[ActiveDir] Inf Master and GC Clarification

2004-07-02 Thread David Adner
Can someone tell me exactly what problems I might see if I had 2
Domains and in one of them the Infrastructure Master role was on the GC
with the other DCs in that Domain not also being a GC?  This assumes the
first Domain is setup correctly.

So:
Parent.com
DC1 - 5 FSMO roles and GC
DC2 - GC

Child.Parent.com
DC3 - 3 FSMO roles and GC
DC4 - *not* a GC

If I understand correctly, the INF Master's job is to inform other Domains
of changes to objects in its own Domain.  If so, then in the above scenario,
DC3 will fail to inform DC1 of changes to objects in Child...?  Just what
kind of changes would it fail to pass along?

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Groups not replicating

2004-07-02 Thread Malachi Burke

Never mind.
Users not replicating properly either.  Spiffy clean event logs though.  I'm not sure where to look here.  For the record, I just transferred the FSMO roles… from a Win2K to Win2003 server.  Interesting, huh?  Dcdiag reports that new FSMO holder isn't responding to messages properly… what am I missing here?

  Starting test: KnowsOfRoleHolders

Warning: LADB02 is the Schema Owner, but is not responding to DS RPC Bind.

[LADB02] LDAP connection failed with error 58,

that kinda stuff=)

Mal

[ActiveDir] Groups not replicating

2004-07-02 Thread Malachi Burke

Everything else seems to replicate fine.  Changes to existing groups and creation of new groups do not replicate.  I have some glitchiness in the DNS but it basically works (can resolve SERVER(s).domain okay).  Double checking that user creation replicates properly – modification of users replicates, as do DFS/FRS entities.  Event logs report happy successful times.  Any insight?

Malachi

Re: [ActiveDir] Logging User Logon and Logoffs

2004-07-02 Thread Paul Wilkinson
Security is a problem for me, I want to give users the minimum rights 
needed. Right now they can only insert a new row in the database.   In 
order to be able to update the same row they used at logon with the 
logoff data, I'd be giving everyone the ability to completely change all 
login/logoff times in the database, which throws out the use of the log 
for security records.  It's interesting that you used a mdb database. 
I'll have to try that to see if it makes a speed difference.

Paul Wilkinson
865-974-0649
2422 Dunford Hall
OIT Lab Services
University of TN, Knoxville
Bruce Clingaman wrote:
I am using an mdb database. I had the exact issue you have, adding the
logout time to the same record as the login time. My solution was to store
the autonum from the mdb record in the user's registry then read it at
logout and look it up in the mdb and enter the logout time. In Access
databases this is very easy, but in SQL Server I had to take a completely
different approach which I had to drop because the logout script took too
long to execute.
The biggest issue I have with my method is security, users have modify
access to the share and database. 
The logout script misses about 1 in 50 logouts. I don't know why.
The mdb has the following fields: ID (Access autonumber), DC (rootDSE),
Computername, Username, Login (time/date), Logout (time/date)
I have login.vbs and logout.vbs:

'@
'Login.vbs
Option Explicit
On Error Resume Next
Dim strKeyPath, strValueName, strComputer, DC
' HKEY_CURRENT_USER as StdRegProv expects it (the original's &H8001 was a typo)
Const HKEY_CURRENT_USER = &H80000001
strComputer = "."
'''
'''
Dim UserID, ComputerName, objNetwork
Dim objConn, objRS, AutoNum
AutoNum = 0
Set objNetwork = CreateObject("WScript.Network")
' Record which DC the workstation is talking to
Set DC = GetObject("LDAP://rootDSE")
DC = DC.Get("dnsHostName")
ComputerName = objNetwork.ComputerName
UserID = objNetwork.UserName
Set objConn = CreateObject("ADODB.Connection")
objConn.Mode = 3   ' adModeReadWrite
objConn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Persist Security Info=False;" & _
    "Data Source=\\DC1\logins$\logins.mdb"
Set objRS = CreateObject("ADODB.Recordset")
objRS.Open "Logins", objConn, 2, 2   ' adOpenDynamic, adLockPessimistic
objRS.AddNew
' Jet assigns the autonumber on AddNew, so the ID can be read before Update
AutoNum = objRS("ID")
objRS("ComputerName") = ComputerName
objRS("UserID") = UserID
objRS("DC") = DC
objRS("TimeIn") = Now
objRS.Update
objRS.Close
Set objRS = Nothing
objConn.Close
Set objConn = Nothing
'''
'''
' Keep the record ID in HKCU so Logout.vbs can find the same row
Dim oReg
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Logins"
strValueName = "autonum"
' CreateKey takes only the hive and the subkey path
oReg.CreateKey HKEY_CURRENT_USER, strKeyPath
oReg.SetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, CStr(AutoNum)
'@

'@
'Logout.vbs
Option Explicit
On Error Resume Next
Dim objConn, AutoNum, SQL
Dim strComputer, oReg, strKeyPath, strValueName
Const HKEY_CURRENT_USER = &H80000001
strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Logins"
strValueName = "autonum"
' Read back the record ID that Login.vbs stored at logon
oReg.GetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, AutoNum

Set objConn = CreateObject("ADODB.Connection")
objConn.Mode = 3   ' adModeReadWrite
objConn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Persist Security Info=False;" & _
    "Data Source=\\DC1\logins$\logins.mdb"
' The value lives in HKCU, so the user can edit it: IsNumeric keeps the
' statement well-formed, but it cannot stop them pointing it at another
' row (the security gap discussed in this thread)
If IsNumeric(AutoNum) Then
    SQL = "UPDATE Logins SET TimeOut='" & Now & "' WHERE ID = " & CLng(AutoNum)
    objConn.Execute SQL
End If
objConn.Close
Set objConn = Nothing
'@@@

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Wilkinson
Sent: Friday, July 02, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Logging User Logon and Logoffs 

Is anyone logging both logons and log offs?   I'm working on a method of 
recording this info for a computer lab environment, and I'd like to see if
someone else is already doing it. I want real time utilization info and I
want to be able to build stats off of it for later use.

On DCs, you can determine when a person logs on to a client machine, but you
don't know when they log off because that information is only on the client
machine.
Right now I'm running a log on, and log off script to insert a row in a SQL
database in the following format:
Computer name, user id, login, log off
Where either the login, or log off fields are date/time, and the other field
is NULL.
The problem with this approach is that you get logs like this:
computer1, bob, 2004-04-29 14:

RE: [ActiveDir] Logging User Logon and Logoffs

2004-07-02 Thread Bruce Clingaman
I am using an mdb database. I had the exact issue you have, adding the
logout time to the same record as the login time. My solution was to store
the autonum from the mdb record in the user's registry then read it at
logout and look it up in the mdb and enter the logout time. In Access
databases this is very easy, but in SQL Server I had to take a completely
different approach which I had to drop because the logout script took too
long to execute.
The biggest issue I have with my method is security, users have modify
access to the share and database. 
The logout script misses about 1 in 50 logouts. I don't know why.
The mdb has the following fields: ID (Access autonumber), DC (rootDSE),
Computername, Username, Login (time/date), Logout (time/date)
I have login.vbs and logout.vbs:

'@
'Login.vbs
Option Explicit
On Error Resume Next
Dim strKeyPath, strValueName, strComputer, DC
' HKEY_CURRENT_USER as StdRegProv expects it (the original's &H8001 was a typo)
Const HKEY_CURRENT_USER = &H80000001
strComputer = "."
'''
'''
Dim UserID, ComputerName, objNetwork
Dim objConn, objRS, AutoNum
AutoNum = 0
Set objNetwork = CreateObject("WScript.Network")
' Record which DC the workstation is talking to
Set DC = GetObject("LDAP://rootDSE")
DC = DC.Get("dnsHostName")
ComputerName = objNetwork.ComputerName
UserID = objNetwork.UserName
Set objConn = CreateObject("ADODB.Connection")
objConn.Mode = 3   ' adModeReadWrite
objConn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Persist Security Info=False;" & _
    "Data Source=\\DC1\logins$\logins.mdb"
Set objRS = CreateObject("ADODB.Recordset")
objRS.Open "Logins", objConn, 2, 2   ' adOpenDynamic, adLockPessimistic
objRS.AddNew
' Jet assigns the autonumber on AddNew, so the ID can be read before Update
AutoNum = objRS("ID")
objRS("ComputerName") = ComputerName
objRS("UserID") = UserID
objRS("DC") = DC
objRS("TimeIn") = Now
objRS.Update
objRS.Close
Set objRS = Nothing
objConn.Close
Set objConn = Nothing
'''
'''
' Keep the record ID in HKCU so Logout.vbs can find the same row
Dim oReg
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Logins"
strValueName = "autonum"
' CreateKey takes only the hive and the subkey path
oReg.CreateKey HKEY_CURRENT_USER, strKeyPath
oReg.SetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, CStr(AutoNum)
'@

'@
'Logout.vbs
Option Explicit
On Error Resume Next
Dim objConn, AutoNum, SQL
Dim strComputer, oReg, strKeyPath, strValueName
Const HKEY_CURRENT_USER = &H80000001
strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Logins"
strValueName = "autonum"
' Read back the record ID that Login.vbs stored at logon
oReg.GetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, AutoNum

Set objConn = CreateObject("ADODB.Connection")
objConn.Mode = 3   ' adModeReadWrite
objConn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Persist Security Info=False;" & _
    "Data Source=\\DC1\logins$\logins.mdb"
' The value lives in HKCU, so the user can edit it: IsNumeric keeps the
' statement well-formed, but it cannot stop them pointing it at another
' row (the security gap discussed in this thread)
If IsNumeric(AutoNum) Then
    SQL = "UPDATE Logins SET TimeOut='" & Now & "' WHERE ID = " & CLng(AutoNum)
    objConn.Execute SQL
End If
objConn.Close
Set objConn = Nothing
'@@@

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Wilkinson
Sent: Friday, July 02, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Logging User Logon and Logoffs 

Is anyone logging both logons and log offs?   I'm working on a method of 
recording this info for a computer lab environment, and I'd like to see if
someone else is already doing it. I want real time utilization info and I
want to be able to build stats off of it for later use.

On DCs, you can determine when a person logs on to a client machine, but you
don't know when they log off because that information is only on the client
machine.

Right now I'm running a log on, and log off script to insert a row in a SQL
database in the following format:

Computer name, user id, login, log off

Where either the login, or log off fields are date/time, and the other field
is NULL.

The problem with this approach is that you get logs like this:

computer1, bob, 2004-04-29 14:36:08, NULL
computer1, bob, NULL, 2004-04-29 14:52:34

So I need a way to combine the login/off logs into one row to be able 
to perform stats.  I'm a SQL novice, so I don't really know a good way of 
doing this besides exporting all of it to a CSV, write a script that 
combines them, then export that back to a new database before running stats.

-- 
Paul Wilkinson
865-974-0649
2422 Dunford Hall
OIT Lab Services
University of TN, Knoxville

RE: [ActiveDir] Logging User Logon and Logoffs

2004-07-02 Thread Mulnick, Al
There are tools for this type of work if you really wanted to go there.
Tools that deal with host intrusion detection can do this as can tools such
as remote management tools (think SMS, Tivoli, etc).  Anything that watches
the event log can do this.  

Your idea can also work, but has some flaws such as being able to detect
whether or not the user was active or had the screen locked etc.  That's
another issue, but I suggest that you may want to have a logon and a logoff
script if you continue down your path.  The logon script will update a table
(table1) with the information you currently capture.  The logoff script
would have to update a different table (table2).  Your query would then be a
join of the two tables based on computer name (as the key field). You can
run that report from Access or Excel if you want.

Again, that gives a picture of some of the workstations under particular
scenarios.  Not all will be recorded with this solution.

Al   

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Wilkinson
Sent: Friday, July 02, 2004 12:21 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Logging User Logon and Logoffs 

Is anyone logging both logons and log offs?   I'm working on a method of 
recording this info for a computer lab environment, and I'd like to see if
someone else is already doing it. I want real time utilization info and I
want to be able to build stats off of it for later use.

On DCs, you can determine when a person logs on to a client machine, but you
don't know when they log off because that information is only on the client
machine.

Right now I'm running a log on, and log off script to insert a row in a SQL
database in the following format:

Computer name, user id, login, log off

Where either the login, or log off fields are date/time, and the other field
is NULL.

The problem with this approach is that you get logs like this:

computer1, bob, 2004-04-29 14:36:08, NULL
computer1, bob, NULL, 2004-04-29 14:52:34

So I need a way to combine the login/off logs into one row to be able 
to perform stats.  I'm a SQL novice, so I don't really know a good way of 
doing this besides exporting all of it to a CSV, write a script that 
combines them, then export that back to a new database before running stats.

-- 
Paul Wilkinson
865-974-0649
2422 Dunford Hall
OIT Lab Services
University of TN, Knoxville

[ActiveDir] Logging User Logon and Logoffs

2004-07-02 Thread Paul Wilkinson
Is anyone logging both logons and log offs?   I'm working on a method of 
recording this info for a computer lab environment, and I'd like to see 
if someone else is already doing it. I want real time utilization info 
and I want to be able to build stats off of it for later use.

On DCs, you can determine when a person logs on to a client machine, but 
you don't know when they log off because that information is only on the 
client machine.

Right now I'm running a log on, and log off script to insert a row in a SQL 
database in the following format:

Computer name, user id, login, log off
Where either the login, or log off fields are date/time, and the other 
field is NULL.

The problem with this approach is that you get logs like this:
computer1, bob, 2004-04-29 14:36:08, NULL
computer1, bob, NULL, 2004-04-29 14:52:34
So I need a way to combine the login/off logs into one row to be able 
to perform stats.  I'm a SQL novice, so I don't really know a good way of 
doing this besides exporting all of it to a CSV, write a script that 
combines them, then export that back to a new database before running stats.

--
Paul Wilkinson
865-974-0649
2422 Dunford Hall
OIT Lab Services
University of TN, Knoxville

RE: [ActiveDir] GPO question concerning LOCAL GPO

2004-07-02 Thread Edwin

I just wanted to say that this is an awesome reply!

Thank you Darren.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, July 01, 2004 7:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO question concerning LOCAL GPO

A user-driven script is not likely to
work. These policies are set in HKCU but the keys involved are
permissioned away from normal users by default--to prevent a normal user from
undoing a policy. There are a couple of ways you could skin this. If you want
to pay money, Full Armor has a tool called GPAnywhere that lets you do mass
manipulation of the local GPO. If you want to do it on the cheap then there is
another way, but it is a bit tricky. Essentially, all Admin. Template
policy for the local GPO is stored in two files on the local drive. Any
machine-specific Admin. Template policy is stored in
%windir%\system32\grouppolicy\machine\registry.pol and any user-specific policy
is stored in %windir%\system32\grouppolicy\user\registry.pol. For the screensaver
policies you talk about below, these are user-specific and so would be stored
in the user-specific registry.pol file. If you are reasonably sure that all of
the affected machines have roughly the same local GPO, then you could pick one
of them, edit it to include your new screen saver settings, and then just copy
over that user registry.pol file on all the desired machines. Then, you have to
increment the version number of the local GPO, so that when the user logs on,
it knows there are new policy settings and it processes them. The version
number is stored in a file called GPT.ini, found in
%windir%\system32\grouppolicy. GPT.ini typically looks something like this:

[General]
gPCFunctionalityVersion=2
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-F87571E3}]
Version=917538
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]

You'll need to increment the Version= key
and, if there were no Admin Template policies formerly found in the local GPO,
you need to be sure the GUID {35378EAC-683F-11D2-A89A-00C04FBBCFA2} is found in
the value gPCUserExtensionNames key, as it is above. The version number should
be incremented according to how many policy changes you make. If you want to
stick to Microsoft's byzantine versioning scheme for GPOs, then for each
user-specific change you make (which is what you'll be doing in this case), the
version number is increased by 65536. So three changes to user policy would
result in a version number increase of 65536 x 3 or 196608, which gets added to
the existing version number (so in the example above, 917538+196608=new version
number). So what you can do is copy the registry.pol file and an updated
gpt.ini (again this assumes that all machines have the same
starting gpt.ini version number) to each of the target machines and
then the next time the user logs on, they should get the correct screen saver
policy. Like I said, tricky, but not impossible. 

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 01, 2004 3:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO question concerning LOCAL GPO

If the machine is standalone, you could
e-mail them a script that makes the proposed registry changes. How else are you
going to touch a machine that doesn't login regularly to have a GPO applied ?

Kevin Gent
Pearson Digital Learning

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Thursday, July 01, 2004 6:49 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO question concerning LOCAL GPO

We have identified an issue with a security policy (the
paper kind)  that conflicts with how our current build is set on our
workstations.  The workstations are running Windows 2000.  I need to
see if there is a way to change the LOCAL GPO on say 2000+ machines on the
domain without having to remotely or sneaker login.  Anyone know if a script
could be written that say changes the GPO so the screen saver activates in 600
seconds, password protected and the user doesn’t see the screen saver
tab.  I have already worked out the GPOs for users with these settings but
the question was posed to me what about if the machine is operating in a
standalone mode temporarily, IE laptop.  

Any ideas or suggestions would be appreciated.

Jeff 

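Added worked example for the GPT.ini versioning described in Darren's reply above (illustration code, not from the thread or from Microsoft). The Version= value is one 32-bit number whose low 16 bits count machine-side changes and whose high 16 bits count user-side changes, which is why each user-side edit adds 65536; the code decodes the posted value 917538, checks that the Administrative Templates GUID is listed in gPCUserExtensionNames (the precondition Darren names), and bumps the user half. SAMPLE_GPT_INI is constructed from the file shown in the post with the machine extension list abbreviated; writing the result back to %windir%\system32\grouppolicy\GPT.ini on each target machine is left to the caller.

```python
import configparser
import io

# Client-side extension GUID for Administrative Templates, as quoted in the post.
ADMIN_TEMPLATES_CSE = "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"

# Constructed from the GPT.ini in the post; the machine extension list is
# abbreviated because it plays no part in a user-side change.
SAMPLE_GPT_INI = (
    "[General]\n"
    "gPCFunctionalityVersion=2\n"
    "gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-F87571E3}]\n"
    "Version=917538\n"
    "gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-F87571E3}]\n"
)


def split_version(version):
    """GPO Version= packs two 16-bit counters: low word machine, high word user."""
    return version & 0xFFFF, (version >> 16) & 0xFFFF


def join_version(machine, user):
    """Inverse of split_version."""
    return ((user & 0xFFFF) << 16) | (machine & 0xFFFF)


def _load(gpt_ini_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str   # keep the gPC... key names exactly as Windows writes them
    cp.read_string(gpt_ini_text)
    return cp


def has_user_admin_templates(gpt_ini_text):
    """True if the Admin Templates CSE is registered for the user side of the GPO."""
    general = _load(gpt_ini_text)["General"]
    names = general.get("gPCUserExtensionNames", "")
    return ADMIN_TEMPLATES_CSE.upper() in names.upper()


def bump_user_version(gpt_ini_text, user_changes):
    """Return (new_text, new_version) after user_changes user-side policy edits.

    Raises ValueError if the user Admin Templates CSE is not listed, because the
    client would not process a copied user registry.pol without it.
    """
    if not has_user_admin_templates(gpt_ini_text):
        raise ValueError("gPCUserExtensionNames does not list the Admin Templates CSE")
    cp = _load(gpt_ini_text)
    general = cp["General"]
    machine, user = split_version(int(general["Version"]))
    new_version = join_version(machine, user + user_changes)
    general["Version"] = str(new_version)
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)   # Windows writes key=value, no spaces
    return out.getvalue(), new_version


if __name__ == "__main__":
    machine, user = split_version(917538)
    print("machine version", machine, "user version", user)
    text, version = bump_user_version(SAMPLE_GPT_INI, 3)
    print("after three user-side changes:", version)
    print(text)
```

For the posted file 917538 decodes to machine version 34 and user version 14; three user-side changes give user version 17, i.e. 1114146, the same figure as 917538 + 196608 in the reply. Treat the version bump as a deployment step that deserves the same change control as the registry.pol copy itself: a client that sees a version it already holds silently keeps the old settings, so a skipped bump looks like success until someone checks the workstation.
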
Re: [ActiveDir] GPO question concerning LOCAL GPO

2004-07-02 Thread jpsalemi

Hey Jeff...If you can get them to use cached credentials on the laptops,
you can do a loopback policy.  They'll cache it locally and get the
settings even when off the wire.

Not sure this fits your needs... And it does make for some complaints,
travellers doing presentations etc.

John

From: "Cothern Jeff D. Team EITC" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 07/01/2004 05:48 PM
Please respond to ActiveDir
To: <[EMAIL PROTECTED]>
Subject: [ActiveDir] GPO question concerning LOCAL GPO

We have identified an issue with a security policy (the paper kind)  that
conflicts with how our current build is set on our workstations.  The
workstations are running Windows 2000.  I need to see if there is a way to
change the LOCAL GPO on say 2000+ machines on the domain without having to
remotely or sneaker login.  Anyone know if a script could be written that
say changes the GPO so the screen saver activates in 600 seconds, password
protected and the user doesn't see the screen saver tab.  I have already
worked out the GPOs for users with these settings but the question was
posed to me what about if the machine is operating in a standalone mode
temporarily, IE laptop.

Any ideas or suggestions would be appreciated.

Jeff


RE: [ActiveDir] windows repair and reinstallation

2004-07-02 Thread Roseta Radfar
hello,

reinstalling did not solve my problem. the RPC and Telephony service does not stop.
you know i think this program that did just some cleaning on the registry caused this
problem!!
i have a good antivirus installed and it works properly and there is no virus for
sure.

i do not want to install the whole thing.
one surprising thing is that if i connect to this server with terminal service every
thing works perfectly.
i should find out when using terminal service what it is that you are using from the
source computer. not from the remote one.
that makes the active directory console work perfectly on terminal service but not
work on the computer itself. on the computer itself when i open the active directory
console it gives the error "the RPC server can not be found"

any help is appreciated
roseta


-Original Message-
From: Manjeet [mailto:[EMAIL PROTECTED]
Sent: 2004/07/01 04:09
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] windows repair and reinstallation