[ActiveDir] Locating empty GPOs in a domain / forest

2006-11-15 Thread neil.ruston
Does anyone have a script or know of a process which can be used to locate empty GPOs? i.e. GPOs which have no settings enabled or set. The customer has hundreds of GPOs so viewing them one by one using GPMC is not a viable option :/ Many

RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-15 Thread Almeida Pinto, Jorge de
http://blogs.dirteam.com/blogs/jorge/archive/2006/11/15/Finding-unused-GPOs.aspx Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel :

RE: [ActiveDir] Restrict VPN Access By Computer Name

2006-11-15 Thread Dan DeStefano
Cool, I will test that out, thanks. I am not too familiar with using or configuring EAP would this solution require installing a CA on the network? Furthermore, would these certificates be assigned to the machine, not the user? No, I understand the difference between IAS and ISA. I

RE: [ActiveDir] OT: Sonicwall vs ISA (was M$)

2006-11-15 Thread Rich Milburn
Hehe MSSBS = MSKSE Microsoft Windows, Kitchen Sink Edition One day I'm actually going to load it up and see why SBS rocks, cause without doing that, I tend to think what your tagline really means is SBS [takes] rocks [to run all that stuff on one box and tell someone to connect to it] :op I

RE: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy!

2006-11-15 Thread Rich Milburn
Brett does bbisw.lib come in an SDK somewhere? ;-) Rich -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Monday, November 13, 2006 3:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: new ms-Sysinternals utils: .exe

RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-15 Thread neil.ruston
Thanks horhay :-^ I'd found the GPMC script but your extra logic is very useful :) neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: 15 November 2006 12:19 To:

Re: [ActiveDir] OT: M$

2006-11-15 Thread Laura E. Hunter
As we find that, once again, the answer to all of the world's problems is Blame Laura. (Only make sure that you're blaming the -correct- Laura, as we've just learned.) ;-) - The Other Laura, wondering how on Earth she got dragged into this. :-) On 11/15/06, Rich Milburn [EMAIL PROTECTED]

Re: [ActiveDir] OT: Sonicwall vs ISA (was M$)

2006-11-15 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
http://msinfluentials.com/blogs/jesper/archive/2006/09/28/New-Article_3A00_-SBS-At-Home.aspx Install it at home -- monitor and control your kid's Internet access :-) It is a compromise... but the advantages still outweigh the risks IMHO Rich Milburn wrote: Hehe MSSBS = MSKSE Microsoft

RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-15 Thread Darren Mar-Elia
Another option is to perform an LDAP search on the cn=policies, cn=system container for GPC objects, and on each GPC object, look for a versionNumber attribute == 0. It's probably slightly faster than first generating the HTML report and then

Re: [ActiveDir] Restrict VPN Access By Computer Name

2006-11-15 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
http://home.comcast.net/~clearviewtc/ This is about wireless setup ... but it might help with some of the basic concepts of setup *Configuring Secure Wireless Network Access with Microsoft® Windows® Small Business Server 2003* These documents provide prescriptive guidance to implement

RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-15 Thread neil.ruston
Thanks Darren - that assumes the GPO is empty and always was empty, of course :) neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: 15 November 2006 15:05 To: ActiveDir@mail.activedir.org Subject: RE:

RE: [ActiveDir] OT: Sonicwall vs ISA (was M$)

2006-11-15 Thread Rich Milburn
But... but... then I wouldn't have replication issues to play with! Oh, wait, that's a good thing, nevermind... :) Thanks for pulling out yet another good, relevant link Susan :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka

RE: [ActiveDir] Restrict VPN Access By Computer Name

2006-11-15 Thread Akomolafe, Deji
Yes, you will need a CA for EAP. Ideally, you'd do a machine cert, because machines are what you want to filter. Are you providing hosted services to your clients, or what? Yes, there are ISA appliances. There have been since 2004. Sincerely,

Re: [ActiveDir] OT: Sonicwall vs ISA (was M$)

2006-11-15 Thread Albert Duro
I understand in general terms the debate between only a firewall vs. only ISA. What intrigued me was why Sonicwall was singled out, and why this argument raged in particular in the SBS world, which is scale-wise in my neighborhood. - Original Message - From: Akomolafe,

RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-15 Thread Darren Mar-Elia
Well, it depends upon the purpose of your quest, but you're correct. For example, you may not want to delete a GPO that has no settings (but does have versionNumber 0) because that may be a desirable state for it. In other words, if a GPO had

Re: [ActiveDir] Restrict VPN Access By Computer Name

2006-11-15 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Expensive ISA appliances... let's qualify that Akomolafe, Deji wrote: Yes, you will need a CA for EAP. Ideally, you'd do a machine cert, because machines are what you want to filter. Are you providing hosted services to your clients, or what? Yes, there are ISA appliances. There have been

Re: [ActiveDir] OT: Sonicwall vs ISA (was M$)

2006-11-15 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sonicwall has been very SMB friendly is why been a vendor at SMBnation many times. For the uber business class firewalls... single nic Sonicwall is what many var/vaps have standardized on. Albert Duro wrote: I understand in general terms the debate between only a firewall vs. only ISA.

RE: [ActiveDir] Restrict VPN Access By Computer Name

2006-11-15 Thread Akomolafe, Deji
All "appliances" are expensive, IMO. Not just the monetary part, but also their up-keep. I resell a product that gets grossly marked up in appliance form, and is not as regularly updated as the non-applianced version. But people are willing to pay the additional (unnecessary) cost, just because

RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-15 Thread Almeida Pinto, Jorge de
if a GPO had settings and doesn't anymore, it may be needed by users and computers processing GP to undo settings that were previously applied IMHO, no settings means all settings in the GPO are set to Not Defined. Wouldn't it, for the case you mention, need to have reverse settings or

[ActiveDir] Strange DC behaviour and error

2006-11-15 Thread hboogz
Hey Guys, I receive this error on my DC and my newly created Citrix Server. Event Type:Error Event Source:Kerberos Event Category:None Event ID:4 Date:11/15/2006 Time:12:30:17 PM User:N/A Computer:PHMAINDC1 Description:The kerberos client received a KRB_AP_ERR_MODIFIED error from the server

RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-15 Thread Darren Mar-Elia
If I set an Admin template policy from Enabled to Not Configured, then that GPO with Not Configured needs to be processed at least once by the target in order to remove the setting. So, even though GPMC might report No Settings (and frankly I haven't looked at how it reports other areas besides

RE: [ActiveDir] Strange DC behaviour and error

2006-11-15 Thread Akomolafe, Deji
Compare the IP registered for phmaindc1 in DNS to the actual IP address of this machine. Do you see any discrepancy? Is this your only DC? If not, then I'd demote it, clean it completely out of AD (ADUC, AD Site and services, DNS), and then re-promote it. Sincerely,

RE: [ActiveDir] Strange DC behaviour and error

2006-11-15 Thread Bahta, Nathaniel V CTR USAF NASIC/SCNA
Did you use an image to create the Citrix server? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hboogz Sent: Wednesday, November 15, 2006 12:43 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Strange DC behaviour and error Hey Guys, I receive this error on my DC

RE: [ActiveDir] Strange DC behaviour and error

2006-11-15 Thread Scott, Anthony
Verify DNS is working properly and that DCs are synching time. These are two things that can cause Kerberos/ log on problems. Also, make sure there is not another computer object in AD, DNS record, WINS record named phmaindc1.  LMK if you need help in doing these tasks.

Re: [ActiveDir] Strange DC behaviour and error

2006-11-15 Thread hboogz
Hey Guys, Thanks for responses. I've been stuck in the data center for the past few hours. Here goes: It all started with this error in the event log: Event Type:Error Event Source:Kerberos Event Category:None Event ID:4 Date:11/15/2006 Time:03:17:45 PM User:

Re: [ActiveDir] Is it 2000 or 2003?

2006-11-15 Thread Bart Van den Wyngaert
Well I also have a strange thing... It concerns 2 SBS 2003 systems. Some months ago I raised both domain and forest functional level on those boxes. By reading this thread I decided to have a look... Both tools report the correct OS actually on both boxes. The only I wonder is a bit that they

Re: [ActiveDir] Is it 2000 or 2003?

2006-11-15 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Were these clean installs or inplace? Bart Van den Wyngaert wrote: Well I also have a strange thing... It concerns 2 SBS 2003 systems. Some months ago I raised both domain and forest functional level on those boxes. By reading this thread I decided to have a look... Both tools report the

Re: [ActiveDir] Is it 2000 or 2003?

2006-11-15 Thread Bart Van den Wyngaert
Clean ones, both of them. 1 in English, 1 in a regional language called Dutch. Both act the same way. On both boxes I raised the functional level the same way. On 11/16/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote: Were these clean installs or inplace? Bart Van

[ActiveDir] DNS Scavenging

2006-11-15 Thread Rimmerman, Russ
We're in the middle of an SMS deployment and SMS is making us very aware that DNS scavenging and WINS tombstoning doesn't appear to be happening as much as it should. Looking through our DNS records for our domain, there's like 2 and 3 machine names for one IP. Two of them were tossed in the

RE: [ActiveDir] DNS Scavenging

2006-11-15 Thread Roger Longden
Unless you enable it on a server (or manually initiate it against a server) nothing's actually being scavenged. The settings on the zone only allow the timestamps to replicate and define what records would be deleted assuming scavenging is run. So until a DNS server that hosts a primary copy

RE: [ActiveDir] DNS Scavenging

2006-11-15 Thread Akomolafe, Deji
You need some quiet time (and your favorite bottle/keg of liquor) with this document http://www.microsoft.com/technet/prodtechnol/windows2000serv/plan/w2kdns2.mspx If you are in a hurry, just skip down to the Aging and Scavenging part. Enjoy Sincerely,

RE: [ActiveDir] Help with topology

2006-11-15 Thread Kurt Falde
You may want to consider disabling BASL Bridge All Site Links option if you are having issues with branch sites trying to create connection objects to other branch sites. This will only allow servers to only create CO's to servers in other sites to which they are directly connected. Making

RE: [ActiveDir] DNS Scavenging

2006-11-15 Thread Rimmerman, Russ
OK that explains my problems then. When I enable it at the server level, it won't actually do anything to the zones that aren't enabled, correct? I mean, is it a two step process, you enable the server, and then enable the zones you actually want to scavenge one at a time? I just don't want

RE: [ActiveDir] DNS Scavenging

2006-11-15 Thread Akomolafe, Deji
Also keep in mind scavenging only applies to records that have timestamps (which are typically dynamically created.) Keep in mind that you CAN enable scavenging on static records. The facility is in dnscmd. So, please don't assume that your static records are safe from scavenging just