  DNS search order would not realize that there was an AD domain controller
  in their midst and would continue to authenticate to the domain as they had
  prior to the upgrade. And Win2k clients that have the DNS domain for AD in
  their suffix or search order would preferentially authenticate against the
  new AD DC to the extent that they would begin to ignore their local BDC.
  This is one area of significant concern as we don't want to overload any of
  the domain controllers. I thought there was a client reg entry that would
  eliminate this.

  If you put the nameserver records in your existing DNS zone, your win2k/XP
  clients WILL switch to AD authentication. When you convert your NT4 domain
  (ACME in my examples) to AD (acme.acme.com), your 2k/xp workstations will
  change their primary DNS domain to your AD DNS domain (acme.acme.com)
  regardless of what's in the interface specific DNS. They will then use your
  existing DNS (acme.com) to find nameservers for the AD DNS. From there, they
  will find the DC.

  3. Should we, once we complete the upgrade of the PDC, build a new DC, move
  all Operations Masters roles to the new DC and rebuild the old from scratch
  as Win2k, so as to avoid any legacy issues? We'll also be bringing up other
  AD DCs to split the roles up between boxes.

  You don't have to. Might be nice.

  4. If something goes wrong and after an hour or two, or sooner, find that
  we need to turn off the AD DC and fire back up the offline BDC and promote
  it to PDC, are the Win2k clients going to be OK? I thought I remembered
  that if a box authenticated against the domain using Kerberos it never
  would go back to NTLM.

  w2k/xp clients will NOT go back to NTLM

RE: [ActiveDir] DNS Replication

2003-06-19 Thread Sullivan, Kevin

In Windows 2000 the integrated zones are in the domain naming context, so this
is correct. But in Windows Server 2003 it is in an application partition and
you can choose replication partners explicitly.

From: Victor Hugo Naranjo [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 1:31 PM
To: [EMAIL PROTECTED]





Hi,



DNS zones configured as AD-integrated cannot replicate between parent and
child domain, is that correct?



Sincerely,

Víctor Naranjo
MCSE, MCSA


RE: [ActiveDir] Please Help

2003-06-06 Thread Sullivan, Kevin

I think that Anwer is correct. He was able to add the computer account to the
domain using his credentials because that action has to go to the PDC, which
obviously has the account. His local BDC cannot do that and can't authenticate
him because it doesn't know about him yet. I am guessing that this is an NT 4
domain or a mixed mode AD domain.



Kevin

-Original Message-
From: Juan Ibarra [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 05, 2003 5:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Please Help



Hello, to all, 

I have the following problem. 

I have a user in a remote office that somehow managed to screw up his system
running Windows 2000. What I did was configure a new HD and shipped it out to
him. I was able to log on to the NT domain as him, configure his email and load
other applications. I do this all the time and never have a problem! I also
added his NT user account to the local Administrators group.

When he received the HD and replaced it on his computer, he was not able to
log on as himself to the domain. We have a BDC in his remote office. I asked
him to, and gave him permissions to, remove the machine from the domain and
re-add it. It will not work! He can't log in as himself; however, using his NT
credentials he is able to join the computer to the domain, which proves that
his credentials are correct.

I have never seen this problem and can't figure out
the reason for this behavior. 

Can you please help asap? 

Thanks in advance 



Juan

RE: [ActiveDir] AD/Exchange Question

2003-05-30 Thread Sullivan, Kevin
You can have only one Ex2000 organization per forest. Or are you talking
about Exchange 5.5?

Kevin

-Original Message-
From: Ellis, Debbie [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2003 9:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD/Exchange Question

My company is getting ready to migrate to Windows 2003 Active Directory from
NT 4.0. Our design is to have separate trees in the enterprise forest. Do we
have to have separate Exchange Organizations or is there a work around to
still have one?


RE: [ActiveDir] OT RIS ISSUE:

2003-04-02 Thread Sullivan, Kevin

There is a switch in the RISetup answer
file that can be set to have a partition created on the first hard drive. I did
a quick TechNet search and couldn't find it. I will continue to look but
thought possibly someone may have the reference.



Kevin



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 02, 2003 9:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT RIS ISSUE:





I am currently trying to RIS servers on a testbed and
am able to do so, however I wish to set partition sizes so that the system
partition is 10GB but RIS seems to just format and utilise ALL the available
space even when I have FDISK'd and set the primary partition size. My thoughts
were that if I FDISK'd and set the partition size RIS would format the
partition as NTFS and away we go...any feedback would be appreciated.

James


RE: [ActiveDir] downlevel client authentication

2003-04-01 Thread Sullivan, Kevin
Here is another issue to be aware of that may come up when you start
upgrading clients. If a w2k client authenticates to the NT 4 BDCs that
will work fine. The w2k client will use NTLM in the absence of AD for
authentication. But if the NT4 DC happens to be unavailable and the
client contacts a w2k DC and can authenticate using Kerberos then it
will never be able to authenticate with NTLM again after that.

I pulled this from memory and am a bit shaky on the details so possibly
someone could clarify if I am misrepresenting this. Even though it is
not directly related it may be something this type of environment will
encounter during its modernization effort.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2003 10:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] downlevel client authentication

When dealing with downlevel clients, a Windows 2K DC looks like an NT
4.0 BDC - hence it can authenticate the client.  So, in your example of
the mixed-mode site, there is no reason for a client to have to
authenticate with the PDC-E.

And, to further emphasize the point - if you install the DS Client, you
can change passwords by contacting any Windows 2000 DC.

If you will remember in Windows NT domains, the PDC was typically so
busy doing everything else that was necessary for a writeable system,
that the BDCs did the lion's share of the work.  The PDC actually did
very little authentication at all.

And, to further the point one more step - in a very complex structure,
having to contact the PDC-E for authentication would be very
inefficient in any type of WAN environment.  This might prompt many
administrators to create a domain per remote site just to control
authentication traffic.

Fortunately, this isn't necessary, as authentication is possible at any
DC.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
Sent: Tuesday, April 01, 2003 5:23 PM
To: [EMAIL PROTECTED]

All,

Please help me resolve a discussion with some strong opinions on both
sides of the camp.  You see, our reading on the role of the PDC Emulator
in regard to a mixed-mode domain with downlevel clients (we're not
upgrading the NT4.0 client software) has left us with differing
interpretations.

We agree and understand that the PDC Emulator is contacted directly by
the downlevel clients to change their passwords.  We also understand and
agree that the PDC Emulator is the source of SAM replication.

Our disagreement is in authentication.  Some folks are reading it as all
downlevel client activity, including authentication, is done at the PDC
emulator.  Others read this as the downlevel client is authenticated by
the domain controller that responds first (or the last time the client
was authenticated [we're also a bit unclear on that concept]).

To me, this is very clear (but I could be the cause of the confusion).
In a branch office environment running mixed mode we would have a
combination of Win2k and NT4.0 domain controllers in the field offices.
The NT4.0 BDCs are not aware of the fact that they're really part of an
AD domain and nor would the clients.  Thus, if the clients don't know
about AD, and the BDC doesn't know about AD, how would the client know
that it had to contact the PDC emulator to be authenticated?  It
wouldn't.  Hence, downlevel client authentication must occur at any
domain controller (again, the one that responds first [or the last
one]).

Please help clear this up and please include a link to something that
helps clear this up.

Thanks,
Mike Baudino







RE: [ActiveDir] Mixed to Native

2003-03-27 Thread Sullivan, Kevin
Always a good Guinness! Easy!

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 27, 2003 7:06 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Mixed to Native

The worst part of the mixed to native mode conversion is picking which
refreshing beverage you're going to enjoy when it's done.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, March 27, 2003 5:49 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Mixed to Native
 
 
 
 Hi All,
 
 I've finally migrated my last remote office into my 2000 
 domain. All of my NT BDCs are gone and I'm 100% 2000 on the 
 DCs. I still have a couple offices on NT workstations. 
 It's been some time since I've focussed on 2000 and can't 
 remember if there are any gotchas with the move from mixed to native?
 
 I've read back through all my documentation/notes, but that's 
 no substitute for real world experience... Can anyone offer 
 some guidance?
 
 Thanks and BR,
 
 Rob
 
 
 Robert Rutherford
 MIS Department - DEK
 +44 (0)1305 208232
 +44 (0)7970 122362
 
 
 
 
 


RE: [ActiveDir] GPO effect on Admin

2003-03-26 Thread Sullivan, Kevin
You can do it a few ways. One would be to assign the deny 'apply group
policy' for the given administrator... You do this on the ACL of the GPO
itself...

Kevin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 26, 2003 9:02 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO effect on Admin


Hi All,

It's been some time since I studied/looked at group policy. I want to
know how to stop computer config policies applying when a selected admin
logs onto any computer, even if the computers have policies applied on
their OU.

Any guidance would be appreciated... Also, thanks for the help on my
other issues.

BR,

Rob

Robert Rutherford








RE: [ActiveDir] GPO effect on Admin

2003-03-26 Thread Sullivan, Kevin
Note to self, read whole post...

I totally missed the computer config part.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 26, 2003 9:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO effect on Admin

That's a tough one.  Computer policy IS computer policy - it cannot
distinguish between users because the user has not logged on.  As to
user effects, much easier - do not APPLY or allow READ for the group or
Sec Principal that you don't want to affect.

I'd have to look into loopback to determine if there is a way to affect
user settings, but this is typically used to apply user settings to a
computer startup, not computer settings to user logon - by then it's
much too late.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 8:02 AM
To: [EMAIL PROTECTED]


Hi All,

It's been some time since I studied/looked at group policy. I want to
know how to stop computer config policies applying when a selected admin
logs onto any computer, even if the computers have policies applied on
their OU.

Any guidance would be appreciated... Also, thanks for the help on my
other issues.

BR,

Rob

Robert Rutherford








RE: [ActiveDir] AD synchronization

2003-03-26 Thread Sullivan, Kevin

Since you are one domain the sizes should
be the same. The GC contains the partial attribute set from all domains in the
forest. Since you only have one domain you don't have anything additional
added. Also, yes, the GC is a subset of all attributes for the domains of which
the DC is not a member. So again, since you are a single domain nothing is
added. Also the NTDS.dit contains all naming contexts, Domain, Configuration,
Schema... so within the dit for the DC there will be domain naming contexts for
all domains in the forest. Other than the domain which the DC is representing,
the DC only has partial information for all objects in the other domains.



Even though only some of the users are on Exchange
2000, the definition of the user objects comes from the schema, which defines
the Exchange attributes. There are no values for the attributes but the user
objects have those attributes present (speaking of mail-enabled users).



In a multiple domain forest the GCs will
be larger because they have all of their own info as well as some info from all
other domains



Hth,



Kevin Sullivan

Sales Engineer

Aelita Software



-Original Message-
From: Marc Zukerman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 9:58 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD synchronization

Now that's interesting Roger. I never thought to check it, but at my
current client, the ntds.dit file does NOT change between GCs and DCs.
For a directory of roughly 8500 objects we are at 250MB for all domain
controllers, whether or not they are a DC. This environment is a single
domain with Exchange 2000 (although only a very small subset of the
users have Exchange - that's the project we're doing).

Also, I've always assumed that the GC was smaller than the DC because it
is merely a subset. A large one, but a subset nonetheless.

Anyone with comments?

Marc Zukerman
Senior Network Engineer
Greenwich Technology Partners

- Original Message -
From: Roger Seielstad
To: '[EMAIL PROTECTED]'
Sent: Wednesday, March 26, 2003 7:30 AM
Subject: RE: [ActiveDir] AD synchronization

That's a tough one. It's going to depend on the number of domains and the
number of objects in each domain.

We're using an empty root with a single 'production' domain below it,
probably 2500 objects in the production domain.

Looking at two root DCs, one which is and one which isn't a GC, the sizes
of NTDS.DIT are significantly different:

With GC: 79MB
Without: 27MB

So, roughly speaking, that's about 50MB for a GC replication of around
2500 objects. Of course, your mileage will vary quite a bit. So, in my
case, a full GC replication is going to be about 50MB to 12 servers,
which my WAN can handle without issue - most WANs could probably handle
that.

Roger

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 7:02 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD synchronization

How big is the GC synch compared to the full AD synch?





-Original Message-
From: Marc Zukerman [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 2:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD synchronization

Yes. Any schema modification requires a full directory synchronization.
Since the schema is forest-wide, this means it affects all whether there
is a dedicated forest root or not. In addition, the first Exchange 2000
system forces a global catalog full synchronization. When I questioned
the Microsoft developer at MEC '99 why it was necessary to replicate the
GC completely, I didn't get a satisfactory answer as to why. If anyone
out there can tell me, I'd love to know why. We all determined it would
be best to handle the forestprep and initial server installation off
hours and from the Schema FSMO for any environment that was sizeable.

Marc Zukerman
Senior Network Engineer
Greenwich Technology Partners

- Original Message -
From: Don Murawski (Lenox)
To: '[EMAIL PROTECTED]'
Sent: Tuesday, March 25, 2003 2:09 PM
Subject: RE: [ActiveDir] AD synchronization

Does Forest prep cause a full synchronization?

We have an empty root domain that contains the schema master.

-Original Message-
From: Marc Zukerman [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 12:22 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD synchronization

Even so, I wouldn't chance it. If you have any corruptions to the schema
when it gets updated, it is much more difficult to deal with that at
2:00pm on a Wednesday. I'd shoot for Friday night to be safe.

Marc Zukerman
Senior Network

RE: [ActiveDir] AD synchronization

2003-03-26 Thread Sullivan, Kevin

Sorry, one more point of clarification after reading my post.

A GC has the complete domain naming context for the domain which it
directly represents. It also contains a partial replica of the other
domains in the forest.



-Original Message-
From: Marc Zukerman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 9:58 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD synchronization

Now that's interesting Roger. I never thought to check it, but at my
current client, the ntds.dit file does NOT change between GCs and DCs.
For a directory of roughly 8500 objects we are at 250MB for all domain
controllers, whether or not they are a DC. This environment is a single
domain with Exchange 2000 (although only a very small subset of the
users have Exchange - that's the project we're doing).

Also, I've always assumed that the GC was smaller than the DC because it
is merely a subset. A large one, but a subset nonetheless.

Anyone with comments?

Marc Zukerman
Senior Network Engineer
Greenwich Technology Partners

- Original Message -
From: Roger Seielstad
To: '[EMAIL PROTECTED]'
Sent: Wednesday, March 26, 2003 7:30 AM
Subject: RE: [ActiveDir] AD synchronization

That's a tough one. It's going to depend on the number of domains and the
number of objects in each domain.

We're using an empty root with a single 'production' domain below it,
probably 2500 objects in the production domain.

Looking at two root DCs, one which is and one which isn't a GC, the sizes
of NTDS.DIT are significantly different:

With GC: 79MB
Without: 27MB

So, roughly speaking, that's about 50MB for a GC replication of around
2500 objects. Of course, your mileage will vary quite a bit. So, in my
case, a full GC replication is going to be about 50MB to 12 servers,
which my WAN can handle without issue - most WANs could probably handle
that.

Roger

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 7:02 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD synchronization

How big is the GC synch compared to the full AD synch?





-Original Message-
From: Marc Zukerman [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 2:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD synchronization

Yes. Any schema modification requires a full directory synchronization.
Since the schema is forest-wide, this means it affects all whether there
is a dedicated forest root or not. In addition, the first Exchange 2000
system forces a global catalog full synchronization. When I questioned
the Microsoft developer at MEC '99 why it was necessary to replicate the
GC completely, I didn't get a satisfactory answer as to why. If anyone
out there can tell me, I'd love to know why. We all determined it would
be best to handle the forestprep and initial server installation off
hours and from the Schema FSMO for any environment that was sizeable.

Marc Zukerman
Senior Network Engineer
Greenwich Technology Partners

- Original Message -
From: Don Murawski (Lenox)
To: '[EMAIL PROTECTED]'
Sent: Tuesday, March 25, 2003 2:09 PM
Subject: RE: [ActiveDir] AD synchronization

Does Forest prep cause a full synchronization?

We have an empty root domain that contains the schema master.

-Original Message-
From: Marc Zukerman [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 12:22 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD synchronization

Even so, I wouldn't chance it. If you have any corruptions to the schema
when it gets updated, it is much more difficult to deal with that at
2:00pm on a Wednesday. I'd shoot for Friday night to be safe.

Marc Zukerman
Senior Network Engineer
Greenwich Technology Partners

- Original Message -
From: Kevin Miller
To: [EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 11:57 AM
Subject: RE: [ActiveDir] AD synchronization

How big is the AD implementation and how big are the pipes? I ran forest
prep here in the middle of the day with 30 DCs and 10,000 AD objects, not
a problem at all. 768 CIR lines between servers.

-- Kevinm WLKMMAS, Exchange MVP

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Zukerman
Sent: Tuesday, March 25, 2003 8:42 AM
To: [EMAIL PROTECTED]

If you have not run forestprep yet, it will update the schema. This will
force a full synchronization of the directory and global catalog. This
may be a concern.

Marc Zukerman
Senior Network Engineer
Greenwich Technology Partners

- Original Message

RE: [ActiveDir] AD synchronization

2003-03-26 Thread Sullivan, Kevin

Partial Attribute Set



-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 2:50 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD synchronization

PAS?

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 1:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD synchronization



I like Roger's description of the GC in a single domain as
'single-instance storage'. That's a good way to think of it. One
question that hasn't been completely addressed (although maybe implied)
is what happens to replication if an attribute is added to the PAS in a
single-domain environment. My guess would be that since all DCs contain
the entire directory already, the only additional replication would be
the fact that the attribute should be part of the PAS and therefore
available via a GC query. I would hope it would not cause a full
replication of the PAS, since all the attributes are already there.
True?





Dave

-Original Message-
From: Marc Zukerman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 12:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD synchronization

Got it, thanks. Hey Don, has this discussion helped at all???

Marc Zukerman
Senior Network Engineer
Greenwich Technology Partners

- Original Message -
From: Roger Seielstad
To: '[EMAIL PROTECTED]'
Sent: Wednesday, March 26, 2003 12:31 PM
Subject: RE: [ActiveDir] AD synchronization

Because the Global Catalog data is already present in the .DIT file for
the domain for which the server is a DC. It's in effect single instance
storage - it's not going to duplicate the data that's already there.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Marc Zukerman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 11:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD synchronization




OK, that makes sense and is consistent with everything else. That
actually goes back to another conversation a few weeks ago when someone
was asking about the true advantages/disadvantages of a dedicated forest
root vs. single domain. The single domain would have a smaller GC (only
one to manage).

One thing it doesn't answer is why the size of the dit file doesn't
change if a system is not a GC. In one case, a system was temporarily
made a GC and then demoted again to just a DC. However there are other
DCs that were never GCs at any time. Every one of them is approximately
250MB (within 2 MB in either direction depending on the DC).

Marc Zukerman
Senior Network Engineer
Greenwich Technology Partners

- Original Message -
From: Sullivan, Kevin
To: [EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 10:17 AM
Subject: RE: [ActiveDir] AD synchronization










Since you are one domain the sizes should be the same. The GC contains
the partial attribute set from all domains in the forest. Since you only
have one domain you don't have anything additional added. Also, yes, the
GC is a subset of all attributes for the domains of which the DC is not
a member. So again, since you are a single domain nothing is added. Also
the NTDS.dit contains all naming contexts, Domain, Configuration,
Schema... so within the dit for the DC there will be domain naming
contexts for all domains in the forest. Other than the domain which the
DC is representing, the DC only has partial information for all objects
in the other domains.

Even though only some of the users are on Exchange 2000, the definition
of the user objects comes from the schema, which defines the Exchange
attributes. There are no values for the attributes but the user objects
have those attributes present (speaking of mail-enabled users).

In a multiple domain forest the GCs will be larger because they have all
of their own info as well as some info from all other domains...

Hth,

Kevin Sullivan
Sales Engineer
Aelita Software

-Original Message-
From: Marc Zukerman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 9:58 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD synchronization

Now that's interesting Roger. I never thought to check it, but at my
current client, the ntds.dit file does NOT change between GCs and DCs.
For a directory of roughly 8500 objects we are at 250MB for all domain
controllers, whether or not they are a DC. This environment is a single
domain with Exchange 2000 (although only a very small subset of the
users have Exchange - that's the project we're doing).

Also, I've always

RE: [ActiveDir] Different password policy

2003-03-25 Thread Sullivan, Kevin
Here is a sort of convoluted albeit possible solution to the issue. It
will be much easier to manage and design with the assistance of a
comprehensive management platform that enforces business rules and
manages access control.

The idea is to audit the contents of an OU, specifically users. Evaluate
password age in one of many ways depending on the specific needs, but
find out how old the password is and evaluate it against the tighter
password policy you want to apply to that container. To create a
solution that creates an experience for the user the same as or similar
to that of a domain-wide password policy, you will have to figure out if
the password is x number of days old and start presenting the user with
the "your password will expire in x days..." message, and when the grace
period is over switch the flag for "user must change password at next
logon".

There are many reasons why this is more possible with a comprehensive
management platform like <gratuitous plug>Aelita Enterprise Directory
Manager</gratuitous plug>. The first reason specifically mentioned as a
requirement is having this setting apply to many different users
throughout the enterprise. With a good management platform you can
create essentially virtual containers that are query based and can be
managed with rules like the one mentioned here. These management
platforms will allow you advanced features like reporting that can kick
off an automation job. The flexibility is very deep.

Let me know offline if you want some more details.

Kevin 
Aelita

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 25, 2003 6:54 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Different password policy


The only way is to split the domain due to the 'infamous domainwide
security policy problem'... a drastic step.

I guess you need to look at why you need a separate policy, and what
would the implications be of enforcing the 'stronger password policy'
domain wide.

BR

Robert Rutherford



 

Ole Thomsen [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
24/03/2003 14:43
Please respond to ActiveDir

To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] Different password policy


I need to implement a stronger password policy for
a large group of users in my AD, and run into the
infamous domainwide security policy problem.

What is the best way to do this, and still be
able to let these users have access to the file/print,
Ex2K mailboxes and other resources they use today?

Regards,
Ole Thomsen
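The OU-scoped password-age check Kevin sketches above, written out as an added PowerShell example (not code from the thread or from Aelita's product): it reports every enabled user in one OU against a stricter maximum age, flags those inside the warning window, and only with -Enforce sets "user must change password at next logon". The OU DN, the 45-day maximum, the 7-day window and the RSAT ActiveDirectory module are assumptions; where the domain functional level allows it, a fine-grained password policy (PSO) does this natively and should be preferred.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the ActiveDir thread or from Aelita's product.
# Emulates a stricter maximum password age for one OU by auditing password
# age, as the post above describes. Assumed: the OU DN, the 45-day maximum,
# the 7-day warning window, and the RSAT ActiveDirectory module. Where the
# domain functional level allows it, a fine-grained password policy (PSO)
# does this natively and should be used instead.
param(
    [string]$SearchBase = 'OU=Finance,DC=example,DC=com',  # assumed OU
    [int]   $MaxAgeDays = 45,   # assumed: tighter than the domain policy
    [int]   $WarnDays   = 7,    # assumed: grace window before enforcement
    [switch]$Enforce            # default is report-only
)

$now = Get-Date
# PasswordLastSet is the module's DateTime view of the pwdLastSet attribute;
# it is $null when pwdLastSet is 0 (a change is already pending).
$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires, mail

$report = foreach ($u in $users) {
    if ($u.PasswordNeverExpires) {
        # Set-ADUser -ChangePasswordAtLogon rejects these accounts, so they are
        # surfaced for review rather than silently skipped.
        $state = 'exempt (PasswordNeverExpires set)'
    }
    elseif (-not $u.PasswordLastSet) {
        $state = 'change already pending at next logon'
    }
    else {
        $age      = ($now - $u.PasswordLastSet).Days
        $daysLeft = $MaxAgeDays - $age
        if ($daysLeft -le 0) {
            $state = "expired under OU policy ($age days old)"
            if ($Enforce) {
                # Same effect as writing pwdLastSet = 0: the "user must change
                # password at next logon" flag from the post.
                Set-ADUser -Identity $u -ChangePasswordAtLogon $true
                $state += ', change forced'
            }
        }
        elseif ($daysLeft -le $WarnDays) {
            # Stand-in for the domain policy's "your password will expire in
            # x days" prompt; hook a mail relay here if you want e-mail.
            $state = "expires in $daysLeft days, warn $($u.mail)"
        }
        else {
            $state = "ok ($daysLeft days left)"
        }
    }
    [pscustomobject]@{ User = $u.SamAccountName; State = $state }
}

$report | Sort-Object State, User | Format-Table -AutoSize
```

Run it report-only from a scheduled task first and add -Enforce only once the output has been reviewed; the Set-ADUser call is the only write it makes.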


RE: [ActiveDir] Active Directory Replication Monitor

2003-03-25 Thread Sullivan, Kevin

Look at WinNetMag.com and do a search for Replmon.
IIRC there are a lot of brief articles. It is really pretty easy to work with,
just navigating...



-Original Message-
From: Daniel Chaveco [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 10:36 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory Replication Monitor



Does anyone know a good article/site on how to
properly use this?











RE: [ActiveDir] OT: Export and import Windows 2000 local policy

2003-03-18 Thread Sullivan, Kevin

It does do desktop lockdown though, not with regards to things like removing
the run command, but many lockdown options down to the file level security
(which is what I thought you were looking for). Any additional desktop
configuration can be done via scripts.

-Original Message-
From: Amit Zinman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 18, 2003 4:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Export and import Windows 2000 local policy

I don't think this tool does desktop settings

Amit Zinman
Systems Consultant
Integrity Systems
[EMAIL PROTECTED]
03-7522424
058-326753

From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 16, 2003 2:59 PM
To: [EMAIL PROTECTED]

If they are using W2k/XP it should be fairly easy. Write the GPO and deploy
to a test client. Then use Security Configuration and Analysis to analyze the
client and dump the config to a file. You should be able to use the same tool
to deploy to a local security policy. I haven't done this in a couple of
years but remember it to be very straightforward.

I just did it to remind myself and yes it is pretty easy. You create a
database to hold the info and you load an .inf that has different levels of
security info. This is essentially the baseline to compare your system to.
You will analyze your system against the template and then have the option
to export your security configuration.

Hth,

Kevin

-Original Message-
From: Amit Zinman [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 16, 2003 3:02 AM
To: ActiveDir Mailing List
Subject: [ActiveDir] OT: Export and import Windows 2000 local policy

Hi,

I need to implement locking down of the desktop environment for a customer.
They don't have AD and don't want it.

How can I import and export Group Policy and distribute it to a lot of
servers/desktops?

Amit Zinman
Systems Consultant
Integrity Systems
[EMAIL PROTECTED]
03-7522424
058-326753

RE: [ActiveDir] OT: Export and import Windows 2000 local policy

2003-03-16 Thread Sullivan, Kevin

If they are using W2k/XP it should be fairly easy. Write the GPO and deploy
to a test client. Then use Security Configuration and Analysis to analyze the
client and dump the config to a file. You should be able to use the same tool
to deploy to a local security policy. I haven't done this in a couple of
years but remember it to be very straightforward.

I just did it to remind myself and yes it is pretty easy. You create a
database to hold the info and you load an .inf that has different levels of
security info. This is essentially the baseline to compare your system to.
You will analyze your system against the template and then have the option
to export your security configuration.

Hth,

Kevin

-Original Message-
From: Amit Zinman [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 16, 2003 3:02 AM
To: ActiveDir Mailing List
Subject: [ActiveDir] OT: Export and import Windows 2000 local policy

Hi,

I need to implement locking down of the desktop environment for a customer.
They don't have AD and don't want it.

How can I import and export Group Policy and distribute it to a lot of
servers/desktops?

Amit Zinman
Systems Consultant
Integrity Systems
[EMAIL PROTECTED]
03-7522424
058-326753


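The export, analyze and apply procedure Kevin describes for Security Configuration and Analysis is also available from the command line through secedit.exe, which shipped with Windows 2000. The script below is an added example and not code from either post: it dumps the local policy of a hardened reference machine to an .inf template, compares a target against it, and applies it. The template path and host names are assumptions, and the remoting step needs PowerShell remoting, which the Windows 2000 desktops in the thread would not have; there, copy the .inf and run the configure step from a startup script instead.

```powershell
# Added example (not from the list posts): the Security Configuration and
# Analysis procedure from the command line with secedit.exe. Template path and
# target host names are assumptions.
$Template = 'C:\Baseline\desktop-lockdown.inf'   # hypothetical
$Targets  = @('WS01', 'WS02')                     # hypothetical stand-alone hosts

# 1. On the hardened reference machine: dump the effective local security
#    policy (account policy, audit policy, user rights, registry and file
#    ACLs, service settings) to an .inf template.
function Export-LocalPolicy {
    param([string]$Path)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    & secedit.exe /export /cfg $Path /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with $LASTEXITCODE" }
    Get-Item $Path
}

# 2. On a target: compare it against the template without changing anything.
#    The differences land in the log; review them before step 3.
function Compare-LocalPolicy {
    param([string]$Path,
          [string]$Db  = "$env:TEMP\analyze.sdb",
          [string]$Log = "$env:TEMP\analyze.log")
    & secedit.exe /analyze /db $Db /cfg $Path /log $Log /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed with $LASTEXITCODE" }
    Get-Content $Log
}

# 3. On a target: apply the template. /overwrite starts from an empty database
#    so settings from an earlier, different template do not linger.
function Import-LocalPolicy {
    param([string]$Path, [string]$Db = "$env:TEMP\apply.sdb")
    & secedit.exe /configure /db $Db /cfg $Path /overwrite /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with $LASTEXITCODE" }
}

# Distribute: copy the template and run the import on each host. Invoke-Command
# needs PowerShell remoting; hosts without it get the .inf copied and run
# Import-LocalPolicy from a startup script.
foreach ($t in $Targets) {
    New-Item -ItemType Directory -Path "\\$t\C$\Baseline" -Force | Out-Null
    Copy-Item -Path $Template -Destination "\\$t\C$\Baseline\" -Force
    Invoke-Command -ComputerName $t -ScriptBlock ${function:Import-LocalPolicy} `
        -ArgumentList 'C:\Baseline\desktop-lockdown.inf'
}
```

Run step 1 once on the reference machine (Export-LocalPolicy $Template) and review the .inf in a text editor before shipping it: everything in it is applied verbatim, including file and registry ACLs, so an over-broad template locks you out of targets just as effectively as it locks out users.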
RE: [ActiveDir]

2003-03-09 Thread Sullivan, Kevin

I would make sure that your clients are pointing to the DNS server and the
DNS server is updated with the appropriate SRV records. Check DNS and let us
know your settings.

Kevin

-Original Message-
From: bobo sy [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 09, 2003 3:53 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]

Hi all

I have installed Active Directory on my W2K server, and now I cannot add any
workstation. Every time I get the message "network path not found". I have
deleted the network components and recreated them but it is still the same.
Please help urgently because my site is blocked now.
Thanks.

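Kevin's two checks (are the clients pointed at the AD DNS server, and does that server hold the SRV records the domain controller locator needs?) as an added PowerShell example, not from the posts. It assumes the Resolve-DnsName and Get-DnsClientServerAddress cmdlets (Windows 8 / Server 2012 and later) and a hypothetical domain corp.example.com; the record names are the ones Windows DCs register.

```powershell
# Added example (not from the list posts): can this client find a DC via DNS?
# The domain name is a placeholder; the SRV names are the standard DC locator
# records that Netlogon registers on every domain controller.
function Test-DcLocatorRecords {
    param(
        [string]$Domain = 'corp.example.com',   # hypothetical AD DNS name
        [string]$DnsServer                      # optional: query one specific server
    )
    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain",        # LDAP on any DC
        "_kerberos._tcp.dc._msdcs.$Domain",    # KDC on any DC
        "_ldap._tcp.gc._msdcs.$Domain",        # global catalog
        "_ldap._tcp.$Domain",
        "_kerberos._tcp.$Domain"
    )
    foreach ($n in $names) {
        $q = @{ Name = $n; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $q.Server = $DnsServer }
        $answers = Resolve-DnsName @q | Where-Object Type -eq 'SRV'
        [pscustomobject]@{
            Record  = $n
            Found   = [bool]$answers
            Targets = ($answers | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    }
}

# Which DNS servers is this client actually using? A client pointed at an ISP
# or router resolver instead of the AD-integrated DNS server fails the join
# even though every SRV record on the DC is correct.
function Get-ClientDnsServers {
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object InterfaceAlias, ServerAddresses
}

Get-ClientDnsServers | Format-Table -AutoSize
Test-DcLocatorRecords -Domain 'corp.example.com' | Format-Table -AutoSize
```

If Found is False for the _msdcs records while the zone exists, restart Netlogon on the DC (it re-registers the records) and check that the zone allows dynamic updates; nltest /dsgetdc:corp.example.com from the client shows which DC the locator ends up with, or the exact failure.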

[ActiveDir] OT: DEC

2003-03-01 Thread Sullivan, Kevin

So just curious but who is going to DEC?

Kevin Sullivan
Aelita Software
[EMAIL PROTECTED]


RE: [ActiveDir] Domain Replication Question.

2003-02-28 Thread Sullivan, Kevin
Just the changes are replicated during normal replication within the
domain. Sites can cross domains, remember, so cross-site replication will
depend on what domains are playing, what DCs from what domains are
across sites, etc. Also, the only info replicated outside of the domain
is information contained in the partial attribute set of the domain
naming context. These attributes are replicated to GC servers in all
domains in the forest. The Configuration NC and Schema NC are fully
replicated between domains within the forest.

Replication is pretty complex and can't really be summed up this simply.
I suggest you take a look at Replmon and Repadmin from the resource kit
(or are they in the support tools?). Also you can turn NTDS diagnostics on
to log replication events and really see what's going on. Definitely
take a look at the info in the resource kit on replication in the
distributed systems guide. There is a ton of info out there.

Kevin

-Original Message-
From: ZAD Forum for Active Directory [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 28, 2003 7:08 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Domain Replication Question.

We are doing our DNS/Domain design for AD, and having a discussion here, and
the question that we have here is what gets replicated during AD
replication? Does all of the AD dbase get replicated between sites or just
changes? Does all of the AD dbase get replicated between child domains or is
it just changes?

John M. Strongosky
San Diego Community College District Email Administrator
Phone: 619.388.6725
"8bits down a wire, spoken words fly away, while written word's stay on"
Remember 9/11, In an Atom Bomb, Chemical, and Biological Detonation
we are all Downwinder's...

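The three things Kevin separates (the domain naming context that stays inside the domain, the partial attribute set that goes to every global catalog, and the Configuration and Schema contexts that go everywhere) can be listed from a DC. The script below is an added example, not from the posts; it uses the ActiveDirectory module, which postdates the thread (Windows Server 2008 R2), and assumes it runs on a domain controller. No names are assumed.

```powershell
# Added example (not from the list posts): on a DC, show the partitions held
# locally, the attributes that leave the domain through the GC, and which
# partner supplies each partition. Needs the ActiveDirectory module.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# Naming contexts on this DC: the domain NC (replicated only within the
# domain), Configuration and Schema (forest-wide), plus application partitions.
function Get-NamingContexts { $rootDse.namingContexts }

# Attributes flagged isMemberOfPartialAttributeSet are copied to every GC in
# the forest, so adding an attribute to the PAS widens who can read it from
# any domain. A confidential attribute (searchFlags bit 128) is the lever for
# narrowing that back.
function Get-PartialAttributeSet {
    Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                 -LDAPFilter '(isMemberOfPartialAttributeSet=TRUE)' `
                 -Properties lDAPDisplayName, searchFlags |
        Select-Object lDAPDisplayName,
                      @{ n = 'Confidential'; e = { ($_.searchFlags -band 128) -ne 0 } } |
        Sort-Object lDAPDisplayName
}

# Inbound partners per partition. On a non-GC, a partner from another domain
# should show up only for the Configuration and Schema partitions.
function Get-InboundPartners {
    Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -PartnerType Inbound -Partition '*' |
        Select-Object Partition, Partner, LastReplicationSuccess, LastReplicationResult
}

Get-NamingContexts
Get-PartialAttributeSet | Format-Table -AutoSize
Get-InboundPartners    | Format-Table -AutoSize
```

The PAS listing is worth diffing against a saved copy now and then: a schema admin quietly ticking "Replicate this attribute to the Global Catalog" on an attribute that holds something sensitive is a change that otherwise leaves no trace outside the schema partition.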

RE: [ActiveDir] Remove the ability to create computer accounts in the computer container

2003-02-26 Thread Sullivan, Kevin
You may want to look into changing the default msDS-MachineAccountQuota.
This setting allows any user to create 10 computer accounts by default.
You can change this via a script, LDP or ADSI edit. If you change the
default value to 0 then your delegation model will probably work but the
default behavior will be changed.

It may work...

Kevin

-Original Message-
From: Greg Felzer [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 26, 2003 11:28 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Remove the ability to create computer accounts in
the computer container

Hello,

Maybe the collective minds here can come up with something.

I have given a group (Join Computers to the Domain group) the rights to
join computers to the domain through the Default Domain policy. Only this
group has rights to join computers to the domain.

I have created a web page that creates a computer account (it checks first
to make sure the computer account does not exist) based upon department
specific input from the user. Once the account is created the user names
his computer the same as the computer account and joins the domain.

The problem I am having is that some of the users that are members of the
Join Computers to the Domain group are not using the web page. They are
using My Network Places, Advanced, Network Identification, etc. to join
the domain. This creates a computer account in the Computers container.
When this happens I get a computer account showing up in the Computers
container that I do not know what department it belongs to.

My solution (that does not work) was to remove all rights (including
System rights) to the Computers container. I figured without rights they
would not be able to create the computer accounts. This did not work so I
denied the ability to create all child objects for the Join Computers group
in the Computers container. This did not work so I denied the right for
Everyone. Also did not work.

Any ideas on how to prevent all users from creating computer objects in
the Computers container?

Thanks
Greg



Greg Felzer
MCSE NT4, MCSE 2000, CCA, CCNA, CNA
Senior Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina


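Kevin's suggestion, as an added PowerShell example that is not from the posts: read and clamp ms-DS-MachineAccountQuota, and use mS-DS-CreatorSID to see which accounts were created through the quota. It needs the ActiveDirectory module (Windows Server 2008 R2 and later; the thread predates it) and assumes the domain the session is logged on to. The quota path is also why Greg's deny ACEs on the Computers container changed nothing: a join made under the default quota is not subject to the container's ACL the way a delegated create is, and the object is stamped with the joining user's SID in mS-DS-CreatorSID instead. With the quota at 0, only principals that hold Create Computer Objects on an OU (his web page's account, or a delegated group) can add machines.

```powershell
# Added example (not from the list posts): inspect and clamp the quota, then
# list computer accounts that were created through it. Requires RSAT's
# ActiveDirectory module; the domain comes from Get-ADDomain.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    $dn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Set-MachineAccountQuota {
    param([ValidateRange(0, 1000)][int]$Quota = 0)
    $dn = (Get-ADDomain).DistinguishedName
    # 0 removes the "any authenticated user may create 10 accounts" default.
    # From then on joins need an explicit Create Computer Objects grant on the
    # target OU (or a pre-created account the user has rights to).
    Set-ADDomain -Identity $dn -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
}

# Accounts created via the quota carry mS-DS-CreatorSID naming the user who
# joined the machine; accounts created by a delegated admin or a provisioning
# script do not. That makes the attribute a cheap audit trail for the unnamed
# objects in the Computers container.
function Get-QuotaCreatedComputers {
    param([string]$SearchBase = (Get-ADDomain).ComputersContainer)
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -SearchBase $SearchBase `
                   -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        # The attribute is stored as a binary SID.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        $who = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
               catch { $sid.Value }   # creator no longer resolvable
        [pscustomobject]@{ Computer = $_.Name; CreatedBy = $who; WhenCreated = $_.whenCreated }
    }
}

"Current quota: $(Get-MachineAccountQuota)"
Get-QuotaCreatedComputers | Sort-Object WhenCreated | Format-Table -AutoSize
# Set-MachineAccountQuota -Quota 0   # once the delegated join path is in place
```

Run the audit first and set the quota second: the list of CreatedBy names tells you who has been joining machines outside the sanctioned path, and zeroing the quota before those people have a working alternative just moves the complaints to the helpdesk.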

RE: [ActiveDir] Decrypt Files from a no longer existing domain

2003-02-03 Thread Sullivan, Kevin
If you can't find the cert that encrypted them or the cert for the Data
Recovery Agent (DRA) (usually the domain admin) you are out of luck.

The key to open the data is stored in the headers of the file and it is
locked up with the private key for the user who encrypted it and the
private key for the DRA. The data is encrypted symmetrically. 

You may find those keys exist somewhere even though the domain doesn't
exist anymore. You should be able to recover with them.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
Sent: Monday, February 03, 2003 11:33 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Decrypt Files from a no longer existing domain

How can I decrypt some files that I did not know were encrypted when I
decommissioned the last DC in that old domain. I have tried restoring them
to a FAT partition and I can open them but there is no data in them. Any
help would be appreciated.


Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 




RE: [ActiveDir] Decrypt Files from a no longer existing domain

2003-02-03 Thread Sullivan, Kevin
I am not positive but if the domain admin had logged into a workstation
at some point the cert may be in that profile. I would have to go to the
RK to find the specific location. The recovery of encrypted docs is
thoroughly documented. I just did a TechNet search and found reams of
info I am sure there is something in there for you to look at.



-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
Sent: Monday, February 03, 2003 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Decrypt Files from a no longer existing domain

I should mention that these files were encrypted by accident by the user by
checking the box "encrypt contents" while looking at the properties of the
folder. Where could I get the DRA from if the domain doesn't exist, restore
the domain on a workstation?

 -Original Message-
From:   Sullivan, Kevin [mailto:[EMAIL PROTECTED]] 
Sent:   Monday, February 03, 2003 11:37 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Decrypt Files from a no longer existing
domain

If you can't find the cert that encrypted them or the cert for the Data
Recovery Agent (DRA) (usually the domain admin) you are out of luck.

The key to open the data is stored in the headers of the file and it is
locked up with the private key for the user who encrypted it and the
private key for the DRA. The data is encrypted symmetrically. 

You may find those keys exist somewhere even though the domain doesn't
exist anymore. You should be able to recover with them.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
Sent: Monday, February 03, 2003 11:33 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Decrypt Files from a no longer existing domain

How can I decrypt some files that I did not know were encrypted when I
decommissioned the last DC in that old domain. I have tried restoring them
to a FAT partition and I can open them but there is no data in them. Any
help would be appreciated.


Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 




RE: [ActiveDir] Decrypt Files from a no longer existing domain

2003-02-03 Thread Sullivan, Kevin
www.microsoft.com
www.google.com
www.rtfm.com
www.YouAreProbablyNotGoingToGetTheFilesBack.com
www.DontWasteYourTime.org

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
Sent: Monday, February 03, 2003 12:39 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Decrypt Files from a no longer existing domain

I looked in the profile on the server at the Administrator's profile under
Documents and Settings; there is a Crypto folder that contains a folder with
a SID/GUID as the name of the folder. Inside there are three system files.
I am assuming that this is not the location, however is there a place I can
look thru the RK online?


 -Original Message-
From:   Sullivan, Kevin [mailto:[EMAIL PROTECTED]] 
Sent:   Monday, February 03, 2003 12:08 PM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Decrypt Files from a no longer existing
domain

I am not positive but if the domain admin had logged into a workstation
at some point the cert may be in that profile. I would have to go to the
RK to find the specific location. The recovery of encrypted docs is
thoroughly documented. I just did a TechNet search and found reams of
info I am sure there is something in there for you to look at.



-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
Sent: Monday, February 03, 2003 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Decrypt Files from a no longer existing domain

I should mention that these files were encrypted by accident by the user by
checking the box "encrypt contents" while looking at the properties of the
folder. Where could I get the DRA from if the domain doesn't exist, restore
the domain on a workstation?

 -Original Message-
From:   Sullivan, Kevin [mailto:[EMAIL PROTECTED]] 
Sent:   Monday, February 03, 2003 11:37 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Decrypt Files from a no longer existing
domain

If you can't find the cert that encrypted them or the cert for the Data
Recovery Agent (DRA) (usually the domain admin) you are out of luck.

The key to open the data is stored in the headers of the file and it is
locked up with the private key for the user who encrypted it and the
private key for the DRA. The data is encrypted symmetrically. 

You may find those keys exist somewhere even though the domain doesn't
exist anymore. You should be able to recover with them.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
Sent: Monday, February 03, 2003 11:33 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Decrypt Files from a no longer existing domain

How can I decrypt some files that I did not know were encrypted when I
decommissioned the last DC in that old domain. I have tried restoring them
to a FAT partition and I can open them but there is no data in them. Any
help would be appreciated.


Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 



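Kevin's description of the file header is exactly what decides whether Justin's files are recoverable: the per-file encryption key is wrapped once for each user certificate (the data decryption field) and once for each recovery agent certificate (the data recovery field), so the file opens with any one of those private keys and with nothing else. The script below is an added example, not from the posts, that lists those thumbprints per file with cipher.exe /c and checks whether any matching private key is present in the current user's store (where an imported .pfx from an old profile or a DRA export would land). The path is hypothetical, its parsing of cipher.exe's text output is an assumption about that output's layout, and /c is the Vista-and-later form of the XP-era efsinfo.exe from the resource kit.

```powershell
# Added example (not from the list posts): which certificates can unwrap the
# file encryption key of each EFS file under a path, and whether this machine
# holds a private key for any of them. Path is a placeholder; the parser's
# view of cipher.exe /c output is an assumption.
function Get-EfsKeyHolders {
    param([string]$Path = 'C:\Recovered\OldDomainData')
    # cipher /c prints, per encrypted file ("E <name>"), a "Users who can
    # decrypt" block (DDF) and a "Recovery Certificates" block (DRF); each
    # entry is followed by a "Certificate thumbprint:" line.
    $out = & cipher.exe /c /s:$Path
    $file = $null; $field = $null
    foreach ($line in $out) {
        if     ($line -match '^\s*E\s+(\S.*)$')       { $file = $Matches[1].Trim(); $field = $null }
        elseif ($line -match 'Users who can decrypt')  { $field = 'DDF' }
        elseif ($line -match 'Recovery Certificates')  { $field = 'DRF' }
        elseif ($file -and $field -and $line -match 'thumbprint:\s*([0-9A-Fa-f ]+)$') {
            [pscustomobject]@{
                File       = $file
                Field      = $field
                Thumbprint = ($Matches[1] -replace '\s', '').ToUpper()
            }
        }
    }
}

function Test-EfsRecoverable {
    param([string]$Path = 'C:\Recovered\OldDomainData')
    # Thumbprints with a private key in the current user's personal store.
    $mine = Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey |
            ForEach-Object { $_.Thumbprint.ToUpper() }
    Get-EfsKeyHolders -Path $Path | Group-Object File | ForEach-Object {
        $ddf = @($_.Group | Where-Object Field -eq 'DDF' | ForEach-Object Thumbprint)
        $drf = @($_.Group | Where-Object Field -eq 'DRF' | ForEach-Object Thumbprint)
        [pscustomobject]@{
            File           = $_.Name
            UserCerts      = $ddf -join ','
            RecoveryCerts  = $drf -join ','
            CanDecryptHere = [bool](($ddf + $drf) | Where-Object { $mine -contains $_ })
        }
    }
}

Test-EfsRecoverable | Format-Table -AutoSize
```

The thumbprints are what to hunt for in old profiles, backups and exported .pfx files; a certificate with the right thumbprint but no private key is useless. If no private key for any DDF or DRF thumbprint survives anywhere, the files are gone, which is the conclusion Kevin reaches above. Going forward, cipher /x backs up a user's EFS certificate and key, and cipher /r generates a recovery agent key pair that should be exported and stored offline before any domain is decommissioned.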

RE: [ActiveDir] E2K and DC

2003-01-23 Thread Sullivan, Kevin
Perfect rebuttal Rick. I totally agree. Execs hate the idle threat and from my experience 
they usually take it as a challenge. There are so many positives to point to when 
selling the idea of Win2k/2003 that using the fact that you may lose (perceived) 
support doesn't carry much weight. I do a lot of work with the government and DOD and 
they know that regardless of where they are in the process of moving forward they will 
not lose support from MS. They are too important to MS for them to just simply drop 
support for NT. I am sure support will end but some high end customers of MS's will 
continue with the relationships that they have and be OK. With that said, I really 
don't think anyone out there is thinking of staying on NT 4.0 indefinitely, but then 
again I don't quite get why I see so much Netware 3.12 out there still (definitely 
another thread). The technology is compelling, and if I continue to move 
forward and support the future Windows world, I will lower the costs of my network. 
Supporting NT 4.0 is much more expensive than Win2k, period. There are many case 
studies on MS's site to look at where organizations have done detailed research into 
how much it will save them to move forward and this allows them to see the ROI. 
Numbers, not threats, help executives see the future and value of new technologies. 

I agree with Rick, find the case studies on MS's site that specify exactly where 
organizations are finding compelling value in new technologies and sell that. 
http://www.microsoft.com/windows2000/server/evaluation/casestudies/default.asp (That 
URL may wrap...)

Lastly the best way to convince someone that new technology is better is to believe 
that new technology is better by understanding exactly where it is better. Do a 
detailed analysis of your pains in day to day work and see exactly where Win2k/2003 
addresses those pains and makes them better. 

Kevin

See the ball Danny, be, be the ball Danny... I'm a veg Danny. - Chevy Chase

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 23, 2003 9:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] E2K and DC

All,

I've held my tongue on this issue (NT 4.0 retirement as a justification) because I 
think there is merit to it - but in a very negative and damaging way.  There is 
another way - using the same method, but turning it positive.

Executives NEVER like to be backed into a corner.  And, to say that Microsoft has 
backed them into a corner is not correct.  This life-cycle timeline for Win95 and 
Windows NT 4.0 has been advertised for some time.  18 mos to 2 years comes to mind.  
And, regardless - the idea that they WOULD maintain both NT 4.0 and 2000, with 2003 
coming is a bit inane anyway.

Your tactics would be much more successful AND retain a stronger relationship with 
Microsoft if you were to sell them (as well as the rest of your tech staff) on the 
power, flexibility, TCO, ROI (yes - they are there if you know what to measure) of 
MOVING to Windows 2000 rather than threatening them with gloom and doom of ending 
support.  Or, you could just tell them that you won't have to re-boot the NT 4.0 
machines on a regular schedule because the reliability on Windows 2000 is just THAT 
much better.

No one wants to hear that they MUST move to (insert whatever here) or you won't have 
any support.  Firstly, I know this to be a bit of a misnomer.  Define support and what 
it means to your organization.  Are you calling Microsoft regularly with support 
problems? No - most of you seem to come here and save the money .  Are you worried 
about the lack of patches?  Hmmm.  That's an issue, if you really are applying them 
timely.  But, how many showstoppers have come out for NT of late?  There is no, and 
will be no Service Pack 7.  Oh, but we've known that for some time.  Did we go 
bludgeon the Executives at that time?  Nope.  We waited until the last minute.

If any of your executives are savvy enough to do just a little bit of research, they 
will find out that we've known about this obsolescence for more than a month or two.  
Their first question would likely be along the lines of 'Why didn't you tell me this 
last year - or the year before when you knew or suspected this was going to be a 
problem?'

That's the really TOUGH question to answer.  And for those of you that have NOT been 
priming the pump on this, better have a good explanation before you go in with tales 
of horror.

For most companies, it's a bit late to budget for a major migration.  I'm not saying 
not to justify it.  I just would caution all to not use negative tactics as your 
primary motivator.  Believe me - most execs are a lot more intelligent than you are 
giving them credit for.  ;o)

Oh, and lastly - if you can't get it done until 2004 Calendar / fiscal year - big 
deal.  Support is going to be available.  I know that a cottage industry is going to 
spring up or 

RE: [ActiveDir] Replmon Errors

2003-01-23 Thread Sullivan, Kevin
Go to HKLM\System\CCS\Services\NTDS\Diagnostics and set the Replication
Events value to 5. Then force replication. This will log all kinds of
replication info into the NTDS log that may help you to troubleshoot. I
don't have any references to the specific error off hand but thought
this may be helpful.

Kevin

-Original Message-
From: Devan Pala [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 23, 2003 3:22 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Replmon Errors

Hi All,

I have the following errors occurring between 2 sites (inter-site)
between 2 domains (root and child).

Errors appear on the root DC (also a GC, and Preferred Bridgehead for
Site1).

In Site2, a preferred Bridgehead (also a GC) does not show errors.

Funny thing is only the Configuration container and the domain partition
containers show errors; the schema container is OK from Site1 to Site2.
---
Directory Partition: CN=Configuration,DC=root,DC=xyz,DC=com

Partner Name: SITE2\DC02
Partner GUID: E720D134-68AF-4BB3-87F0-7BD787D135D2
Last Attempted Replication: 1/23/2003 1:24:14 PM (local)
Last Successful Replication: 1/23/2003 1:24:14 PM (local)
Number of Failures:  15
Failure Reason Error Code:  1908
Failure Description: Could not find the domain controller for this
domain.
Synchronization Flags:
DRS_WRIT_REP,DRS_PER_SYNC,DRS_USE_COMPRESSION,DRS_NEVER_NOTIFY
USN of Last Property Updated:  0
USN of Last Object Updated:  0
Transport: Inter-Site RPC

Partner Name: SITE2\DC01
Partner GUID: 4ABEADA8-7373-48CA-8887-C235CE3EC908
Last Attempted Replication: 1/23/2003 1:36:16 PM (local)
Last Successful Replication: 1/23/2003 1:36:16 PM (local)
Number of Failures:  7
Failure Reason Error Code:  1726
Failure Description: The remote procedure call failed.
Synchronization Flags: 
DRS_WRIT_REP,DRS_PER_SYNC,DRS_USE_COMPRESSION,DRS_NEVER_NOTIFY
USN of Last Property Updated:  0
USN of Last Object Updated:  0
Transport: Inter-Site RPC


I have looked for articles etc. for the following errors:

Failure Description: Could not find the domain controller for this
domain.

Failure Description: The remote procedure call failed.

I have verified the trust relationships between the domains (transitive
between parent-child), there are no errors in the event logs, DNS
resolution works, connectivity is good (122ms average).

Please Help.
Thanks,


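Kevin's registry change, done and undone in one script: an added example, not from the posts. The value lives under the NTDS\Diagnostics key and is named "5 Replication Events" (the value names carry their number); 5 is the most verbose level. It has to run on the DC, and the repadmin switches used are the standard ones. Nothing else is assumed.

```powershell
# Added example (not from the list posts): raise NTDS replication logging on a
# DC, force a sync, collect what was logged and put the level back. Run on the
# DC itself. Level 5 is very chatty; never leave it on.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$name = '5 Replication Events'    # the value name includes the leading number

function Get-ReplicationLogLevel {
    (Get-ItemProperty -Path $key -Name $name).$name
}
function Set-ReplicationLogLevel {
    param([ValidateRange(0, 5)][int]$Level)
    Set-ItemProperty -Path $key -Name $name -Value $Level -Type DWord
}

function Invoke-ReplicationTrace {
    param([string]$OutFile = "$env:TEMP\ntds-replication-$(Get-Date -Format yyyyMMdd-HHmmss).csv")
    $previous = Get-ReplicationLogLevel
    $since    = Get-Date
    try {
        Set-ReplicationLogLevel -Level 5
        # Sync every partition (/A) with partners across sites (/e) and push
        # our changes out as well (/P). Failures are reported per partner.
        & repadmin.exe /syncall /A /e /P
        # Everything the Directory Service log received since the level went up.
        Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; StartTime = $since } `
                     -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message |
            Export-Csv -Path $OutFile -NoTypeInformation
        $OutFile
    }
    finally {
        Set-ReplicationLogLevel -Level $previous   # restore even if repadmin fails
    }
}

Invoke-ReplicationTrace
```

Before turning the level up at all, repadmin /showrepl /errorsonly and repadmin /replsummary give the same failure codes Replmon shows (1908 and 1726 in Devan's case) for every partner in one listing; the verbose trace is for when those tell you which partner fails but not why.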


RE: [ActiveDir] Child Domain Programming.

2003-01-23 Thread Sullivan, Kevin
Definitely not the whole issue, but in your code at the bottom 'Users' is
not OU=Users, it is CN=Users... Also, when you say PDC, I have to assume
you are talking about the PDC emulator and not a PDC, but if you are looking
at an NT DC make sure you test your code with WinNT:// as well as
LDAP://. You will see different results. The latest I saw was when using
the WinNT provider to look at a computer account in AD the class comes
back as User whereas when you use the same script using LDAP:// as the
provider the class comes back as computer.

-Original Message-
From: Stephens, Brendan [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 23, 2003 3:02 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Child Domain Programming.


Continuing from Justin's Post:

Currently our intranet user management system is completely based on
LDAP and ADSI.

Our organization is now breaking up our initial server into a
parent/child domain structure. I will use PDC for the name of the domain
controller, DOMAIN for our DNS name and CHILD for the child domain.

If I specify the child domain in the programming as either:
Set ADS = GetObject("LDAP://DC=CHILD,DC=DOMAIN,DC=com")

or

Set ADS = GetObject("LDAP://CHILD.DOMAIN.com/DC=CHILD,DC=DOMAIN,DC=com")

It only returns the object as domainDNS and will not list any child 
objects.

The object(s) we are interested in are in a child domain of the PDC on
which the script runs.

For example, I have no problems retrieving the Users container from the
PDC, but if I want the Users container from the child domain controller
(LDAP://CHILD.DOMAIN.com/OU=USERS,DC=CHILD,DC=DOMAIN,DC=com), using
either of the specified paths, it gives me a "path not found"
error... 80072030

The script is running as Administrator, so permissions should not be an
issue.



[ActiveDir] NTDS Diagnostics...

2002-12-27 Thread Sullivan, Kevin

I recall the ability to add a value to the NTDS\Diagnostics registry key on
a DC to be able to log information pertaining to management of objects in
AD. Of course after I told someone about this I can't seem to find it
anywhere. What I remember is it is a value that is not present by default
and that when you add it you have the same values that you would have for
the other NTDS diagnostics (0-5).

It would log information on who made what types of modifications on objects
in AD. I remember it being similar to the replication entries that specify
metadata that is negotiated for replication amongst replication partners.

tia

Kevin Sullivan


RE: [ActiveDir] Gathering Computer Account Info via script

2002-12-16 Thread Sullivan, Kevin
Hello Chris,

I have recently been playing with something similar to this. I used ADSI
to iterate through an OU and find the computer objects and then use WMI
to connect to those systems and query more specific info from the WMI
repository. I can try to dig up some chicken scratch I have laying
around but am confident by the time I do one of the gurus on this list
will post your solution. I will try though.

Kevin

-Original Message-
From: England, Christopher M [mailto:[EMAIL PROTECTED]] 
Sent: Monday, December 16, 2002 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Gathering Computer Account Info via script

In response to my own message, I found a VB script in the 2000 resource
kit called listproperties.vbs which can enumerate information about a
computer object in the AD. However, I need to do this for all computer
objects in an entire OU (with possible subOUs).

Thanks again for any help!

Chris

-Original Message-
From: England, Christopher M 
Sent: Monday, December 16, 2002 9:56 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Gathering Computer Account Info via script


Greetings all,

I need to query a portion of the Active Directory (the OUs that I
control) and get a list of computer objects and some associated data
(Operating System name and version, for example). Can I do this with
VBS/WSH?

Thanks in advance for any help!

Chris


Christopher England
Server Administrator
College Information Technology Office
Indiana University

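The ADSI-then-WMI approach Kevin mentions, as an added PowerShell example; it is not his script, which he did not post. The OU DN is hypothetical. It uses DirectorySearcher directly, so no RSAT module is needed, and Get-WmiObject over DCOM, which is what Windows 2000/XP hosts of the time answer. Comparing the operatingSystem attribute stored in AD with the live value from the host is where this kind of inventory earns its keep: a mismatch or an unreachable host is a stale or reused computer object, and those are the ones to review.

```powershell
# Added example (not from the list posts): enumerate computer objects under
# an OU and its sub-OUs with an ADSI search, then query each host over WMI
# and compare. The OU DN is a placeholder.
function Get-ComputersInOu {
    param([string]$OuDn = 'OU=Workstations,DC=corp,DC=example,DC=com')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$OuDn"
    $searcher.SearchScope = 'Subtree'                 # include sub-OUs
    $searcher.Filter      = '(objectCategory=computer)'
    $searcher.PageSize    = 500                       # paged: more than 1000 objects is fine
    'cn', 'dNSHostName', 'operatingSystem', 'operatingSystemVersion' |
        ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties                            # keys come back lower-cased
        [pscustomobject]@{
            Name    = [string]($p['cn']                     | Select-Object -First 1)
            FQDN    = [string]($p['dnshostname']            | Select-Object -First 1)
            AdOS    = [string]($p['operatingsystem']        | Select-Object -First 1)
            AdOSVer = [string]($p['operatingsystemversion'] | Select-Object -First 1)
        }
    }
}

function Get-LiveInventory {
    param([string]$OuDn = 'OU=Workstations,DC=corp,DC=example,DC=com')
    foreach ($c in Get-ComputersInOu -OuDn $OuDn) {
        $target = if ($c.FQDN) { $c.FQDN } else { $c.Name }
        $row = [ordered]@{ Name = $c.Name; AdOS = $c.AdOS; LiveOS = $null
                           LiveVersion = $null; Reachable = $false; Note = '' }
        if (Test-Connection -ComputerName $target -Count 1 -Quiet) {
            try {
                # Win32_OperatingSystem over DCOM; needs local admin on the target.
                $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $target -ErrorAction Stop
                $row.Reachable   = $true
                $row.LiveOS      = $os.Caption
                $row.LiveVersion = $os.Version
                if ($c.AdOS -and $os.Caption -notlike "*$($c.AdOS)*") {
                    $row.Note = 'AD operatingSystem disagrees with host'
                }
            }
            catch { $row.Note = "WMI: $($_.Exception.Message)" }
        }
        else { $row.Note = 'no ICMP reply' }
        [pscustomobject]$row
    }
}

Get-LiveInventory | Format-Table -AutoSize
```

The AD side alone answers Chris's question (listproperties.vbs for a whole subtree); the WMI side is what makes the list trustworthy, since operatingSystem in AD is whatever the machine last wrote there and is never cleaned up when a box is rebuilt or retired.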


RE: [ActiveDir] Replication Satellite Links

2002-11-15 Thread Sullivan, Kevin

I am guessing you have but just in case. Have you looked for
recommendations from the Branch Office Guide?

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/deploy/adguide/DEFAULT.asp

I have found it pretty helpful. I am interested in the answer to Roger's
question as well, why is SMTP not an option?

Kevin

-Original Message-
From: David Rudolph [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 14, 2002 5:58 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Replication Satellite Links

Our company is considering options for supporting a new branch office
location. Connectivity to the office can only be accomplished via a
satellite link. I'm aware of the problems of RPC-based replication over
high latency links. SMTP-based replication is not an option. The link in
question would be 512K. My question is does anybody know the threshold
where latency will begin to adversely affect replication? I'd like to be
able to tell management that we could live with x latency but nothing
more.

Thanks in advance.

David Rudolph
Anadarko Petroleum Corporation


RE: [ActiveDir] AD Move Users script

2002-11-14 Thread Sullivan, Kevin

LDAP://cn=users,dc=ntdev3,dc=KEMET,dc=com

Users is not an OU

-Original Message-
From: Jones, Rick J.(Desktop Engineering) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 13, 2002 2:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Move Users script

You can not use VBNullString in VBScript.

Try this;

Set objOU = GetObject("LDAP://ou=users,dc=NTDEV3,dc=KEMET,dc=com")
objOU.MoveHere "LDAP://cn=Gberar1,OU=ACCT,dc=NTDEV3,dc=KEMET,dc=com", "cn=Gberar1"

Rick J. Jones
-(NDE) National Desktop Engineering
-http://nits.attws.com/dte
-Headquarters RTC4 LAB 2461D
-Exchange IM ID:[EMAIL PROTECTED]
-Phone 425-580-8061

-Original Message-
From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 13, 2002 8:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD Move Users script

I am working on a script to move users from the default users container
to OU's that we specify. The goal is to be able to run an nlist from Novell to
a text file and then have the script move the users in each text file to their
designated OU's. I have looked around at a couple different places and have not
found anything like this. Below is the script I was trying to use from
Microsoft's scripting center, but I receive an error when I run it that
states object does not exist on the specified server. I checked in ADUC and the
ID is there, so I am not sure why it cannot find it.

Set objOU = GetObject("LDAP://ou=users,dc=NTDEV3,dc=KEMET,dc=com")
objOU.MoveHere _
    "LDAP://cn=Gberar1,OU=ACCT,dc=NTDEV3,dc=KEMET,dc=com", vbNullString

I have tried adding cn=Gberar1 to the beginning of the first statement and this does
not help. I am sure it is something simple that I am missing but I cannot
figure it out. Any help would be greatly appreciated.

Thanks

John Hicks | KEMET Electronics Corporation | Network Engineer
Phone: 864-228-4473 | E-mail: [EMAIL PROTECTED] | AOL IM: ipaq1978
[ Mailing: 2835 KEMET Way Simpsonville, SC 29681 USA ]
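Kevin's point is that the default Users container is CN=Users, a container object and not an organizational unit, so a bind to ou=users fails with "object does not exist" even though the user is visible in ADUC. The Python below is an added example, not the scripting-center code or anything posted in this thread: it checks a destination DN against a small constructed directory, reports the usual naming-attribute mix-up with the DN that does exist, and produces the arguments IADsContainer.MoveHere expects. The directory entries and the helper names are assumptions made for the example.

```python
"""Resolve a MoveHere destination against the directory before moving.

Active Directory DN values compare case-insensitively, but the naming
attribute is part of the name: ou=users and cn=users are different
objects.  DIRECTORY below is constructed for this example.
"""


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, left to right."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def normalize(dn: str) -> str:
    """Canonical lower-case form used for comparisons."""
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))


# Constructed directory (not real data): DN -> objectClass.  The default
# Users container is a "container" object named by cn, not an OU.
DIRECTORY = {
    "CN=Users,DC=NTDEV3,DC=KEMET,DC=com": "container",
    "OU=ACCT,DC=NTDEV3,DC=KEMET,DC=com": "organizationalUnit",
    "CN=Gberar1,OU=ACCT,DC=NTDEV3,DC=KEMET,DC=com": "user",
}


def resolve_container(target_dn: str, directory: dict = DIRECTORY) -> str:
    """Return the existing DN matching target_dn, or explain why it does not."""
    wanted = normalize(target_dn)
    by_norm = {normalize(dn): dn for dn in directory}
    if wanted in by_norm:
        return by_norm[wanted]
    # Same path with a different naming attribute: the mistake in the thread.
    wanted_vals = [v for _, v in parse_dn(wanted)]
    for norm, dn in by_norm.items():
        if [v for _, v in parse_dn(norm)] == wanted_vals:
            raise LookupError(
                f"{target_dn!r} does not exist; did you mean {dn!r} "
                f"(objectClass {directory[dn]})?")
    raise LookupError(f"{target_dn!r} does not exist on the server")


def move_here_args(user_dn: str, target_dn: str,
                   directory: dict = DIRECTORY) -> tuple[str, str, str]:
    """Build (destination ADsPath, source ADsPath, new RDN) for MoveHere.

    In VBScript this is: Set objOU = GetObject(dest) : objOU.MoveHere src, rdn
    """
    if normalize(user_dn) not in {normalize(dn) for dn in directory}:
        raise LookupError(f"{user_dn!r} does not exist on the server")
    container = resolve_container(target_dn, directory)
    user_attr, user_val = parse_dn(user_dn)[0]
    if user_attr != "cn":
        raise ValueError("user objects are named by cn")
    return (f"LDAP://{container}", f"LDAP://{user_dn}", f"cn={user_val}")


if __name__ == "__main__":
    try:
        resolve_container("ou=users,dc=NTDEV3,dc=KEMET,dc=com")
    except LookupError as err:
        print(err)
    print(move_here_args("cn=Gberar1,OU=ACCT,dc=NTDEV3,dc=KEMET,dc=com",
                         "cn=Users,dc=NTDEV3,dc=KEMET,dc=com"))
```

Run stand-alone it first prints the "did you mean CN=Users,..." diagnosis for the ou=users path from the thread, then the three strings a corrected script would pass.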
[ActiveDir] OT: Receiving Posts out of order

2002-11-08 Thread Sullivan, Kevin

Sorry for the way off topic but I seem to receive some responses before I
get the original posts. Hours apart. Also sometimes when I post I don't see
the post for a few hours. Is anyone else experiencing this and any
suggestions?

Thanks

Sent at 1:20 PM 11/8/02

RE: [ActiveDir] Password change issue

2002-11-08 Thread Sullivan, Kevin

Also if they are legacy (9x) clients make sure they have the DSClient
setup. This will allow them to change PW at any DC. Without it they need to
be talking to the PDC emulator.

Kevin

-Original Message-
From: cflesher [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 08, 2002 1:25 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password change issue

I can change anyone's password from one of the DC's. However, none of our
users can change their password from a client machine. It keeps saying that
it is unable to change password at this time. Anyone know why it would do
this? Replication is fine and all FSMO roles are up and talking.

Chris Flesher

The University of Chicago

NSIT/DCS

1-773-834-8477

RE: [ActiveDir] which attribute to use for disabled account

2002-11-06 Thread Sullivan, Kevin
How about this...


Option Explicit

Dim objUser
Dim objAccountDisabled

' Bind to the user object; replace the DN with the account to check
Set objUser = GetObject("LDAP://CN=User,DC=Domain,DC=MSFT")

' IADsUser.AccountDisabled reflects the ACCOUNTDISABLE bit of userAccountControl
If objUser.AccountDisabled = True Then
  objAccountDisabled = "Yes"
Else
  objAccountDisabled = "No"
End If

WScript.Echo objAccountDisabled
**

-Original Message-
From: pio eqbal [mailto:eqbalpio;yahoo.com] 
Sent: Wednesday, November 06, 2002 12:30 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] which attribute to use for disabled account

Hi,

is there an attribute in the user class, that I can
use in the LDAP query to find if the user account is
disabled? If so what is the name of the attribute?

Thanks
Eqbal


__
Do you Yahoo!?
HotJobs - Search new jobs daily now
http://hotjobs.yahoo.com/
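The AccountDisabled property in Kevin's script is a view of one bit (0x2, ACCOUNTDISABLE) in the user's userAccountControl attribute, which is the attribute Eqbal asked for. The Python below is an added example, not code from this thread: it builds the LDAP filter that returns only disabled user accounts (using the bitwise-AND matching rule, so no per-object bind is needed) and runs the same bit test over a few constructed sample entries. The account names and flag values in SAMPLE_USERS are made up; the flag constants and the matching-rule OID are the documented ones.

```python
"""Find disabled AD accounts from userAccountControl.

IADsUser.AccountDisabled is a property wrapper over one bit of the
userAccountControl attribute, so the same answer is available to an
LDAP search across the whole domain.  SAMPLE_USERS is constructed for
this example.
"""

# Documented ADS_USER_FLAG bit values (subset).
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_PASSWD_NOTREQD = 0x0020
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

# LDAP_MATCHING_RULE_BIT_AND: matches when every bit of the value is set.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

FLAG_NAMES = {
    ADS_UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    ADS_UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    ADS_UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    ADS_UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
}


def is_disabled(user_account_control: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set (what AccountDisabled returns)."""
    return bool(user_account_control & ADS_UF_ACCOUNTDISABLE)


def disabled_user_filter() -> str:
    """LDAP filter that returns only disabled user accounts, server-side."""
    return (f"(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{BIT_AND_RULE}:={ADS_UF_ACCOUNTDISABLE}))")


def describe_flags(user_account_control: int) -> list[str]:
    """Names of the known flags set on the value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items())
            if user_account_control & bit]


# Constructed sample entries (not real directory data): sAMAccountName -> UAC
SAMPLE_USERS = {
    "alice": 0x200,          # normal account, enabled
    "bob": 0x202,            # normal account, disabled
    "svc-backup": 0x10200,   # enabled, password never expires
    "olduser": 0x10222,      # disabled, no password required, never expires
}


def audit(users: dict[str, int]) -> dict[str, list[str]]:
    """Disabled accounts and the flags set on each, for review."""
    return {name: describe_flags(uac)
            for name, uac in users.items() if is_disabled(uac)}


if __name__ == "__main__":
    print(disabled_user_filter())
    for name, flags in audit(SAMPLE_USERS).items():
        print(f"{name}: {', '.join(flags)}")
```

The filter string is what you would hand to an LDAP search (for example in the ADUC custom search dialog or an ADO query) to list every disabled user in one round trip instead of binding to each object as the VBScript does.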



RE: [ActiveDir] Biztalk

2002-11-05 Thread Sullivan, Kevin
http://www.microsoft.com/biztalk/

-Original Message-
From: Salandra, Justin A. [mailto:jasalandra;chcsnet.org] 
Sent: Tuesday, November 05, 2002 4:08 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Biztalk

What is Biztalk used for?  My CIO asked me to look at it and I have never
used it before.  Does anyone use it out there?  If so what do you do with
it?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:jasalandra;chcsnet.org 




RE: [ActiveDir] Remote Folder appear local

2002-10-25 Thread Sullivan, Kevin
I am not totally sure what your goal is here. But some things to think
about...

1. Off Line files (of course occasionally they will need access to the
network).
2. Write a script that does a file copy and call it from a logon script.
3. Create a .msi file with SMS Installer or WISE or WinInstall LE that
does a file copy and push the .msi via group policy. (Of course they
will need access to the network.)

How are you expecting to do this without access to the network?
SneakerNet may work <G>...

Kevin

-Original Message-
From: marija efnuseva [mailto:efmar;freemail.com.mk] 
Sent: Friday, October 25, 2002 4:36 AM
To: ActiveDirLista
Subject: [ActiveDir] Remote Folder appear local

I am interested if anyone can tell me how I can put the same files on
all client computers (some users) from my server. Is it possible? If not,
can I make a shared folder on the server visible as a local one to all
my client computers? I mean that they would not have to connect to my
server through the network. I do not want them to have access to the
local network (they should not be able to browse it).

thanks
marija

P.S. Can anyone tell me how can I make backup of my server Windows 2000
Server



RE: [ActiveDir] ADMT v2

2002-10-25 Thread Sullivan, Kevin
Aelita Domain Migration Wizard... (For one)

-Original Message-
From: Salandra, Justin A. [mailto:jasalandra;chcsnet.org] 
Sent: Friday, October 25, 2002 9:24 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ADMT v2

Is there any migration tool that doesn't require the target be in native
mode.

 -Original Message-
From:   Rick Kingslan [mailto:rkingsla;cox.net] 
Sent:   Thursday, October 24, 2002 6:54 PM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] ADMT v2

 erADMT requires that the target be native, too.
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of 
 Salandra, Justin A.
 Sent: Thursday, October 24, 2002 11:18 AM
 To:   '[EMAIL PROTECTED]'
 Subject:  RE: [ActiveDir] ADMT v2
 
 
 But move tree requires that the target domain be in native 
 mode.  I have some places that need to stay in mixed mode.
 
  -Original Message-
 From: Tony Murray [mailto:tony;mail.activedir.org] 
 Sent: Thursday, October 24, 2002 11:38 AM
 To:   [EMAIL PROTECTED]
 Subject:  RE: [ActiveDir] ADMT v2
 
 You've got Movetree to move objects within a Forest.  You 
 don't need to migrate with ADMT.
 
 http://www.winnetmag.com/Articles/Index.cfm?ArticleID=7614
 
 Tony
 
 -- Original Message --
 From: Salandra, Justin A. [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date: Thu, 24 Oct 2002 09:47:56 -0400
 
 So I can use ADMT v2 in a Windows 2000 AD environment to 
 migrate between domains?  Such as parent to child?
 
  -Original Message-
 From: Rick Kingslan [mailto:rkingsla;cox.net] 
 Sent: Wednesday, October 23, 2002 6:50 PM
 To:   [EMAIL PROTECTED]
 Subject:  RE: [ActiveDir] ADMT v2
 
 Version 1 was/is usable in Win2k environments as well - 
 typically cross forest.
 
 From the ADMT v 2.0 README:
 
 Scripting and command-line interface
 Password migration
 Migration log files
 Credentials needed for migration operators
 SID Mapping Files for security translation
 Windows 2000 attribute exclusion
 Agent credentials no longer required
 Fix membership is optional
 
 Rick Kingslan - Microsoft MVP [Windows NT/2000]
   Microsoft Certified Trainer
   MCSA, MCSE+I - Windows NT / 2000
   
 Any sufficiently advanced technology
 is indistinguishable from magic.
   ---  Arthur C. Clarke
 
 
 
 
 
  -Original Message-
  From:   [EMAIL PROTECTED]
  [mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of 
  Salandra, Justin A.
  Sent:   Wednesday, October 23, 2002 10:44 AM
  To: '[EMAIL PROTECTED]'
  Subject:RE: [ActiveDir] ADMT v2
  
  
  What is the difference between ADMT v2 and v1?  Can you use
  the ADMT v2 in a Windows 2000 Active Directory Environment?
  
  Justin A. Salandra, MCSE
  Senior Network Engineer
  Catholic Healthcare System
  914.681.8117 office
  646.483.3325 cell
  [EMAIL PROTECTED]
  
  
   -Original Message-
  From:   Rick Kingslan [mailto:rkingsla;cox.net] 
  Sent:   Monday, October 21, 2002 1:37 PM
  To: [EMAIL PROTECTED]
  Subject:RE: [ActiveDir] ADMT v2
  
  Diane,
  
  Look under the ADMT folder in the I386 directory.
  
  Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000

  Any sufficiently advanced technology
  is indistinguishable from magic.
---  Arthur C. Clarke
  
  
  
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of
  Ayers, Diane
   Sent: Monday, October 21, 2002 12:29 PM
   To:   '[EMAIL PROTECTED]'
   Subject:  [ActiveDir] ADMT v2
   
   
   All:
   
   I'm looking for ADMT version 2.  I've dug around my .NET CDs and 
   can't find it.  Can someone point me in the right direction...
   
   Diane

RE: [ActiveDir] ADMT v2

2002-10-25 Thread Sullivan, Kevin
Replied via email... (If anyone else is interested let me know and I
will post the response)

-Original Message-
From: Stuart Kwan [mailto:skwan;windows.microsoft.com] 
Sent: Friday, October 25, 2002 11:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2

Does it use SID History for the migration?


-Original Message-
From: Sullivan, Kevin [mailto:KSullivan;aelita.com] 
Sent: Friday, October 25, 2002 6:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2

Aelita Domain Migration Wizard... (For one)


RE: [ActiveDir] ADMT v2

2002-10-25 Thread Sullivan, Kevin
Nope...

-Original Message-
From: Salandra, Justin A. [mailto:jasalandra;chcsnet.org] 
Sent: Friday, October 25, 2002 11:36 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ADMT v2

Is it free?

 -Original Message-
From:   Sullivan, Kevin [mailto:KSullivan;aelita.com] 
Sent:   Friday, October 25, 2002 9:50 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] ADMT v2

Aelita Domain Migration Wizard... (For one)


RE: [ActiveDir] ADMT v2

2002-10-25 Thread Sullivan, Kevin
Not all that interesting but what I told Stuart was that our migration
technologies will use SID History in both Native and Mixed mode domains.
When in mixed mode, the user will only benefit from SID History if a W2k
DC does the authentication. This is done by the way the SID History is
applied. Aelita does it a bit different than MS. It is using the same
SID History attribute it just applies it differently. I don't really
know the bits and bytes of it or the APIs in use but understand it is
done differently. It is definitely a nice feature to have available.

I will try to get some more details...

Kevin,

-Original Message-
From: Rick Kingslan [mailto:rkingsla;cox.net] 
Sent: Friday, October 25, 2002 1:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2

I'd be interested - Yes, please do post it.

Rick Kingslan - Microsoft MVP [Windows NT/2000]
  Microsoft Certified Trainer
  MCSA, MCSE+I - Windows NT / 2000
  
Any sufficiently advanced technology
is indistinguishable from magic.
  ---  Arthur C. Clarke






RE: [ActiveDir] ADMT v2

2002-10-25 Thread Sullivan, Kevin
This is fully supported by Microsoft. 

-Original Message-
From: DiBias, Chip [mailto:Chip.DiBias;bindview.com] 
Sent: Friday, October 25, 2002 5:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2

Kevin,

Would Microsoft provide support if something happened during the
SIDHistory update process since the published Microsoft APIs are not
being utilized?


RE: [ActiveDir] ADMT v2

2002-10-25 Thread Sullivan, Kevin
Sorry for the bad form but I wanted to add another comment. I never said
Microsoft's published APIs are not in use.

I said I was not clear on the bits and bytes of it and the APIs used.
But I just understand from the developers that our process to update the
attribute is different. (I don't know what different means here.)

I will try to get more information and post it next week.

-Original Message-
From: Sullivan, Kevin 
Sent: Friday, October 25, 2002 10:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2

This is fully supported by Microsoft. 

-Original Message-
From: DiBias, Chip [mailto:Chip.DiBias;bindview.com] 
Sent: Friday, October 25, 2002 5:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2

Kevin,

Would Microsoft provide support if something happened during the
SIDHistory update process since the published Microsoft APIs are not
being utilized?

-Original Message-
From: Sullivan, Kevin [mailto:KSullivan;aelita.com] 
Sent: Friday, October 25, 2002 2:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2

Not all that interesting but what I told Stuart was that our migration
technologies will use SID History in both Native and Mixed mode domains.
When in mixed mode, the user will only benefit from SID History if a W2k
DC does the authentication. This is done by the way the SID History is
applied. Aelita does it a bit differently than MS. It is using the same
SID History attribute, it just applies it differently. I don't really
know the bits and bytes of it or the APIs in use but understand it is
done differently. It is definitely a nice feature to have available.

I will try to get some more details...

Kevin

-Original Message-
From: Rick Kingslan [mailto:rkingsla;cox.net] 
Sent: Friday, October 25, 2002 1:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2

I'd be interested - Yes, please do post it.

Rick Kingslan - Microsoft MVP [Windows NT/2000]
  Microsoft Certified Trainer
  MCSA, MCSE+I - Windows NT / 2000
  
Any sufficiently advanced technology
is indistinguishable from magic.
  ---  Arthur C. Clarke





 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of 
 Sullivan, Kevin
 Sent: Friday, October 25, 2002 10:32 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] ADMT v2
 
 
 Replied via email... (If anyone else is interested let me 
 know and I will post the response)
 
 -Original Message-
 From: Stuart Kwan [mailto:skwan;windows.microsoft.com] 
 Sent: Friday, October 25, 2002 11:01 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] ADMT v2
 
 Does it use SID History for the migration?
 
 
 -Original Message-
 From: Sullivan, Kevin [mailto:KSullivan;aelita.com] 
 Sent: Friday, October 25, 2002 6:50 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] ADMT v2
 
 Aelita Domain Migration Wizard... (For one)
 
 -Original Message-
 From: Salandra, Justin A. [mailto:jasalandra;chcsnet.org] 
 Sent: Friday, October 25, 2002 9:24 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] ADMT v2
 
 Is there any migration tool that doesn't require the target 
 be in native mode?
 
  -Original Message-
 From: Rick Kingslan [mailto:rkingsla;cox.net] 
 Sent: Thursday, October 24, 2002 6:54 PM
 To:   [EMAIL PROTECTED]
 Subject:  RE: [ActiveDir] ADMT v2
 
  Er, ADMT requires that the target be native, too.
  -Original Message-
  From:   [EMAIL PROTECTED] 
  [mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of
  Salandra, Justin A.
  Sent:   Thursday, October 24, 2002 11:18 AM
  To: '[EMAIL PROTECTED]'
  Subject:RE: [ActiveDir] ADMT v2
  
  
  But move tree requires that the target domain be in native
  mode.  I have some places that need to stay in mixed mode.
  
   -Original Message-
  From:   Tony Murray [mailto:tony;mail.activedir.org] 
  Sent:   Thursday, October 24, 2002 11:38 AM
  To: [EMAIL PROTECTED]
  Subject:RE: [ActiveDir] ADMT v2
  
  You've got Movetree to move objects within a Forest.  You
  don't need to migrate with ADMT.
  
  http://www.winnetmag.com/Articles/Index.cfm?ArticleID=7614
  
  Tony
  
  -- Original Message --
  From:   Salandra, Justin A. [EMAIL PROTECTED]
  Reply-To:   [EMAIL PROTECTED]
  Date: Thu, 24 Oct 2002 09:47:56 -0400
  
  So I can use ADMT v2 in a Windows 2000 AD environment to
  migrate between domains?  Such as parent to child?
  
   -Original Message-
  From:   Rick Kingslan [mailto:rkingsla;cox.net] 
  Sent:   Wednesday, October 23, 2002 6:50 PM
  To: [EMAIL PROTECTED]
  Subject:RE: [ActiveDir] ADMT v2
  
  Version 1 was/is usable in Win2k environments as well -
  typically cross forest.
  
  From the ADMT v 2.0 README:
  
  Scripting and command-line interface
  Password migration
  Migration log files
  Credentials needed for migration operators
  SID Mapping Files for security translation

RE: [ActiveDir] NT to AD client migration headaches.. blargh

2002-10-16 Thread Sullivan, Kevin

Wes, 

There are as many issues with an in-place upgrade as there are benefits.
The option to create a pristine AD and move everything over allows you a
lot of flexibility in cleaning up your old NT environment and making
sure you don't migrate any junk that you should get rid of anyway. So
with your original question, there are quite a few migration products
out there that allow you to do everything you want to do while allowing
for a secure and project oriented experience. The profile issue is an
easy one for our (Aelita's) product to handle. The goal is no impact to
the user and no touching of workstations. You want the profile re-ACLed
and you want the system to recognize the new domain without a reboot,
and you want all permissions to be reset to specify the new AD user and
remove the legacy SID. The other products to evaluate would be Quest
Software's migratory and NetIQ's migratory to name the most obvious.
There are many. 

Also, Ken pointed out the process to upgrade NT PDC to W2k and (in his
words) Voila!...

Know that the W2k machine is not a DC in an NT domain; it is a DC in a
new AD domain and it happens to have NT 4.0 BDCs... This is just a point
of clarification because it sounded a bit confusing.

Kevin

-Original Message-
From: Ayers, Diane [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 16, 2002 5:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] NT to AD client migration headaches.. blargh

The biggest issues will be getting the ADC (active directory connector)
between Exchange 5.5 and E2K/AD up and running.  A badly configured
connection agreement in the ADC can wreak havoc but is otherwise
straightforward.  In our testing, a bad CA is the only issue we ran
into.  Other testing process went without a hitch.

The upgrade from NT 4.0 to AD is fairly easy once you have your forest
design worked out, which it sounds like you do.

Personally, IMHO, _if_ your NT 4.0 domain(s) is/are clean, I much prefer
an upgrade to a migration. 

Diane 

-Original Message-
From: Tom.Gray [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 16, 2002 1:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NT to AD client migration headaches.. blargh


Wes --
  I just completed an in-place upgrade.  It wasn't too bad, but it had a
couple of troublesome moments.  Get the whitepaper from Microsoft on
upgrading Exchange 5.5 to 2000, then get the rest of the docs from
Microsoft about potential problems.  Some docs say you cannot be in
mixed mode, others tell you how to upgrade and stay in mixed mode.  (we
stayed in mixed mode)

  During the in-place upgrade of our Exchange server the install process
failed (it hung in the middle of the mailbox upgrade) and after a call
to PSS we had to go back to Exchange 5.5 (then restore the IS from tape
backup) and make some changes, then run the upgrade again.

  As of now we are running AD in mixed mode, Exchange 2000.  Single
domain.  Two domain controllers. No DHCP or WINS.   We're having a
couple of interesting issues that I haven't tracked down yet, but I'd
say 95% is up and running.

  I can get you more information if you desire.

Tom Gray, Network Engineer
All Kinds of Minds  The Center for Development and Learning
University of North Carolina at Chapel Hill
Internet:  [EMAIL PROTECTED]
ATT Net: (919)960-



-Original Message-
From: Weston Rogers [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 16, 2002 4:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] NT to AD client migration headaches.. blargh


I'm starting to like the sound of this.

Anyone have any info for me to check out?

Thanks.

Wes

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 16, 2002 4:09 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] NT to AD client migration headaches.. blargh


Yes

 -Original Message-
From:   Weston Rogers [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, October 16, 2002 3:29 PM
To: '[EMAIL PROTECTED]'
Subject:RE: [ActiveDir] NT to AD client migration headaches.. blargh

I need to preserve all groups/users/mailboxes/mail/public folders for
the whole domain, does an in-place upgrade accomplish that?

Wes

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 16, 2002 2:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NT to AD client migration headaches.. blargh


Any reason why you can't do an in-place upgrade instead of migrating ?
Dave

-Original Message-
From: Weston Rogers [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 16, 2002 10:44 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] NT to AD client migration headaches.. blargh


Hey guys.

I've got a few questions and I hope someone can lead me in the right
direction or give me a heads up on an idea that will help my situation.

My situation is that we have 1 NT 4 domain (1 PDC, 1 BDC, 1 webserver)
with 300 or so clients scattered throughout 5 
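The two mechanisms these threads turn on, SID History keeping old ACLs usable after the account moves, and the re-ACL (security translation) step that "specifies the new AD user and removes the legacy SID", modelled as an added Python illustration. This is not code from the thread, ADMT or Aelita; every SID, mapping and ACE is a constructed sample value, and the Add/Replace/Remove translation modes are an assumption about how a SID mapping file is applied rather than a description of any tool's implementation. It also adds an audit check for sIDHistory values that do not come from the expected source domain.

```python
"""sIDHistory access model plus SID-mapping security translation.
Added illustration only: not code from the thread, ADMT or Aelita.
All SIDs below are constructed sample values."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


@dataclass
class Token:
    """Logon token: the account's current SID plus its sIDHistory values.
    A Windows 2000 DC adds the sIDHistory SIDs to the token, which is why
    an ACE that still names the legacy NT4 SID keeps granting access."""
    primary_sid: str
    sid_history: list[str] = field(default_factory=list)

    def all_sids(self) -> set[str]:
        return {self.primary_sid, *self.sid_history}


@dataclass(frozen=True)
class Ace:
    sid: str
    rights: str  # constructed label such as "FullControl"


def access_granted(token: Token, acl: list[Ace]) -> bool:
    """Allow-only model: any token SID matching an ACE grants access."""
    sids = token.all_sids()
    return any(ace.sid in sids for ace in acl)


def translate_acl(acl: list[Ace], mapping: dict[str, str], mode: str) -> list[Ace]:
    """Re-ACL a resource from a SID mapping (legacy SID -> new AD SID).
    Modes (assumed names, modelled on ADMT's translation options):
      add:     keep the legacy ACE and add one for the new SID
      replace: rewrite the legacy ACE to the new SID (legacy SID disappears)
      remove:  drop legacy-SID ACEs left behind by an earlier 'add' pass"""
    if mode not in ("add", "replace", "remove"):
        raise ValueError(f"unknown translation mode: {mode}")
    out: list[Ace] = []
    for ace in acl:
        if ace.sid not in mapping:
            out.append(ace)
        elif mode == "add":
            out.extend([ace, Ace(mapping[ace.sid], ace.rights)])
        elif mode == "replace":
            out.append(Ace(mapping[ace.sid], ace.rights))
        # mode == "remove": the legacy ACE is simply dropped
    return list(dict.fromkeys(out))  # de-duplicate while keeping order


def domain_of(sid: str) -> str:
    """Strip the RID: S-1-5-21-a-b-c-1105 -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]


def unexpected_sid_history(users: dict[str, list[str]],
                           allowed_source_domains: set[str]) -> dict[str, list[str]]:
    """Audit check: flag sIDHistory values that are malformed or that do
    not belong to an approved source domain (stale entries from an older
    migration, or values that should not be on the account at all)."""
    findings: dict[str, list[str]] = {}
    for user, history in users.items():
        bad = [s for s in history
               if not SID_RE.match(s) or domain_of(s) not in allowed_source_domains]
        if bad:
            findings[user] = bad
    return findings


def migration_demo() -> dict[str, bool]:
    legacy = "S-1-5-21-1111-2222-3333-1105"  # constructed NT4 account SID
    new = "S-1-5-21-4444-5555-6666-2101"     # constructed AD account SID
    mapping = {legacy: new}
    # Resource still ACLed for the legacy SID (plus BUILTIN\Administrators).
    acl = [Ace(legacy, "FullControl"), Ace("S-1-5-32-544", "FullControl")]
    with_history = Token(new, [legacy])
    without_history = Token(new)
    replaced = translate_acl(acl, mapping, "replace")
    return {
        "history_grants_before_translation": access_granted(with_history, acl),
        "no_history_is_denied_before_translation": not access_granted(without_history, acl),
        "replace_grants_without_history": access_granted(without_history, replaced),
        "legacy_sid_removed_by_replace": all(a.sid != legacy for a in replaced),
    }


if __name__ == "__main__":
    for check, ok in migration_demo().items():
        print(f"{check}: {ok}")
```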

RE: [ActiveDir] OT: Unable to browse across the subnets/gateways

2002-10-04 Thread Sullivan, Kevin
IPC$? If so you just need to kill it and recreate it.

Net use ipc$ /d /y

Net use ipc$ /user:username password

Also this isn't an admin share as such, it is really just an
authenticated connection that other communications will piggyback on to
use those credentials. (In a really simple form).

I think this should do it if you believe that connection is corrupt.

Kevin

-Original Message-
From: Charles Carerros [mailto:[EMAIL PROTECTED]] 
Sent: Friday, October 04, 2002 10:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Unable to browse across the subnets/gateways

Thanks for the suggestions Kevin, but unfortunately the solution isn't so
nice. My IPC$ admin share is messed up and that is what is causing my
problems. Now all I have to do is figure out how to fix that part.

Thanks for the input,

Chuck

-Original Message-
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, October 03, 2002 4:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Unable to browse across the subnets/gateways

What are the subnets? And what is the gateway config?

Also, when you say browse do you mean Network Neighborhood? If so, play
with the LMHOSTS file to see if you can force resolution; if you can, it
is probably a WINS issue. Are the servers WINS clients? Do the
registrations look OK?

Can the XP/2k systems log on? Can they ping via FQDN and IP? 

Make sure you separate the hostname function and the NetBIOS function
when you troubleshoot this one. If it is Net Neighborhood :( then it is
probably a WINS issue or browser service issue. Are there errors in the
System event log?

Kevin

-Original Message-
From: Charles Carerros [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, October 03, 2002 3:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Unable to browse across the subnets/gateways

Okay,

Situation:

I have two subnets (subnet A and subnet B) with gateways between them.
All my DCs (and the rest of my server farm) are on subnet A. There are
clients on both subnets. All the clients are either Windows XP or
Windows 2000 Prof patched to current standards. The servers are all
Windows 2000 fully patched. 

Problem:

For some reason I am unable to browse the network from any client on
subnet B. On subnet A I can only browse those computers and servers that
are located on subnet A.

Attempted Fixes:

I have reviewed my current services. I checked my WINS servers. I can
locate all machines if I search Active Directory using the Find
Computers options. The IPC$ is mapped.

Any suggestions would be helpful.

Thanks,

Chuck


RE: [ActiveDir] AD and NDS

2002-10-04 Thread Sullivan, Kevin

I have worked quite a bit with MSDSS. It is really pretty
straightforward. I have also done a few larger Netware 5.1 & AD
migrations where we used MSDSS and then used Aelita's (my company)
Domain Migration Wizard to manage the enterprise project.

Any specific questions about MSDSS?

Kevin

-Original Message-
From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]] 
Sent: Friday, October 04, 2002 5:06 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD and NDS

We are working on deploying active directory in our environment. We
currently use Netware 5.1 and NDS. We are trying to use Novell account
management and Edir 8.6.2 in conjunction with AD. We are having a ton of
problems getting this setup to work in our test lab. Has anyone else had
any experience getting these products working together properly? We have
worked with Novell and as usual their support is no help. Also does
anyone have any experiences with Microsoft's MSDSS product? Any help or
suggestions would be greatly appreciated. 

Thanks


RE: [ActiveDir] Joining computers to a domain?

2002-10-03 Thread Sullivan, Kevin
The ms-ds-machineAccountQuota (I believe) is a per domain setting. It
allows any user in the domain to create 10 computer accounts in AD. I
also think this is possibly restricted to the default computer container
but am not sure. This really helps for roll outs because the end user
can log on a sys-prepped machine, give basic info (or none if scripted)
and the computer account can be added to the domain without
administrator intervention. You can increase that number through LDP or
ADSI edit, I believe.

If this is an admin adding computer accounts make sure that you delegate
that permission to the OU/container that the admin user needs access
to. 

Kevin

-Original Message-
From: Holmes,Raun M [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, October 03, 2002 11:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Joining computers to a domain?

Hello, 

I have a support person who is getting a msg: the following error
occurred while attempting to join the domain xxx.xxx.xxx: your computer
could not be joined to the domain, you have exceeded the max number of
computer accounts you are allowed to create in this domain. contact your
admin to have this limit reset or increased.

How can we increase the counter for this user?

Thanks in advance. 

Raun Holmes 



RE: [ActiveDir] Joining computers to a domain?

2002-10-03 Thread Sullivan, Kevin

I tried to post the swynk script and it didn't send. From past
experience it will probably show up in a while. Anyway, I couldn't get
the script that Tony mentioned to run. Can someone put their eyes on the
script and let me know if you see any problems or lines that I may need
to edit.

Thanks,

Kevin

http://www.swynk.com/friends/policht/103101.asp
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Joining computers to a domain?

2002-10-03 Thread Sullivan, Kevin

That's great Richard. I would still like to see the VBScript though. Any
for Jscript or Python?

-Original Message-
From: Puckett, Richard [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, October 03, 2002 2:40 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Joining computers to a domain?



Dunno if this is useful for anyone, but here it is in Perl...

Regards,
Richard


use strict;
use Win32::OLE 'in';
use Win32::OLE::Const 'Active DS Type Library';
$Win32::OLE::Warn = 3;

# domain, access & quota variables
my $usr = 'DOMAIN\userid';
my $pwd = 'password';
my $dse = 'dc=mycompanyname,dc=com';
my $srv = 'domaincontrollername';
my $val =  '30'; 

mod_quota($srv, $dse, $usr, $pwd, $val);
exit;

# modify the ms-DS-MachineAccountQuota value
#-
sub mod_quota {
#-
my $adc = shift;
my $adspath = shift;
my $admact = shift;
my $passwd = shift;
my $newval = shift;

# bind to the domain naming context over LDAP with a secure (Kerberos/NTLM) bind
my $DSO = Win32::OLE->GetObject("LDAP:");
my $DSBind = $DSO->OpenDSObject("LDAP://" . $adc . "/" . $adspath,
                                $admact,
                                $passwd,
                                ADS_SECURE_AUTHENTICATION);

# set the quota in the property cache and write it back to the directory
$DSBind->{'ms-DS-MachineAccountQuota'} = $newval;
$DSBind->SetInfo();
}





 -Original Message-
 From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, October 03, 2002 1:48 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Joining computers to a domain?
 
 
 I tried to post the swynk script and it didn't send. From 
 past experience it will probably show up in a while. Anyway, 
 I couldn't get the script that Tony mentioned to run. Can 
 someone put their eyes on the script and let me know if you 
 see any problems or lines that I may need to edit.
 
 Thanks,
 
 Kevin
 
http://www.swynk.com/friends/policht/103101.asp



RE: [ActiveDir] Joining computers to a domain?

2002-10-03 Thread Sullivan, Kevin

Perfect... Thanks Richard. The new Perl below works like a charm as well
as the VBScript. Great work.

-Original Message-
From: Puckett, Richard [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, October 03, 2002 3:23 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Joining computers to a domain?



Picky, picky, picky... *grin*.  Here it is in VBS (and a little cleaner
Perl below it).

Richard


--

' VBS ms-DS-MachineAccountQuota Modifier 
Option Explicit
On Error Resume Next

Dim DSO, DSBind, strDS, strDC, strPath, strUsr, strPwd, IntVal

strDC = "domaincontrollername"
strPath = "dc=mycompanyname,dc=com"
strUsr = "DOMAIN\userid"
strPwd = "password"
IntVal = 30

strDS = "LDAP://" & strDC & "/" & strPath

' bind to the domain naming context; 1 = ADS_SECURE_AUTHENTICATION
Set DSO = GetObject("LDAP:")
Set DSBind = DSO.OpenDSObject(strDS, strUsr, strPwd, 1)

' set the quota in the property cache and commit it to the directory
DSBind.Put "ms-DS-MachineAccountQuota", IntVal
DSBind.SetInfo

If Err.Number = 0 Then
WScript.Echo "Successfully reset the quota value"
Else
WScript.Echo "Doh!: " & Err.Number & ": " & Err.Description
End If

--

# PERL ms-DS-MachineAccountQuota Modifier 
use strict;
use Win32::OLE 'in';
use Win32::OLE::Const 'Active DS Type Library';

$Win32::OLE::Warn = 3;

# domain, access & quota variables
my $usr = 'DOMAIN\userid';
my $pwd = 'password';
my $dse = 'dc=mycompanyname,dc=com';
my $srv = 'domaincontrollername';
my $val =  '30'; 

mod_quota($srv, $dse, $usr, $pwd, $val);
exit;


# modify the ms-DS-MachineAccountQuota value
#-
sub mod_quota {
#-

my ($adc, $adspath, $admact, $passwd, $newval) = @_;

# bind to the domain naming context with a secure (Kerberos/NTLM) bind
my $DSO = Win32::OLE->GetObject("LDAP:");
my $DSBind = $DSO->OpenDSObject("LDAP://" . $adc . "/" . $adspath,
                                $admact,
                                $passwd,
                                ADS_SECURE_AUTHENTICATION);

# set the quota in the property cache and write it back to the directory
$DSBind->{'ms-DS-MachineAccountQuota'} = $newval;
$DSBind->SetInfo();
}


--



 -Original Message-
 From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, October 03, 2002 2:54 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Joining computers to a domain?
 
 
 That's great Richard. I would still like to see the VBScript 
 though. Any for Jscript or Python?
 
 -Original Message-
 From: Puckett, Richard [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, October 03, 2002 2:40 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Joining computers to a domain?
 
 
 
 Dunno if this is useful for anyone, but here it is in Perl...
 
 Regards,
 Richard
 
 
 use strict;
 use Win32::OLE 'in';
 use Win32::OLE::Const 'Active DS Type Library';
 $Win32::OLE::Warn = 3;
 
 # domain, access & quota variables
 my $usr = 'DOMAIN\userid';
 my $pwd = 'password';
 my $dse = 'dc=mycompanyname,dc=com';
 my $srv = 'domaincontrollername';
 my $val =  '30'; 
 
 mod_quota($srv, $dse, $usr, $pwd, $val);
 exit;
 
 # modify the ms-DS-MachineAccountQuota value
 #-
 sub mod_quota {
 #-
   my $adc = shift;
   my $adspath = shift;
   my $admact = shift;
   my $passwd = shift;
   my $newval = shift;
   
   my $DSO = Win32::OLE->GetObject("LDAP:");
   my $DSBind = $DSO->OpenDSObject("LDAP://" . $adc . "/" . $adspath,
                                   $admact,
                                   $passwd,
                                   ADS_SECURE_AUTHENTICATION);
 
   $DSBind->{'ms-DS-MachineAccountQuota'} = $newval;
   $DSBind->SetInfo();
 }
 
 
 
 
 
  -Original Message-
  From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, October 03, 2002 1:48 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Joining computers to a domain?
  
  
  I tried to post the swynk script and it didn't send. From
  past experience it will probably show up in a while. Anyway, 
  I couldn't get the script that Tony mentioned to run. Can 
  someone put their eyes on the script and let me know if you 
  see any problems or lines that I may need to edit.
  
  Thanks,
  
  Kevin
  
 http://www.swynk.com/friends/policht/103101.asp
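A defender-side companion to the quota-setting scripts above, added here as an example and not the Perl or VBS from the thread: it decodes the binary mS-DS-CreatorSID that AD stamps on a computer object created under ms-DS-MachineAccountQuota, counts quota-created computers per creator from an ldifde-style export, and flags creators at the quota as well as a non-zero quota itself (the delegated-permission route Kevin recommends leaves the attribute empty). The attribute name and the binary SID layout are as AD uses them; the export content is constructed.

```python
"""Audit of computer accounts created under ms-DS-MachineAccountQuota.
Added example, not code from the thread.  Reads a constructed
ldifde-style export; a real one would come from exporting the domain's
computer objects with the mS-DS-CreatorSID attribute, which AD sets only
when the object was created through the quota."""
from __future__ import annotations

import base64
import struct
from collections import Counter


def decode_sid(raw: bytes) -> str:
    """Binary SID (revision, sub-authority count, 48-bit big-endian
    authority, little-endian sub-authorities) -> 'S-1-5-21-...' string."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % raw[1], raw, 8)
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid; used here only to build the sample export."""
    parts = sid.split("-")
    if parts[:2] != ["S", "1"] or len(parts) < 4:
        raise ValueError("not a SID string")
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_ldif(text: str) -> list[dict]:
    """Minimal LDIF reader: 'attr: value' and base64 'attr:: value' lines,
    records separated by blank lines, attribute names lower-cased."""
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):
            cur[attr.lower()] = base64.b64decode(val[1:].strip())
        else:
            cur[attr.lower()] = val.strip()
    if cur:
        records.append(cur)
    return records


def quota_report(ldif_text: str, quota: int) -> dict:
    """Count quota-created computers per creator SID and flag creators at
    or over the quota; a non-zero quota is itself reported as a finding."""
    per_creator: Counter = Counter()
    admin_created = 0
    for rec in parse_ldif(ldif_text):
        raw = rec.get("ms-ds-creatorsid")
        if raw is None:            # created by an account with real rights
            admin_created += 1
            continue
        per_creator[decode_sid(raw) if isinstance(raw, bytes) else raw] += 1
    return {
        "quota": quota,
        "quota_nonzero": quota > 0,
        "admin_created": admin_created,
        "per_creator": dict(per_creator),
        "at_or_over_quota": sorted(s for s, n in per_creator.items() if n >= quota),
    }


# --- constructed sample export (not real directory data) -----------------
_USER_A = "S-1-5-21-1111-2222-3333-1105"
_USER_B = "S-1-5-21-1111-2222-3333-1106"


def _record(name: str, creator_sid: str | None) -> str:
    rec = (f"dn: CN={name},CN=Computers,DC=mycompanyname,DC=com\n"
           f"sAMAccountName: {name}$\n")
    if creator_sid:
        b64 = base64.b64encode(encode_sid(creator_sid)).decode()
        rec += f"mS-DS-CreatorSID:: {b64}\n"
    return rec


SAMPLE_LDIF = "\n".join(
    [_record(f"WS{i:03d}", _USER_A) for i in range(1, 11)]     # 10 by user A
    + [_record(f"WS{i:03d}", _USER_B) for i in range(11, 14)]  # 3 by user B
    + [_record("SRV-ADM01", None)])                           # admin-created


if __name__ == "__main__":
    print(quota_report(SAMPLE_LDIF, quota=10))
```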

RE: [ActiveDir] Restricting the ability to create Universal Groups

2002-09-27 Thread Sullivan, Kevin

I can think of ways to run cleanup scripts on a schedule to do this. The
Universal Group is designated via a specific bit value or some other
designation. The script could look for that designation and look at the
creator/owner of the object and check against an authorized list. If the
creator/owner is not in the list the object is deleted. This doesn't
keep them from creating the group it just may help you get a handle on
the situation. The way Aelita (the company that pays my bills <g>)
handles this situation is with the 'rules and roles' engine of
Enterprise Directory Manager.

The way the product works is on creates or modifies of an object, any
policy objects (Aelita policy object) that are hung on the specific
container will execute. We have a script that runs prior to the
commitment to the directory that checks if the user is creating a
universal group and then checks their permissions. If the user is denied
creating the UG via the script and permissions (access templates) our
EDM engine will not write to AD.

This is how we handle it, I am sure that our competitors have similar
features. Please contact me offline if you need some further explanation
of our product.

Kevin

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, September 26, 2002 10:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restricting the ability to create Universal
Groups

Devan,

Once you are in a Native mode domain and you have granted someone the
ability to CREATE groups - I have no information that tells me that you
can limit the TYPES of groups that one can create.

This, currently, might be a situation to where you have to put a policy
- with a penalty - in place to control the creation of Universal groups
without change control or justification.

Maybe someone else will have more light to shed on this.

Rick Kingslan - Microsoft MVP [Windows NT/2000]
  Microsoft Certified Trainer
  MCSA, MCSE+I - Windows NT / 2000
  
Any sufficiently advanced technology
is indistinguishable from magic.
  ---  Arthur C. Clarke





 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of Devan Pala
 Sent: Thursday, September 26, 2002 9:18 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Restricting the ability to create 
 Universal Groups
 
 
 Hi all,
 
 My question centers upon restricting OU Admins the ability to create
 Universal Groups but allowing them to create Global Groups and of course
 Domain Local Groups.
 
 The design involves OUs based on geographical locations and we would like
 local administration to be able to create almost all objects except for
 things that are central in nature.
 
 My greatest concern is if they start populating UGs with domain user
 accounts and other non-recommended practices then we'll have replication
 chaos throughout the forest and eventually an administration nightmare.
 
 I haven't really hit the test lab with the above scenario but from memory
 the advanced ACL permissions focus upon group objects in general. Does
 anyone know whether this can be achieved?
 
 Thanks,
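The two controls Kevin sketches, a scheduled cleanup that finds Universal groups by their groupType bit and checks the owner against an authorised list, and a policy check that refuses the create before it is committed to the directory, written out as an added Python example. It is not Aelita's EDM or any product's code; the group records and SIDs are constructed, deletion is left to a caller-supplied callback with dry-run as the default, and the groupType bit values are the ones AD uses.

```python
"""Universal-group cleanup and pre-commit policy check.
Added example, not Aelita's or any product's code; records are constructed.
groupType is a bit field: 0x2 global, 0x4 domain local, 0x8 universal,
0x80000000 security-enabled.  AD hands it back as a signed 32-bit
integer, so security groups show up as negative numbers."""
from __future__ import annotations

from typing import Callable, Iterable

GLOBAL, DOMAIN_LOCAL, UNIVERSAL, SECURITY_ENABLED = 0x2, 0x4, 0x8, 0x80000000


def group_scope(group_type: int) -> str:
    gt = group_type & 0xFFFFFFFF  # normalise the signed value AD returns
    if gt & UNIVERSAL:
        return "universal"
    if gt & GLOBAL:
        return "global"
    if gt & DOMAIN_LOCAL:
        return "domainlocal"
    raise ValueError(f"groupType {group_type:#x} has no scope bit set")


def is_security_group(group_type: int) -> bool:
    return bool((group_type & 0xFFFFFFFF) & SECURITY_ENABLED)


def allow_group_create(group_type: int, creator_sid: str, authorised: set[str]) -> bool:
    """Pre-commit rule: anyone may create global or domain local groups;
    only principals on the authorised list may create Universal groups."""
    return group_scope(group_type) != "universal" or creator_sid in authorised


def unauthorised_universal_groups(groups: Iterable[dict], authorised: set[str],
                                  dry_run: bool = True,
                                  delete: Callable[[str], None] | None = None) -> list[dict]:
    """Scheduled cleanup: report (and, when dry_run is False, delete through
    the supplied callback) Universal groups whose owner is not authorised.
    'owner' is the owner SID from the object's security descriptor; an
    object created by a Domain Admins member is owned by Domain Admins
    (RID 512), so that SID belongs on the authorised list."""
    flagged = [g for g in groups
               if group_scope(g["groupType"]) == "universal"
               and g["owner"] not in authorised]
    if not dry_run:
        if delete is None:
            raise ValueError("delete callback required when dry_run is False")
        for g in flagged:
            delete(g["dn"])
    return flagged


# --- constructed sample data ---------------------------------------------
OU_ADMIN = "S-1-5-21-1111-2222-3333-1105"       # constructed OU admin SID
DOMAIN_ADMINS = "S-1-5-21-1111-2222-3333-512"   # constructed domain, RID 512
SAMPLE_GROUPS = [
    {"dn": "CN=EMEA Sales,OU=EMEA,DC=mycompanyname,DC=com",
     "groupType": -2147483646, "owner": OU_ADMIN},        # security global: fine
    {"dn": "CN=AllStaff,OU=EMEA,DC=mycompanyname,DC=com",
     "groupType": -2147483640, "owner": OU_ADMIN},        # security universal: flagged
    {"dn": "CN=EMEA Resources,OU=EMEA,DC=mycompanyname,DC=com",
     "groupType": -2147483644, "owner": OU_ADMIN},        # domain local: fine
    {"dn": "CN=Corp Announce,CN=Users,DC=mycompanyname,DC=com",
     "groupType": 8, "owner": DOMAIN_ADMINS},             # universal DL by DA: fine
]


if __name__ == "__main__":
    for g in unauthorised_universal_groups(SAMPLE_GROUPS, {DOMAIN_ADMINS}):
        kind = "security" if is_security_group(g["groupType"]) else "distribution"
        print(f"unauthorised {kind} universal group: {g['dn']} (owner {g['owner']})")
```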



RE: [ActiveDir] Networkdrive-mapping @ logon

2002-09-18 Thread Sullivan, Kevin

This is a pretty simple example so you could enhance it to best meet
your needs...

'=
Set objNet = WScript.CreateObject("WScript.Network")
objNet.MapNetworkDrive "Z:", "\\ServerName\SharePoint"
'=

Here is an example of calling an external app...

'=
Set objProg = WScript.CreateObject("WScript.Shell")
objProg.Run ("route.bat")
'=

You will need to play with this one a bit. The path is parsed by the
windows script host so you can use common environmental variables such
as %systemroot% etc.

I hope this helps.

I have many resources for scripting and I am anxiously awaiting the .NET
server resource kit which will have a document on administrative
scripting. But some examples are VBScript Programmer's Reference by WROX
press and William Stanek's Windows 2000 Scripting Bible by IDG books.
Also, I have a WMI book that I love called Windows Management
Instrumentation by Matthew Lavy and Ashley Meggitt from New Riders...

Enjoy.

-Original Message-
From: Jochen Andries [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, September 18, 2002 9:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Networkdrive-mapping @ logon

I would like to have one posted

The only thing I can do is this from a DOS-prompt

-Original Message-
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]] 
Sent: woensdag 18 september 2002 14:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Networkdrive-mapping @ logon

You can use a startup script and use VBScript to map the drives. You can
pretty much call on any command like 'route'.

In the group policy for the container select startup script under
computer configuration and point to the VBScript or JScript that you
want to use. I will look for examples but I am sure that before I find
one someone will post one... It is that kind of group <g>.

Kevin

-Original Message-
From: Jochen Andries [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, September 18, 2002 8:08 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Networkdrive-mapping @ logon

Hello all,

Is there a way I can configure to map drives at startup? But more than
1 mapping.

Also can I put in this same file other commands? (Like route add ...)

Greetings,

Jochen Andries
Jabbeke Belgium


RE: [ActiveDir] Network Infrastructure cause AD Security Fowl Ups?

2002-09-18 Thread Sullivan, Kevin

I am having a brain cramp at the moment. I am trying to send you an
example script but it is being rejected by the
[EMAIL PROTECTED]

How do I send script examples? I know it can be done.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 06, 2002 10:40 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Network Infrastructure cause AD Security Fowl Ups?

I have a question for everyone.  I have this one facility out of 13 that
constantly has problems accessing their Exchange 5.5 mailboxes and making
changes to their Distribution Lists.  They are the only facility this
happens to.  ACLs in AD for Distribution Lists get screwed up and people
that have been able to manage the DLs via Outlook no longer can, users
all of a sudden get errors when they try to open up their mailboxes, and
that forces us to make security changes to the Mailboxes' ACLs.

My question is, would over complex, very locked down LAN Infrastructures
cause delays or errors in communication to the AD and Exchange server
that would cause these problems?

Here is the layout

This facility actually has a Main Hospital, and three remote sites.  They
connect to my WAN via the Main Hospital.

Site 1 Connects via T1 to Site 2
Site 3 Connects via 2 T1's to Site 2 and connects to the Main Hospital
via T1
Site 2 Connects via T3 to the Main Hospital
There are 3Com Routers on each end of each T Line
There is a T1 Line that connects the Main Hospital to MY WAN.
At the Main Hospital there is a 3Com Router that is connected to my
Cisco Router via Cat5 cable from the serial port on the 3Com to the
Ethernet port on the Cisco Router.  
The Cisco Router is connected to MY WAN

From what I know protocols that are not needed are blocked, although I
do not know which.

Based on what I have told you, do you think that the question I posed is
true?

Thanks


Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 




RE: [ActiveDir] Networkdrive-mapping @ logon

2002-09-18 Thread Sullivan, Kevin

Sorry about the formatting... I am adding _ to designate a line break.

-Original Message-
From: Sullivan, Kevin 
Sent: Wednesday, September 18, 2002 10:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Networkdrive-mapping @ logon

This is a pretty simple example so you could enhance it to best meet
your needs...

'=
Set objNet = WScript.CreateObject("WScript.Network")_
objNet.MapNetworkDrive "Z:", "\\ServerName\SharePoint"
'=

Here is an example of calling an external app...

'=
Set objProg = WScript.CreateObject("WScript.Shell")_
objProg.Run ("route.bat")
'=

You will need to play with this one a bit. The path is parsed by the
windows script host so you can use common environmental variables such
as %systemroot% etc.

I hope this helps.

I have many resources for scripting and I am anxiously awaiting the .NET
server resource kit which will have a document on administrative
scripting. But some examples are VBScript Programmer's Reference by WROX
press and William Stanek's Windows 2000 Scripting Bible by IDG books.
Also, I have a WMI book that I love called Windows Management
Instrumentation by Matthew Lavy and Ashley Meggitt from New Riders...

Enjoy.


-Original Message-
From: Jochen Andries [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, September 18, 2002 9:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Networkdrive-mapping @ logon

I would like to have one posted

The only thing I can do is this from a DOS-prompt

-Original Message-
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]] 
Sent: woensdag 18 september 2002 14:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Networkdrive-mapping @ logon

You can use a startup script and use VBScript to map the drives. You can
pretty much call on any command like 'route'.

In the group policy for the container select startup script under
computer configuration and point to the VBScript or JScript that you
want to use. I will look for examples but I am sure that before I find
one someone will post one... It is that kind of group <g>.

Kevin

-Original Message-
From: Jochen Andries [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, September 18, 2002 8:08 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Networkdrive-mapping @ logon

Hello all,

Is there a way I can configure to map drives at startup? But more than
1 mapping.

Also can I put in this same file other commands? (Like route add ...)


Greetings,

Jochen Andries
Jabbeke Belgium
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
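A complete version of the approach in Kevin's reply in the drive-mapping thread above, added here as an example; it is not code from the thread. It maps several drives and runs an external command from one script file, split by a /mode switch: drive mappings are per-user, so they belong in a User Configuration logon script, whereas route add needs administrative rights and belongs in a Computer Configuration startup script (which runs as LocalSystem, a session in which a mapped drive would not be visible to the logged-on user). The server name FS01, the share names, the route and the script file name are assumptions.

```vbscript
' Added example, not from the original thread. Hypothetical names: FS01,
' the share names, the route and the target network are placeholders.
Option Explicit

Const SW_HIDE        = 0
Const WAIT_ON_RETURN = True

Dim objNet, objShell, objFSO, mode
Set objNet   = WScript.CreateObject("WScript.Network")
Set objShell = WScript.CreateObject("WScript.Shell")
Set objFSO   = CreateObject("Scripting.FileSystemObject")

' Group Policy passes this as the script parameter:
'   User Configuration     > Scripts > Logon   : /mode:logon   (runs as the user)
'   Computer Configuration > Scripts > Startup : /mode:startup (runs as LocalSystem)
mode = LCase(WScript.Arguments.Named("mode"))

Select Case mode
    Case "logon"
        ' Drive mappings live in the logged-on user's session, so they
        ' only make sense here, never in the startup (SYSTEM) context.
        MapDrive "H:", "\\FS01\Home$\" & objNet.UserName
        MapDrive "S:", "\\FS01\Shared"
        MapDrive "P:", "\\FS01\Projects"
    Case "startup"
        ' Changing the routing table needs administrative rights, which
        ' LocalSystem has. The full path to route.exe is used so the
        ' script does not depend on the search order of %PATH%.
        RunChecked objShell.ExpandEnvironmentStrings("%SystemRoot%") & _
            "\System32\route.exe add 10.20.0.0 mask 255.255.0.0 192.168.1.254 -p"
    Case Else
        WScript.Echo "Usage: cscript //nologo netlogon.vbs /mode:logon | /mode:startup"
        WScript.Quit 1
End Select

' Map one drive with the caller's own token. No user name or password is
' passed: the script sits in SYSVOL and is readable by every domain member.
Sub MapDrive(driveLetter, uncPath)
    On Error Resume Next
    If objFSO.DriveExists(driveLetter) Then
        ' Drop a stale mapping (forced, and removed from the profile too).
        objNet.RemoveNetworkDrive driveLetter, True, True
    End If
    Err.Clear
    objNet.MapNetworkDrive driveLetter, uncPath, False
    If Err.Number <> 0 Then
        WScript.Echo "Could not map " & driveLetter & " to " & uncPath & _
            ": " & Err.Description
        Err.Clear
    End If
    On Error GoTo 0
End Sub

' Run a command synchronously and report a non-zero exit code instead of
' firing and forgetting, which Run without the wait flag does.
Sub RunChecked(commandLine)
    Dim exitCode
    exitCode = objShell.Run(commandLine, SW_HIDE, WAIT_ON_RETURN)
    If exitCode <> 0 Then
        WScript.Echo "Command failed with exit code " & exitCode & ": " & commandLine
    End If
End Sub
```

Point the GPO logon script at the file with the parameter /mode:logon and the startup script at the same file with /mode:startup. The optional user name and password arguments of MapNetworkDrive are deliberately not used: anything written into a script in SYSVOL is a cleartext credential readable by every domain member.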



RE: [ActiveDir] Network Infrastructure cause AD Security Fowl Ups?

2002-09-18 Thread Sullivan, Kevin

My apologies, please disregard my last message to this thread.

-Original Message-
From: Sullivan, Kevin 
Sent: Wednesday, September 18, 2002 10:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Network Infrastructure cause AD Security Fowl Ups?

I am having a brain cramp at the moment. I am trying to send you an
example script but it is being rejected by the
[EMAIL PROTECTED]

How do I send script examples? I know it can be done.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 06, 2002 10:40 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Network Infrastructure cause AD Security Fowl Ups?

I have a question for everyone.  I have this one facility out of 13 that
constantly has problems accessing their Exchange 5.5 mailboxes and making
changes to their Distribution Lists.  They are the only facility this
happens to.  ACLs in AD for Distribution Lists get screwed up and people
that have been able to manage the DLs via Outlook no longer can, users all
of a sudden get errors when they try to open up their mailboxes, and this
forces us to make security changes to the mailboxes' ACLs.

My question is, would over-complex, very locked-down LAN infrastructures
cause delays or errors in communication to the AD and Exchange server that
would cause these problems?

Here is the layout

This facility actually has a Main Hospital and three remote sites.  They
connect to my WAN via the Main Hospital.

Site 1 connects via T1 to Site 2
Site 3 connects via 2 T1's to Site 2 and connects to the Main Hospital
via T1
Site 2 connects via T3 to the Main Hospital
There are 3Com routers on each end of each T line
There is a T1 line that connects the Main Hospital to MY WAN.
At the Main Hospital there is a 3Com router that is connected to my Cisco
router via Cat5 cable from the serial port on the 3Com to the Ethernet
port on the Cisco router.
The Cisco router is connected to MY WAN

From what I know, protocols that are not needed are blocked, although I
do not know which.

Based on what I have told you, do you think that the question I posed is
true?

Thanks


Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Customizing the MMC...

2002-09-18 Thread Sullivan, Kevin

Try this...

Open ADUC and on the left hand pane right-click on the OU that you want
these admins to see... choose new window from here... Go to the windows
menu and choose the original window... Close that window... save the
.msc file out and apply NTFS permissions on the .msc file.

Alternatively you can remove the read permission from the authenticated
users group and apply read permission to the objects that you want these
admins to see. You will need to allow them to read the root but after
that point they will only display those objects that they have read
access to.

I personally like the first choice and have added taskpads to add links
to frequently used actions i.e. reset passwords etc.

<plug>
A lot of the tedium is taken out of AD administration with third party
tools such as 'Enterprise Directory Manager' from Aelita Software. 
</plug>

Kevin

-Original Message-
From: Daniel J. Cook [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, September 18, 2002 2:52 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Customizing the MMC...



Dear Windows 2000 Free List,

Hello! I have a situation with customizing an MMC and I am wondering if
anyone can help. I would like to setup a custom MMC that will allow only
a certain group of users the ability to see and change one OU in our
Active Directory Users and Computers.

Currently, we have about 10 OUs and I have been trying to make a custom
MMC to my specifications. I can make a custom MMC that will allow people
to change and alter AD Users and Computers (which includes all of the
OUs) but I would like to make it more specific so that they can only
alter or change one OU. For example, I would like to create an MMC that
would only contain the Bonga OU and nothing else.

I have experimented with customizing MMCs but cannot seem to find a
method to create one that specific. Does anyone have any advice or
suggestions on creating a custom MMC that is OU specific? Thanks in
advance. Take care.

All the best,

Daniel J. Cook
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
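For the custom-MMC thread above: the saved console controls only what the admins see. NTFS permissions on the .msc file do not stop the same users from opening dsa.msc, ADSI Edit or a script against the directory; what they can actually change is decided by the DACL on the OU, so that is where the restriction has to be set. The following ADSI script is added here as an example (it is not code from the thread): it grants one group rights over user objects in one OU and reads the resulting ACEs back. The OU distinguished name, the domain EXAMPLE and the group name are made-up placeholders.

```vbscript
' Added example, not from the original thread. Hypothetical names: the OU
' distinguished name and the group EXAMPLE\Bonga Admins are placeholders.
Option Explicit

' ADSI constants from iads.h
Const ADS_RIGHT_GENERIC_ALL                  = &H10000000
Const ADS_RIGHT_DS_CREATE_CHILD              = &H1
Const ADS_RIGHT_DS_DELETE_CHILD              = &H2
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT      = &H5
Const ADS_ACEFLAG_INHERIT_ACE                = &H2
Const ADS_ACEFLAG_INHERIT_ONLY_ACE           = &H8
Const ADS_FLAG_OBJECT_TYPE_PRESENT           = &H1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2

' schemaIDGUID of the "user" class (the same in every forest)
Const USER_CLASS_GUID = "{bf967aba-0de6-11d0-a285-00aa003049e2}"

Const OU_PATH = "LDAP://OU=Bonga,DC=example,DC=com"
Const TRUSTEE = "EXAMPLE\Bonga Admins"

Dim objOU, objSD, objDACL, ace
Set objOU   = GetObject(OU_PATH)
Set objSD   = objOU.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl

' Full control over user objects anywhere below the OU. Inherit-only means
' the OU itself is untouched, so the group cannot rewrite the OU's own ACL
' or its GPO links; narrow the mask further if they only need, say,
' password resets.
objDACL.AddAce NewAce(TRUSTEE, ADS_RIGHT_GENERIC_ALL, _
    ADS_ACEFLAG_INHERIT_ACE Or ADS_ACEFLAG_INHERIT_ONLY_ACE, _
    ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT, "", USER_CLASS_GUID)

' Create and delete user objects in the OU and any sub-OU. The object type
' restricts it to users, so the group cannot create computers, groups or OUs.
objDACL.AddAce NewAce(TRUSTEE, _
    ADS_RIGHT_DS_CREATE_CHILD Or ADS_RIGHT_DS_DELETE_CHILD, _
    ADS_ACEFLAG_INHERIT_ACE, ADS_FLAG_OBJECT_TYPE_PRESENT, USER_CLASS_GUID, "")

objSD.DiscretionaryAcl = objDACL
objOU.Put "ntSecurityDescriptor", objSD
objOU.SetInfo

' Read the DACL back and show what the trustee now holds. This is the
' control worth verifying, not the permissions on the .msc file.
Set objSD = objOU.Get("ntSecurityDescriptor")
For Each ace In objSD.DiscretionaryAcl
    If LCase(ace.Trustee) = LCase(TRUSTEE) Then
        WScript.Echo "Mask=0x" & Hex(ace.AccessMask) & " AceType=" & ace.AceType & _
            " AceFlags=" & ace.AceFlags & " ObjectType=" & ace.ObjectType & _
            " InheritedObjectType=" & ace.InheritedObjectType
    End If
Next

' Build an object-specific allow ACE. An empty GUID string means "not set".
Function NewAce(trustee, accessMask, aceFlags, flags, objectType, inheritedObjectType)
    Dim objACE
    Set objACE = CreateObject("AccessControlEntry")
    objACE.Trustee    = trustee
    objACE.AccessMask = accessMask
    objACE.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    objACE.AceFlags   = aceFlags
    objACE.Flags      = flags
    If Len(objectType) > 0 Then objACE.ObjectType = objectType
    If Len(inheritedObjectType) > 0 Then objACE.InheritedObjectType = inheritedObjectType
    Set NewAce = objACE
End Function
```

Run it once with an account that has Modify Permissions on the OU; running it twice appends a second copy of each ACE, so check the current DACL first (dsacls with the OU's distinguished name lists it). The trimmed console can then be handed out as a convenience, while the OU's ACL is what keeps the group inside that OU.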