How about Darren's article:
AD Network Interactions
Understanding AD logon and replication procedure
http://www.windowsitpro.com/Windows/Article/ArticleID/37928/37928.html
Cheers
#JORGE#
From: [EMAIL PROTECTED] on behalf of Rachui, Scott
Sent: Wed 8/3/2005
Hello,
We have 300 identical Dell GX270s running XP in a 2003 Active Directory
and we are seeing a few (1%) suffering from extremely long logons. The
"Applying computer settings" message is displayed after the user signs in and
stays there for some 20-30 minutes, during which time the HDD activity
light
I always find it quite ironic that those who have never used NDS/Netware always
seem to want NDS/Netware features, once they've worked with AD for a period of
time :)
I have to remind myself why I booted NDS out in preference to NT/AD years ago...
Novell have been offering the vast majority of
Portal - http://www.microsoft.com/windowsserver2003/technologies/default.mspx
Kerberos -
http://www.microsoft.com/windowsserver2003/technologies/security/default.mspx
http://www.microsoft.com/windows2000/technologies/security/kerberos/default.mspx
DNS -
- Are your subnets and sites defined correctly? If not, clients may
authenticate and process GPOs from DCs across slow WAN links.
- Does your GPO contain lots of registry and/or file DACL/SACL settings? This
could account for the slow processing.
neil
Hello all :)
I have more than 70 OUs.
In each of them, I create a group, say AdminGroup,
with one or more users in it.
In OU1, I've then delegated to AdminGroup1 the
rights to only view certain attributes, and write others, create certain types
of objects such as groups, computers.
I
Hi Neil,
Thanks, some long-forgotten security profile settings seem to have woken
up. Computer policy refreshes on each start-up, so why only a subset of
users are suffering is still a bit of a mystery. Some rethinking of our
policies is in order, methinks.
Thank you for your help.
Gary
---
A netmon trace of group policy processing is a very insightful way to
troubleshoot these things as well. Feel free to email a trace if you need
help reading one.
DNS issues will also make it take quite a while to process policies at
startup...
Thanks,
Brian Desmond
Take a look at the dsacls command line utility. :)
Thanks,
Brian Desmond
From: [EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, August 03, 2005 4:55 AM
To: ActiveDir@mail.activedir.org
Yep, the tool you mention can do that, because natively through AD it is not
possible.
However, you could do it with scripting and some of the free tools around.
You could use a VB script (see the script repository from MS) to create all the groups,
and with DSACLS you can assign permissions to the groups.
Hi Jorge and Brian :)
Thanks for the answer.
I did indeed think of dsacls, but I was hoping there was a way natively or an
add-on to AD to do this task :(
Thinking of a file such as delegwiz.inf that could be modified with my own
settings and then be applied in one go to my OUs.
Never
Hey all,
Have a quick question about Domain DFS
roots. If you have about 3000 users, do you recommend hosting the DFS root on
DCs or having dedicated boxes to host the Domain DFS roots? Since the
root is mainly just doing referrals, my thought is that as long as you have
I agree with your sentiments in principle, but would state that the number of
links rather than users is of importance. Domain and stand-alone DFS each have
their own limitations, so you should ascertain whether domain DFS will meet your
requirements, whatever they may be.
I
Correct Neil,
I don't want to host data on the DCs,
just use them to refer to the actual data hosted on file servers.
Thanks,
Todd
From: Ruston, Neil [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 03, 2005 7:31 AM
To: 'ActiveDir@mail.activedir.org'
Title: Set UserAccountControl
Hi,
Is there any possibility of setting both properties?
Password never expires and User must change password at next logon
I tried with this script, but I can't:
--
Set objConnection = CreateObject("ADODB.Connection")
AFAIK these are mutually exclusive. Why
would you need both? If you want to force at least one password change and then
have it never expire, you could create the account with the "User must
change password at next logon" property on and then have your script
Thanks, I know, but I need it.
Your suggestion is good and I will do what you say if I don't have another
possibility.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Wednesday, 03
There are a couple of issues here
1. As was previously pointed out, these settings are
mutually exclusive. An account that is marked as "user must change password at
next logon" is, in reality, marked in the background as having an expired
password.
2. You
I'm just curious to know why, if you
don't mind, you need to set both at the same time.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fernandez Rego, Ramon
Sent: 03 August 2005 14:44
To: ActiveDir@mail.activedir.org
Subject: RE:
I am trying to resolve the issue of authentication in DOS mode using an NDIS
driver. The purpose is to map a drive on a server for creating a Ghost
image. When I boot up with floppy/CD-ROM, sometimes I get a message after
user name and password: "You have been
Title: RE: [ActiveDir] Biggest AD Gripes
Whoops, sorry, I haven't gone through each of the
gripes/comments/suggestions/dislikes yet in detail, just skimmed them to see we
were getting a good amount of items.
There was one comment about being not qualified to gripe.
Anyone on this list who has
Title: DCPromo Answer file - no DNS.
The bit that threw me is that my DCPromo process ignored the section
[NetOptionalComponents]
DNS = 1
Hence first invoking:
C:\WINNT\SYSTEM32\SYSOCMGR /I:C:\WINNT\SYSTEM32\SYSOC.INF /u:C:\my_answer_file.txt
Also FYI - This is not the first DC on
Hi,
I would like to ask whether an
administration workstation (Win XP Pro) should be allowed to receive a zone transfer from the
main DNS server (Windows 2003 server)? The reason is that the administrator
would like to perform some DNS monitoring tasks, like using the NSLOOKUP ls -d abc.com
command to
Script to enumerate file shares per server and spit them out?
I think you'll need to figure in an additional column for the server name at a
minimum though, and probably add some information about them such as whether or
not it's hidden, etc.
Al
When in DOS mode, you will *not* have any
DNS name resolution - all names will be translated via WINS or NBT broadcast or
lmhosts file.
Ensure you have an entry in your lmhosts
file if WINS is not available.
neil
Not an AD gripe but a tools gripe. The AD Sites and Services snap-in
sucks canal water as Laura sez. MS said they would fix it in Win2K3
but it still sucks.
Diane
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 02, 2005 9:25
That command will only be available if the DNS server is permitted to perform zone
transfers to either 1. any machine, or 2. a list of machines, of which the admin
workstation is a member. That command initiates a zone transfer and so the above
criteria must be met.
Maybe
Title: Account lockout
I just wanted to respond and thank everyone that responded
to my problem. The final answer happened to be a computer I was RDP'd into, and
it was locking my account out. Thanks again to
everyone.
Jake
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick
Can you be a little more specific?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: 03 August 2005 15:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes
Not an AD gripe but a tools gripe. The AD Sites and
Now I'm getting blank responses too. Funny that the "Sent from my
Blackberry" made it through though.
Phil
On 8/2/05, Kern, Tom [EMAIL PROTECTED] wrote:
--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
List info : http://www.activedir.org/List.aspx
We recently had an Exchange server failure and mailboxes had
to be restored from backup. Now some users are having problems with their
contacts. When they click To in a message and select Contacts,
the list is empty. However, the contacts are present in the Contacts
folder in the users
Hello, can someone explain what exactly the
"repair" will do in Network Connections? I tried it to fix the problems for
two of our workstations.
Occasionally, they will have bad connections
or some of the drive mappings fail. When we perform repair, log off and
log on
Specifically, what the repair task does on Network Connections is synonymous with typing IPCONFIG
/RELEASE, then IPCONFIG /REGISTERDNS.
It really is nothing more than checking the stack, ensuring that it's
communicating, and in the event that you get your address from
It would be nice if the LimitLogin V 1.0 functionality were built into
AD some how. Haven't looked in a while. Maybe they've come out with
something better.
Robert
Good Morning,
I would like to see the ability to just filter locked accounts or disabled
accounts from the MMC GUI without having to write complicated scripts. Another
thing I have been asking for since NT 3.51 is the ability to enable email
alerts, such as when an account is locked out, it
Thanks.
We don't use DHCP, instead we use static IP addresses. I
think the repair does a little bit more than IPConfig. We do not have any
problem for a few days and then it comes again.
Does the workstation keep the DNS cache some place in the
registry? If so, can we stop it? The DNS
Actually, that's not the case Carlos - even after all DCs are upgraded to
R2, SYSVOL is still using the legacy FRS replication mechanism. This
won't change before Longhorn.
So it should stay on the list of gripes ;-)
/Guido
Thanks. I am looking for
some more depth in this question. Why do I get different answers with the
same floppy boot?
Rao/..
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Wednesday, August 03, 2005 10:22 AM
To:
Thanks Neil, that's the answer I've been
looking for.
Kevin
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Wednesday, August 03, 2005 10:27 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Zone Transfer Question
Correct, that's what I meant by accounts that they authenticate. When
I log into the domain from a domain computer, the actual computer I'm
using is not the one doing the authenticating.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent:
My DCs reboot every now and then when I try to remote in. It will try
to log you in and then kill your connection and reboot. The logs are
worthless: "The computer shut down unexpectedly." Any suggestions?
Has anyone actually got the built-in firewall to work properly? I got
fed up and
Restore to dissimilar hardware is a HUGE pain point for us in reference
to AD restores for DR drills (1). Take Joe's suggestion of removing the
OS dependency from AD version and go one further where the backup and
restore of AD is somewhat independent and not glommed into system state.
Not sure
o in addition to the staged delete process as described below, I'd like
to be able to force the full deletion of objects before the tombstone
lifetime has expired.
o better handling of cross-domain links during restore operations - goes
along with the staged delete approach: allow linked
People will start suing Bill Gates for monopolizing again.
Z.V.
Medeiros, Jose wrote:
Good Morning,
I would like to see the ability to just filter locked accounts or disabled accounts from the MMC GUI without having to write complicated scripts. Another thing I have been asking for since NT
Hi Jose,
From your 1st question, if you are on AD 2k3, you can use the saved queries
function included in the ADUC MMC.
It permits you to create a custom ldapsearch for nearly everything you are
looking for :)
If you are still on AD2k, you can use ADSIEDIT to create your own ldapsearch,
Question 1: what did you do just prior to the first time it acted this
way?
Answer: nothing
Question 2: what did you do before you did nothing? ;-)
e.g. what did you do while trying to get the FW running on a DC?
Fact is that you shouldn't use it on a DC. I doubt that's different for
a 3rd
I've been going to SunGard in Philly for 3 yrs now and I can confirm it's a
huge PITA.
Right now we just put Win2k on a laptop and dcpromo it, then disconnect and
remove the other DC metadata and vice versa, and then take the laptop with us to
SunGard for the DR.
It's worked pretty well so far.
Thanks for all who voiced in..
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, August 02, 2005 2:53 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] copy or migrating local
Title: DCPromo Answer file - no DNS.
No. DCPromo looks ONLY at the DCPromo section.
Run Sysoc.inf against the answer file.
For a fresh DC, run
SYSOC.INF followed by DCPROMO as your two commands in the [GUIRunOnce] section.
There's one much bigger issue that
may or may not impact you, but is usually missed by folks. That
is the delegation of MAINTENANCE OF THE DFS ROOT.
DFS roots are really, technically and practically, a scope for delegation
of administration, as well as a root of a
Title: Set UserAccountControl
I may be talking out of my butt here, but
I think that you may be running into an issue of the version of AD you're
using. I have a vague recollection that I ran into this problem and needed to
set the pwdLastSet attribute, rather than the User Account
There is an easier way, although you might not be able to
leverage it, depending on your situation.
1. you could promote the server to be the DC of a new
temp-forest (will take the local SAM and make "normal" AD accounts and groups
out of it)
2. then create a trust to your target forest and
DSACLS will let you do the re-ACLing without having to worry about manually
doing it (although with one server it is probably not a big deal). I have
used it with a text file that maps old user accounts to new user accounts to
automate the repermissioning. You can also use this to repermission the
Hello,
Do you rather mean CACLS or XCACLS for re-ACLing the file system?
I think DSACLS is for permissioning Active Directory objects.
Cheers,
Yann
From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Date: Wed. 03/08/2005 22:23
To: ActiveDir@mail.activedir.org
Hi All
Actually, I meant SUBINACL but apparently 3 days in class have melted what
little brain I have.
Download and instructions are here and this worked very well. We used it
as a workgroup-to-AD home-made migration tool and it worked well with
minimal scripting and a few simple text files.
Yeah, it's
entirely probable that a DNS cache flush is done as well, and likely an
ARP cache dump. And as to the cache in the registry, I'm looking but I
don't believe it's in the registry but in memory, same for ARP.
I'll let you know if I come up with something.
Guido (and all, really)-
You bring up a good point. There seems to be some misconception and
misinformation (BTW, no one here is doing the misinformation - just to be
clear) around R2.
When R2 is installed (or whatever this is going to be called when released -
it may be just Windows Server
Just making sure that *I* understood. I sometimes have a problem with plain
English... Ask joe and Dean. ;op
Rick
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Wednesday, August 03, 2005 11:15 AM
To:
Take a look at the ADPlus toolkit - it's used by PSS to assist in tracking
down weird Hang and Crash issues. It's very effective, and became a part of
my toolkit about a year ago.
http://support.microsoft.com/default.aspx?scid=kb;en-us;286350
Rick
Counting down the sections until MS Marketing and Legal descend upon Rick
for comparing the R2 Upgrade to a, and I quote, Fart Can Mr. Kingslan
whap whap whap this is whap whap snap not creak bang the way whap we
describe our bang bang smack products to smash crash boom potential
customers.
I
Don't sweat it. Just keep it in mind. You never know what is enough for
people to guess where you are talking about.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Saturday, July 30, 2005 5:13 PM
To: ActiveDir@mail.activedir.org
Yep, best to script this.
Last place I was an ops guy for, we wrote an entire create-OU
script. You told it what domain and the building number and it did the rest,
built all of the OU structures needed, created all of the groups, put into
place all of the delegations, linked the proper
Yeah, we brought this up at the last summit as well. Either
allow specifying the SQL backend you wanted to use (hello ODBC) or incorporate the
DB technology as a completely black box you don't ever have to worry about.
Multiple forests shouldn't be an issue as long as you have
proper trust
I just typed
ldifde
at the command line and it didn't sync my environment,
what's wrong with it Guido?
:o)
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, August 02, 2005 2:22 PM
To:
One of these days I should think about making a joeware
tool to do this. It would really shorten the answers to this question in the
newsgroups and lists.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Tuesday, August 02, 2005 3:58 PM
To:
I'm attaching a script I used for a
scripted delegation demonstration. There is a lot of code (applying a lot of templates)
but the guts can be seen in one section and the RunDSACLS routine
at the end. I'm sorry I don't have time to document this fully for
you, but I'm heading out of town.
The locked accounts filter is locked in time though, you need to recalculate
the filetime each time you run the query or else you can get false
positives.
The disabled users query will obviously work.
Just one small change. I would replace (objectcategory=user) with
Yeah I am curious as well.
I would consider the tools given with AD to manage it something that belongs
with a list of AD gripes.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Wednesday, August 03, 2005 10:33 AM
To:
I am not sure it is people wanting NDS/Netware features as much as it is
people wanting certain features that would make their lives easier, and it
just so happens Novell had come to some of the same conclusions previously
on what to add or were bugged for them. A lot of the things being asked
Title: RE: [ActiveDir] Biggest AD Gripes
Unfortunately, I think for a lot of this business-rules
kind of thing, such as dynamic or rules-based groups etc., the answer is
already determined by MS to be MIIS. I don't often think of MIIS as the answer
to managing your AD, but I know that
Ha! Nice response...
On another note - GPMC has built-in APIs for this and there is a script
included with it that will export your OUs, groups and users, as well as GPOs
of course, to an XML file and then you can use that to reimport.
I can't recall the name of it right now.. something like
Createxmlfromenvironment.wsf
Didn't know that existed, thanks!
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
I think you forgot /unsafe.
Thanks,
Brian Desmond
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 03, 2005 7:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]