RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

2006-06-06 Thread Almeida Pinto, Jorge de
About a year and a half ago I have tested this as I was doing a migration from NDS to AD. Worked like a charm! (I even did tests for legacy clients like W9x as those were my biggest concern, did not find anything) The NDS groups were 64 chars and accepted all kinds of funny chars. I had to cut

RE: [ActiveDir] max password age where else to look?

2006-06-06 Thread neil.ruston
I'll second guess joe - 91 stops ppl from using cyclic passwords, which use dates or quarters to generate a password. e.g. passwordq12006, passwordq22006 etc. Hopefully joe will give an authoritative response :) neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

[ActiveDir] Virtual DCs

2006-06-06 Thread Rivera, Ada
We have a single domain forest with about 7,000 users. Currently we have 8 AD regional sites and one HQ AD site. The regional sites each have a DC serving their local regional area and there are multiple DCs in our HQ site. The environment is currently running Windows 2000 SP4

[ActiveDir] Forcefully apply Group Policy

2006-06-06 Thread Murtaza Merchant
Hello, We have a GP that defines which screensaver is to be used and when should this kick in. This is set to 10 minutes. Ideally this works for everyone. There are some users who require setting this time to 60 minutes (when they are presenting offline

Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

2006-06-06 Thread Al Mulnick
Jorge, if you happen to find that in the archives, please post the link. A quick search of the net brings back some items that seem to indicate that greater than 20 could result in a problem with some directory sync tools. samaccountname is listed as being expected to be 20 chars. It doesn't

Re: [ActiveDir] Speaking of SamAccountName...

2006-06-06 Thread Al Mulnick
CN is typical. Inside a domain, samaccountname is unique. CN is only unique within the RDN. For those reasons, I often recommend that your CN and samaccountname be matched (which is not the default if you use the ADUC to create users). It's also helpful if you're an Exchange shop to have your

Re: [ActiveDir] Forcefully apply Group Policy

2006-06-06 Thread jpsalemi
Hi Murtaza... You can try computer configuration/administrative templates/windows components/system/group policy/registry policy processing. Checking the process even if group policy has not changed may help. Could cause some performance issues though, unless you have those machines separated.

RE: [ActiveDir] Virtual DCs

2006-06-06 Thread Robert Rutherford
I'm a great advocate of VMWare and use it for many services. If the hardware supports the load happy days! Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset

RE: [ActiveDir] Virtual DCs

2006-06-06 Thread Molkentin, Steve
Ada, I am intrigued as to why "management" are directing you to do this. What benefits do they perceive? Do they understand the nature of the 2K3 directory and the load 7,000 users puts on it? This is not a criticism - just a curious thinking out loud moment...

RE: [ActiveDir] max password age where else to look?

2006-06-06 Thread Gil Kirkpatrick
Think divisible by 7 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, June 06, 2006 12:36 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] max password age where else to look? I'll second guess joe - 91 stops ppl

RE: [ActiveDir] Virtual DCs

2006-06-06 Thread Rivera, Ada
I would agree with your comments whole heartedly. I don't think this is a good idea. Add to the fact that we are running Exchange 2003 and all of our DCs are also GCs. As to why management is directing us to do this, one can only surmise. My guess is they are thinking of

RE: [ActiveDir] Virtual DCs

2006-06-06 Thread Kevin . Bowen
We have two DC's in our headquarters that are beefy boxes dedicated to being just DC's. They also hold our FSMO roles. However, in our larger remote sites, we are running DCs with VMWare. It has worked great. It reduced the number of boxes we support and what's great about a VM DC is you can shut

[ActiveDir] GPO Screen Saver

2006-06-06 Thread Christine Allen
We have a GPO to lock users desktops after 10 mins. However, now it seems to be locking their terminal server sessions. The GPO is at the domain level so our ts servers have the gpo applied to them as well. Could this gpo be locking their ts session as well? This gpo

RE: [ActiveDir] Virtual DCs

2006-06-06 Thread Lucas, Bryan
Just because it's a VM, doesn't mean you can stop managing it. You still have to patch it, monitor it, upgrade it, etc. Only thing it buys you from a management perspective is less hardware to manage. How often are you managing your physical hardware? If the answer is a

RE: [ActiveDir] GPO Screen Saver

2006-06-06 Thread Darren Mar-Elia
Hey Christine- You might want to check and see if something has changed on the filtering of that GPO. If it's linked to the domain then I would guess it would be applying to all users in the domain, even if they are logged onto a TS (unless you are using loopback in

RE: [ActiveDir] max password age where else to look?

2006-06-06 Thread neil.ruston
Yeah, I realised that shortly afterwards. The value of this approach escapes me, however :) I don't care which day of the week I change my password on and nor should the users IMHO. neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: 06 June 2006

RE: [ActiveDir] Virtual DCs

2006-06-06 Thread neil.ruston
Hardware costs will fall but will the overall costs over say 3 years really be lower? Factor in the cost of VMware; additional engineering effort required; additional admin overhead; additional support overhead to manage virtual machines. How will these machines be

RE: [ActiveDir] GPO Screen Saver

2006-06-06 Thread Christine Allen
It is linked to the Domain and has been in place for about 2 years. It does filter down to our servers, which I liked. What's weird is this just started happening and I'm not sure what changed. Can you explain a bit more about "(unless you are using loopback in

RE: [ActiveDir] GPO Screen Saver

2006-06-06 Thread Darren Mar-Elia
Sure. Most TS' are configured to use loopback policy. This is per-computer policy you set in Admin. Templates that would apply to an OU containing TS servers. What setting a machine for loopback says is, "when a user logs into this TS, ignore their "normal" user

[ActiveDir] LAG and LDAP queries

2006-06-06 Thread Jason_Centenni
I have a group of applications (ie. Sibel etc) running from Unix boxes using AD for LDAP. I'm wanting to put in a Lag Infrastructure. The queries from these APPs basically look at mydomain.mycomapny.com 389. That's about as smart as they get. So, I know this isn't a AD problem but if I want

Re: [ActiveDir] Exchange queue(OT)

2006-06-06 Thread Tom Kern
nope. I disabled Antigen AV and rebooted the box. Mail is stuck in the local queue and messages awaiting directory lookup queue. In perfmon, the VM largest Block Size starts high(~80mb) but falls down to below 16mb in about an hour. VM Total 16mb Free Blocks is at zero as is VM Total Large Free

RE: [ActiveDir] OT: Move Enterprise CA

2006-06-06 Thread Bernier, Brandon \(.\)
If you use Autoenrollment, you also need to repoint the PKI settings in the GPO that tells the clients to autoenroll to the new CA. -Brandon From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Monday, June 05, 2006 11:09 PM To:

RE: [ActiveDir] LAG and LDAP queries

2006-06-06 Thread Cace, Andrew
Jason, You shouldn't have any problems with your ldap query if you use the LDAPSERVERS.mydomain.mycompany.com DNS record that you proposed below. Using that record is the same thing as using mydomain.mycompany.com. Both are records which point to another server. Always glad to lend a hand to

Re: [ActiveDir] max password age where else to look?

2006-06-06 Thread AdamT
On 06/06/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Yeah, I realised that shortly afterwards. The value of this approach escapes me, however :) I don't care which day of the week I change my password on and nor should the users IMHO. neil The Friday before a long public holiday weekend

Re: [ActiveDir] Exchange queue(OT)

2006-06-06 Thread Al Mulnick
One GC? Can you verify the performance on that GC? Waiting on a response from disk, GC, or other could absolutely cause the problems you are seeing. Al On 6/6/06, Tom Kern [EMAIL PROTECTED] wrote: nope. I disabled Antigen AV and rebooted the box. Mail is stuck in the local queue and

Re: [ActiveDir] Exchange queue(OT)

2006-06-06 Thread Tom Kern
Can you tell me what counters I should be looking at to determine GC perf? Thanks On 6/6/06, Al Mulnick [EMAIL PROTECTED] wrote: One GC? Can you verify the performance on that GC? Waiting on a response from disk, GC, or other could absolutely cause the problems you are seeing. Al On

[ActiveDir] Address List based on OU

2006-06-06 Thread Harding, Devon
I have several sites that are sitting on one mailbox store but are located in different OUs. What LDAP query can I use to create an Exchange 2003 address list, based on users that are in a particular OU? -Devon

Re: [ActiveDir] Exchange queue(OT)

2006-06-06 Thread Tom Kern
Sorry, On the exchange server- Smtp Server - Categorizer Queue length is always at zero MsExchange DSAccess Process- LDAP read time is at zero LDAP search time is at zero as well. On the GC- System- processor queue length is at zero PhysicalDisk(NTDS db/logs)- Avg disk/sec read is at zero

[ActiveDir] Logged in user

2006-06-06 Thread Harding, Devon
Is there a Command line util., to remotely tell what user is logged into a PC? -Devon --- This message (including any attachments) is intended only for the use of the

Re: [ActiveDir] Exchange queue(OT)

2006-06-06 Thread Al Mulnick
I don't commit them to memory, but usually look here instead: http://www.microsoft.com/technet/prodtechnol/exchange/guides/TrblshtE2k3Perf/8d4b5381-bdab-44bc-9df4-35e9d6192b86.mspx?mfr=true Al On 6/6/06, Tom Kern [EMAIL PROTECTED] wrote: Can you tell me what counters I should be looking at to

Re: [ActiveDir] Logged in user

2006-06-06 Thread Matheesha Weerasinghe
psloggedon from sysinternals.com On 6/6/06, Harding, Devon [EMAIL PROTECTED] wrote: Is there a Command line util., to remotely tell what user is logged into a PC? -Devon --- This message (including any attachments)

Re: [ActiveDir] Logged in user

2006-06-06 Thread jpsalemi
nbtstat - A ipaddress John Harding, Devon [EMAIL PROTECTED] NWINE.com

Re: [ActiveDir] Logged in user

2006-06-06 Thread Tom Kern
psloggedon from Sysinternals On 6/6/06, Harding, Devon [EMAIL PROTECTED] wrote: Is there a Command line util., to remotely tell what user is logged into a PC? -Devon--- This message (including any attachments) is

RE: [ActiveDir] Logged in user

2006-06-06 Thread Rimmerman, Russ
At the dos prompt type SET USERNAME From: [EMAIL PROTECTED] on behalf of Harding, Devon Sent: Tue 6/6/2006 12:54 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Logged in user Is there a Command line util., to remotely tell what user is logged into

RE: [ActiveDir] Logged in user

2006-06-06 Thread Rimmerman, Russ
Sorry, you said remotely. I usually pull it from WMI. In Win32_ComputerSystem there's a property called UserName that stores it along with the domain they're logged into in the domain\username format. From: [EMAIL PROTECTED] on behalf of Harding, Devon

RE: [ActiveDir] Logged in user

2006-06-06 Thread deji
RComp = remote-computer-name Set objWMIService = GetObject(winmgmts:{impersonationLevel=impersonate}!\\ RComp \root\cimv2) Set Attribs = objWMIService.ExecQuery(Select * from Win32_ComputerSystem) For Each myProps in Attribs Wscript.Echo myProps.UserName is the user currently logged

RE: [ActiveDir] Address List based on OU

2006-06-06 Thread Cace, Andrew
Devon, I don't think it is possible to do an ldap query based on the parent OU. In our environment, we have a script that runs nightly, which stamps some of the extensionAttribute values with something representative of their location. We then base our queries off of that value. -Andrew

RE: [ActiveDir] Logged in user

2006-06-06 Thread Harding, Devon
Any command line tools? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, June 06, 2006 2:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Logged in user RComp = remote-computer-name Set

Re: [ActiveDir] Exchange queue(OT)

2006-06-06 Thread Al Mulnick
In that case, can you go ahead and show us the export of those pab entries that were found to cause the issue? Al On 6/6/06, Tom Kern [EMAIL PROTECTED] wrote: Sorry, On the exchange server- Smtp Server - Categorizer Queue length is always at zero MsExchange DSAccess Process- LDAP read time is

RE: [ActiveDir] Logged in user

2006-06-06 Thread Marcus.Oh
If you're looking for terminal services sessions in particular, you can use query.exe (have to copy it from the sys32 dir of a server, I believe), then issue: query session /server:servername :m:dsm:cci:mvp|

Re: [ActiveDir] Address List based on OU

2006-06-06 Thread Al Mulnick
You can't directly do that. To do that, you'll want to tag each of the users in that OU with some attribute and then create your AL based on that attribute instead. Al On 6/6/06, Harding, Devon [EMAIL PROTECTED] wrote: I have several sites that are sitting on one mailbox store but are

[ActiveDir] sample vbs script

2006-06-06 Thread Antonio Aranda
Could some one send me a sample vbs script that creates AD user accounts? Thanks Antonio

[ActiveDir] [OT] Uninstalling Exchange - how does this modify AD, what alters in AD

2006-06-06 Thread Victor W.
Lately I have been thinking about the following: What happens actually in Active Directory and what changes in it, while or after having uninstalled Exchange. I am asking this because usually when I uninstall an Exchange server, I do this according to the KB articles from Microsoft

Re: [ActiveDir] Exchange queue(OT)

2006-06-06 Thread Tom Kern
Well, I don't think that was the issue because those entries were deleted awhile ago and it was only one user with that PAB. Since then, we've had issues with users having their mail stuck in the CAT queue. This morning that was the case. I disabled Antigen(which next to the Info store, was

RE: [ActiveDir] Address List based on OU

2006-06-06 Thread Harding, Devon
Damn, I was trying to avoid using extensionAttribute. Oh well. admodify.NET? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Tuesday, June 06, 2006 3:05 PM To:

RE: [ActiveDir] sample vbs script

2006-06-06 Thread Burns, Clyde R.
Take a look at the source code for chapter 6.1 in this excellent (fish) book. http://rallenhome.com/books/adcookbook/code.html Clyde Burns From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda Sent: Tuesday, June 06, 2006 3:29 PM To:

RE: [ActiveDir] sample vbs script

2006-06-06 Thread Passo, Larry
There are several in the TechNet Script Center http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/manage/default.mspx From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda Sent: Tuesday, June 06, 2006 12:29 PM To:

RE: [ActiveDir] sample vbs script

2006-06-06 Thread McCann, Danny
Hi Antonio Here's a link to one of the microsoft script centre repositories. You may want to look at some of the other sections to see how to set passwords, etc. There are lots of other sites out there which will supply more sophisticated scripts, but this is a good start for picking up the

RE: [ActiveDir] sample vbs script

2006-06-06 Thread deji
IANAP, but .. http://www.akomolafe.com/LinkClick.aspx?link=Create-Users-and-Sec-Group.vbst abid=63mid=431 Sincerely,

RE: [ActiveDir] sample vbs script

2006-06-06 Thread Alain Lissoir
Look at http://www.lissware.net, White Papers section. February 2000 (Compaq Active Answers):Part 1 - Understanding the Microsoft WSH and the ADSI in Windows 2000 (Script Kit) Part 2 - The powerful combination of WSH and ADSI under Windows 2000 (Script Kit) From: [EMAIL PROTECTED]

RE: [ActiveDir] Logged in user

2006-06-06 Thread Free, Bob
psloggedon \\Computername http://www.sysinternals.com/Utilities/PsLoggedOn.html From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Tuesday, June 06, 2006 10:55 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Logged in

RE: [ActiveDir] sample vbs script

2006-06-06 Thread Dave Wade
Even though Compaq let me go these are still my favourites... -Original Message- From: [EMAIL PROTECTED] on behalf of Alain Lissoir Sent: Tue 06/06/2006 21:41 To: ActiveDir@mail.activedir.org Cc: Subject: RE: [ActiveDir] sample vbs

Re: [ActiveDir] Address List based on OU

2006-06-06 Thread Al Mulnick
I prefer a script that can be waked up to read that OU periodically and assure me to some degree that the objects contained are tagged as I expect them to be. ADMODIFY would likely do it as well. I'm sure *somebody-who's-name-starts-with-j* would have a tool preference that would also do such a

Re: [ActiveDir] Exchange queue(OT)

2006-06-06 Thread Al Mulnick
Well, there are other similarities on those machines Have you seen this already? http://support.microsoft.com/?kbid=329137 It might be worth it to check it out. Al On 6/6/06, Tom Kern [EMAIL PROTECTED] wrote: Well, I don't think that was the issue because those entries were deleted awhile

Re: [ActiveDir] [OT] Uninstalling Exchange - how does this modify AD, what alters in AD

2006-06-06 Thread Al Mulnick
In theory, you *could* just remove it from ESM if you believe this article. http://support.microsoft.com/?kbid=260378 On 6/6/06, Victor W. [EMAIL PROTECTED] wrote: Lately I have been thinking about the following: What happens actually in Active Directory and what changes in it, while or

Re: [ActiveDir] Speaking of SamAccountName...

2006-06-06 Thread Joe Kaplan
Speaking of SamAccountName...If they are using LDAP bind for authentication, then it depends on what type of bind they are doing. For LDAP simple bind (hopefully combined with SSL or it is not secure!), AD supports: distinguishedName userPrincipalName NT account name (domain\user with user

[ActiveDir] sample vbs script

2006-06-06 Thread Antonio Aranda
Thanks for the help so far But does any one know how to add the attribute Home Folder? Not the Local Path but the Connect: with letter drive using vbs script? Thanks Again Antonio Aranda attachment: winmail.dat

RE: [ActiveDir] sample vbs script

2006-06-06 Thread Alain Lissoir
Look at http://www.lissware.net, White Papers section, page 73, Sample 22, line 460 and 462. 459: 460:objUser.Put homeDirectory, \\ strAccountComputer _ 461:\ strUserID $ 462:objUser.Put

RE: [ActiveDir] sample vbs script

2006-06-06 Thread Alain Lissoir
Thank you ... _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade Sent: Tuesday, June 06, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] sample vbs script Even though Compaq let me go these are still my favourites... -Original

Re: [ActiveDir] Speaking of SamAccountName...

2006-06-06 Thread Al Mulnick
Just to throw in $0.02 (USD): DN would be a bad idea with Active Directory outside of the information it gives away. Active Directory is designed to allow for the movement and changing of accounts. Using the DN would break that as far as the user is concerned. Since you can have multiple UPN's

Re: [ActiveDir] Speaking of SamAccountName...

2006-06-06 Thread Joe Kaplan
I'm with you on discouraging using DN as a binding user name for AD. However, this is very common practice in other directories and DN is the only attribute that the LDAP spec defines as needing to be supported for simple bind. A lot of apps that support multiple directories will insist you do

Re: [ActiveDir] Virtual DCs

2006-06-06 Thread Timo Ed
IMO vmware is great for dev/stage/cit/test/dr and good for some prod applications but I wouldn't be running my AD purely on VM's. AD is critically dependant upon time and some VM configurations interfere with the system clock, thereby upsetting the kbt timestamps. Referring specifically to

RE: [ActiveDir] Profile migration to new domain

2006-06-06 Thread Brian Desmond
Are you talking about Livestate or Ghost? Livestate is the old PQ V2i. Do you have a Symantec account person or are you buying shrink wrap? If the former I'd give them a buzz, they can hook you up with a tech spec, otherwise why not call support?? Thanks, Brian -Original Message- From:

RE: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

2006-06-06 Thread Brian Desmond
1753 is failed trust iirc. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Friday, June 02, 2006 1:38 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] PCs hang at Applying

RE: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

2006-06-06 Thread Brian Desmond
And fwiw you have some forgiving firewall people. I would have told you to f off and lock it down. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS) Sent: Friday, June 02, 2006 4:30

RE: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

2006-06-06 Thread Brian Desmond
Right. So you need to lock down DCOM ports on your workstations, servers, and then add that to your checkpoints. I use 5000-5020 (which is in a KB), although we had some issues on really really busy boxes and upped it enterprise wide to 5000-5100. Get a GPO together for the reg hack and

RE: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

2006-06-06 Thread Brian Desmond
Probably some ports were open on the firewalls so crapshoot if you hit them – network trace or tcpdump on the nokia's would have revealed this straight away… Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf

RE: [ActiveDir] sample vbs script

2006-06-06 Thread Brian Desmond
www.microsoft.com/technet/scriptcenter - go under ad Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda Sent: Tuesday, June 06, 2006 2:29 PM To: ActiveDir@mail.activedir.org Subject:

RE: [ActiveDir] Logged in user

2006-06-06 Thread Brian Desmond
Psloggedon from pstools www.sysinternals.com Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Tuesday, June 06, 2006 12:55 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir]

RE: [ActiveDir] Virtual DCs

2006-06-06 Thread Brian Desmond
I have no problem with VMWare or Virtual Server DCs if done correctly. Frankly, 7K users is like pocket change if you ask me. Really, the users generate no load they logon to the PC and change their password. Things like Exchange (and OLK), machines, and other AD aware