[ActiveDir] Inf Master and GC Clarification
Can someone tell me exactly what problems I might see if I had 2 domains and in one of them the Infrastructure Master role was on the GC, with the other DCs in that domain not also being a GC? This assumes the first domain is set up correctly. So:

Parent.com
  DC1 - 5 FSMO roles and GC
  DC2 - GC

Child.Parent.com
  DC3 - 3 FSMO roles and GC
  DC4 - *not* a GC

If I understand correctly, the INF Master's job is to inform other domains of changes to objects in its own domain. If so, then in the above scenario, DC3 will fail to inform DC1 of changes to objects in Child...? Just what kind of changes would it fail to pass along?

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Groups not replicating
Never mind. Users not replicating properly either. Spiffy clean event logs though. I'm not sure where to look here. For the record, I just transferred the FSMO roles… from a Win2K to a Win2003 server. Interesting, huh? Dcdiag reports that the new FSMO holder isn't responding to messages properly… what am I missing here?

Starting test: KnowsOfRoleHolders
Warning: LADB02 is the Schema Owner, but is not responding to DS RPC Bind.
[LADB02] LDAP connection failed with error 58,

that kinda stuff =)

Mal
[ActiveDir] Groups not replicating
Everything else seems to replicate fine. Changes to existing groups and creation of new groups do not replicate. I have some glitchiness in the DNS but it basically works (can resolve SERVER(s).domain okay). Double checking that user creation replicates properly – modification of users replicates, as do DFS/FRS entities. Event logs report happy successful times. Any insight?

Malachi
Re: [ActiveDir] Logging User Logon and Logoffs
Security is a problem for me; I want to give users the minimum rights needed. Right now they can only insert a new row in the database. In order to be able to update the same row they used at logon with the logoff data, I'd be giving everyone the ability to completely change all login/logoff times in the database, which throws out the use of the log for security records. It's interesting that you used an mdb database. I'll have to try that to see if it makes a speed difference.

Paul Wilkinson
865-974-0649
2422 Dunford Hall
OIT Lab Services
University of TN, Knoxville

Bruce Clingaman wrote:

I am using an mdb database. I had the exact issue you have, adding the logout time to the same record as the login time. My solution was to store the autonum from the mdb record in the user's registry, then read it at logout, look it up in the mdb and enter the logout time. In Access databases this is very easy, but in SQL Server I had to take a completely different approach, which I had to drop because the logout script took too long to execute. The biggest issue I have with my method is security: users have modify access to the share and database. The logout script misses about 1 in 50 logouts. I don't know why.
RE: [ActiveDir] Logging User Logon and Logoffs
I am using an mdb database. I had the exact issue you have, adding the logout time to the same record as the login time. My solution was to store the autonum from the mdb record in the user's registry, then read it at logout, look it up in the mdb and enter the logout time. In Access databases this is very easy, but in SQL Server I had to take a completely different approach, which I had to drop because the logout script took too long to execute. The biggest issue I have with my method is security: users have modify access to the share and database. The logout script misses about 1 in 50 logouts. I don't know why.

The mdb has the following fields: ID (Access autonumber), DC (rootDSE), Computername, Username, Login (time/date), Logout (time/date)

I have login.vbs and logout.vbs:

'@@@
' Login.vbs - insert a logon row and remember its autonumber in the user's hive
Option Explicit
On Error Resume Next   ' never block the logon; a failed insert just leaves AutoNum = 0

Const HKEY_CURRENT_USER = &H80000001   ' the HKCU hive constant (&H8001 is not it)
Const adModeReadWrite = 3
Const adOpenDynamic = 2
Const adLockPessimistic = 2

Dim strComputer, strKeyPath, strValueName, DC
Dim UserID, ComputerName, objNetwork
Dim objConn, objRS, AutoNum, oReg

strComputer = "."
AutoNum = 0

Set objNetwork = CreateObject("WScript.Network")
Set DC = GetObject("LDAP://rootDSE")
DC = DC.Get("dnsHostName")   ' the DC that serviced this logon
ComputerName = objNetwork.ComputerName
UserID = objNetwork.UserName

Set objConn = CreateObject("ADODB.Connection")
objConn.Mode = adModeReadWrite
objConn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Persist Security Info=False;" & _
             "Data Source=\\DC1\logins$\logins.mdb"

' Column names must match the table. Jet assigns the autonumber at AddNew,
' so the ID can be read before Update.
Set objRS = CreateObject("ADODB.Recordset")
objRS.Open "Logins", objConn, adOpenDynamic, adLockPessimistic
objRS.AddNew
AutoNum = objRS("ID")
objRS("ComputerName") = ComputerName
objRS("UserID") = UserID
objRS("DC") = DC
objRS("TimeIn") = Now
objRS.Update
objRS.Close
Set objRS = Nothing
objConn.Close
Set objConn = Nothing

' Stash the row ID under HKCU so Logout.vbs can find the same row.
' StdRegProv.CreateKey takes only the hive and the subkey path.
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
           strComputer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Logins"
strValueName = "autonum"
oReg.CreateKey HKEY_CURRENT_USER, strKeyPath
oReg.SetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, CStr(AutoNum)
'@@@

'@@@
' Logout.vbs - read the row ID saved at logon and stamp the logout time on that row
Option Explicit
On Error Resume Next

Const HKEY_CURRENT_USER = &H80000001
Const adModeReadWrite = 3

Dim strComputer, strKeyPath, strValueName, oReg
Dim objConn, AutoNum, SQL

strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
           strComputer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Logins"
strValueName = "autonum"
oReg.GetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, AutoNum

' No saved ID (Login.vbs failed or never ran): there is no row to update.
If Len("" & AutoNum) = 0 Or ("" & AutoNum) = "0" Then WScript.Quit

Set objConn = CreateObject("ADODB.Connection")
objConn.Mode = adModeReadWrite
objConn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Persist Security Info=False;" & _
             "Data Source=\\DC1\logins$\logins.mdb"

' Jet SQL evaluates Now() itself, which avoids building a locale-dependent
' date literal; the ID is forced numeric so the WHERE clause can only ever
' contain a number.
SQL = "UPDATE Logins SET TimeOut = Now() WHERE ID = " & CLng(AutoNum)
objConn.Execute SQL
objConn.Close
Set objConn = Nothing
'@@@

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Wilkinson
Sent: Friday, July 02, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Logging User Logon and Logoffs
RE: [ActiveDir] Logging User Logon and Logoffs
There are tools for this type of work if you really wanted to go there. Tools that deal with host intrusion detection can do this, as can tools such as remote management tools (think SMS, Tivoli, etc). Anything that watches the event log can do this. Your idea can also work, but has some flaws such as being able to detect whether or not the user was active or had the screen locked etc. That's another issue, but I suggest that you may want to have a logon and a logoff script if you continue down your path. The logon script will update a table (table1) with the information you currently capture. The logoff script would have to update a different table (table2). Your query would then be a join of the two tables based on computer name (as the key field). You can run that report from Access or Excel if you want. Again, that gives a picture of some of the workstations under particular scenarios. Not all will be recorded with this solution.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Wilkinson
Sent: Friday, July 02, 2004 12:21 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Logging User Logon and Logoffs
[ActiveDir] Logging User Logon and Logoffs
Is anyone logging both logons and logoffs? I'm working on a method of recording this info for a computer lab environment, and I'd like to see if someone else is already doing it. I want real-time utilization info and I want to be able to build stats off of it for later use. On DCs, you can determine when a person logs on to a client machine, but you don't know when they log off, because that information is only on the client machine. Right now I'm running a logon and a logoff script to insert a row in a SQL database in the following format:

Computer name, userid, login, logoff

where either the login or logoff field is a date/time and the other field is NULL. The problem with this approach is that you get logs like this:

computer1, bob, 2004-04-29 14:36:08, NULL
computer1, bob, NULL, 2004-04-29 14:52:34

So I need a way to combine the login/logoff logs into one row to be able to perform stats. I'm a SQL novice, so I don't really know a good way of doing this besides exporting all of it to a CSV, writing a script that combines them, then exporting that back to a new database before running stats.

--
Paul Wilkinson
865-974-0649
2422 Dunford Hall
OIT Lab Services
University of TN, Knoxville
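The following is an added example and is not code from anyone in this thread. It keeps the grant Paul is after (lab users can only INSERT: one row at logon, one at logoff, never an UPDATE), and does the pairing that Al describes as a join at report time instead, under whatever read-only account runs the report. It assumes the columns are named Computer, UserId, Login and Logoff as in the post above; the rows are constructed for the example.

```powershell
# Constructed sample rows in the shape of the insert-only table above
# (Computer, UserId, Login, Logoff; one of the two times is NULL per row).
$rows = @'
Computer,UserId,Login,Logoff
computer1,bob,2004-04-29 14:36:08,
computer1,bob,,2004-04-29 14:52:34
computer2,alice,2004-04-29 09:01:10,
computer1,bob,2004-04-29 15:10:00,
computer2,alice,,2004-04-29 11:45:59
computer3,carol,,2004-04-29 08:00:00
'@ | ConvertFrom-Csv

function New-Session($login, $logoff) {
    [pscustomobject]@{
        Computer = $login.Computer
        UserId   = $login.UserId
        Login    = $login.Time
        Logoff   = if ($logoff) { $logoff.Time } else { $null }
        Minutes  = if ($logoff) { [math]::Round(($logoff.Time - $login.Time).TotalMinutes, 1) } else { $null }
    }
}

function Get-LabSessions {
    param([Parameter(Mandatory)][object[]]$Rows)

    # Flatten each row to one event so both kinds sort on a single timestamp.
    $events = foreach ($r in $Rows) {
        if ($r.Login)  { [pscustomobject]@{ Computer = $r.Computer; UserId = $r.UserId; Kind = 'Login';  Time = [datetime]$r.Login } }
        if ($r.Logoff) { [pscustomobject]@{ Computer = $r.Computer; UserId = $r.UserId; Kind = 'Logoff'; Time = [datetime]$r.Logoff } }
    }

    $open     = @{}   # "computer|user" -> login event still waiting for its logoff
    $sessions = [System.Collections.Generic.List[object]]::new()

    foreach ($e in ($events | Sort-Object Time, Kind)) {
        $key = "$($e.Computer)|$($e.UserId)"
        if ($e.Kind -eq 'Login') {
            # A second login for the same pair with no logoff in between means the
            # earlier logoff was never recorded: close that session open-ended.
            if ($open.ContainsKey($key)) { $sessions.Add((New-Session $open[$key] $null)) }
            $open[$key] = $e
        }
        elseif ($open.ContainsKey($key)) {
            $sessions.Add((New-Session $open[$key] $e))
            $open.Remove($key)
        }
        # A logoff with no preceding login (the logon script never ran) is dropped.
    }
    # Anything still open is a session with no logoff yet (or a missed one).
    foreach ($k in @($open.Keys)) { $sessions.Add((New-Session $open[$k] $null)) }
    return $sessions
}

Get-LabSessions -Rows $rows | Sort-Object Login | Format-Table -AutoSize
```

For the sample rows this yields bob on computer1 for 16.4 minutes, alice on computer2 for 164.8 minutes, a second bob session with an empty Logoff, and nothing for carol, whose logoff has no login to pair with. Because no user ever holds UPDATE on the table, a logged-on user cannot rewrite anyone's times, which is what keeps the table usable as a security record; the lock-screen and idle caveat Al raises still applies, since the scripts only see logon and logoff.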
RE: [ActiveDir] GPO question concerning LOCAL GPO
I just wanted to say that this is an awesome reply! Thank you Darren.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Thursday, July 01, 2004 7:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO question concerning LOCAL GPO

A user-driven script is not likely to work. These policies are set in HKCU, but the keys involved are permissioned away from normal users by default, to prevent a normal user from undoing a policy. There are a couple of ways you could skin this. If you want to pay money, Full Armor has a tool called GPAnywhere that lets you do mass manipulation of the local GPO. If you want to do it on the cheap then there is another way, but it is a bit tricky.

Essentially, all Admin. Template policy for the local GPO is stored in two files on the local drive. Any machine-specific Admin. Template policy is stored in %windir%\system32\grouppolicy\machine\registry.pol and any user-specific policy is stored in %windir%\system32\grouppolicy\user\registry.pol. For the screensaver policies you talk about below, these are user-specific and so would be stored in the user-specific registry.pol file. If you are reasonably sure that all of the affected machines have roughly the same local GPO, then you could pick one of them, edit it to include your new screen saver settings, and then just copy over that user registry.pol file on all the desired machines. Then, you have to increment the version number of the local GPO, so that when the user logs on, it knows there are new policy settings and it processes them. The version number is stored in a file called GPT.ini, found in %windir%\system32\grouppolicy. GPT.ini typically looks something like this:

[General]
gPCFunctionalityVersion=2
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Version=917538
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]

You'll need to increment the Version= key and, if there were no Admin Template policies formerly found in the local GPO, you need to be sure the GUID {35378EAC-683F-11D2-A89A-00C04FBBCFA2} is found in the gPCUserExtensionNames key, as it is above. The version number should be incremented according to how many policy changes you make. If you want to stick to Microsoft's byzantine versioning scheme for GPOs, then for each user-specific change you make (which is what you'll be doing in this case), the version number is increased by 65536. So three changes to user policy would result in a version number increase of 65536 x 3 or 196608, which gets added to the existing version number (so in the example above, 917538+196608 = new version number). So what you can do is copy the registry.pol file and an updated gpt.ini (again this assumes that all machines have the same starting gpt.ini version number) to each of the target machines and then the next time the user logs on, they should get the correct screen saver policy. Like I said, tricky, but not impossible.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 01, 2004 3:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO question concerning LOCAL GPO

If the machine is standalone, you could e-mail them a script that makes the proposed registry changes. How else are you going to touch a machine that doesn't login regularly to have a GPO applied?

Kevin Gent
Pearson Digital Learning

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cothern Jeff D. Team EITC
Sent: Thursday, July 01, 2004 6:49 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO question concerning LOCAL GPO

We have identified an issue with a security policy (the paper kind) that conflicts with how our current build is set on our workstations. The workstations are running Windows 2000. I need to see if there is a way to change the LOCAL GPO on say 2000+ machines on the domain without having to remotely or sneaker login. Anyone know if a script could be written that say changes the GPO so the screen saver activates in 600 seconds, password protected and the user doesn't see the screen saver tab? I have already worked out the GPOs for users with these settings but the question was posed to me what about if the machine is operating in a standalone mode temporarily, IE laptop. Any ideas or suggestions would be appreciated.

Jeff
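The following is an added example, not code from Darren or anyone else in this thread. It does the GPT.ini arithmetic Darren describes (user-side changes add 65536 each, and the Registry CSE GUID must be present in gPCUserExtensionNames) and then pushes the prepared files over the admin share. It assumes the caller is a local administrator on every target, that all targets started from the same GPT.ini (Darren's own caveat), that the reference user registry.pol has already been exported from one machine, and that \\host\admin$\system32\GroupPolicy is reachable; the function and parameter names are mine, and the sample GPT.ini is the one from Darren's reply with the tool-extension GUIDs written out in full.

```powershell
# Administrative Templates (Registry) client-side extension and the user-side
# Administrative Templates tool extension, as they appear in GPT.ini.
$RegistryCse     = '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
$AdmTemplatesUsr = '{0F6B957E-509E-11D1-A7CC-0000F87571E3}'

function Update-GptIni {
    # Returns the text of a GPT.ini with Version bumped for the given number of
    # changes. Version packs two 16-bit counters: user changes in the high word
    # (+65536 each), machine changes in the low word (+1 each).
    param(
        [Parameter(Mandatory)][string]$Content,
        [int]$UserChanges = 1,
        [int]$MachineChanges = 0
    )
    $sawUserExt = $false
    $out = foreach ($line in ($Content -split "`r?`n")) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') {
            'Version=' + ([int64]$matches[1] + $UserChanges * 65536 + $MachineChanges)
        }
        elseif ($line -match '^\s*gPCUserExtensionNames\s*=\s*(.*)$') {
            $sawUserExt = $true
            $val = $matches[1]
            if ($UserChanges -gt 0 -and $val -notlike "*$RegistryCse*") {
                # No user-side Admin Template policy existed yet: list the CSE so
                # the engine invokes it for the new user registry.pol.
                $val = "[$RegistryCse$AdmTemplatesUsr]$val"
            }
            "gPCUserExtensionNames=$val"
        }
        else { $line }
    }
    if ($UserChanges -gt 0 -and -not $sawUserExt) {
        # The key was absent altogether; add it right after [General].
        $out = @('[General]', "gPCUserExtensionNames=[$RegistryCse$AdmTemplatesUsr]") +
               @($out | Where-Object { $_ -ne '[General]' })
    }
    $out -join "`r`n"
}

function Push-LocalGpo {
    # Copies a prepared user registry.pol to each workstation and rewrites its
    # GPT.ini. Assumes local admin rights on every target and that all targets
    # started from the same GPT.ini, as the method requires.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$UserRegistryPol,   # registry.pol exported from the reference machine
        [int]$UserChanges = 1
    )
    foreach ($pc in $ComputerName) {
        $gp = "\\$pc\admin`$\system32\GroupPolicy"
        try {
            $ini = Get-Content -LiteralPath "$gp\GPT.ini" -Raw -ErrorAction Stop
            Copy-Item -LiteralPath $UserRegistryPol -Destination "$gp\User\registry.pol" -Force -ErrorAction Stop
            Set-Content -LiteralPath "$gp\GPT.ini" -Value (Update-GptIni -Content $ini -UserChanges $UserChanges) -Encoding Ascii
        }
        catch { Write-Warning "${pc}: $($_.Exception.Message)" }
    }
}

# Sample GPT.ini from the reply above (Version=917538).
$sample = @'
[General]
gPCFunctionalityVersion=2
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Version=917538
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
'@

# Three user-side changes, as in the reply: 917538 + 3*65536 = 1114146
Update-GptIni -Content $sample -UserChanges 3

# Real push (workstations.txt is a hypothetical list of hostnames):
# Push-LocalGpo -ComputerName (Get-Content .\workstations.txt) -UserRegistryPol .\registry.pol -UserChanges 3
```

Because the user registry.pol is replaced wholesale, any other user-side Administrative Template setting a target happened to have in its local GPO is lost, which is why the approach only suits a fleet built from one image; check the reference machine's registry.pol carries everything the build is supposed to have before pushing it.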
Re: [ActiveDir] GPO question concerning LOCAL GPO
Hey Jeff... If you can get them to use cached credentials on the laptops, you can do a loopback policy. They'll cache it locally and get the settings even when off the wire. Not sure this fits your needs. And it does make for some complaints, travellers doing presentations etc.

John

From: "Cothern Jeff D. Team EITC" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 07/01/2004 05:48 PM
To: <[EMAIL PROTECTED]>
Subject: [ActiveDir] GPO question concerning LOCAL GPO
RE: [ActiveDir] windows repair and reinstallation
Hello,

Reinstalling did not solve my problem. The RPC and Telephony services do not stop. You know, I think this program that did just some cleaning on the registry caused this problem! I have a good antivirus installed and it works properly, and there is no virus for sure. I do not want to install the whole thing. One surprising thing is that if I connect to this server with Terminal Services, everything works perfectly. I should find out, when using Terminal Services, what it is that you are using from the source computer, not from the remote one, that makes the Active Directory console work perfectly over Terminal Services but not on the computer itself. On the computer itself, when I open the Active Directory console it gives the error "The RPC server cannot be found". Any help is appreciated.

roseta

-----Original Message-----
From: Manjeet [mailto:[EMAIL PROTECTED]]
Sent: 2004/07/01 04:09
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] windows repair and reinstallation