The AD schema analyzer is quite useful for comparing schemas to
find missing attributes and classes (and to export them to LDIF so as to allow
an import to the target schema). Note however, that it doesn’t find
differences at the level of properties you have set for your schema
Agree, isolating by site is often confused with requiring a
separate subnet and thus extra efforts on the networking infrastructure. That's
actually not the case. You can create your AD site and just assign it a
32bit masked IP address as the subnet if the other sites are properly
Are we actually talking blocking
GPO inheritance, or ACL inheritance?
If GPO I tend to agree with
Darren (as with anything on GPO :-)), as I don't think
that any change in either the Default Domain or the Default Domain Controller policy
should be implemented without testing (so if
You say "Obvious" but is this obvious? What
happens in the case of password policy. This can only be set at the top level of
the domain. Does this block actually prevent it being applied? I would guess
that it does, but I wonder if anyone has tested it or has any docs on what actually
Morning,
I am using csvde to create a CSV file for importing into another system and this runs (CRONS - say no more) on regular basis.
The syntax is csvde -f accusers.csv -d "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -l
Dear all,
Because our company is being merged by another company, in the process of
integration we need to change the internal IP address and computer name.
Our domain controller of Windows Server 2003.
We have to change its computer name and internal IP but no need to change
The domain
Title: Sharepoint in the DMZ
Thank you
Is he in NY?
Thanks
Russ
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Wednesday, September 13, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: FW: [ActiveDir] Sharepoint in the DMZ
Hi Russ,
I have a
Title: Sharepoint in the DMZ
No problem at all, he is actually living in
MD.
Let me know if you would like his contact
info.
Rezuma
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Group, Russ
Sent: Thursday, September 14, 2006 9:18 AM
To:
In SBSland they made a change IP address wizard for our DCs because
invariably we forget something...
DHCP
WINS
kitchen sink stuff, etc
http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/43dd693a-0cc4-47fd-94c7-cfe200439f41.mspx?mfr=true
You can see what the wizard does.. which is
If you're running a Certificate Authority on that DC, you can't change
the computer name without first uninstalling Certificate Services. I'm
not sure what the impact would be on the chain of trust if you reinstall
CertSvcs after the name change.
-Original Message-
From: [EMAIL
If you want to change the computer name you need to demote the server, wait for
replication then change the server name at this stage I would re ip the server,
then dcpromo the server again.
This is of course assuming you have multiple DC's if not and it's only for 3
months keep then why not
I am about to embark on a similar task.
I have a root DC running DNS that is
slowly dying. I have a fresh server to take its place. The fresh server
will use a new hostname. Two scenarios I envision:
(1) Promote and install DNS on the fresh
server, using a temporary IP Address. Make the
Just curious what other people are using for protecting
against adware/spyware? We are using Webroot Spysweeper right now, but I see
some performance hits on computers running this software and it does work, but
it causes headaches while installing some apps that we approve. Any suggestions
have a look at:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/25/165.aspx
which might help you on your way
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC
Hey,
Don't know why csvde would change the order but try adfind from
www.joeware.net. So far for me, it's always kept the fields in the order
that I list them in the query.
Below gets just the user accounts in the OU. If you want everything in
the OU remove the -f ((objectcategory=person))
Title: Re: [ActiveDir] Any impacts to domain controller when changing its IP?
If you want to change the computer name you need
to DEMOTE the server
isn't that for w2k only? (he's got
w2k3)
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure
I think we discovered the problem... things were just locked down a *tad* too much.
On 9/13/06, Akomolafe, Deji
[EMAIL PROTECTED] wrote:
Look at your default recipient policy. What's set there? Just curious.
Sincerely,
We're using CounterSpy Enterprise from Sunbelt Software. Like you, we have seen
a *performance hit* on computers with just 128 meg of memory but that goes away
when we add more memory. The only issue I ran into, other than
performance, was it blocked a cookie that was necessary for our
Had Trend OfficeScan with Damage Cleanup Service on somewhere
between 60K and 90K devices. Worked great, they had graphs showing how well it
worked based on some custom data collection they did.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
From:
[EMAIL
Chris,
I gather we tweaked ours so it only used a certain % of system
resources (20% I think) and while it does have some impact on performance it
does seem "livable with" now they have done that..
Dave.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris
I'm not disregarding what has happened in this thread since
Matt asked if he could wildcard the IWAM account name. In fact,
I can't even answer that question authoritatively, but my gut feeling says that
it won't work. Matt can, however, delegate the logon locally right to a
group, then add
Title: Sharepoint in the DMZ
Can you send me his resume offline?
Thanks
Russ
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, September 14, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sharepoint in the DMZ
No problem
Title: Elevating privileges from DA to EA
It has been suggested by certain parties here that elevating one's rights from AD to EA is 'simple'.
I have suggested that whilst it's possible it is not simple at all.
Does anyone have any descriptions of methods / backdoors / workarounds etc
And if you need the DN in the csv to import, remove the -nodn.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Thursday, September 14, 2006 9:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CSVDE Export
Hey,
Don't know
Just so you know that query will get you more than user accounts. To get
just users do (&(objectCategory=person)(objectClass=user))
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of
Glad I could help ;)
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
Nobody runs as a local administrator. We have zero issues with spyware.
Coincidence?
From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against
Nonadmin
I personally have had way less issues when users that don't need admin
rights don't have them.
Chinnery, Paul wrote:
We're using CounterSpy Enterprise from Sunbelt Software. Like you, we
have seen a *performance hit* on computers with just 128 meg of memory
but that goes away when we
Ulf did a really nice write up a while back that's worth reading: http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/26/39841.aspx
here's the KB I was referring to: http://support.microsoft.com/?id=816592
On 9/14/06,
Ravi Dogra [EMAIL PROTECTED] wrote:
Al this is not a priority for us now.
Return Receipt
Your RE: [ActiveDir] OT: Protecting against Spyware/Adware
document:
I have not done a lot of research on this,
but if you have users in either the power users or regular users group, won't
that cut down tremendously on the potential of getting adware/spyware?
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chinnery, Paul
Sent:
We use TrendMicro as well. Probably
not quite as good as Webroot as Trend is a bit more conservative than is
Webroot. Then again, Webroot is very aggressive as spyware is all they do.
Eventually, I think you'll see them acquired by one of the top three A/V
folks (Symantec, McAfee or
I guess if you have "Widows", then someone must have "expired" :)[1]
What is the exact error message?
[1] Please don't take offense. I'm just in a laughing mood :)
Sincerely,
Microsoft MVP
Mike,
Thanks I will give it a go later, I always seem to forget about ADfind.
ADfind is a bit like a potato - you can do so many different things with it.
Regards
Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
-Original Message-
From: Mike Newell
Really - must have missed that.
Whoops.
Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
-Original Message-
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
Date: Thu, 14 Sep 2006 16:50:13
To:ActiveDir@mail.activedir.org, ActiveDir.org
Esteemed colleagues,
We can't get the RAID configuration utility to give us the amount of
disk space we think we ought to have on our main file server. We used to
have 4 72Gb drives in a RAID-5. We put two more 72Gb drives into the
server, and followed the directions to expand the array using
Can you reword? I'm not sure I clearly understand the question. FWIW, going from DA to EA is a matter of adding one's id to the EA group. DA's have that right in the root domain of the forest (DA's of the root domain have that right). Editing etc. is not necessary. Nor are key-loggers etc.
If
Title: Re: [ActiveDir] Any impacts to domain controller when changing its IP?
Yep, that was Win2k – once you’ve reached Win2k3 domain
functional level, you can start adding another name to your DC, make it
primary, reboot, ensure everything replicates well and registers in DNS,
Title: Elevating privileges from DA to EA
Oh it's easier than you think go look at the ACLs on some
objects and think about what the various system accounts run as over the
network on the DCs.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
From: [EMAIL
Are all of your users in power user group
or user group of their workstation?
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Crawford, Scott
Sent: Thursday, September 14, 2006
11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:
Protecting
Nope.
Crawford, Scott wrote:
Nobody runs as a local administrator. We have zero issues with spyware.
Coincidence?
From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:
Controlled user access, i.e. no admin rights, and use a good class
firewall with spyware/av protection on the gateway... no issues.
Rob
Robert Rutherford
QuoStar Solutions Limited
T:+44 (0) 8456 440 331
F:+44 (0) 8456 440 332
M:+44 (0) 7974 249 494
E:[EMAIL PROTECTED]
No worries, I don't take offense easily...=)
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6527
Date: 9/14/2006
Time: 10:08:04 AM
User: N/A
Computer: PHMAINDC1
Description:
Zone jacwf.phippsny.org expired before it could obtain a successful zone transfer or update from a master
Yep, nice catch. I guess I got lazy as the OU I ran that against in the
lab only has user and computer accounts in it ;-)
Thanks again.
Mike
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, September 14, 2006 11:17 AM
To:
Title: Elevating privileges from DA to EA
Simple is a relative term but yes, there are mechanisms
that could be and are termed simple.
No I don't think people shouldn't be sharing details even
offline. If someone cannot come up with a method on their own it
doesn't mean someone else who is
I run as local admin and have zero issues with spyware? Coincidence?
;o)
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Thursday, September 14, 2006 11:33 AM
All regular users. Don't get me
wrong it was tough to get to this point, but it's sooo worth it.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
Sent: Thursday, September 14, 2006
3:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
I didn't think so :)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware
And if AdFind doesn't keep them in order, let me know as that would be a
featur... Err I mean bug. For -csv and -oao options I maintain the order
specified on purpose.
I can't speak to CSVDE and how it works, I actually have never looked at the
source for that program. I expect you may be
A potato Interesting analogy... Once I get past the image of a brown lump
buried in the dirt in the backyard (or your ears if you are a kid and don't
listen to your mom) it starts to grow on me...
I may actually have to post that quote on my blog...
--
O'Reilly Active Directory Third
Here's what I'd do:
Ensure that there is no NATting going on between the 2 DNS servers. Verify this by doing something like "telnet PrimaryDNSServer 53" from the secondary server and then going to the Primary server and doing "netstat |find ":53" and making sure that you could see the real IP
Yes. You run Mac. LOL
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
I did it a couple years ago, and found out that it does
block the password policy. It seems intuitive that it shouldn't, but
it does.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, September 14, 2006 3:54 AM
To: ActiveDir@mail.activedir.org
Subject:
Use
adfind -sc sdump
or
adfind -sc sdump:csv
to dump a schema suitable for comparison with say
Windiff
I am
pretty sure it captures all of the critical info and it definitely maintains the
order of the attributes so you don't have to worry about the text analyzer
resyncing when lines
Yep, the new version of AdMod, in beta testing now, will
leverage the info that you get from an adfind query to do what I call partial
data attribute updates. That is when there is something in the current value you
need to generate the new value. DSMOD has to make a call to the DC for every
No, not yet. I am looking at the MAC Notebooks though.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 14, 2006 6:46 PM
To:
Yep and if you get the timeouts, adfind should tell you
that pretty clearly. You can then use the -t switch to modify the timeout value.
I often use -t 0 to disable the timeouts on really large (like get every user
object in the 200k user forest) queries.
If you are still getting other
This is OT for this forum and you didn't prefix with OT
which could be why I don't see any responses...
In the meanwhile, I would say no, if you just modify an
existing file in a folder, it shouldn't update the folder modification date
because there has been no change to the folder.
To me it seems intuitive that GP processing would behave the same way for DCs
as it would for other computers. And to answer the question, yes I have
confirmed this in testing numerous times over the years-most recently the day
Ben asked the question.
Darren
-Original Message-
From:
Touche
8-)
Mike Thommes
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 14, 2006
5:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:
Protecting against Spyware/Adware
I run as local admin and have zero issues
The secret is you cannot ENABLE an account with no password
if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if
you have an account that is created which by default (i.e. no UAC
specified) will be 546. If you specify 544 it will still create and it will
allow a
A member of the Power Users group may be able to gain administrator
rights and permissions in Windows Server 2003, Windows 2000, or Windows XP:
http://support.microsoft.com/default.aspx?scid=kb;en-us;825069
Why power user isn't good enough
Thommes, Michael M. wrote:
Touche’ 8-)
Mike
I doubt that IADsTools was updated. They seemed to be trying to kill that as
far back as 2001. I think it was someone's pet project and they went to
another petting zoo to work... I know I found some time issues in it back
then and some more later that I tried to get corrected and was wholly
That's great info; thanks joe. I'll take a look at
msDS-ReplValueMetaData and msDS-ReplAttributeMetaData. I'm trying to do
this in a vbscript and avoid getting into any compiled solutions. I
told my boss I could do this in an hour because I thought I could just
use IADsTools, oopsie.
Yep, if vbscript you want the XML versions...
You should be able to do this in an hour You just need to pick the right
hour. ;o)
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
A hotfix is available to change the daylight saving time for the
(GMT+02:00) Cairo time zone for the year 2006 on Windows XP-based and on
Windows Server 2003-based computers:
http://support.microsoft.com/?kbid=921028
--
Letting your vendors set your risk analysis these days?
Hi there,
I have already read and use the Active Directory Cookbook for Windows 2003
and Windows 2000 and see there are 2nd and 3rd editions. Is there anywhere
on the net which lists the contents of each so I can have a look before
purchase?
Thanks in advance,
Matt Duguid
Systems Engineer for
*points at joe's signature...*
And in case that was too vague, try here.
http://www.joeware.net/win/ad3e.htm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 9:13 PM
To: ActiveDir@mail.activedir.org
hahaha no worries cheers for that i'll just swim around the fish bowl one
more time...;-)
Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street,
Actually I did the Active Directory Third Edition. The Active Directory
Cookbook is in the Second Edition now and that was done by Laura Hunter. My
book you can find in my signature, the Cookbook you can find at
http://www.amazon.com/gp/product/059610202X/ref=pd_cp_b_title/002-4991631-48
I have just purchased the 2nd one and will be on to the 3rd one as soon as
I have finished that...
Cheers,
Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott
I think you are missing 5.
5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account.
It's a feasible scenario, no?
Sincerely,
Oh yeah. I get the two confused.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 14, 2006 10:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Cookbooks...
Actually I did the Active Directory
Anyone else getting timeouts trying to get to the list archive
URL?
http://www.activedir.org/ml/threads.aspx
yes
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: David