RE: [ActiveDir] Getting computer name from a username

2005-12-05 Thread Grillenmeier, Guido
hey joe - good questions - let me clarify:

1. no, we purposely don't - this would cause excessive replication and, as
you've mentioned, there's no guarantee that we would be able to write
the value. But the goal of this information is not to show who is
_currently_ logged on a machine (I wouldn't use a distributed system to
store this information); actually it doesn't store any time information
with the username. Instead its goal is to document the general
relationship between computers and users, which allows helpdesk folks
and location admins to more easily locate a user's PC or vice versa.

2. naturally, the logon-script solution will only account for those
folks that log on interactively. This will never be as accurate as a
point-in-time check against a workstation. However, as mobile users will
have logged on interactively to their notebook at one time in the past,
their user name is also associated with their notebook in AD. Doesn't
matter if they hibernate or disconnect afterwards.

3. good to know - I wasn't aware of that. Still prefer not to request a
write operation if I don't have to.


I've received a few other questions offline, mainly around how to
grant the permissions for users to change the description attribute on
computer objects, so that a user can write to it: if users should be
granted permissions to write to the description attribute of all
computer objects in a specific OU, this can be done by using the
advanced permission options for that OU. Doing so allows the admin to
choose the type of objects to which specific permissions apply.
In this case you would first go to the Properties tab and then choose
the option to Apply onto Computer objects. Then grant the Write
description permission for the appropriate group.
So what's the appropriate group? This depends on your situation - you
could use Authenticated Users, allowing any user in the domain to
update the attribute, or you'd use a location-specific group of which
all users of the respective location are members (this will limit the
scope of users who can update the computer description attribute, which
is usually a good thing).

Naturally, you can also use DSACLS to set the permissions via the
command line:

DSACLS OU=Computers,OU=Location-XYZ,DC=mydom,DC=net /I:S /G mydom\AllUsers-Location-XYZ:WP;description;computer


/Guido
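
An added example, not code from this mail or from Microsoft: a PowerShell audit of what such a delegation actually left on the OU. It reads the OU's DACL, keeps the allow ACEs that can reach the description attribute (WriteProperty on it, or the broader GenericWrite/GenericAll), and reports whether each one is scoped to computer objects the way "Apply onto Computer objects" (or the DSACLS line's trailing ";computer") should leave it. The OU DN and group name are the placeholders from the DSACLS line.

```powershell
# Added example (not from the mail thread): audit who can write 'description'
# on computer objects below an OU, to verify a delegation made in ADUC or with
# DSACLS. The OU DN and group name at the bottom are the placeholders from the DSACLS line.

function Get-SchemaGuid {
    # Looks up the schemaIDGUID of an attribute or class rather than hard-coding it.
    param([string]$LdapDisplayName, [string]$SchemaClass)  # attributeSchema or classSchema
    $root = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($root.schemaNamingContext)"
    $searcher.Filter = "(&(objectClass=$SchemaClass)(lDAPDisplayName=$LdapDisplayName))"
    [void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Schema object '$LdapDisplayName' not found" }
    [byte[]]$bytes = $result.Properties['schemaidguid'][0]
    New-Object System.Guid -ArgumentList (,$bytes)
}

function Get-DescriptionWriters {
    # One record per Allow ACE on $OuDn whose rights can reach the description attribute.
    param([string]$OuDn)
    $descriptionGuid = Get-SchemaGuid -LdapDisplayName 'description' -SchemaClass 'attributeSchema'
    $computerGuid    = Get-SchemaGuid -LdapDisplayName 'computer'    -SchemaClass 'classSchema'
    $adRights  = [System.DirectoryServices.ActiveDirectoryRights]
    $writeMask = $adRights::WriteProperty -bor $adRights::GenericWrite -bor $adRights::GenericAll
    $ou = [ADSI]"LDAP://$OuDn"
    $rules = $ou.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (($rule.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }
        # ObjectType empty means the ACE covers every property, not only description.
        if ($rule.ObjectType -ne [Guid]::Empty -and $rule.ObjectType -ne $descriptionGuid) { continue }
        $property = 'description'
        if ($rule.ObjectType -eq [Guid]::Empty) { $property = 'all properties' }
        # InheritedObjectType says which class inherits the ACE; empty means every class.
        if ($rule.InheritedObjectType -eq $computerGuid)     { $scope = 'computer objects' }
        elseif ($rule.InheritedObjectType -eq [Guid]::Empty) { $scope = 'all object classes' }
        else                                                 { $scope = "class $($rule.InheritedObjectType)" }
        $trustee = $rule.IdentityReference
        try { $trustee = $trustee.Translate([System.Security.Principal.NTAccount]) } catch { }  # orphaned SID stays a SID
        [pscustomobject]@{
            Trustee   = $trustee.Value
            Rights    = $rule.ActiveDirectoryRights
            Property  = $property
            AppliesTo = $scope
            Inherited = $rule.IsInherited
        }
    }
}

function Test-DescriptionDelegation {
    # ExpectedGrantPresent is true when the intended group holds exactly the narrow grant;
    # BroaderGrants lists every other trustee that can write description (admin groups
    # show up here by design, anything else deserves a look).
    param([string]$OuDn, [string]$ExpectedTrustee)
    $writers = @(Get-DescriptionWriters -OuDn $OuDn)
    $narrow = @($writers | Where-Object {
        $_.Trustee -eq $ExpectedTrustee -and $_.Property -eq 'description' -and $_.AppliesTo -eq 'computer objects' })
    $broad = @($writers | Where-Object { $_.Trustee -ne $ExpectedTrustee })
    [pscustomobject]@{
        ExpectedGrantPresent = ($narrow.Count -gt 0)
        BroaderGrants        = $broad
    }
}

Test-DescriptionDelegation -OuDn 'OU=Computers,OU=Location-XYZ,DC=mydom,DC=net' `
                           -ExpectedTrustee 'mydom\AllUsers-Location-XYZ'
```

Run it as a user who can read the OU's security descriptor; an Authenticated Users entry in BroaderGrants with "all properties" or "all object classes" is the over-broad delegation the paragraph above warns against.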

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sonntag, 4. Dezember 2005 16:23
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting computer name from a username

The few questions/comments I thought of are...

1. Do you clear the attribute you set when the user logs off? If you do,
how do you account for hibernation, etc. that wouldn't let you do anything?

2. What if someone comes up with cached creds and then reconnects the
computer (wireless or even purposeful disconnect/reconnect)?

3. If you send an update for an attribute to AD that is identical to the
value that is there, it will accept it like you made the change but no
change is really made, to reduce overhead. MS thought of that one.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Sunday, December 04, 2005 9:01 AM
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Getting computer name from a username

I'm using a similar script for a few customers the other way around =
it writes the user's name into the description attribute of the computer
he's logging onto.

To limit the replication impact in AD, the script first checks if the
value needs to be updated, which is not often the case, as users don't
roam much to other machines. It also checks if the user is a member of
specific administrator groups (such as client admins), which won't update
the computer object either, as they log on to various clients by nature
of their job.

Realize that you'll need to grant an appropriate group (e.g.
All-Users-SiteXYZ) the rights to update the description field on
computer objects in the respective OU. This is not required when
leveraging the homepage attribute on the user object as mentioned in the
previous post, since every user has the permission to update this
attribute by default via the SELF security principal. Nevertheless, we
preferred to have this information bound to the computer object.

Ideally you might actually want to use the managedBy attribute of the
respective computer object to _link_ the user to the computer = this
way you could view all computers that the user is actively logging onto
via the managedObjects attribute on the user account. These attributes
are linked together quite similar to the membership of a user in a
group, or to the manager and directReports attributes on a user object -
the difference here is (sadly enough) that the managedObjects attribute
is not shown in the AD Users and Computers MMC that is used by many
delegated admins to manage their objects. Also, you

RE: [ActiveDir] Exporting Mailbox rights

2005-12-05 Thread Amy Hunter
Hi Alain,

thanks for your response, it all looks very clever.

I have tried running the following command:

WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /adsi
WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /decipher

I receive this error "c:\WMIManageSD.Wsf(155, 39) Windows Script Host: Cannot retrieve referenced URL : ..\Functions\SecurityInclude.vbs"

when I open this script, I can't see any reference to this.

Also, how can I run this against all group mailboxes in an OU?

any ideas?

Amy ;-)

PS... sorry if I sound lame, scripting is not an area I spent too much time with yet.

Alain Lissoir [EMAIL PROTECTED] wrote:

You can look at http://www.lissware.net, volume 2, Sample 4.02 to 4.13 - WMIManageSD.Wsf (and associated sub-functions in the Functions folder).

Syntax to use in red below (the script supports Filesystem, Share, ADObject with Extended Rights, Exchange Mailbox, Registry Key, WMI namespace).

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Usage: WMIManageSD.Wsf [/FileSystem:value] [/Share:value] [/ADObject:value] [/E2KMailbox:value] [/E2KStore[+|-]] [/RegistryKey:value] [/WMINameSpace:value] [/ViewSD[+|-]] [/Owner:value] [/Group:value] [/SDControls:value] [/AddAce[+|-]] [/DelAce[+|-]] [/Trustee:value] [/ACEMask:value] [/ACEType:value] [/ACEFlags:value] [/ObjectType:value] [/InheritedObjectType:value] [/SACL[+|-]] [/Decipher[+|-]] [/ADSI[+|-]] [/SIDResolutionDC[+|-]] [/Machine:value] [/User:value] [/Password:value]

Options:

FileSystem : Get the security descriptor of the specified file or directory path.
Share : Get the security descriptor of the specified share name.
ADObject : Get the security descriptor of the specified distinguished name AD object.
E2KMailbox : Get the security descriptor of the Exchange 2000 mailbox specified by AD user distinguished name.
E2KStore : Specify if the security descriptor must come from the Exchange 2000 store.
RegistryKey : Get the security descriptor of the specified registry key.
WMINameSpace : Get the security descriptor of the specified WMI Name space.
ViewSD : Decipher the security descriptor.
Owner : Set the security descriptor owner.
Group : Set the security descriptor group.
SDControls : Set the security descriptor control flags.
AddAce : Add a new ACE to the ACL.
DelAce : Remove an existing ACE from the ACL.
Trustee : Specify the ACE mask (granted user, group or machine account).
ACEMask : Specify the ACE mask (granted rights).
ACEType : Specify the ACE type (allow or deny the ACE mask).
ACEFlags : Specify the ACE flags (ACE mask inheritance).
ObjectType : Specify which object type, property set, or property an ACE refers to.
InheritedObjectType : Specify the GUID of an object that will inherit the ACE.
SACL : Manage the System ACL (auditing) (default=Discretionary ACL).
Decipher : Decipher the security descriptor.
ADSI : Retrieve the security descriptor with ADSI.
SIDResolutionDC : Domain Controller to use for SID resolution.
Machine : Determine the WMI system to connect to. (default=LocalHost)
User : Determine the UserID to perform the remote connection. (default=none)
Password : Determine the password to perform the remote connection. (default=none)

Examples:

Viewing Security descriptors ...

Files and Folders
---
WMIManageSD.Wsf /FileSystem:C:\MyDirectory /Decipher+
WMIManageSD.Wsf /FileSystem:C:\MyDirectory /Decipher+ /ADSI+
WMIManageSD.Wsf /FileSystem:C:\MyDirectory\MyFile.Txt /Decipher+
WMIManageSD.Wsf /FileSystem:C:\MyDirectory\MyFile.Txt /Decipher+ /ADSI+

Share
---
WMIManageSD.Wsf /Share:MyDirectory /Decipher+

AD object
---
WMIManageSD.Wsf /ADObject:"user;CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+
WMIManageSD.Wsf /ADObject:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+ /ADSI+

Exchange 2000 mailbox
---
WMIManageSD.Wsf /E2KMailbox:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+
WMIManageSD.Wsf /E2KMailbox:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+ /ADSI+
WMIManageSD.Wsf /E2KMailbox:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+ /E2KStore+

Registry
---
WMIManageSD.Wsf /RegistryKey:HKLM\SOFTWARE\Microsoft /Decipher+ /ADSI+

WMI namespace
---
WMIManageSD.Wsf /WMINameSpace:Root\CIMv2 /Decipher+

Adding ACE in Security descriptors ...

Files (Rights)
--
WMIManageSD.Wsf /FileSystem:C:\MyDirectory\MyFile.Txt

RE: [ActiveDir] AD Wish list

2005-12-05 Thread al_maurer
In my experience, if it's going to be in the ,00s, it's going to be a script. :)

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
Cry 'Havoc!' and let slip the dogs of war - Anthony, in Julius Caesar III i.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Thursday, December 01, 2005 4:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Wish list

Hi

I've been asked to contribute to a wish list and was planning on asking for some AD
tools - specifically for reporting. I've had a look about, but the prices vary
wildly. I know there's no chance of anything that's going to do a great job
(Quest) as we're talking ,00's rather than ,000's. :)

Trouble is there are a lot of tools out there and often they're doing stuff much of
which I can script (or plagiarise :) ), plus the odd extra.

Does anyone have good experiences of anything in the ,00's price range that'll
report back auditing/stats/security info?

All the best

Danny

RE: [ActiveDir] SBS Transition Pack installation experience?

2005-12-05 Thread al_maurer
Thanks, Susan.  I imagine if we can establish the trust after applying the 
transition pack, we'll be good to go.

Funny about that "Setup cannot continue because the version of Windows on your 
computer is newer than the version on the CD" warning.  Had the same warning 
and ending experience when installing w2k3 R2/RC.

Al Maurer 
Service Manager, Naming and Authentication Services 
IT | Information Technology 
Agilent Technologies 
(719) 590-2639; Telnet 590-2639 
http://activedirectory.it.agilent.com 
-- 
Cry 'Havoc!' and let slip the dogs of war  - Anthony, in Julius Caesar III i. 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, December 02, 2005 8:40 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS Transition Pack installation experience?

And the documentation on this side too is a bit sparse.

In our SBS MVP ranks we've had one MVP go through it... below are his 
comments when we asked him to go over the experience... as most folks 
post in the SBS newsgroup and say we're applying this and we never 
hear back from them...they get sucked into this blackhole never to post 
again



OK, here's what I found.

Installed the Transition pack on SBS SP1 Premium (running SQL but not 
ISA).

It churned for a while and rebooted twice.  Note that you are warned 
all over the place that you'll have to reinstall all service packs 
after installing the transition pack.

Towards the end of the install, I get a message box: "Setup cannot 
continue because the version of Windows on your computer is newer 
than the version on the CD.  Warning: If you decide to delete the 
newer version of Windows that is currently installed on your 
computer, the files and settings cannot be recovered.  To exit, click 
Cancel.  For more information, click Details."

Clicking Details got me nowhere, so I clicked Cancel.  I thought I 
was in trouble, and was ready to call PSS.  I rebooted after clicking 
cancel, and much to my surprise, I get prompted that the transition 
pack was installed successfully.

So now the box is in the "I think the transition pack is applied" 
state.  I moved FSMO roles to another box without a problem 
(something you're only supposed to be able to do post transition 
pack).  I moved Exchange and SQL each to their own box.  I am also 
now running 2 DHCP servers in the environment, and the old SBS box 
seems to be stable.  I'm not sure what else I can do to confirm that 
the transition pack is OK, but everything seems to be stable at this 
point.

--

To add to that. yes the transition pack was applied 
successfully...the way you check is attempt to disable license logging 
service and sbscore services. If those two services will shut off and 
stay off, you don't have a SBS box anymore.

In this no longer a SBS box state, Remote Web Workplace and all the 
SBS wizards still work, there are just no guarantees that future 
patches/service packs will break things.

I imagine if all you wanted to do was sucking life out of it...you could 
have FSMO transferred the AD to a normal Windows 2003 box and sucked 
that over too. [you know the seize ntdsutil thingy]

[EMAIL PROTECTED] wrote:

 Hi,

 Anyone have experience/recommendations for applying the SBS Transition 
 pack? We just got the software and the admin who received it says the 
 documentation is sparse. (Feel free to jump in, Susan J)

 The situation is that a recent acquisition is running SBS and we need 
 to build a trust to their domain so that we can suck the life out of 
 it...I mean, so that we can transition users and resources to the 
 corporate domain.

 Thanks in advance,

 AL

 Al Maurer
 Service Manager, Naming and Authentication Services
 IT | Information Technology
 Agilent Technologies
 (719) 590-2639; Telnet 590-2639
 http://activedirectory.it.agilent.com
 --
 Cry 'Havoc!' and let slip the dogs of war - Anthony, in Julius 
 Caesar III i.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Exporting Mailbox rights

2005-12-05 Thread Alain Lissoir



Do you have the Functions folder available? It contains a series of functions used by 
WMIManageSD.Wsf.
Next you must register the DLL with REGSVR32 in the resource folder. Then you are all 
set.
By default, WMIManageSD.Wsf must be in Folder XYZ while the Functions folder must be at the same 
level.

Root
 + Functions
 |
 + XYZ

Otherwise you can change the "..\Functions" reference to an 
absolute path and point to the exact location of the Functions folder in your 
installation (you call).

To run against a group of MB in an OU, just query the users you have in that OU 
with DSQUERY (or any equivalent tool) and combine them in a command like 
(one single line when you type; the line is cut for readability reasons in 
this mail):

For /F "delims=*" %i in ('dsquery * "ou=group mailboxes,OU=,DC=spinnaker,DC=org" -filter "(objectClass=user)"')
do WMIManageSD.Wsf /E2KMailbox:%i /Decipher+ /ADSI+

HTH.

PS: Don't forget the + at the end of 
the /Decipher+ and /ADSI+ switches.




RE: [ActiveDir] Exporting Mailbox rights

2005-12-05 Thread Coleman, Hunter



The reference is on line 155 of the script. Go to Alain's site (www.lissware.net) 
and scroll down to the link for "Script Kit of Volume 2". Download that and extract 
the whole thing...you should get a directory structure, and the main script is in 
\Volume_2_ScriptKits\Chapter_04\Sample 4.02 to 4.13. You should also see a 
\Functions directory, which is where the SecurityInclude.vbs script (and others) 
reside.

To run it against all of the mailboxes in an OU, you'll need to wrap Alain's script 
with code that queries the OU for all mailboxes, and then pipes the CN for each 
mailbox to the WMIManageSD.Wsf code.

Hunter



RE: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread Medeiros, Jose
Correction. I meant to say: the Esentutl utility with the /d switch, not 
Eseutil /d.



Sincerely, 
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jose Medeiros
Sent: Sunday, December 04, 2005 12:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption


Even if it's SCSI on a RAID 5 array, you can still have corrupt clusters. A 
power outage or a hard reboot could have damaged the clusters on the drives. 
Try running Chkdsk /r.  And I have an idea, but have not tried it yet: try 
running Eseutil /d after the chkdsk completes; since it creates a new 
database, it may repair the problem.
http://www.mcpmag.com/columns/article.asp?EditorialsID=330

Jose
- Original Message - 
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday, December 04, 2005 12:13 AM
Subject: Re: [ActiveDir] Ntds.dit file corruption


 Nope just confirmed SCSI ...but there's still Dell hardware to lay blame 
 on here  ;-)

 Brian Desmond wrote:

I think those are SATA only?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, December 04, 2005 2:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

http://www.dell.com/downloads/global/products/pedge/en/sc1420_specs.pdf

Well he said it's a Dell [ugh] 1420 but do not know if SATA or SCSI.

Jose Medeiros wrote:


Hmm.. I have never experienced this with either McAfee or Symantec AV on 
any of the DC's that I have built and or maintained.  Have you had a 
chance to run chkdsk /r yet? More than likely the problem is bad clusters 
on the drive which caused the NTDS.DIT file to become corrupt.

Was this server built using IDE /ATA/SATA drives?


Jose



- Original Message - From: Susan Bradley, CPA aka Ebitz - SBS 
Rocks [MVP] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, December 03, 2005 10:58 PM
Subject: [ActiveDir] Ntds.dit file corruption



SBS box [with Windows 2003 sp1 since September]

RE: [ActiveDir] Database Corruption:
http://www.mail-archive.com/activedir@mail.activedir.org/msg32676.html

We have a SBS 2003 sp1 box with a corrupt ntds.dit that the Consultant 
and PSS have been banging on.  Could not get the services back running, 
changed the RPC service to local system and some service came back up [I 
don't have all the details but the consultant opened a support case of 
SRX051202605433].
Bottom line they are about going to give up and start a restore but 
before they do that I'd like to get the view of the AD gods and 
goddesses around here.  From all that I've seen, read, seen in the SBS 
newsgroup, the corruption of ntds.dit is rare to nil and an underlying 
cause is hardware issues [raid, disk subsystem].  This doesn't just 
happen.
The VAP asked if not properly excluding the ad databases from the a/v 
would cause this/trigger this and my expectation is 'no', given that I 
doubt the majority of us in SBSland properly set up exclusions
Virus scanning recommendations on a Windows 2000 or on a Windows Server 
2003 domain controller:
http://support.microsoft.com/default.aspx?scid=kb;en-us;822158

If this were my hardware and box, I'd be putting this sucker on the 
operating table and getting an autopsy before putting it back online.

Are we right in being paranoid now about this hardware?  For you guys in 
big server land you'd just slide over another box into that server role.

---
Stupid question alert

Okay so we know that having a secondary/additional domain controller is 
a good thing even in SBSland...but question many times the second 
server in SBSland is a terminal server box because we do not support TS 
in app mode on our PDCs. So we've established that having a domain 
controller and a terminal server is a security issue [see Windows 
Security resource kit, NIST Terminal services hardening guide, etc 
etc]  If our second server is a member server handing out TS 
externally, should that be a candidate for the additional DC?  Are the 
issues of TS on a DC ... true for 'any' DC?  Would it be better than to 
Vserver/VPC a Win2k3 inside a workstation in the network if a third 
server box was not feasible?


RE: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread Brett Shirley
She replied offline, very likely a single bit flip, tragedy, they aren't
one release later (Longhorn), where this would've probably been
non-disruptively handled, logged, and possibly self-healed:
  http://blogs.technet.com/efleis/archive/2005/01.aspx

Anyway, this kind of thing is usually hardware ...

While there are much better disk sub-system testers, one that is freely
available to any box with Exchange is jetstress.  You might give that a
try.  If you can reproduce the event / error with jetstress I would not
use that box in production.

If you do reproduce the issue several times (several times is key, as you 
want a trend before you start playing the variable game), some things
you might vary (one at a time):

 - Try making sure you have the latest driver and motherboard / controller
firmware.  Then see if you can reproduce.

 - Try a different RAID configuration, such as RAID1/RAID1+0 if you're on
RAID5.

 - Try swapping out the hard drives, one at a time.

 - Adding the jetstress files to the exclude list in the Anti-Virus
software. (A low probability; I've never heard of Anti-Virus causing this
particular type of error, and I can't imagine the mistake an anti-virus
product would have to have to cause this side effect)

 - If you can reproduce it several times, you could followup with Dell.  
Good luck.

I'm not sure if I answered your question ...

Cheers,
BrettSh


On Sun, 4 Dec 2005, Eric Fleischman wrote:

 Going back to the original post, I'm not sure I fully understand the
 problem yet. Susan, can you define ntds.dit file corruption for us?
 What sort of corruption? What errors/events lead you to believe this?
 Specifically, I'm interested in errors from NTDS ISAM or ESE if you
 have any.
  
  
 
 
 
 externally, should that be a candidate for the additional DC?  Are the
 issues of TS on a DC ... true for 'any' DC?  Would it be better then to
 Vserver/VPC a Win2k3 inside a workstation in the network if a third
 server box was not feasible?
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 
 
 

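Eric asks for errors from NTDS ISAM or ESE, and Brett wants a trend before the variable game starts. As an added example (not part of the thread, and assuming Windows PowerShell 3.0 or later on or against the DC; the parameter names are mine), this script pulls those warnings and errors out of the Directory Service log and summarises them per event ID so repeats stand out:

```powershell
# Added example, not from the thread: summarise ESE / NTDS ISAM events in the
# Directory Service log so that a recurring disk-path problem shows up as a
# trend rather than a single entry. Assumes PowerShell 3.0+ (Get-WinEvent).
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC to query (assumed name)
    [int]$Days = 30                              # how far back to look
)

# Both provider names Eric mentions; Level 1 = Critical, 2 = Error, 3 = Warning.
$filter = @{
    LogName      = 'Directory Service'
    ProviderName = @('NTDS ISAM', 'ESE')
    Level        = @(1, 2, 3)
    StartTime    = (Get-Date).AddDays(-$Days)
}

# -ErrorAction SilentlyContinue: an empty result is reported as an error
# by Get-WinEvent, which is not what we want here.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No NTDS ISAM / ESE warnings or errors in the last $Days days on $ComputerName."
    return
}

# One row per event ID: how often, first/last seen, whether any instance
# reports a read-verification failure (JET error -1018, a page checksum
# mismatch, which is the classic signature of a bad disk path), and a sample.
$summary = $events |
    Group-Object Id |
    ForEach-Object {
        $group  = $_.Group
        $sorted = $group | Sort-Object TimeCreated
        $bad    = @($group | Where-Object { $_.Message -match '-1018|checksum' })
        [pscustomobject]@{
            Id        = $_.Name
            Count     = $_.Count
            FirstSeen = $sorted[0].TimeCreated
            LastSeen  = $sorted[-1].TimeCreated
            Checksum  = ($bad.Count -gt 0)
            Sample    = ($sorted[-1].Message -split "`n")[0]
        }
    } |
    Sort-Object Count -Descending

$summary | Format-Table -AutoSize -Wrap

# Separately list every entry that names the database file itself, in order,
# so the "post blow up" events can be told apart from what preceded them.
$events |
    Where-Object { $_.Message -match 'ntds\.dit' } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName,
                  @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Run it once before and once after a jetstress pass; an event ID whose count grows with each pass, especially one flagged in the Checksum column, is the kind of repeat Brett says you want to see before changing drivers, RAID layout or drives.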


Re: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

I did? :-)  I think I still said all I know is what the poster said  :-)

I think I need a course in event log reading because even with the logs, 
and the default size of the logs, I still don't see a smoking gun.  The 
directory services one is filled with events 'post' blow up.


What is interesting is that it seems to me big server land goes .. oh 
yeah... ntds.dit corruption... and sbsland freaks out.  Either we do 
indeed need to ensure we have a secondary DC or we need to park a second 
copy of a system state offsite [say at the vap/var]



Re: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread Al Mulnick
Those are fine ideas.  You may want to have a closer look at that hardware.  
Whichever the vendor, they usually have their own diagnostics.  It's time 
consuming, but often worth checking along with checking for known issues 
with drivers, firmware, etc.


In my experience, I've mostly seen this type of corruption with faulty 
hardware.  Sometimes drive cache can hurt (not battery backed up array 
controller, but on the disk) as can bad run of hardware or cracked 
motherboards. Giving the machine the once-over is a great idea.  And if you 
can't spot it, I might still consider the machine suspect and not worth 
reinstalling on. Vote of no-confidence so to speak.


Keeping good backups (by good, I mean tested) is always recommended 
regardless of size of company.  Keep with that any and all information 
needed to recover the machine if it were to become a smoking puddle of goo 
in the wiring closet. Unless the data is not worth recovering. :)




RE: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread Medeiros, Jose
Well at least the corruption occurred on just a single DC. One thing that has 
bugged me about Active Directory is not being able to select if you want a DC 
in a remote office to not have the ability to replicate back in a large 
enterprise environment. Since most remote offices only have a few people at the 
location and a DC is usually placed for improvised logon and authentication 
time, many companies will either use a very low end server or a very old 
decommissioned one from their production data center (which is probably close 
to useable life). I am always concerned that once the NTDS.DIT file becomes 
corrupt it will replicate the corruption to the other DCs in the Forest. 

Maybe I am just being a worry wart and this really is not an issue.



Sincerely, 
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL





Re: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread Phil Renouf
Will Read Only DCs take care of this? I don't know much about them yet, but it makes sense that if the copy of the dit that a DC has is RO that it won't try to replicate that anywhere and would only be the recipient of replication. Anyone with more knowledge about how RO DCs will work to comment on that?


Phil

RE: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread Medeiros, Jose



I was not aware that Microsoft had incorporated such a feature in AD 2003. I 
know for a fact that Microsoft did not have this feature when AD 2000 was first 
released because I mentioned it to several Microsoft AD premier support 
specialists and they each confirmed it was not available (however, it may have 
been added in a service pack).

I would love to know how to enable a read only DC. I think that is a great 
idea, I wonder who thought of it. :-)

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL


RE: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread Steve Linehan



We do not replicate corruption so if you have local 
corruption as noted below there is no worry that it would replicate around to 
other servers in the environment.

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 1:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

Will Read Only DC's take care of this? I don't know much about them yet, 
but it makes sense that if the copy of the dit that a DC has is RO that it won't 
try to replicate that anywhere and would only be the recipient of replication. 
Anyone with more knowledge about how RO DC's will work to comment on that? 


Phil

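Eric's question above (what errors/events lead you to believe this, specifically anything from NTDS ISAM or ESE) is best answered from the Directory Service log rather than from a feeling that "the log is full of stuff". The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes PowerShell 3 or later on the DC (or remote access to it), and the provider names and the 14-day window are assumptions to adjust.

```powershell
# Added example (not from the thread): list recent warning/error events from
# the ESE ("NTDS ISAM") provider in the Directory Service log, grouped by event
# ID with first/last seen, so a recurring pattern (the "trend" Brett asks for
# before swapping hardware variables) is visible at a glance.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # the DC to inspect
    [int]$Days = 14                              # assumed look-back window
)

# On a DC the ESE engine logs under the provider name "NTDS ISAM"; "ESE" is the
# Exchange-side name Eric also mentions. A provider that does not exist on the
# box simply matches nothing.
$providers = @('NTDS ISAM', 'ESE')

$filter = @{
    LogName      = 'Directory Service'
    ProviderName = $providers
    Level        = @(1, 2, 3)                    # 1=Critical, 2=Error, 3=Warning
    StartTime    = (Get-Date).AddDays(-$Days)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No ESE/NTDS ISAM warnings or errors in the Directory Service log on $ComputerName in the last $Days days."
    return
}

# One row per event ID: how often, when it started, when it was last seen, and
# the first line of the most recent message as a sample.
$events |
    Group-Object -Property Id |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            EventId   = $_.Name
            Count     = $_.Count
            FirstSeen = $sorted[0].TimeCreated
            LastSeen  = $sorted[-1].TimeCreated
            Level     = $sorted[-1].LevelDisplayName
            Sample    = ($sorted[-1].Message -split "`r?`n")[0]
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it before and after each hardware or firmware change Brett lists; if the same event IDs keep coming back, that is the trend worth chasing, and if a box throws them under jetstress it should not carry the DIT in production.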
Re: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread Phil Renouf
I was thinking about Longhorn :) It has been brought up here as a possible longhorn feature a couple of times, but yeah that doesn't help much for the immediate future.

Phil
On 12/5/05, Medeiros, Jose [EMAIL PROTECTED] wrote:

I was not aware that Microsoft had incorporated such a feature in AD 2003. I know for a fact that Microsoft did not have this feature when AD 2000 was first released because I mentioned it to several Microsoft AD premier support specialists and they each confirmed it was not available (however it may have been added in a service pack).

I would love to know how to enable a read only DC. I think that is a great idea, I wonder who thought of it. :-)

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

Will Read Only DC's take care of this? I don't know much about them yet, but it makes sense that if the copy of the dit that a DC has is RO that it won't try to replicate that anywhere and would only be the recipient of replication. Anyone with more knowledge about how RO DC's will work to comment on that?

Phil

On 12/5/05, Medeiros, Jose [EMAIL PROTECTED] wrote:

Well at least the corruption occurred on just a single DC. One thing that has bugged me about Active Directory is not being able to select if you want a DC in a remote office to not have the ability to replicate back in a large enterprise environment. Since most remote offices only have a few people at the location and a DC is usually placed for improvised logon and authentication time, many companies will either use a very low end server or a very old decommissioned one from their production data center (which is probably close to useable life). I am always concerned that once the NTDS.DIT file becomes corrupt it will replicate the corruption to the other DC's in the Forest. Maybe I am just being a worry wart and this really is not an issue.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, December 05, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

I did? :-) I think I still said all I know is what the poster said :-) I think I need a course in event log reading because even with the logs, and the default size of the logs, I still don't see a smoking gun. The directory services one is filled with events 'post' blow up. What is interesting is that it seems to me big server land goes .. oh yeah... ntds.dit corruption... and sbsland freaks out. Either we do indeed need to ensure we have a secondary DC or we need to park a second copy of a system state offsite [say at the vap/var]

Brett Shirley wrote:

RE: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread joe



RODCs are a LongHorn feature. It will be one-way 
replication to the RODCs. They will not replicate out anything. If you are on 
the LongHorn beta you should be able to test this right now.

But as Steve (one of the really good PSS guys) said, and I can concur as I have seen my share of corrupted DITs, the corruption doesn't replicate.

In every case I have seen it the problem has been hardware 
failure or a firmware/driver matchup issue in the disk 
subsystem.

Fixing them is easy, wipe the machine, do hardware tests, 
if it passes, do it again. If it passes do it a third time. If it passes, reload 
and repromo. If it fails one of the tests, get the hardware fixed, reload, and 
repromo.

If SBS, well you have all sorts of issues in that basket as 
your eggs leak. 

 joe



[ActiveDir] remove logon script?

2005-12-05 Thread Harding, Devon

How can I remove the logon.bat from all my user (2000+) accounts at one time in my domain? I've switched to GPO for the logon scripts.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

__
This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.


RE: [ActiveDir] remove logon script?

2005-12-05 Thread Ayers, Diane

Try ADmodify for a GUI tool...

Diane

http://tinyurl.com/5ruog



RE: [ActiveDir] remove logon script?

2005-12-05 Thread Brian Desmond

Adfind and admod from joeware.net

adfind -f "(&(objectCategory=person)(objectClass=user)(scriptpath=logon.bat))" -default -dsq | admod -unsafe scriptpath-

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


RE: [ActiveDir] remove logon script?

2005-12-05 Thread Crawford, Scott

This is a fairly old and ugly vbs script, and it only works for one OU in the domain, but it should get the job done. You'll need to modify strPathToContainer and strDomain.

Option Explicit

Dim strPathToContainer, strDomain, strAttribute
Dim oUser, oUserContainer

strPathToContainer = "OU=Student"
strDomain = ",DC=evangel,DC=edu"
' The job in this thread is removing logon.bat, which is stored in scriptPath;
' as originally posted the script cleared profilePath instead.
strAttribute = "scriptPath"

' Bind to the OU and restrict the enumeration to user objects
Set oUserContainer = GetObject("LDAP://" & strPathToContainer & strDomain)
oUserContainer.Filter = Array("User")

For Each oUser In oUserContainer
    ' ADS_PROPERTY_CLEAR (1) removes the attribute; the value argument is ignored
    oUser.PutEx 1, strAttribute, vbNullString
    oUser.SetInfo
Next

Set oUserContainer = Nothing

MsgBox "Done"


RE: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread Medeiros, Jose

If that failsafe is built in then I am just being a worry wart and I have to admit, I have yet to experience this particular problem.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Linehan
Sent: Monday, December 05, 2005 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

We do not replicate corruption so if you have local corruption as noted below there is no worry that it would replicate around to other servers in the environment.

Thanks,

-Steve
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Phil 
  RenoufSent: Monday, December 05, 2005 1:04 PMTo: 
  ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Ntds.dit file 
  corruption
  
  Will Read Only DC's take care of this? I don't know much about them yet, 
  but it makes sense that if the copy of the dit that a DC has is RO that it 
  won't try to replicate that anywhere and would only be the recipient of 
  replication. Anyone with more knowledge about how RO DC's will work to comment 
  on that? 
  
  Phil
  On 12/5/05, Medeiros, 
  Jose [EMAIL PROTECTED] 
  wrote: 
  Well 
at least the corruption occurred on just a single DC. One thing that has 
bugged me about Active Directory is not being able to select if you want a 
DC in a remote office to not have the ability to replicate back in a large 
enterprise environment. Since most remote offices only have a few people at 
the location and a DC is usually placed for improvised logon and 
authentication time, many companies will either use a very low end server or 
a very old decommissioned one from their production data center ( Which is 
probably close to useable life ). I am always concerned that once the 
NTDS.DIT file becomes corrupt it will replicate the corruption to the other 
DC's in the Forrest.Maybe I am just being a worry wort and this 
really is not an issue.Sincerely,Jose MedeirosADP | 
National Account Services ProBusiness Division | Information 
Services925.737.7967 | 408-449-6621 
CELL-Original Message-From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]]On 
Behalf Of Susan Bradley,CPA aka Ebitz - SBS Rocks [MVP]Sent: Monday, 
December 05, 2005 8:53 AMTo: ActiveDir@mail.activedir.orgSubject: 
Re: [ActiveDir] Ntds.dit file corruptionI did? :-)I 
think I still said all I know is what the poster 
said:-)I think I need a course in event log reading 
because even with the logs, and the default size of the logs, I still 
don't see a smoking gun.Thedirectory services one is filled 
with events 'post' blow up.What is interesting is that it seems to 
me big server land goes .. ohyeah... ntds.dit corruption... and sbsland 
freaks out.Either we doindeed need to ensure we have a 
secondary DC or we need to park a secondcopy of a system state offsite 
[say at the vap/var]Brett Shirley wrote: She replied 
offline, very likely a single bit flip, tragedy, they aren't one 
release later (Longhorn), where this would've probably been 
non-disruptively handled, logged, and possibly 
self-healed: http://blogs.technet.com/efleis/archive/2005/01.aspx 
Anyway, this kind of thing is usually hardware ... While 
there are much better disk sub-system testers, one that is freely  
available to any box with Exchange is jetstress.You might give 
that a try.If you can reproduce the event / error with 
jetstress I would not use that box in production. If 
you do reproduce the issue several times (several times is key, as you 
 want a trend before you start playing the variable game), some 
things you might vary (one at a time):- 
Try making sure you have the latest driver and motherboard / 
controller firmware.Then see if you can reproduce. 
- Try a different RAID configuration, such as 
RAID1/RAID1+0 if you're on RAID5.- Try 
swapping out the hard drives, one at a time.- 
Adding the jetstress files to the exclude list in the Anti-Virus  
software. (A low probablility, I've never heard of Anit-Virus causing 
this paticular type of error, and I can't imagine the mistake an 
anti-virus product would have to have to cause this side effect) 
- If you can reproduce it several times, you 
could followup with Dell. Good luck. I'm not sure if 
I answered your question ... Cheers, 
BrettSh  On Sun, 4 Dec 2005, Eric Fleischman 
wrote: Going back to the original post, I'm not 
sure I fully understand the problem yet. Susan, can you define 
"ntds.dit file corruption" for us?  What sort of corruption? 
What errors/events lead you to believe this? Specifically, I'm 
interested in errors from NTDS ISAM or ESE if you have 

RE: [ActiveDir] remove logon script?

2005-12-05 Thread joe

One tiny correction :)

adfind -f "(&(objectCategory=person)(objectClass=user)(scriptpath=logon.bat))" -default -dsq | admod -unsafe scriptpath:-



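The adfind | admod pipeline (with joe's scriptpath:- correction) and Scott's VBScript both do the same thing: find every user whose scriptPath still says logon.bat and clear it. On 2000+ accounts a practitioner also wants a dry run, a record of what was removed and a check afterwards. The following PowerShell is an added example, not the thread's own code or joeware's; it assumes the ActiveDirectory module (RSAT) on a domain-joined box, and the search base, script name and backup path are assumptions to adjust.

```powershell
# Added example (not from the thread): clear scriptPath on every user that still
# points at logon.bat, with a dry run by default, a CSV backup of what is
# changed, and an after-count check against the directory.
param(
    [string]$SearchBase = 'DC=mydom,DC=net',        # assumed; narrow to an OU where possible
    [string]$ScriptName = 'logon.bat',
    [string]$BackupCsv  = "$env:TEMP\scriptpath-backup.csv",
    [switch]$Commit                                 # without -Commit nothing is written
)

Import-Module ActiveDirectory

# Same filter as the adfind command: objectCategory=person keeps computer
# accounts (which are also objectClass=user) out of the result.
$filter = "(&(objectCategory=person)(objectClass=user)(scriptPath=$ScriptName))"

$users = @(Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties scriptPath)
Write-Output ("{0} user(s) still have scriptPath = {1}" -f $users.Count, $ScriptName)

if ($users.Count -eq 0) { return }

# Keep a record of what is being removed; Set-ADUser -Replace @{scriptPath=...}
# from this file puts it back if a script turns out to be needed after all.
$users | Select-Object DistinguishedName, SamAccountName, scriptPath |
    Export-Csv -Path $BackupCsv -NoTypeInformation
Write-Output "Backup written to $BackupCsv"

foreach ($u in $users) {
    if ($Commit) {
        # -Clear removes the attribute entirely, the same as admod's scriptpath:-
        Set-ADUser -Identity $u.DistinguishedName -Clear scriptPath
    } else {
        Write-Output "WOULD clear scriptPath on $($u.DistinguishedName)"
    }
}

if ($Commit) {
    # Verify against the directory rather than trusting the loop
    $left = @(Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase)
    Write-Output ("After commit: {0} user(s) still match (expected 0)" -f $left.Count)
}
```

Run it once without -Commit to see the count and the list, then with -Commit. If the after-count is not zero, query the same DC the writes went to (add -Server to both Get-ADUser calls) before assuming something failed; replication lag is the usual reason.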

RE: [ActiveDir] AD Wish list

2005-12-05 Thread joe



I would have to concur, reporting is pretty heavy duty stuff.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, December 05, 2005 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Wish list

In my experience, if it's going to be in the ,00s, it's going to be a script.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
"Cry 'Havoc!' and let slip the dogs of war" - Anthony, in Julius Caesar III i.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Thursday, December 01, 2005 4:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Wish list

Hi

I've been asked to contribute to a wish list and was planning on asking for some AD tools - specifically for reporting. I've had a look about, but the prices vary wildly. I know there's no chance of anything that's going to do a great job (Quest) as we're talking ,00's rather than ,000's. :)

Trouble is there are a lot of tools out there and often they're doing stuff much of which I can script (or plagiarise :) ), plus the odd extra.

Does anyone have good experiences of anything in the ,00's price range that'll report back auditing/stats/security info?

All the best
Danny



RE: [ActiveDir] Exporting Mailbox rights

2005-12-05 Thread joe



Here is a little code snippet I posted here previously for 
enumerating mailbox permissions

http://www.mail-archive.com/activedir@mail.activedir.org/msg14221.html




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter
Sent: Monday, December 05, 2005 7:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exporting Mailbox rights

Hi Alain,

thanks for your response, it all looks very clever.

I have tried running the following command:

WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /adsi
WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /decipher

I receive this error "c:\WMIManageSD.Wsf(155, 39) Windows Script Host: Cannot retrieve referenced URL : ..\Functions\SecurityInclude.vbs"

when I open this script, I can't see any reference to this

Also, how can I run this against all group mailboxes in an OU?

any ideas?

Amy ;-)

Ps...sorry if I sound lame, scripting is not an area I spent too much time with Yet.



Alain Lissoir [EMAIL PROTECTED] 
wrote:

  
You can look at http://www.lissware.net, volume 2, Sample 4.02 to 4.13 - WMIManageSD.Wsf (and associated sub-functions in the Functions folder).

Syntax to use in red below (the script supports Filesystem, Share, ADObject with Extended Rights, Exchange Mailbox, Registry Key, WMI namespace).

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Usage: WMIManageSD.Wsf [/FileSystem:value] [/Share:value] [/ADObject:value] [/E2KMailbox:value] [/E2KStore[+|-]] [/RegistryKey:value] [/WMINameSpace:value] [/ViewSD[+|-]] [/Owner:value] [/Group:value] [/SDControls:value] [/AddAce[+|-]] [/DelAce[+|-]] [/Trustee:value] [/ACEMask:value] [/ACEType:value] [/ACEFlags:value] [/ObjectType:value] [/InheritedObjectType:value] [/SACL[+|-]] [/Decipher[+|-]] [/ADSI[+|-]] [/SIDResolutionDC[+|-]] [/Machine:value] [/User:value] [/Password:value]

Options:

FileSystem          : Get the security descriptor of the specified file or directory path.
Share               : Get the security descriptor of the specified share name.
ADObject            : Get the security descriptor of the specified distinguished name AD object.
E2KMailbox          : Get the security descriptor of the Exchange 2000 mailbox specified by AD user distinguished name.
E2KStore            : Specify if the security descriptor must come from the Exchange 2000 store.
RegistryKey         : Get the security descriptor of the specified registry key.
WMINameSpace        : Get the security descriptor of the specified WMI Name space.
ViewSD              : Decipher the security descriptor.
Owner               : Set the security descriptor owner.
Group               : Set the security descriptor group.
SDControls          : Set the security descriptor control flags.
AddAce              : Add a new ACE to the ACL.
DelAce              : Remove an existing ACE from the ACL.
Trustee             : Specify the ACE mask (granted user, group or machine account).
ACEMask             : Specify the ACE mask (granted rights).
ACEType             : Specify the ACE type (allow or deny the ACE mask).
ACEFlags            : Specify the ACE flags (ACE mask inheritance).
ObjectType          : Specify which object type, property set, or property an ACE refers to.
InheritedObjectType : Specify the GUID of an object that will inherit the ACE.
SACL                : Manage the System ACL (auditing) (default=Discretionary ACL).
Decipher            : Decipher the security descriptor.
ADSI                : Retrieve the security descriptor with ADSI.
SIDResolutionDC     : Domain Controller to use for SID resolution.
Machine             : Determine the WMI system to connect to. (default=LocalHost)
User                : Determine the UserID to perform the remote connection. (default=none)
Password            : Determine the password to perform the remote connection. (default=none)

Examples:

Viewing Security descriptors ...

Files and Folders
---
WMIManageSD.Wsf /FileSystem:C:\MyDirectory /Decipher+
WMIManageSD.Wsf /FileSystem:C:\MyDirectory /Decipher+ /ADSI+
WMIManageSD.Wsf /FileSystem:C:\MyDirectory\MyFile.Txt /Decipher+
WMIManageSD.Wsf /FileSystem:C:\MyDirectory\MyFile.Txt /Decipher+ /ADSI+

Share
---
WMIManageSD.Wsf /Share:MyDirectory /Decipher+

AD object
---
WMIManageSD.Wsf /ADObject:"user;CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+
WMIManageSD.Wsf /ADObject:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+ /ADSI+

Exchange 2000 mailbox
---
WMIManageSD.Wsf /E2KMailbox:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+
WMIManageSD.Wsf
  

RE: [ActiveDir] Getting computer name from a username

2005-12-05 Thread joe
Ah, sorry I must have missed the intent. :o) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, December 05, 2005 4:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting computer name from a username

hey joe - good questions - let me clarify:

1. no we purposely don't - this would cause excessive replication and as
you've mentioned, there's no guarantee that we would be able to write the
value. But the goal of this information is not to show who is _currently_
logged on a machine (I wouldn't use a distributed system to store this
information), actually it doesn't store any time information with the
username. Instead its goal is to document the general relationship between
computers and users, which allows helpdesk folks and location admins to
more easily localize a user's PC or vice versa. 

2. naturally, the logon-script solution will only account for those folks
that logon interactively. This will never be as accurate as a point in time
check against a workstation. However, as mobile users will have logged on
interactively to their notebook at one time in the past, their user name is
also associated with their notebook in AD. Doesn't matter if they hibernate
or disconnect afterwards.

3. good to know - I wasn't aware of that. Still prefer not to request a
write operation if I don't have to.


I've received a few other questions offline, mainly around how do I grant
the permissions for users to change the description attribute on computer
objects, so that a user can write to it: if users should be granted
permissions to write to the description attribute of all computer objects in
a specific OU, this can be done by using the advanced permission options for
that OU. Doing so allows the admin to choose the type of objects for which
to apply specific permissions to.
In this case you would first go to the Properties tab and then choose the
option to Apply onto Computer objects. Then grant the Write description
permission for the appropriate group. 
So what's the appropriate group? This depends on your situation - you could
use Authenticated Users allowing any user in the domain to update the
attribute, or you'd use a location specific group of which all users of the
respective location are members (this will limit the scope of users who can
update the computer description attribute, which is usually a good thing).

Naturally, you can also use DSACLS to set the permissions via commandline:

DSACLS OU=Computers,OU=Location-XYZ,DC=mydom,DC=net /I:S /G mydom\AllUsers-Location-XYZ:WP;description;computer


/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sonntag, 4. Dezember 2005 16:23
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting computer name from a username

The few questions/comments I thought of are...

1. Do you clear the attribute you set when the user logs off? If you do, how
do you account for hibernation, etc. that wouldn't let you do anything.  

2. What if someone comes up with cached creds and then reconnects the
computer (wireless or even purposeful disconnect/reconnect)?

3. If you send an update for an attribute to AD that is identical to the
value that is there it will accept it like you made the change but no change
is really made to reduce overhead. MS thought of that one. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Sunday, December 04, 2005 9:01 AM
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Getting computer name from a username

I'm using a similar script for a few customers the other way around = it
writes the user's name into the description attribute of the computer he's
logging onto. 

To limit the replication impact in AD, the script first checks if the value
needs to be updated which is not often the case, as users don't roam much to
other machines. It also checks if the user is a member of specific
administrator groups (such as client admins) which won't update the computer
object either as they logon to various clients by nature of their job.  

Realize that you'll need to grant an appropriate group (e.g.
All-Users-SiteXYZ) the rights to update the description field on computer
objects in the respective OU. This is not required when leveraging the
homepage attribute on the user object as mentioned in the previous post,
since every user has the permission to update this attribute by default via
the SELF security principal. Nevertheless, we preferred to have this
information bound to the computer object.  

Ideally you might actually want to use the managedBy attribute of the
respective computer object to _link_ the user to the computer = this way
you could view all computers that the user is actively logging onto via the
managedObjects attribute on the user account. These attributes are linked
together quite similar 
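A logon script of the kind Guido describes, written here as an added example (it is not Guido's script): it stamps the user's name into the computer object's description only when the stored value differs, skips members of admin groups, and includes the helpdesk-side lookup from computer to user. The group names are placeholders, and the script assumes the DSACLS Write Property grant on description has already been made for the users' group.

```powershell
# Added example, not the script Guido describes: a logon script that stamps the
# logging-on user's name into the computer object's description attribute.
# It writes only when the stored value differs (no needless replication) and
# skips members of admin groups who log on to many clients. Prerequisite from
# the thread: the users' group holds Write Property on description for computer
# objects in the OU (the DSACLS grant above). Group names below are placeholders.

$SkipGroups = @('Client Admins', 'Domain Admins')   # assumed group names

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape RFC 4515 special characters so a name cannot alter the filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' `
           -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-TokenGroupNames {
    # Groups in the current logon token as bare names (no domain prefix),
    # so the membership check costs no extra directory round trip.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
        } catch { }   # unresolvable SIDs (logon session SIDs etc.) are skipped
    }
}

function Search-Computers([string]$Filter, [string[]]$Properties) {
    # Subtree search for computer objects under the default naming context.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $domainDn)
    $searcher.Filter     = "(&(objectCategory=computer)$Filter)"
    $searcher.PageSize   = 1000
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    $searcher.FindAll()
}

function Update-ComputerDescription([string]$UserName, [string]$ComputerName) {
    # Returns 'skipped', 'notfound', 'unchanged' or 'updated' for logging.
    $groups = Get-TokenGroupNames
    foreach ($g in $SkipGroups) {
        if ($groups -contains $g) { return 'skipped' }
    }
    $sam    = ConvertTo-LdapFilterValue ($ComputerName + '$')
    $result = @(Search-Computers "(sAMAccountName=$sam)" @('description'))
    if ($result.Count -eq 0) { return 'notfound' }

    $current = @($result[0].Properties['description'])[0]
    if ($current -eq $UserName) { return 'unchanged' }   # nothing to replicate

    $entry = $result[0].GetDirectoryEntry()
    $entry.Put('description', $UserName)
    $entry.SetInfo()   # access denied here means the WP grant is missing
    return 'updated'
}

function Find-ComputerByUser([string]$UserName) {
    # Helpdesk side of the thread: which computer(s) carry this user's name?
    $value = ConvertTo-LdapFilterValue $UserName
    foreach ($r in Search-Computers "(description=$value)" @('name')) {
        @($r.Properties['name'])[0]
    }
}

# As the logon script: both names come from the logon environment.
$outcome = Update-ComputerDescription -UserName $env:USERNAME -ComputerName $env:COMPUTERNAME
Write-Output "$env:COMPUTERNAME description: $outcome"
```

Because the filter values are escaped, a user or computer name containing `*`, `(` or `)` cannot widen the search; the write itself still depends on the OU permission, so a failed SetInfo points at the grant rather than the script.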

RE: [ActiveDir] Obsolete Domain groups

2005-12-05 Thread joe
Nope, there is no last used. Kind of hard to define last used for a group
anyway, for instance for a security group it would be the last time anyone
from the group logged in and the group SID was stuffed in the user's token.

If you are talking security groups, the best thing to do is change the group to a
DL and then it won't get added to security groups. If there is no screaming
for a couple of months, you are probably safe.

If the group is used for non-Windows security or to send IMs or emails to a
group of people or otherwise group items (like OUs or whatever) then a
solution would be to put the groups in a heavily protected OU so nothing can
read the membership for a while and make sure no one screams. 

Either way, dump the membership to some other format so you can repopulate
as needed and before final delete, clear the membership for a while.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Sunday, December 04, 2005 4:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Obsolete Domain groups


Does anyone know of a way to identify old\obsolete domain groups?

Are the group objects in AD stamped with something like a last used date
stamp? I am thinking a member server with some resources and domain
permissions on those resources has to ask the domain some questions about
it.

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator, Network Services, Banner Health
Voice (602) 495-4195 Fax (602) 495-4406
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Saved Query for Distinguished Name Contains

2005-12-05 Thread joe



It seems I have been answering a lot of questions like this lately...

You can not put parts of the DN into the LDAP query. The only way to control what branches a query looks at are

1. Permissions
2. Search base
3. Search scope.

You need to be the most specific you need to be to either include or exclude various branches of the tree.

That being said, someone who wanted to have those specific branches filtered out or filtered in to the outputted return set but didn't mind actually returning a lot more data could look to see if they can find a tool that was written by someone bright enough to add options to let you do that.

Hey there is one... It is called adfind and has excldn and incldn switches to allow you to specify portions of a DN of objects you would like outputted.

FYI, there is a bug in the objects returned counter when using incldn, I have to go in and fish it out of there. It is because I cut and pasted the excldn code to produce the incldn section. ;o)

Anyway, your query would look something like

adfind -default -f objectcategory=computer -incldn ou=workstations

Keep in mind though that every computer in your org will be passed back to your client so if you have 100k computers and only 10 are in the ou=workstations ou's it will seem AWFULLY SLOW. There is no way for me to get around that.


 joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Sunday, December 04, 2005 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Saved Query for Distinguished Name Contains

Hey, all!

I am trying to create a saved query to pull out computers that exist within a WORKSTATIONS ou; and that OU may exist within several higher-level OUs, i.e.

distinguishedName=*OU=Workstations*

but the Saved Queries interface in ADUC doesn't seem to like distinguishedName (I've also tried dn= and DN=). Any ideas, please?

Dan Holme
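The server-side alternative to pulling every computer back and filtering on the DN, as an added example that is neither joe's adfind nor an ADUC saved query: it applies the two controls joe lists that do work, search base and search scope, by first finding every OU named Workstations and then querying computers beneath each one. It assumes only the default naming context of the current domain and a plain System.DirectoryServices connection.

```powershell
# Added example, not joe's adfind and not an ADUC saved query. A DN cannot be
# matched inside an LDAP filter, so this uses the two remaining controls joe
# lists, search base and search scope: first a cheap server-side query for every
# OU named Workstations, then the computer query run beneath each of those OUs.
# Only computers under those OUs cross the wire, not every computer in the
# domain. Uses System.DirectoryServices, so no RSAT module is required.

function New-Searcher([string]$BaseDn, [string]$Filter, [string[]]$Properties) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]("LDAP://" + $BaseDn)
    $s.Filter      = $Filter
    $s.SearchScope = 'Subtree'
    $s.PageSize    = 1000          # paged results; otherwise capped at 1000
    foreach ($p in $Properties) { [void]$s.PropertiesToLoad.Add($p) }
    $s
}

function Get-ComputersUnderOu([string]$OuName) {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext

    # Step 1: locate the OUs themselves (only OU objects come back).
    $ouFilter   = "(&(objectClass=organizationalUnit)(ou=$OuName))"
    $ouSearcher = New-Searcher $domainDn $ouFilter @('distinguishedName')
    $ouDns = foreach ($r in $ouSearcher.FindAll()) {
        @($r.Properties['distinguishedname'])[0]
    }

    # Step 2: computers, with each OU as the search base (subtree scope).
    foreach ($ouDn in $ouDns) {
        $cs = New-Searcher $ouDn '(objectCategory=computer)' @('name', 'distinguishedName')
        foreach ($r in $cs.FindAll()) {
            [pscustomobject]@{
                Name = @($r.Properties['name'])[0]
                DN   = @($r.Properties['distinguishedname'])[0]
                OU   = $ouDn
            }
        }
    }
}

Get-ComputersUnderOu -OuName 'Workstations' | Format-Table -AutoSize
```

If one Workstations OU is nested inside another, its computers are listed under both search bases; deduplicate on DN if that layout exists in your domain.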


RE: [ActiveDir] Obsolete Domain groups

2005-12-05 Thread Figueroa, Johnny

Got it. Thanks  



RE: [ActiveDir] remove logon script?

2005-12-05 Thread Medeiros, Jose
Select all the accounts at once, then select the properties, then remove the logon.bat file name from the AD account attribute. It will change it on all of them at once. This capability was first introduced in NT4 somewhere around SP5 or SP6. Or you can of course script it using the command net user /scriptpath:path.

BTW: This also works with passwords.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, December 05, 2005 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove logon script?


How can I remove the logon.bat from all my user (2000+) accounts at one time in
my domain?  I've switched to GPO for the logon scripts.
 
Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
 





RE: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread Carpenter Robert A Contr WROCI/Enterprise IT



Novell.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Monday, December 05, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

I was not aware that Microsoft had incorporated such a feature in AD 2003. I know for a fact that Microsoft did not have this feature when AD 2000 was first released because I mentioned it to several Microsoft AD premier support specialists and they each confirmed it was not available (however, it may have been added in a service pack).

I would love to know how to enable a read only DC. I think that is a great idea, I wonder who thought of it. :-)

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

Will Read Only DC's take care of this? I don't know much about them yet, but it makes sense that if the copy of the dit that a DC has is RO that it won't try to replicate that anywhere and would only be the recipient of replication. Anyone with more knowledge about how RO DC's will work to comment on that?

Phil

On 12/5/05, Medeiros, Jose [EMAIL PROTECTED] wrote:

Well at least the corruption occurred on just a single DC. One thing that has bugged me about Active Directory is not being able to select if you want a DC in a remote office to not have the ability to replicate back in a large enterprise environment. Since most remote offices only have a few people at the location and a DC is usually placed for improvised logon and authentication time, many companies will either use a very low end server or a very old decommissioned one from their production data center (which is probably close to usable life). I am always concerned that once the NTDS.DIT file becomes corrupt it will replicate the corruption to the other DC's in the Forest.

Maybe I am just being a worry wart and this really is not an issue.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, December 05, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

I did? :-)

I think I still said all I know is what the poster said :-)

I think I need a course in event log reading because even with the logs, and the default size of the logs, I still don't see a smoking gun. The directory services one is filled with events 'post' blow up. What is interesting is that it seems to me big server land goes .. oh yeah... ntds.dit corruption... and sbsland freaks out. Either we do indeed need to ensure we have a secondary DC or we need to park a second copy of a system state offsite [say at the vap/var]

Brett Shirley wrote:

She replied offline, very likely a single bit flip, tragedy, they aren't one release later (Longhorn), where this would've probably been non-disruptively handled, logged, and possibly self-healed: http://blogs.technet.com/efleis/archive/2005/01.aspx

Anyway, this kind of thing is usually hardware ... While there are much better disk sub-system testers, one that is freely available to any box with Exchange is jetstress. You might give that a try. If you can reproduce the event / error with jetstress I would not use that box in production.

If you do reproduce the issue several times (several times is key, as you want a trend before you start playing the variable game), some things you might vary (one at a time):

- Try making sure you have the latest driver and motherboard / controller firmware. Then see if you can reproduce.
- Try a different RAID configuration, such as RAID1/RAID1+0 if you're on RAID5.
- Try swapping out the hard drives, one at a time.
- Adding the jetstress files to the exclude list in the Anti-Virus software. (A low probability, I've never heard of Anti-Virus causing this particular type of error, and I can't imagine the mistake an anti-virus product would have to have to cause this side effect)
- If you can reproduce it several times, you could follow up with Dell.

Good luck. I'm not sure if I answered your question ...

Cheers,
BrettSh

On Sun, 4 Dec 2005, Eric Fleischman wrote:

Going back to the original post, I'm not sure I fully understand the problem yet. Susan, can you define "ntds.dit file corruption" for us? What sort of corruption?

RE: [ActiveDir] Saved Query for Distinguished Name Contains

2005-12-05 Thread Dan Holme
Thanks For the scoop, Joe!!!

And yes, I LOVE ADFIND, but it doesn't provide a result set within the MMC. I'm trying to do an MMC (AD UC snap-in) Saved Query as the basis for a custom Taskpad. Sorry I wasn't clear about that. Guess I'm out of luck.

Thanks again, though! At least I know not to keep beating my head against the wall!

Dan

RE: [ActiveDir] Saved Query for Distinguished Name Contains

2005-12-05 Thread Ulf B. Simon-Weidner
Hi Dan,

as joe said you can also modify the search base, so when creating the saved query select the search base (it's on the first screen of the dialog which lets you add a saved query, not in the definition of the query itself). Sorry, I don't have the interface in front of me so I'm not sure about the wording, but there are just three options: name of the saved query, search base and query.

If you have any further questions ...

Ulf
RE: [ActiveDir] Saved Query for Distinguished Name Contains

2005-12-05 Thread joe



What is this MMC thing you speak of? 

;o)






[ActiveDir] Moral of this story...don't move the log files

2005-12-05 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
When you perform a system state backup on a domain controller that is 
running Windows Server 2003 with Service Pack 1, Backup may fail:

http://support.microsoft.com/?kbid=909265

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




RE: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread Sullivan Tim



BDC



RE: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread Steve Linehan



For full disclosure I am no longer in the Microsoft Services organization, I was the last time Joe talked to me where I was an Advisory Support Engineer (AKA Alliance Support). I am now a Product Technology Specialist for Directories and Identities in Microsoft's technical pre-sales organization. Not that it changes the answer below. :-)

Thanks,

-Steve
Steve Linehan | Technology Specialist Directories & Identities | South Central District | Microsoft Corporation


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 05, 2005 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

RODCs are a LongHorn feature. It will be one-way replication to the RODCs. They will not replicate out anything. If you are on the LongHorn beta you should be able to test this right now.

But as Steve (one of the really good PSS guys) said and I can concur as I have seen my share of corrupted DITs, the corruption doesn't replicate.

In every case I have seen it the problem has been hardware failure or a firmware/driver matchup issue in the disk subsystem.

Fixing them is easy, wipe the machine, do hardware tests, if it passes, do it again. If it passes do it a third time. If it passes, reload and repromo. If it fails one of the tests, get the hardware fixed, reload, and repromo.

If SBS, well you have all sorts of issues in that basket as your eggs leak.

 joe

