RE: [ActiveDir] VERY OT: Preventing Viruses from Lab to Live network

2003-10-18 Thread Joe
This is similar to the solution I was thinking of as well. It only costs you
a firewall and the full protection of a single machine. I wouldn't even give
full access to this box to production, it would allow HTTP access to it.
Someone checks a file in on the lab side, you check it out on the prod side.
Ditto but in reverse to get something from prod to dev. 

I was just telling my team this last week. You have a see-saw, on one
side is security, on the other is flexibility/usability. You need to decide
which side should be focused on. If you have to have the flexibility and
usability you have to sacrifice security. If you are sane, you choose
security and sacrifice flexibility and usability.  Just because people are
used to having full access doesn't mean it should continue or that it makes
sense. It is something that has been pushed due to how MS trains admins and
Developers (MC* programs) and their own software and with how the
environment has evolved with third party stuff. 

I know I beat on E2K a lot, but it is a great example of a poor directory
integrated poor security app. I recall when I got the instructions for how
to separate the administrators of Exchange and AD... I looked down the list,
you had multiple ways to do it. First was to give property sets and add a
bunch of deny's, the other was to add a bunch of individual grants. Either
way really goes against the recommendation of managing your directory
security well because it is confusing plus you don't want a bunch of ace's
on your objects. Additionally one of the attributes that was to be delegated
was the nTSecurityDescriptor... Heh Game over. 


It is only recently that true security has started to become something that
less than a minority on Windows is becoming aware of. You know me, I have
always been paranoid about it. It is good to see the rest of the world
starting to show up at that party (though I ate all the peanuts and drank
all the beer already so BYOB). 

Additionally, I think it is not only silly, not only dangerous, but outright
stupid to allow people to pull something directly from dev or the lab into
the production environment without some form of logged process in between. 

   joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Moran
Sent: Friday, October 17, 2003 3:01 PM
To: [EMAIL PROTECTED]



Well, I still think you could work it out with an intermediate machine.
Just put a Server in between the two networks with two interfaces on it.
Load it up with all the virus protection you can find (most server-based
virus protection will check incoming and outgoing files as they are
up/downloaded) and keep the machine updated with all patches/etc.

Then set it up so the only way to get files from production to lab is to
copy them on to this server first.  It's a little annoying for the people
copying the files ("Damn ... I forgot to copy this to the transfer server
from the lab") but I would say that this is where you've got to draw the
line if you want to have any level of safety/protection whatsoever.



List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] LDAP'ing a computer object in AD

2003-10-18 Thread Joe

Rick I am getting unknown identifier when I try that. What am I doing wrong?
 
 
 
   joe



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kingslan, Rick T.
Sent: Friday, October 17, 2003 9:26 AM
To: [EMAIL PROTECTED]

'blah, blah, blah' was added as a new method in VB.Net in Visual Studio
.Net 2003.  It should compile just fine.  The default behavior is to simply
not work at all.

;oD

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]

-Original Message-
From: Pennell, Ronald B. [mailto:[EMAIL PROTECTED]
Sent: Friday, October 17, 2003 7:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP'ing a computer object in AD

How can I take your code and save as an executable script?

Ron

-Original Message-
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Friday, October 17, 2003 8:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP'ing a computer object in AD

compname = InputBox ("Enter name of computer", "GetComputerName", "mycomputername")
domname  = InputBox ("Enter name of domain", "GetDomainName", "myhostname")
blah blah blah

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 17, 2003 8:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP'ing a computer object in AD

Anyway to make screen pops asking for compname and domname?

Shawn
  
  
-Original Message-
From: Frederic Allaert [mailto:[EMAIL PROTECTED]
Sent: Friday, October 17, 2003 3:17 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP'ing a computer object in AD

OK, I figured it out using your tip on the SAM account:

Dim compname
Dim domname
compname = "MYHOSTNAME"
domname = "MYDOMAIN"

' NameTranslate converts the NT4-style name DOMAIN\HOST$ to its distinguished name
Set oTrans = CreateObject("NameTranslate")
oTrans.Init 1, domname                        ' 1 = ADS_NAME_INITTYPE_DOMAIN
oTrans.Set 3, domname & "\" & compname & "$"  ' 3 = ADS_NAME_TYPE_NT4
sAdsPath = oTrans.Get(1)                      ' 1 = ADS_NAME_TYPE_1779 (distinguished name)
Set oTrans = Nothing
wscript.echo "LDAP path: " & sAdsPath

Thanks & greetings,
Frederic Allaert
System Engineer
Johnson Pump AB

-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 3:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP'ing a computer object in AD

I think this is what you want. Search for samaccountname=computername$
(append a "$" to the computer name).

-Original Message-
From: Frederic Allaert [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 8:50 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP'ing a computer object in AD

Hello all,

I have been searching some good, clear examples how to determine the LDAP
path for a computer object, (without knowing the "location" in AD), with the
only input being the hostname of the computer, and the DNS-name for the
domain. All this using a .VBS-script...

Can someone produce such an example, or direct me to some good resource
websites on this topic?

Greetings,

Frederic Allaert
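
Ken's tip from the thread above (search for sAMAccountName=computername$), written out as a directory search. This is an added example, not code from any poster: it takes the hostname and DNS domain name Frederic asked about, rejects input that is not a plausible computer or domain name, escapes the value before it goes into the LDAP filter, and returns the distinguished name. The names MYHOSTNAME and example.com, the function names and the validation rules are assumptions for illustration; run it with cscript on a machine that can reach a domain controller.

```vbscript
Option Explicit

' Escape the characters that are special inside an LDAP search filter
' value (RFC 4515), so typed input cannot change the shape of the filter.
Function EscapeLdapFilterValue(s)
    Dim i, ch, out
    out = ""
    For i = 1 To Len(s)
        ch = Mid(s, i, 1)
        Select Case ch
            Case "\"    : out = out & "\5c"
            Case "*"    : out = out & "\2a"
            Case "("    : out = out & "\28"
            Case ")"    : out = out & "\29"
            Case Chr(0) : out = out & "\00"
            Case Else   : out = out & ch
        End Select
    Next
    EscapeLdapFilterValue = out
End Function

' Assumed rule: a computer name is 1 to 15 letters, digits or hyphens.
Function IsPlausibleComputerName(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9-]{1,15}$"
    IsPlausibleComputerName = re.Test(s)
End Function

' Assumed rule: a DNS domain name is letters, digits, dots and hyphens.
Function IsPlausibleDnsName(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$"
    IsPlausibleDnsName = re.Test(s)
End Function

' Returns the distinguished name of the computer object, or "" when the
' input is rejected or no object matches.
Function FindComputerDN(compname, dnsDomain)
    Dim rootDse, baseDn, conn, cmd, rs, filter
    FindComputerDN = ""
    If Not IsPlausibleComputerName(compname) Then Exit Function
    If Not IsPlausibleDnsName(dnsDomain) Then Exit Function

    ' Ask the domain for its own naming context instead of guessing it.
    Set rootDse = GetObject("LDAP://" & dnsDomain & "/RootDSE")
    baseDn = rootDse.Get("defaultNamingContext")

    ' The computer account's sAMAccountName is the host name plus "$".
    ' Escaping stays in place even though validation already ran.
    filter = "(&(objectCategory=computer)(sAMAccountName=" & _
             EscapeLdapFilterValue(compname) & "$))"

    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"

    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "<LDAP://" & dnsDomain & "/" & baseDn & ">;" & _
                      filter & ";distinguishedName;subtree"

    Set rs = cmd.Execute
    If Not rs.EOF Then
        FindComputerDN = rs.Fields("distinguishedName").Value
    End If
    rs.Close
    conn.Close
End Function

Dim dn
dn = FindComputerDN("MYHOSTNAME", "example.com")   ' assumed sample values
If dn = "" Then
    WScript.Echo "No computer object found (or input rejected)."
Else
    WScript.Echo "LDAP path: LDAP://" & dn
End If
```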



[ActiveDir] One computer is fine, one has "can't find domain controller" errors

2003-10-18 Thread Bill Moran
Hello all,

I posted earlier concerning Windows XP machines not allowing any scripts to
run and presenting no clue as to why.

After additional discussion with other techs, as well as multiple searches
on the 'net, we decided to completely reinstall the two machines.  This solved
the IE problem.

However, we are getting error messages on 1 machine, but not on the other.

The one machine claims it can not contact the domain server. (which is
ridiculous because it's mounting shared drives from it, and those shares
function properly)  Event ID 5719.

These two machines are identical in every way.  Same hardware.  Same software
and versions of software.  Plugged in side by side to the same switch.

The ONLY difference we can imagine, is that the one with the problem was
configured for a workgroup during install, and then joined to the domain
afterwards (just the tech clicking without thinking) while the one that
works was joined to the domain during the initial install.

I'm putting this out for two reasons: 1 -> to see if anyone has any
insight as to what's happening. 2 -> to have this information made
public, so if others come across it they can see they're not alone.

Perhaps someone with some time and a lab available could test to see
if the problem I describe is, in fact, caused by the install process
described, or if it's just coincidence.

Both machines appear to function properly aside from the errors.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com


RE: [ActiveDir] One computer is fine, one has "can't find domain controller" errors

2003-10-18 Thread Chris Lynch
By chance, do you have Cisco switches?  If so, check the PORTFAST command on
the port this client is connected to.  PORTFAST has to do with Spanning Tree
(mainly used if you have redundant links between two or more switches).
With PORTFAST disabled, it takes about almost a minute for the port to allow
traffic through (go from a BLOCKING state to LEARNING state, then to
FORWARDING state if the switch determines that another switch isn't
connected at that port).

Chris 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Moran
Sent: Saturday, October 18, 2003 11:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] One computer is fine, one has "can't find domain
controller" errors

Hello all,

I posted earlier concerning Windows XP machines not allowing any scripts to
run and presenting no clue as to why.

After additional discussion with other techs, as well as multiple searches
on the 'net, we decided to completely reinstall the two machines.  This
solved the IE problem.

However, we are getting error messages on 1 machine, but not on the other.

The one machine claims it can not contact the domain server. (which is
ridiculous because it's mounting shared drives from it, and those shares
function properly)  Event ID 5719.

These two machines are identical in every way.  Same hardware.  Same
software and versions of software.  Plugged in side by side to the same
switch.

The ONLY difference we can imagine, is that the one with the problem was
configured for a workgroup during install, and then joined to the domain
afterwards (just the tech clicking without thinking) while the one that
works was joined to the domain during the initial install.

I'm putting this out for two reasons: 1 -> to see if anyone has any insight
as to what's happening. 2 -> to have this information made public, so if
others come across it they can see they're not alone.

Perhaps someone with some time and a lab available could test to see if the
problem I describe is, in fact, caused by the install process described, or
if it's just coincidence.

Both machines appear to function properly aside from the errors.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com



Re: [ActiveDir] One computer is fine, one has "can't find domain controller" errors

2003-10-18 Thread Bill Moran
Chris Lynch wrote:
> By chance, do you have Cisco switches?

No.

> If so, check the PORTFAST command on
> the port this client is connected to.  PORTFAST has to do with Spanning Tree
> (mainly used if you have redundant links between two or more switches).
> With PORTFAST disabled, it takes about almost a minute for the port to allow
> traffic through (go from a BLOCKING state to LEARNING state, then to
> FORWARDING state if the switch determines that another switch isn't
> connected at that port).

Sorry.  I forgot to mention that we already researched this particular issue
(it seems to be a well-documented problem).

The switch is a D-Link DSS-8+.  Low-end switch, non-managed.  The manual
provided gives a lot of information on the "exciting features", but mentions
nothing about portfast or spanning tree, which leads me to believe that it
doesn't have those features.  Even if it did, that would not explain why
one computer has the problem while another does not (since they're both
plugged into the same switch).

Thanks for the input.

> Chris



RE: [ActiveDir] LDAP'ing a computer object in AD

2003-10-18 Thread Rick Kingslan

Joe - Yep. I'm sure.

You're sure you're using the release version, and not one of the betas?
This method was added very late in the process, right about the same time
that the class 'Yada:' was added, along with the function
'whatever (var middle-finger, str [EMAIL PROTECTED] you)'.

Try adding all hotfixes, SP's, any updates to the Framework.  If that
doesn't work - just give up.  That's what most developers would do anyway.

;P

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Saturday, October 18, 2003 9:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP'ing a computer object in AD

Rick I am getting unknown identifier when I try that. What am I doing wrong?

   joe






RE: [ActiveDir] LDAP'ing a computer object in AD

2003-10-18 Thread Joe

I've found that if I add Domain Users to the Schema and Enterprise Admins
groups of my forest, it seems to work. You also have to be careful to only
use NULL for any SD references. Thanks for the help!

   joe

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, October 18, 2003 5:06 PM
To: [EMAIL PROTECTED]

Joe - Yep. I'm sure.

You're sure you're using the release version, and not one of the betas?
This method was added very late in the process, right about the same time
that the class 'Yada:' was added, along with the function
'whatever (var middle-finger, str [EMAIL PROTECTED] you)'.

Try adding all hotfixes, SP's, any updates to the Framework.  If that
doesn't work - just give up.  That's what most developers would do anyway.

;P

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone





RE: [ActiveDir] One computer is fine, one has "can't find domain controller" errors

2003-10-18 Thread Joe
This is the perfect case of when to break out a network monitor and watch
the traffic. Do what it is you are trying to do and see what the network is
doing. 

  joe 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Moran
Sent: Saturday, October 18, 2003 2:05 PM
To: [EMAIL PROTECTED]

Hello all,

I posted earlier concerning Windows XP machines not allowing any scripts to
run and presenting no clue as to why.

After additional discussion with other techs, as well as multiple searches
on the 'net, we decided to completely reinstall the two machines.  This
solved the IE problem.

However, we are getting error messages on 1 machine, but not on the other.

The one machine claims it can not contact the domain server. (which is
ridiculous because it's mounting shared drives from it, and those shares
function properly)  Event ID 5719.

These two machines are identical in every way.  Same hardware.  Same
software and versions of software.  Plugged in side by side to the same
switch.

The ONLY difference we can imagine, is that the one with the problem was
configured for a workgroup during install, and then joined to the domain
afterwards (just the tech clicking without thinking) while the one that
works was joined to the domain during the initial install.

I'm putting this out for two reasons: 1 -> to see if anyone has any insight
as to what's happening. 2 -> to have this information made public, so if
others come across it they can see they're not alone.

Perhaps someone with some time and a lab available could test to see if the
problem I describe is, in fact, caused by the install process described, or
if it's just coincidence.

Both machines appear to function properly aside from the errors.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com



RE: [ActiveDir] LDAP'ing a computer object in AD

2003-10-18 Thread Rick Kingslan

I'm glad that I was finally able to show you something - given everything
that you've taught me over the years.  I find it interesting, however, that
you had to add the Enterprise Admins group at the forest level.  I did find
that adding the Domain Users to the Schema was helpful, it now takes away
that annoying problem where I have to create schema entries for all of the
apps that they write.  Now, they are free to do it themselves.

I guess that I'm going to have to study the ACLs at the forest level and
determine the E-A issue.  I'm not sure why that's happening, but there has
to be a rational solution.

I'll let you know what I find.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Saturday, October 18, 2003 4:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP'ing a computer object in AD

I've found that if I add Domain Users to the Schema and Enterprise Admins
groups of my forest, it seems to work. You also have to be careful to only
use NULL for any SD references. Thanks for the help!

   joe




RE: [ActiveDir] LDAP'ing a computer object in AD

2003-10-18 Thread Joe

Excellent, thanks Rick.

Also I just realized that the Enterprise Admin group was nested in Account
Operators. That might have something to do with it as well. I say this only
because as soon as I removed that nesting things started breaking again. It
seems that this started to occur right after installing Exchange 2000 and
that seemed to have really torked something up with the ACL's, it is almost
like some of my groups got non-canonical format ACL structures and the only
people with rights into those groups for seeing membership were Account
Operators and Exchange Servers. Quite strange. You wouldn't expect something
like that, or at least I wouldn't. Where is the logic in setting an ACL that
way... Kind of like security by obscurity. Eschew obfuscation I always try
to say and only succeed when I am a case into the weekend and not listening
to myself any longer.

Keep me in the loop on your discoveries, we may have found a serious thing
here, especially with class Yada.

   joe

--
Joe Richards Microsoft MVP Windows Server / Active Directory
"There are few who deny, at what I do, I am the best, for my talents
are renowned far and wide.
When it comes to surprises in the moonlit night, I excel without ever even
trying."
   - Jack Skellington

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, October 18, 2003 5:48 PM
To: [EMAIL PROTECTED]

I'm glad that I was finally able to show you something - given everything
that you've taught me over the years.  I find it interesting, however, that
you had to add the Enterprise Admins group at the forest level.  I did find
that adding the Domain Users to the Schema was helpful, it now takes away
that annoying problem where I have to create schema entries for all of the
apps that they write.  Now, they are free to do it themselves.

I guess that I'm going to have to study the ACLs at the forest level and
determine the E-A issue.  I'm not sure why that's happening, but there has
to be a rational solution.

I'll let you know what I find.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
JoeSent: Saturday, October 18, 2003 4:30 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] LDAP'ing a 
computer object in AD

I've 
found that if I add Domain Users to the Schema and Enterprise 
Admins groups of my forest, it seems to work. You also have to be careful 
to only use NULL for any SD references. Thanks for the help!
 
  
joe



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, October 18, 2003 5:06 PM
To: [EMAIL PROTECTED]

Joe - Yep. I'm sure.
 
You're sure you're using the release version, and not one of 
the betas?    This method was added very late in the process, 
right about the same time that the class 'Yada:' was added, along with the 
function 'whatever (var middle-finger, str [EMAIL PROTECTED] you)'.
 
Try adding all hotfixes, SP's, any updates to the 
Framework.  If that doesn't work - just give up.  That's what most 
developers would do anyway.
 
;P
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Saturday, October 18, 2003 9:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP'ing a computer object in AD

Rick I am getting unknown identifier when I try that. What am I doing 
wrong?
 
 
 
   joe



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kingslan, Rick T.
Sent: Friday, October 17, 2003 9:26 AM
To: [EMAIL PROTECTED]

'blah, blah, blah' was added as a new method in VB.Net 
in Visual Studio .Net 2003.  It should compile just fine.  The default 
behavior is to simply not work at all.
 
;oD
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]

  
  -Original Message-
  From: Pennell, Ronald B. [mailto:[EMAIL PROTECTED]
  Sent: Friday, October 17, 2003 7:54 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] LDAP'ing a computer object in AD
  
  How can I take your code and save as an executable script?
   
  Ron
   
  -Original Message-
  From: Michael B. Smith [mailto:[EMAIL PROTECTED]
  Sent: Friday, October 17, 2003 8:34 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] LDAP'ing a computer object in AD
   
  compname = InputBox ("Enter name of computer", "GetComputerName", "mycomputername")
  domname  = InputBox ("Enter name of domain", "GetDomainName", "myhostname")
  blah blah blah
   
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: Friday, October 17, 2003 8:21 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] LDAP'ing a compute

RE: [ActiveDir] One computer is fine, one has "can't find domain controller" errors

2003-10-18 Thread roseta



Hi,

I once had a problem similar to this. I do not know exactly why it was
happening (but I have one guess about my situation, I had two OSes on my
computer, Windows 98 and XP) but I did one thing and have had no problem
since that time. I logged on to the computer itself. Made it join a test
workgroup. Then after restarting, the computer was in a test workgroup. And
then deleted the computer account on Windows 2000 AD. Then I changed the name
of the XP computer. Then again after restarting I joined the domain
with the new name, and a new account for the computer will be created in AD.


I do not know, maybe my problem is different from yours. But the error and
situation seem similar. Maybe my experience can help you.

Roseta.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Sunday, October 19, 2003 1:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] One computer is fine, one has "can't find
domain controller" errors

This is the perfect case of when to break out a network monitor and watch
the traffic. Do what it is you are trying to do and see what the network is
doing. 

  joe 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Moran
Sent: Saturday, October 18, 2003 2:05 PM
To: [EMAIL PROTECTED]

Hello all,

I posted earlier concerning Windows XP machines not allowing any scripts to
run and presenting no clue as to why.

After additional discussion with other techs, as well as multiple searches
on the 'net, we decided to completely reinstall the two machines.  This
solved the IE problem.

However, we are getting error messages on 1 machine, but not on the other.

The one machine claims it can not contact the domain server. (which is
ridiculous because it's mounting shared drives from it, and those shares
function properly)  Event ID 5719.

These two machines are identical in every way.  Same hardware.  Same
software and versions of software.  Plugged in side by side to the same
switch.

The ONLY difference we can imagine, is that the one with the problem was
configured for a workgroup during install, and then joined to the domain
afterwards (just the tech clicking without thinking) while the one that
works was joined to the domain during the initial install.

I'm putting this out for two reasons: 1 -> to see if anyone has any insight
as to what's happening. 2 -> to have this information made public, so if
others come across it they can see they're not alone.

Perhaps someone with some time and a lab available could test to see if the
problem I describe is, in fact, caused by the install process described, or
if it's just coincidence.

Both machines appear to function properly aside from the errors.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
