RE: [ActiveDir] AD Monthly E-Mail Newletter?

2004-06-21 Thread Chaudhary, Amit
Jackson I agree it would be very useful indeed, especially as Guido says it is coming from you guys. Amit -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: 20 June 2004 13:19 To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE:

RE: [ActiveDir] AD Monthly E-Mail Newletter?

2004-06-21 Thread Caple, Andrew
Jackson - ditto with the other e-mails that have been doing the rounds. Like Guido said it would be great if it was a honest newsletter with some handy points on some of the problems that are out there ... And not just a sales pitch. Regards, Andrew -Original Message- From: [EMAIL

[ActiveDir] Need Directory Service command-line tools

2004-06-21 Thread Tashildar, Dinesh (Cognizant)
Does anyone have the below exes? If yes, then please send them to my email ID. Rename all as txt. Thanks Dsadd.exe dsget.exe dsmod.exe dsmove.exe dsrm.exe Regards, Dinesh Tashildar Cognizant Technology Solutions India Pvt. Ltd. Tel :

RE: [ActiveDir] Need Directory Service command-line tools

2004-06-21 Thread Mikael Svennungsson
Dinesh, You should find them in the system32 directory when installing Windows Server 2003. Best Regards, /MS From: Tashildar, Dinesh (Cognizant) Sent: Mon 2004-06-21 11:50 To: [EMAIL PROTECTED] Subject: [ActiveDir] Need Directory Service

[ActiveDir] PC move

2004-06-21 Thread Tashildar, Dinesh (Cognizant)
I want to move PCs from one OU to another OU based on IP subnet. Details: I want to move all PCs whose IP is 10.238.10.* and 10.238.20.* from Office OU to Home OU. I want to do this in a bulk command. Regards, Dinesh Tashildar This e-mail and any files transmitted

Re: [ActiveDir] PC move

2004-06-21 Thread Tony Murray
I don't know of any easy way to do this. As the IP address information is not stored in AD, I guess you would need to do this with a script (probably using WMI) to directly query each machine whose object is in the first OU and then perform the move using ADSI based on the retrieved IP address

RE: [ActiveDir] Need Directory Service command-line tools

2004-06-21 Thread Tony Murray
...and XP too. The tools won't run on Windows 2000 (or earlier) machines. Tony -- Original Message -- From: Mikael Svennungsson [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Mon, 21 Jun 2004 12:52:30 +0200 Dinesh, You should find in the system32

RE: [ActiveDir] AD Monthly E-Mail Newletter?

2004-06-21 Thread Tony Murray
I would quite like to see some Q&A in there too. It would be great to have responses from the horse's mouth (as it were). ReaderX: Why do I have to have Domain Admin permissions to see deleted objects? MS: Well, we had to do it that way because ReaderY: Why is the lastLogoff attribute not

RE: [ActiveDir] Need Directory Service command-line tools

2004-06-21 Thread Tashildar, Dinesh (Cognizant)
Fantastic, got this.. Thanks a lot for this information... From: Mikael Svennungsson [mailto:[EMAIL PROTECTED] Sent: Monday, June 21, 2004 4:23 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Need Directory Service command-line tools

Re: [ActiveDir] VBS code to set site link schedule

2004-06-21 Thread Tony Murray
Have you looked at this (one of Robbie Allen's gems)? http://www.rallenhome.com/books/managingenterprisead/source/Ch09-Listing12_Create_Link.vbs.txt Tony -- Original Message -- From: Jorge de Almeida Pinto [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED]

RE: [ActiveDir] VBS code to set site link schedule

2004-06-21 Thread Jorge de Almeida Pinto
Yep, I already found this one. I'm specifically interested in the VBS code to set the site link schedule. That piece is a lot more difficult! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: maandag 21 juni 2004 14:45 To: [EMAIL PROTECTED]

FW: [ActiveDir] OT: Samba guest access?

2004-06-21 Thread Brent Westmoreland
Using guest only would remove the ability for other users to authenticate using samba, so what would happen is that your users would all have uid of guest. Therefore, when they tried to browse to a directory that required elevated permissions

Re: [ActiveDir] AD Monthly E-Mail Newletter?

2004-06-21 Thread Kenny Lee
oh my.. i definitely like Tony's idea! :) lovely but .. example.. --- ReaderK: Is there any way that AD can detect PCs without patches which have security loopholes? MS : Yes, you will... AD will push the computer object into OU named Patching_in_Process and the OU will

[ActiveDir] AD Sites and SYSVOL

2004-06-21 Thread Justin_Leney
Return Receipt Your [ActiveDir] AD Sites and SYSVOL document :

[ActiveDir] VBS code to set site link schedule

2004-06-21 Thread Justin_Leney
Return Receipt Your [ActiveDir] VBS code to set site link schedule document :

RE: [ActiveDir] AD, GPO and Technet

2004-06-21 Thread Rodriguez, Daniel [EPM/SRM]
Ok, I have done that. Do I do this from the RUN box, or do I need the Command Prompt open? I do have Technet sitting in e:\technetshare\technet. The tn.msi file is in the ..\technet subfolder, and I do have the e:\technetshare set to share the directory and

[ActiveDir] Setting account expiration time date the script

2004-06-21 Thread Tomasz Onyszko
I have a Windows 2000 AD domain and for user account creation I'm using my own script creating users with ADSI. This script is working OK but I have a problem with setting the user account expiration date with it. Below is a fragment of my code: Set usr = UserOU.Create("user", "CN=" & strLogonName)

RE: [ActiveDir] AD Design on a Highspeed Network considerations

2004-06-21 Thread joe
I am with Al and Roger on this one. Separate out into sites any locations that get a physical DC placed there that way you don't send unneeded traffic across your WAN. If you weren't planning on sticking a DC in a specific site, don't think now you have to. If you were going to do it already,

RE: [ActiveDir] adding PCs

2004-06-21 Thread joe
What is the problem you have, that they are joining the domain or that they can't? joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kenny Lee Sent: Friday, June 04, 2004 2:59 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] adding PCs

RE: [ActiveDir] AD, GPO and Technet

2004-06-21 Thread Darren Mar-Elia
Ok. This is a two-step process. You run the administrative setup below from a command prompt to set up the share on the server. Next step is to then deploy the package using GPO. You have two (well three) options there. You can assign it per machine, which requires

[ActiveDir] User Icons

2004-06-21 Thread Ellis, Debbie
I am looking at group memberships in various groups in my AD structure and notice some user icons are dim or gray looking. What does this mean? Debbie Ellis Systems Administrator Viasat, Inc. 4356 Communications Drive Norcross, GA 30093 678-924-2591 attachment:

RE: [ActiveDir] Debate over 'split horizon' DNS

2004-06-21 Thread joe
This is similar to what a large enterprise customer I know of does except it is QIP based instead of BIND. Static registration of host specific A records for the servers and dynamic update of the underscore zones; clients register or not depending on their zone and whether or not the zone is

Re: [ActiveDir] User Icons

2004-06-21 Thread jpsalemi
Hey Debbie, take a look here http://support.microsoft.com/default.aspx?scid=kb;en-us;281923

RE: [ActiveDir] User Icons

2004-06-21 Thread Lou Vega
I remember asking the same question myself a while back; this article should shed some light on it for you: http://www.winnetmag.com/Article/ArticleID/21073/21073.html r/ Lou -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie

RE: [ActiveDir] AD, GPO and Technet

2004-06-21 Thread Rodriguez, Daniel [EPM/SRM]
I prefer to do it per machine assignment. The reasoning is, and correct me if I am wrong, that if I, or some other admin, goes to another computer (such as a normal user) and logs in, then TechNet would install on 'that' computer. If I do it by machine, then I know

RE: [ActiveDir] User Icons

2004-06-21 Thread Ellis, Debbie
The whole user icon is dimmed or gray and other users in the same group are not dimmed or gray. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Monday, June 21, 2004 2:12 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] User Icons Hey Debbie, take a look

RE: [ActiveDir] Setting account expiration time date the script

2004-06-21 Thread Jeff Salisbury
Tomasz - I believe that you will see a difference between what date you see programmatically and what date you see in the GUI. If I remember correctly, if the GUI says an account expires on June 18th, using scripts to pull the expiration date you will actually get a date/time of 2400 (midnight)

RE: [ActiveDir] Need Directory Service command-line tools

2004-06-21 Thread joe
Say what? C:\temp>ver Microsoft Windows 2000 [Version 5.00.2195] C:\temp>dsquery user -name test110 C:\temp>dsquery user -name test107 C:\temp> C:\temp>dsquery user -name testuser107 CN=testuser107,OU=TestUsers,DC=joehome,DC=com C:\temp>dsget user -desc

RE: [ActiveDir] NTDS Replication Problems

2004-06-21 Thread joe
It may not necessarily be a hack attempt, it may be virus/worm chatter. I have seen this on really busy DCs that were getting the crap kicked out of them by the various worms/viruses that try to figure out admin passwords like MUMU, et alii. joe From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] PC move

2004-06-21 Thread joe
You could also have the script look at the dnsHostName, do a lookup (fairly easy in perl, not so sure for vbscript) and then do the move. Keep in mind people who move about from location to location. Also keep in mind what do you do with machines that don't have a host name that can be looked up

RE: [ActiveDir] AD, GPO and Technet

2004-06-21 Thread jpsalemi
Hey Daniel I may be missing something here, but i don't think i've ever seen them work correctly from a drive letter? Even if i share something out from my local machine, for testing (like SP2), i always end up doing \\computer\drive$\share\file Might be something you want to try.

RE: [ActiveDir] question on gpresult.exe

2004-06-21 Thread joe
I would look at group nesting and SID Histories. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodriguez, Daniel [EPM/SRM] Sent: Wednesday, June 09, 2004 12:26 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] question

RE: [ActiveDir] Setting account expiration time date the script

2004-06-21 Thread joe
Where does it say that? I tried outputting from the same script and it doesn't have an issue. The problem is probably because it sets it to Midnight of the given day and that may be interpreted differently by different programs... Here is the output from a quick test G:\TEMP\deletetest Microsoft

RE: [ActiveDir] AD, GPO and Technet

2004-06-21 Thread Darren Mar-Elia
If you published the application per user, it would not necessarily be installed everywhere you log on, since publishing provides an "optional" installation model. Sounds like you're doing everything right. Have you tried two reboots? If you've got fast logon

RE: [ActiveDir] User Icons

2004-06-21 Thread joe
It simply means that the GUI didn't look that user's specific object up to verify its class. It is simply displaying an icon, it has no impact on the environment. If you have less than 500 users in the group however, it could indicate an issue with your GCs in that the object couldn't be looked up

RE: [ActiveDir] VBS code to set site link schedule

2004-06-21 Thread joe
That attribute is an octetstring and those aren't generally fun to handle in vbscript. You may want to look at http://www.rlmueller.net/Document%20LogonHours.htm To get a few hints on how to deal with this. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

Re: [ActiveDir] Setting account expiration time date the script

2004-06-21 Thread Tomasz Onyszko
Jeff Salisbury wrote: Tomasz - I believe that you will see a difference between what date you see programmatically and what date you see in the GUI. If I remember correctly, if the GUI says an account expires on June 18th, using scripts to pull the expiration date you will actually get a

RE: [ActiveDir] AD, GPO and Technet

2004-06-21 Thread Darren Mar-Elia
Good point John--you didn't explicitly say that Daniel but when you specify the package path, you need to enter the UNC and share name where the package resides. If you just browse to c: or d: or something, it won't work. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

Re: [ActiveDir] Setting account expiration time date the script

2004-06-21 Thread Tomasz Onyszko
Tomasz Onyszko wrote: Thanks Jeff, You are right - I just need to add one day because my users need to be valid till the end of the day I put into the account property. OK, but once again :) - I've performed a little test - I set up two accounts and got the following results: - account1: date in

RE: [ActiveDir] PC move

2004-06-21 Thread deji
depending on how you look at it, you are either in luck, or you are in trouble :) enjoy Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about

RE: [ActiveDir] Need Directory Service command-line tools

2004-06-21 Thread deji
I suggest you drop the habit of asking people to send you files. You are opening yourself up to malware and other bad stuff. Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the

RE: [ActiveDir] Setting account expiration time date the script

2004-06-21 Thread joe
What is written into AD is dependent on what the code is writing, in this case ADSI. AD plays no part here except being the receptacle for the data being written to it. I have written code (LDAP API) that sets that time to 1AM (to clear confusion around midnight) or 5PM (end of business day) or

RE: [ActiveDir] User Icons

2004-06-21 Thread Passo, Larry
There is even a registry value that you can configure for this: http://support.microsoft.com/default.aspx?scid=kb;en-us;281923Product=win2000 From: Lou Vega [mailto:[EMAIL PROTECTED] Sent: Monday, June 21, 2004 11:18 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] User

RE: [ActiveDir] AD Monthly E-Mail Newletter?

2004-06-21 Thread deji
CFO: How many people do we have in IT now? IT Manager: 5 CFO (eyes popping out of sockets): 5???!!! Why do we need that many people??? Didn't I just read something about this Virus_cleaning_in_process thingamabob in some magazine??? IT Manager: True, I read that, too CFO: Good man. You know

RE: [ActiveDir] PC move

2004-06-21 Thread joe
Code from Deji... That falls pretty straight forwardly into the you are in trouble category I think :o) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, June 21, 2004 3:15 PM To: [EMAIL PROTECTED] Subject: RE:

RE: [ActiveDir] PC move

2004-06-21 Thread deji
I learnt from the best ;) You got to agree, though, the job gets done. Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

[ActiveDir] w2k3 replication between w2k3 DC's in a 2000 functional level mode

2004-06-21 Thread Steve Schofield
If you have W2K3 servers in 2000 functional forest level and you add something to the GC, does the entire GC replicate between 2003 and other 2003 DCs? * - * * Steve Schofield - MCP, CCA * [EMAIL PROTECTED] * * Microsoft MVP - ASP.NET *

RE: [ActiveDir] AD, GPO and Technet

2004-06-21 Thread Rodriguez, Daniel [EPM/SRM]
Ok.. I checked that in the GPO and it is listing the tn.msi in \\ussrm-fp02\technetshare\technet. How do I change it to the listing \\ussrm-fp02\e$\technetshare\technet? I am using the GPMMC Utility to modify/create the GPO. Now, when I reboot, I

RE: [ActiveDir] w2k3 replication between w2k3 DC's in a 2000 functional level mode

2004-06-21 Thread joe
Assuming you mean modify the PAS set see Dean's earlier response to this (attached)... joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield Sent: Monday, June 21, 2004 4:50 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] w2k3

RE: [ActiveDir] Tracking the machine from which user logs in

2004-06-21 Thread joe
Well, it depends on how good you want your data to be. However, the only real foolproof way of doing this is to write a service that runs on each PC and watches what is going on. You have several different types of logons, network, interactive, service, etc. Someone could log onto an ID on a

RE: [ActiveDir] strange thing...

2004-06-21 Thread joe
This thread seems confusing to me and doesn't seem to have all of the information. Questions: 1. You say "added the technician group to the computers OU". When you say that, do you mean you added the Technicians group to the ACL of the Computers container (i.e. CN=COMPUTERS) or did you create an OU

RE: [ActiveDir] strange thing...

2004-06-21 Thread joe
Don't worry about how the permissions are being displayed. The GUI will try and display the permissions based on how the ACEs are configured. An ACE can not have both CREATE Computer Objects and Read Permissions, the ACE structures don't work that way, they would have to be separate ACEs. joe

RE: [ActiveDir] Security

2004-06-21 Thread joe
Guido's #1 can be a nightmare. Say you have a single DC that isn't playing well with the FRS replication topology and you go to change the restricted group you will get this great battle going on in AD as the change is made by GPO on one machine, it will replicate through the environment, the GPO

RE: [ActiveDir] User Icons

2004-06-21 Thread Grillenmeier, Guido
this can also be a phantom object from a foreign domain in a domain local group or UG on a DC (not a GC), which has changed its name in the original domain, but wasn't yet updated in the domain by the infrastructure master. or it could just be a very old user account ;-)) -Original

RE: [ActiveDir] User Icons

2004-06-21 Thread Dean Wells
Agh, it's not an object, it's a record ... just teasing :-) -- Dean Wells MSEtechnology * Tel: +1 (954) 501-4307 * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent:

Re: [ActiveDir] Security

2004-06-21 Thread Steve Patrick
How does this one relate specifically to restricted groups? This applies to a whole slew of items.. the worst offender IMO being a hub and spoke topo with file system permissions being pushed down to sysvol or dfs link\root which is replicated. -steve - Original Message - From: joe