RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

2005-02-07 Thread Jorge de Almeida Pinto
Hi Jeff, Concerning Exchange 2000, Windows 2003 and the Forest functional level DON'T forget the following as mentioned in http://support.microsoft.com/?kbid=831809 (Exchange 2000 Recipient Update Service does not replicate changes successfully in forest functional level 1 or 2 in Windows

[ActiveDir] Active Directory Backup

2005-02-07 Thread Sergio Sánchez Trujillo
Hello, Could i do a backup of the Active Directory? How? We have a tape library backup and ARCServer Software Backup... but it's not necessary to use this library. Thanks Sergio Sánchez

RE: [ActiveDir] Active Directory Backup

2005-02-07 Thread Jorge de Almeida Pinto
Hi Sergio, You can use whatever tool that's Windows 2000/2003 compliant to backup Active Directory. Windows 2000/2003 itself has NTBACKUP that gives you the possibility to backup to TAPE or FILE. To backup Active Directory you must at a minimum backup the SYSTEM STATE (I always also backup

RE: [ActiveDir] Domain Controller replacement strategy?

2005-02-07 Thread Grillenmeier, Guido
Bob - the main thing I meant was that you can't add the new DC with the same name/IP, before the other one is gone... So if you were to only have 2 DCs in a domain and you'd want to replace these at run-time without losing failover capabilities, you'd first have to add a third interim DC with

RE: [ActiveDir] Active Directory Backup

2005-02-07 Thread Grillenmeier, Guido
note that it's worth to backup Group-Policies separately, as you don't want to restore your AD to fix a specific GPO. This can be achieved very well with the GPMC (http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx). also check out this whitepaper:

[ActiveDir] access to home directories denied

2005-02-07 Thread Lucia Washaya
Colleagues, I am having problems with my users who cannot access their home directories. The directories are on a Windows NT4 machine and the users having the problem are in the Windows 2000 domain. Those on our Windows NT domain are accessing fine. Everyone has full access to their home

Re: [ActiveDir] access to home directories denied

2005-02-07 Thread volker . seyboldt
Can you give some more information about trust configuration between domain, if users were migrated to the w2k domain, how you create the home directories, if it ever was accessible for w2k users, etc Colleagues, I am having problems with my users who cannot access their home directories. The

RE: [ActiveDir] access to home directories denied

2005-02-07 Thread Jorge de Almeida Pinto
Hi, The Homedirectories are stored on NT4 file servers. I presume the DACLs (permissions) that are assigned are from the NT4 domain. Does the following somehow represent your environment? drive on file server:\HOMEDIRS\username - shared as username$ DACLs are NT4\username with modify,

[ActiveDir] Obtaining a count of members in a group

2005-02-07 Thread Abbiss, Mark
Please, does anyone know of a quick way to find the number of users in a particular security and/or distribution group in AD and perhaps export the list ? Many thanks

Re: [ActiveDir] Obtaining a count of members in a group

2005-02-07 Thread Manjeet
You can use following command to get the list of member adfind = to get the member for distribution group global = to get the member for global group Best- Manjeet "Abbiss, Mark" [EMAIL PROTECTED] wrote: Please, does anyone know of a quick way to find the number of users in a particular

RE: [ActiveDir] Obtaining a count of members in a group

2005-02-07 Thread Coleman, Hunter
This will dump the groups in an OU, their members, and the count of the members. If you're only interested in a single group, you can tweak it a bit to grab just that group. Hunter const ForReading

[ActiveDir] Orphaned Folders In Exchange 5.5

2005-02-07 Thread Philadelphia, Lynden - Revios Toronto
We have moved away from the rest of our Organization and replication has stopped and we have deleted our X400 connector. I have found an article that goes over the process. One of the steps is to remove Public Folder Replicas from Exchange_Site_B (our site). This is where I'm having

RE: [ActiveDir] Obtaining a count of members in a group

2005-02-07 Thread Abbiss, Mark
Many thanks, excellent help. I hope I am not pushing my luck by asking for another brainstorm on how I can do a simple check for how many members are found both in GROUP1 and GROUP2. These are quite large groups (1000 members) and I cannot do it by visual checking Thanks

Re: [ActiveDir] access to home directories denied

2005-02-07 Thread Lucia Washaya
These home directories were accessible before. the problem started three days ago. The trust relationship between the two domains still exists. Users were created independently on the two domains and the home directories were created when the account is created. Accounts are created on one of the

RE: [ActiveDir] Active Directory Backup

2005-02-07 Thread John R. Tomawski
Here's a follow up question. What's the best way to recover active directory? For some reason, my veritas backup of the system state caused a blue screen last time I tested it. Any ideas? Thanks, John On Mon, 2005-02-07 at 11:04 +0100, Jorge de Almeida Pinto wrote: Hi Sergio,

RE: [ActiveDir] Obtaining a count of members in a group

2005-02-07 Thread Coleman, Hunter
In that case, you could use adfind like this: adfind -b dc=subdomain,dc=domain,dc=com -f "(&(objectcategory=person)(memberOf=cn=Group1,ou=Test1,dc=subdomain,dc=domain,dc=com)(memberOf=cn=Group2,ou=Test3,dc=subdomain,dc=domain,dc=com))" name any other attributes you want

RE: [ActiveDir] Obtaining a count of members in a group

2005-02-07 Thread Marcus.Oh
If you dump to a text file, you can get a line count by issuing this: Find /v /c "" nameoffile.txt marcus c. oh \\.\core technologies\cox communications, inc. \\.\mvp\windows server systems\management [v] 404.847.6117 [c] 404.391.7097 From: [EMAIL PROTECTED]

RE: [ActiveDir] Obtaining a count of members in a group

2005-02-07 Thread joe
I'm so proud, it brings a tear to my eye. :o) Also for the first question adfind -b dc=domain,dc=com -f samaccountname=groupname member |grep -c "member" Doing this for multiple groups is trickier. No doubt it can be done with batch commands but I'm not the one that could

RE: [ActiveDir] Legal Question

2005-02-07 Thread Stockbrugger, Brian L.
I got a little more information on this from an attorney of one of my colleagues. The only area that disclaimers have been tested in court (according to him) is in the case of a lawyer corresponding with a client bound by the attorney / client confidentiality or doctor / patient confidentiality.

RE: [ActiveDir] Obtaining a count of members in a group

2005-02-07 Thread Burns, Clyde
This is pretty simple adsi vbscript I use when I get those kind of "who is in that group" question. It prompts for the NetBIOS domain name, group name, file to save as (in CSV style output) Clyde Burns ' Gets input on the domain name, group

RE: [ActiveDir] Orphaned Folders In Exchange 5.5

2005-02-07 Thread Mulnick, Al
Exchange 5.5: http://support.microsoft.com/default.aspx?scid=kb;en-us;152433 I suggest you read it carefully, because the warnings are there for good reason. al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto Sent:

RE: [ActiveDir] Obtaining a count of members in a group

2005-02-07 Thread Creamer, Mark
Shouldn't it do that natively? I mean, come on joe (just kidding... please don't block my IP from your treasure trove of joeware goodies!) mc From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, February 07, 2005 11:07 AM To:

[ActiveDir] Fun with delegated permissions.

2005-02-07 Thread Hunter, Laura E.
(Gotta get out of the habit of ending my subject lines with ellipses so that Deji's webmail will be able to open them.) Hello all, Playing with a situation in a break-and-fix test lab and am looking for the...fix: 1. I'm a Domain admin for mycompany.com. I create an OU called Test1, that

RE: [ActiveDir] Legal Question

2005-02-07 Thread Rick Kingslan
Brian, I think the most important issue to take into account with this is one of perceived or real confidentiality. The technology of SMTP is not, nor was it really ever, designed with confidentiality in mind. S/MIME - different story. This is a solution to the SMTP issue. So, if one wants

RE: [ActiveDir] Obtaining a count of members in a group

2005-02-07 Thread Rick Kingslan
Doing this for multiple groups is trickier. No doubt it can be done with batch commands but I'm not the one that could do it. Pose that one to Dean. I've never seen keener DOS or CMD batch scripts in my life (sorry joe, including you) ;o) -rtk From:

RE: [ActiveDir] Fun with delegated permissions.

2005-02-07 Thread Coleman, Hunter
If Domain Admins is the owner of Test1, then they can change permissions on the OU. If Domain Admins is not the owner of Test1, you'll have to grab that first. Right-click the OU, go to Properties, Security, Advanced, click on the Owner tab, and grab ownership. Hunter -Original

RE: [ActiveDir] Obtaining a count of members in a group

2005-02-07 Thread joe
Oh don't be sorry. I know I am not the guru of batch, Dean writes crap that I can't even read... They call perl write once read never... Dean's batch files are firmly in that area for me. I would rather see a three line regular expression and be told I was under penalty of

RE: [ActiveDir] Fun with delegated permissions.

2005-02-07 Thread Hunter, Laura E.
Rats, sorry about the obvious question. I was having operating system interference from Novell NDS, since there actually -was- a way to rather nastily lock yourself out of portions of the NDS tree by doing that. (Why this interference happened just now, I don't know, since I haven't touched an

RE: [ActiveDir] Fun with delegated permissions.

2005-02-07 Thread joe
Alternatives to grabbing ownership would be to make yourself an account operator and add yourself to test1; spawning a process as localsystem and adding yourself to test1. Note that the test1admins would also have to remove builtin/administrators access as well or else ent and dom admins will

RE: [ActiveDir] Obtaining a count of members in a group

2005-02-07 Thread joe
Heh. IP blocked Seriously though... It is the kind of thing I argue with myself on a regular basis. It is an argument over generic tools versus specific tool. It is why I still haven't put out admod -add option. How far do I want to go? Doing something like give a member

RE: [ActiveDir] Fun with delegated permissions.

2005-02-07 Thread joe
Honestly, I wouldn't mind if that nasty method was available in AD. Then when you kicked out admins, it really meant they were kicked out. They call that security versus false sense of security. The whole creator/owner thing is a giant get out of jail free card but it can be used for or against

RE: [ActiveDir] Obtaining a count of members in a group

2005-02-07 Thread joe
Instead of grep you can also use find Command |find /c "member" -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Monday, February 07, 2005 11:20 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Obtaining a count of members

RE: [ActiveDir] Obtaining a count of members in a group

2005-02-07 Thread joe
Hmm been awhile since I looked at the winnt provider (I tend to avoid ADSI when I can and WinNT provider pretty much always) but you may have a problem with this script with native mode domains that have same scope group nesting going on... The problem being the nested groups

RE: [ActiveDir] LDAP and Win2003 Question

2005-02-07 Thread joe
The simplest solution is to use the full DN of the object that you are using getobject on. You have the parent DN, prepend the object DN and do a getobject; don't do it in the relative way that it was being done. Shouldn't be an issue then because you don't specify the object type then. joe

RE: [ActiveDir] Fun with delegated permissions.

2005-02-07 Thread Hunter, Laura E.
Agreed. I can't imagine a way to have that kind of isolated OU the way Active Directory is currently laid out - I'm seeing the words security boundary and new forest in my head before I get even three seconds into the thought. Though it would certainly solve the problem of wanting to create that

RE: [ActiveDir] Obtaining a count of members in a group

2005-02-07 Thread Rick Kingslan
You CAN, but 'FIND' has nowhere near the 'fun' that grep does. Have you ever seen an entire BOOK written on 'FIND'? ;p -rtk -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, February 07, 2005 12:37 PM To: ActiveDir@mail.activedir.org

RE: [ActiveDir] access to home directories denied

2005-02-07 Thread Mulnick, Al
What kind of events are being logged when they try to connect to the home drive? (on the NT 4 server and the W2K machines?) Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucia Washaya Sent: Monday, February 07, 2005 10:29 AM To:

RE: [ActiveDir] Legal Question

2005-02-07 Thread Stockbrugger, Brian L.
Rick, I would agree 100% which is why I am lobbying for the removal of our disclaimer and the implementation of encryption. Brian -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Monday, February 07, 2005 10:01 AM To: ActiveDir@mail.activedir.org Subject: RE:

[ActiveDir] AD Operational Attributes

2005-02-07 Thread Jorge de Almeida Pinto
Hi everyone, For some time I have been trying to find out which Operation Attributes are available/located on the RootDSE but I haven't been able to find any info on that besides the attributes to transfer the FSMO roles: * becomeRidMaster * becomeSchemaMaster * becomeDomainMaster * becomePDC *

RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

2005-02-07 Thread Grillenmeier, Guido
nope, that's not a problem - however, it is true that specific things won't happen, until you move certain FSMO roles to a Win2003 DC (e.g. a few new Win2003 security principals won't be created until PDCE is running on 2003). But you can easily do this later - so this won't hinder you in

RE: [ActiveDir] Fun with delegated permissions.

2005-02-07 Thread Grillenmeier, Guido
At least MS is continuing their work on AD permissions - even though domain + enterprise admins will remain Gods of the forest (which is certainly a reason only to have very few of them in any AD forest). One of the issues with delegating Read-Access to Users to specific objects in AD is that

RE: [ActiveDir] AD Operational Attributes

2005-02-07 Thread Sakari Kouti
Hi Jorge, One well-known operational attribute is schemaUpdateNow, which triggers a schema cache update, when you write 1 to it. A more complete list can be dug out from ntdsa.dll: doOnlineDefrag removeLingeringObject SchemaUpgradeInProgress doLinkCleanup becomePdcWithCheckPoint

[ActiveDir] Using GPO's to force a Lock Workstation in conjunction with task manager

2005-02-07 Thread Jason B
Objective: Use Group Policy to force workstations to lock after 60 minutes of inactivity. Well, I know that there's no way to easily do this by using a GPO. Most admins just use the GPO settings to enable a screensaver and password for it, however, I really want to lock the workstation

RE: [ActiveDir] AD Operational Attributes

2005-02-07 Thread Rick Kingslan
Sakari, To echo the one phrase from Microsoft that, I personally have flat gotten sick of, we can likely expect to see your next edition In the LONGHORN TIMEFRAME ;o) -rtk -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti Sent: Monday,

RE: [ActiveDir] Using GPO's to force a Lock Workstation in conjunction with task manager

2005-02-07 Thread Rick Kingslan
Jason, I'm sure that there's a good reason for not wanting to use the enable screen saver option, but I'm curious as to why you want to do that actual LockWorkStation function. Is it an academic exercise, or is there something more to it? Just simply curious... -rtk -Original

RE: [ActiveDir] Using GPO's to force a Lock Workstation in conjunction with task manager

2005-02-07 Thread Gil Kirkpatrick
I doubt that the task scheduler can run a shortcut... Shortcuts are a shell function. Can you run the .exe directly from the scheduler instead of running the shortcut? -gil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Monday,

Re: [ActiveDir] Using GPO's to force a Lock Workstation in conjunction with task manager

2005-02-07 Thread Jason B
The problem is that I am adding arguments to the rundll.exe that tell it to lock the workstation. Just having scheduler run the rundll.exe won't do anything. As I pointed out, though, the scheduled task runs just fine from my workstation. The same set up on a test machine with a standard

RE: [ActiveDir] Obtaining a count of members in a group

2005-02-07 Thread Ulf B. Simon-Weidner
For the VBS posted earlier, listMembers is supposed to be an array, so if you want to get the number of members you can output a ubound(listMembers)- lbound(listMembers). To batch adfind the following should work: for /f "tokens=1*" %i in (groups.txt) do ( adfind adfind

RE: [ActiveDir] Using GPO's to force a Lock Workstation in conjunction with task manager

2005-02-07 Thread Marcus.Oh
I'm still confused how this is different than a screensaver and password? marcus c. oh \\.\core technologies\cox communications, inc. \\.\mvp\windows server systems\management [v] 404.847.6117 [c] 404.391.7097 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On

RE: [ActiveDir] ADUC Export

2005-02-07 Thread Katherine Coombs
Check out http://www.windowsitpro.com/Windows/Article/ArticleID/44085/44085.html for a script that will document the OU structure and the number of user, group and computer accounts contained therein. It doesn't list the individual accounts that are contained in each, but it

RE: [ActiveDir] Active Directory Backup

2005-02-07 Thread Fuller, Stuart
Another thing I would like to point out is that not only do you have to have a good backup strategy but also you have to test your recovery of AD from your backup system. It is always a very useful exercise to take your tapes of AD and go to a test bench and see if you can recover. Recovery

RE: [ActiveDir] Using GPO's to force a Lock Workstation in conjunction with task manager

2005-02-07 Thread Rick Kingslan
Kind of where I'm at But, I'm merely a by-stander. :o) -rtk -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, February 07, 2005 4:20 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Using GPO's to force a

RE: [ActiveDir] Obtaining a count of members in a group

2005-02-07 Thread Rod Simmons
Just an FYI while this will get the member attribute of a group if a user's primary groupID has been changed to this group you will not see them as a member using the method defined below. I had that problem a while back, in fact Microsoft had that problem when Exchange 2000

[ActiveDir] GPO for standardizing the background/wallpaper

2005-02-07 Thread Pelle, Joe
Hello! I would like to know if anyone knows how to standardize the wallpaper/background via GPO on XP workstations? I want to specify a background color with no wallpaper, no background, and to not allow the user to change the color or any other settings. It looks like I can

RE: [ActiveDir] Using GPO's to force a Lock Workstation in conjunction with task manager

2005-02-07 Thread Darren Mar-Elia
Jason- What security context is the task running in? Windows has the notion of WindowsStations which represent the user's active shell session, or something roughly approximating that. The interactive user's WindowsStation is going to be different from, say, LocalSystem's. I suspect that could be

RE: [ActiveDir] Using GPO's to force a Lock Workstation in conjunction with task manager

2005-02-07 Thread Crawford, Scott
When I've used scheduler to run an exe that needs arguments, I put the command in a batch file and schedule that to run. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason B Sent: Monday, February 07, 2005 4:01 PM To: ActiveDir@mail.activedir.org

RE: [ActiveDir] Using GPO's to force a Lock Workstation in conjunction with task manager

2005-02-07 Thread Gil Kirkpatrick
Ahh, I misunderstood. So the real question is why does the task scheduler fail to run the .exe on the test machine, when it seems to run the .exe properly on your machine. My first thought would be that the scheduler is running under a different security context. -Original Message- From:

Re: [ActiveDir] Using GPO's to force a Lock Workstation in conjunction with task manager

2005-02-07 Thread Jason B
Wouldn't enabling a password protected screensaver require a universal screensaver password for all users? - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Monday, February 07, 2005 3:20 PM Subject: RE: [ActiveDir] Using GPO's to force a Lock

RE: [ActiveDir] Using GPO's to force a Lock Workstation in conjunction with task manager

2005-02-07 Thread Perdue David J Contr InDyne/Enterprise IT
No. You can set the requirement to password lock the screensaver separate from the chosen screensaver. Although, I haven't seen what will happen if you force the screensaver to lock, but don't have a screensaver chosen. Dave //SIGNED// David J.

RE: [ActiveDir] Using GPO's to force a Lock Workstation in conjunction with task manager

2005-02-07 Thread Rick Kingslan
There is a dependency in the GPO elements - you can enable the Screen Saver requirement, but it won't come active if you haven't chosen a screen saver that is available on the target machine(s). Also, the screen saver timeout must be set to a non-zero value. -rtk -Original Message-

Re: [ActiveDir] Using GPO's to force a Lock Workstation in conjunction with task manager

2005-02-07 Thread Jason B
I think this may work... I'll try it and get back with the list. Thanks. - Original Message - From: Crawford, Scott [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Monday, February 07, 2005 4:07 PM Subject: RE: [ActiveDir] Using GPO's to force a Lock Workstation in conjunction

RE: [ActiveDir] GPO for standardizing the background/wallpaper

2005-02-07 Thread Cothern Jeff D. Team EITC
Joe Under User Configuration\Administrative Templates\Desktop Disable Active Desktop Wallpaper. This will Turn off wallpaper. User Configuration\Administrative Templates\Control Panel\Display Enable Prevent changing Wallpaper Enable Hide appearance and themes Tab. As for

RE: [ActiveDir] GPO for standardizing the background/wallpaper

2005-02-07 Thread Za Vue
User Configuration-Administrative Templates-Desktop From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe Sent: Monday, February 07, 2005 5:27 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] GPO for standardizing the background/wallpaper Hello!

RE: [ActiveDir] Obtaining a count of members in a group

2005-02-07 Thread joe
Yep. I agree. Grep is always one of the first things I put on any new machine. However Charlie hasn't come around to using grep so I mentioned how it could be done with find. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent:

RE: [ActiveDir] Using GPO's to force a Lock Workstation in conjunction with task manager

2005-02-07 Thread Brian Desmond
Jason- I haven't used the task scheduler recently (more a command line person), but, as I recall you can't specify an argument in the wizard. Just have to give it rundll32, and then go back in and manually edit the task with your arguments. Also, try quoting the path to rundll32, and then