RE: [ActiveDir] DSget Contacts in AD

2004-12-13 Thread Dan HINCKLEY
Without the pipe to dsget it does not choke.
At 19:05 12/10/2004, you wrote:
One thing that bothers me is that DSQUERY should have brought back all the
entries and you should have been able to use it as expected.  I'm trying to
figure out why DSQUERY chokes on the amount.
Can you verify that it's the amount that's causing it to choke?  Can you run
it without piping the results to dsget and see if you get the same results?
Al
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, December 10, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DSget Contacts in AD
How about
Command | grep 
Or do you mean the dn: string prefixing the dn being returned?
If the latter, you can have it returned distinguishedname as one of the
attributes and then use the command above but you will still get the
attribute labels. If you just want DN strings, you can use the -dsq option
but you won't get attributes output at all then.
  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan HINCKLEY
Sent: Friday, December 10, 2004 10:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DSget Contacts in AD
Any way to exclude the DN from the output?
At 15:44 12/10/2004, you wrote:
C:\>adfind -b ou=companies,dc=domain,dc=com -f "(&(objectcategory=Person)(objectClass=contact))" cn createTimeStamp

AdFind V01.17.00cpp Joe Richards ([EMAIL PROTECTED]) May 2004

Using server: wil-dc01.bbtnet.com

dn:CN=Test User,CN=Users,DC=bbtnet,DC=com
 createTimeStamp: 20041210144136.0Z
 cn: Test User


1 Objects returned



Specifying the attribute list tells ADFIND to return those attributes only.
In your case, you'd use displayname, mail, and
physicaldeliveryofficename for the attributes you want.


Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan HINCKLEY
Sent: Friday, December 10, 2004 9:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DSget Contacts in AD

I had it set to 500 because for any limit size above that (0, or 1500,
etc.) it fails with that error.

I've read through the ADfind docs and must not be alert enough to see
how to spec the attribs I want. How is it done?

At 15:17 12/10/2004, you wrote:
 You may misunderstand ADFIND.  It will allow you to specify the
 attribs you want vs. which ones you don't want last I checked.
 
 As for your DSQUERY command, why are you limiting to 1000 on the one
 that doesn't work?  Why not leave it at 0 ?
 
 Al
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dan HINCKLEY
 Sent: Friday, December 10, 2004 8:16 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] DSget Contacts in AD
 
 I find DSget works like a charm retrieving user info like this:
 
 dsquery user ou=companies,dc=domain,dc=com -limit 0 | dsget user -display -email -office -acctexpires > d:\temp\dsquery.txt
 
 But when I try to retrieve more than about 500 contacts like this:
 
 dsquery contact ou=companies,dc=domain,dc=com -limit 1000 | dsget contact -display -email -office > d:\temp\dsquerycontacts.txt
 
 I get this error:
 
 dsget failed:Value for `Target object for this command' has incorrect
 format
 
 The Contacts folder has a series of subfolders and a few distribution
 groups mixed in; might they cause this?
 
 ADfind doesn't seem to give me the option to specify which fields I
 want to retrieve, only to exclude fields, and there are too many to
 do that.
 
 
 
 Dan Hinckley                           t: (41 22) 999 0183
 Information Management Group           f: (41 22) 999 0010
 IUCN, The World Conservation Union     e: [EMAIL PROTECTED]
 1196 Gland, Switzerland                w: http://iucn.org/
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] List object mode

2004-12-13 Thread Grillenmeier, Guido



There is always something new to learn ;-) Thanks Eric, I wasn't aware of that one (but I can confirm that I've never noticed any difference in performance myself).

Can you elaborate a little as to why a double ACL check is required?

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, December 13, 2004 3:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] List object mode


The typical negative thing associated with list_object mode is the double ACL check required, which can have a performance overhead. I couldn't quantify what perf overhead means as frankly I've never seen a number from the test team on what that overhead is, but it exists, and perhaps in some cases is measurable. It is probably quite small in the aggregate though.

I would venture to guess that in order to really feel the overhead one would need a pretty serious load, and single instance store of SDs makes this even more true (caching benefits felt there), and you'd need a query load that lends itself to having this overhead (some probably do not). But that last bit is speculation on my part.

~Eric






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Sunday, December 12, 2004 2:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] List object mode

Hello Mika - I have not found any negative effects by List object mode on other apps whatsoever. And there shouldn't be any either, since it doesn't change the underlying security mechanisms at all. It merely gives you the option to distinguish between the list content and list object permission, which would otherwise always be applied in parallel (i.e. you don't even see the list object permission, but it's always applied when you grant the list content right, e.g. when you grant read permissions on an OU).

I've used it for quite a few companies already and it works like a charm. Realize that the theory behind the list object permission is rather easy (allows you to distinguish which objects someone can see in an OU - such as only specific sub-OUs). However, correctly leveraging list object mode does add complexity to the overall security model and requires people that really know what they're doing.

People need to fully understand the various permissions granted by default in AD and then need to take some of these away (mainly the Read-Permission for Auth. Users on OUs) before they can take advantage of the list object permissions in the first place. They also need to understand the impact on GPOs, as the required permissions to read GPOs are usually granted via the Auth. User permission on an OU... - so you need to mimic these permissions as well (not only for users, but also for the computer accounts).

Usually it's those companies that have a distinct desire to tighten security in AD - these will also invest in the extra time needed to plan the security model and to manage it in the long run. Thus, the list object permission is nothing that you'd just want to leverage for the fun of it or because it's cool - if there's a business case (i.e. need to restrict what people can see in AD), then it makes sense, otherwise it doesn't.

/Guido




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mika Seitsonen
Sent: Sunday, December 12, 2004 6:16 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] List object mode
I haven't found too many comments discussing the use of list object mode in production environments. Anybody care to share their experiences when enabling the list object mode? Has it affected applications running on top of AD such as Exchange & SMS?

Thanks in advance
Mika


RE: [ActiveDir] What is the LDAPS port?

2004-12-13 Thread Lucia Washaya



RE: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread Jimmy
You can use Restricted Groups in a Policy to do this.

Regards,
/Jimmy

-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, December 13, 2004 11:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Making a user a Domain Administrator

Add the user to the local administrator group on each machine in the domain.
This can be done via script for example. Does anyone know if this can be
done by GPO?

Regards
Peter Johnson

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye
Sent: 13 December 2004 12:10
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Making a user a Domain Administrator

Hi Guys,

By Default the Domain Admin is an administrator on every client system in
the domain. Suppose I want to extend this functionality, i.e. having a
particular user who is not a domain administrator but has administrator
rights on every client machine in the domain.

How can I achieve this?

Cheers

Seyi



[ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread Oluwaseyi Owoeye
Hi Guys,

By Default the Domain Admin is an administrator on every client system
in the domain. Suppose I want to extend this functionality, i.e. having
a particular user who is not a domain administrator but has
administrator rights on every client machine in the domain.

How can I achieve this?

Cheers

Seyi



RE: [ActiveDir] OT: pagefile

2004-12-13 Thread stefano tufillaro
I confirm it.
Ghost DOESN'T image pagefile.sys and other temporary files.
If you want you can delete/extract/view/copy files from the image (.gho) file (only delete if NTFS, also add in the Windows9x case) by a Symantec utility (Ghost Explorer).


From: Cothern Jeff D. Team EITC [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:  pagefile
Date: Sun, 12 Dec 2004 21:51:00 -0500

Unfortunately that file is corrupted on their server.  Chuckle, but I
looked on their CD.  It is supposed to do that. Will have to check my
server and boot disks.  Thanks..

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Sunday, December 12, 2004 6:24 PM
To: Cothern Jeff D. Team EITC; '[EMAIL PROTECTED] ';
'[EMAIL PROTECTED] '
Subject: RE: [ActiveDir] OT: pagefile
If I'm correct GHOST discards hibernation and swap files when creating an image.
also see:
ftp://ftp.symantec.com/public/english_us_canada/products/ghost/manuals/ghost2003_guide.pdf
search for hibernation and swap files
Regards,
Jorge
-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: 12/12/2004 11:11 PM
Subject: [ActiveDir] OT:  pagefile
I am creating a ghost image of an XP SP2 machine.  I am wanting to
reduce the final image file size.  The easiest way I can think to do
this is to create the image without a pagefile present.  But I would
like to ensure that when the new machine is set up the page file is
created once more.  Is there a way I can either put this in a script or
policy or sysprep.inf file?

Thanks

Jeff



RE: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread Robert Rutherford
I'd suggest using Restricted Groups through group policy. If you go on
the MS site you will get a ton of explanations and examples.

BR

Rob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi
Owoeye
Sent: 13 December 2004 10:19
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Making a user a Domain Administrator

I have a domain with over 1000 computers and can't possibly go round the
machines doing this.

Do you have a sample script that can achieve this?



RE: [ActiveDir] Distributing Administrative templates

2004-12-13 Thread Ruston, Neil



I find the following approach works for me:

1. Keep a master copy of all ADM files on a server which is backed up regularly
2. When an ADM is to be altered, alter the master copy and then copy it to a folder on a DC (ideally the same DC each time for consistency - let's say the PDCe)
3. Edit the GPO on the PDCe [where the ADM is used] and remove the old version, then add the new version. (I use version numbers within the file names)
4. Make any necessary changes to the new ADM settings and close the GP editor (thus saving the changes)

This new ADM will be replicated to all DCs (via SYSVOL/FRS replication) and all clients will apply the changes when they next refresh their GP settings (every 60 mins for servers/workstations and 60 mins for DCs) assuming their 'local' DC has received the changes via FRS.

WRT the relationship between ADMs and GPOs - think of the ADMs as supplying the supported settings to each GPO. If you need to add a new setting (not supported out of the box) you could add the setting to an existing ADM or (preferred) create a new ADM and add that to the GPO.

HTH,
neil

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: 13 December 2004 10:39
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Distributing Administrative templates
I have been searching around for a clear and definitive explanation of how to replicate updated ADM files around my Windows 2003 domain.

I am currently trying to update my ADM files to the latest version so that I can support a roll-out of Windows XP SP2. However, I cannot remember or find instructions explaining how I achieve a replication of these files around all my domain controllers.

As I understand, the SYSVOL folder is automatically replicated around the domain but the ADM files are held in the %systemfolder%\INF directory.

Am I misunderstanding the basic idea? If I update one DC with the new ADM files (i.e. replace the existing files in the INF directory) and then create on this DC the GPO I need, will the necessary ADM updates be replicated around the domain?

I have to admit to a certain amount of confusion just how ADM files and the GPO fit together. Are the new ADM files needed on all the DCs?

Thanks for any pointers.

Mark Abbiss



RE: [ActiveDir] Distributing Administrative templates

2004-12-13 Thread Abbiss, Mark



Many thanks for the information and pointers. Having read them, can someone then tell me if I have got this correct.

If I copy the latest ADM files to one of my DCs (in my case my local site DC, which has no FSMO roles) and then create a new GPO and assign it to an OU, the following statements will be true:

1. A new policy object will appear under the SYSVOL directory on my DC
2. The ADM files used by the GPO will be stored in the ADM subdirectory of the GPO
3. The final GPO will then be replicated around the domain to all other DCs
4. The locally stored versions of ADM files held on each DC in the %systemroot%\INF directory will have no bearing on how the GPO will be processed, as the ADM files located in the SYSVOL structure will be used during GPO processing.

Therefore, I do not need to ensure that identical versions of the ADM files exist on all DCs in the domain?

Many thanks for the help,

Mark
-Original Message-
From: Ruston, Neil [mailto:[EMAIL PROTECTED]
Sent: Monday, 13 December 2004 12:06
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Distributing Administrative templates



RE: [ActiveDir] Distributing Administrative templates

2004-12-13 Thread Ruston, Neil



See inline comments.

Note: This is a huge subject and I would suggest further reading as follows:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=""

(the URL may wrap)

neil

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: 13 December 2004 11:42
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Distributing Administrative templates
Many thanks for the information and pointers. Having read them, can someone then tell me if I have got this correct.

If I copy the latest ADM files to one of my DCs (in my case my local site DC, which has no FSMO roles) and then create a new GPO and assign it to an OU, the following statements will be true:

1. A new policy object will appear under the SYSVOL directory on my DC
[Neil Ruston] A new folder, yes, and a new container in System/Policies in the root of the domain partition

2. The ADM files used by the GPO will be stored in the ADM subdirectory of the GPO
[Neil Ruston] Correct (in SYSVOL)

3. The final GPO will then be replicated around the domain to all other DCs
[Neil Ruston] Correct. AD "parts" via AD replication and file based SYSVOL "parts" via FRS

4. The locally stored versions of ADM files held on each DC in the %systemroot%\INF directory will have no bearing on how the GPO will be processed, as the ADM files located in the SYSVOL structure will be used during GPO processing.
[Neil Ruston] Correct

Therefore, I do not need to ensure that identical versions of the ADM files exist on all DCs in the domain?
[Neil Ruston] This will occur by design. SYSVOL on all DCs is kept in synch by FRS, which watches for file system changes in the NTFS journal. If a file is updated on a DC, FRS replicates the change to all other DCs.

Many thanks for the help,

Mark

Re: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread Dennis Depp
If your users have local admin rights on their machine, be very
careful with restricted groups.  Use a logon script instead.

Dennis


On Mon, 13 Dec 2004 11:26:50 +0100, Jimmy [EMAIL PROTECTED] wrote:
 You can use Restricted Groups in a Policy to do this.
 
 Regards,
 /Jimmy
 
 -
Jimmy Andersson, Q Advice AB
 Principal Advisor
 Microsoft MVP - Directory Services
 -- www.qadvice.com -- 
 
 
 


RE: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread bschutter



RE: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread bschutter



RE: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread Steve Rochford
The following fragment in the machine startup script adds 3 domain
groups to the local admins group; we then just add users to the domain
groups and they will then be local admins as needed.

It's a bit kludged - it ought to check for membership first rather than
just try and add...

Steve

' Machine startup script: add three domain groups to the local Administrators group
sDomain = "domainname"

Set oNet = CreateObject("WScript.Network")
sComputer = oNet.ComputerName
sLocalGroup = "Administrators"
Set oComputer = GetObject("WinNT://" & sComputer)
Set oLocalGroup = oComputer.GetObject("Group", sLocalGroup)
' Adding a principal that is already a member raises an error; it is ignored here
On Error Resume Next
oLocalGroup.Add "WinNT://" & sDomain & "/informationguidance"
oLocalGroup.Add "WinNT://" & sDomain & "/workexp"
oLocalGroup.Add "WinNT://" & sDomain & "/SAS"
On Error GoTo 0

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi
Owoeye
Sent: 13 December 2004 10:19
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Making a user a Domain Administrator

I have a domain with over 1000 computers and can't possibly go round the
machines doing this.

Do you have a sample script that can achieve this?



RE: [ActiveDir] Distributing Administrative templates

2004-12-13 Thread Darren Mar-Elia

Mark-
You've gotten some good advice but I wanted to add one 
clarification. When you edit a new GPO, the ADM files that reside in the 
%windir%\inf folder on the machine where you are editing the GPO are 
automatically copied to the SYSVOL policies folder for that GPO on the DC that 
the GP Editor is currently focused on. That's a mouthful but essentially my 
point is that you should not need to copy any ADMs to your DC unless you are 
actually editing the new GPO from the console (or via TS) of the DC and the ADMs 
that reside in the %windir%\inf folder on that DC are not the ones you want to 
use. 

Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Monday, December 13, 2004 3:42 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Distributing Administrative templates

Many thanks for the information and pointers. Having read them, can someone then tell me if I have got this correct.

If I copy the latest ADM files to one of my DC's (in my case my local site DC, which has no FSMO roles) and then create a new GPO and assign it to an OU, the following statements will be true:

1. A new policy object will appear under the SYSVOL directory on my DC
2. The ADM files used by the GPO will be stored in the ADM subdirectory of the GPO
3. The final GPO will then be replicated around the domain to all other DC's
4. The locally stored versions of ADM files held on each DC in the %systemroot%\INF directory will have no bearing on how the GPO will be processed, as the ADM files located in the SYSVOL structure will be used during GPO processing.

Therefore, I do not need to ensure that identical versions of the ADM files exist on all DC's in the domain?

Many thanks for the help,

Mark

-Original Message-
From: Ruston, Neil [mailto:[EMAIL PROTECTED]
Sent: Monday, 13 December 2004 12:06
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Distributing Administrative templates

I find the following approach works for me:

1. Keep a master copy of all ADM files on a server which is backed up regularly
2. When an ADM is to be altered, alter the master copy and then copy it to a folder on a DC (ideally the same DC each time for consistency - let's say the PDCe)
3. Edit the GPO on the PDCe [where the ADM is used] and remove the old version, then add the new version. (I use version numbers within the file names)
4. Make any necessary changes to the new ADM settings and close the GP editor (thus saving the changes)

This new ADM will be replicated to all DCs (via SYSVOL/FRS replication) and all clients will apply the changes when they next refresh their GP settings (every 60 mins for servers/workstations and 60 mins for DCs) assuming their 'local' DC has received the changes via FRS.

WRT the relationship between ADMs and GPOs - think of the ADMs as supplying the supported settings to each GPO. If you need to add a new setting (not supported out of the box) you could add the setting to an existing ADM or (preferred) create a new ADM and add that to the GPO.

HTH,
neil


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: 13 December 2004 10:39
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Distributing Administrative templates

I have been searching around for a clear and definitive explanation of how to replicate updated ADM files around my Windows 2003 domain.

I am currently trying to update my ADM files to the latest version so that I can support a roll-out of Windows XP SP2. However, I cannot remember or find instructions explaining how I achieve a replication of these files around all my domain controllers.

As I understand, the SYSVOL folder is automatically replicated around the domain but the ADM files are held in the %systemfolder%\INF directory.

Am I misunderstanding the basic idea? If I update one DC with the new ADM files (i.e. replace the existing files in the INF directory) and then create on this DC the GPO I need, will the necessary ADM updates be replicated around the domain?

I have to admit to a certain amount of confusion just how ADM files and the GPO fit together. Are the new ADM files needed on all the DC's?

Thanks for any pointers.

Mark Abbiss

[ActiveDir] adfind most frequent user

2004-12-13 Thread Douglas M. Long

Is there some way with adfind to find the most frequently logged on user to a client machine? What I am trying to do is map machine names to their owner. The only way I would know how to do this is to find the user that most frequently logs on to each machine. Just knowing the last user to logon or logoff would even get me most of the way there, but the only attribute I see for such a thing is lastLogon and lastLogonTimestamp. Here is what I am using right now:

Adfind -b dc=domain,dc=com -f "operatingSystemServicePack=Service Pack 1" sAMAccountName

Now if I could only find which user has that machine (I know, I know, I should have documented that).

RE: [ActiveDir] Distributing Administrative templates

2004-12-13 Thread Abbiss, Mark

Just wanted to say thanks for all the help. I have now successfully configured GP to control the new XP SP2 roll-out. Hopefully the Boss will be pleased.

Cheers again for the pointers and comments.

Mark

  

RE: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread joe
It depends.

We had a long conversation on the use of restricted groups and the changes
made in various SPs previously on this list. To summarize that conversation,
with proper use of This group is a member of you will avoid the replacing
of the contents. But you need to make sure you scope the GPOs properly.
Please see the archives for this discussion unless someone wants to dig up
the old note and post it.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J
Contr InDyne/Enterprise IT
Sent: Monday, December 13, 2004 11:11 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Making a user a Domain Administrator

There is a danger to using restricted groups.  It will replace the contents
of the group with whatever you specify in the GPO.  The only exception is
the default local admin account.  If you have a lot of users in the local
admin, they will be removed when this gets applied.  If you add a user to
the local admin group, they will be removed based on your policy refresh
cycle.


Dave




David J. Perdue
Network Security Engineer, InDyne Inc 
Comm: (805) 606-4597DSN: 276-4597 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 13, 2004 06:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Making a user a Domain Administrator

1. Use restricted groups.
2. Use startup scripts. Simply add some other group from the domain to the
local administrators group of the machines.
3. Use a script or batch file that goes through all machines and adds the
user. 

One thousand machines isn't many, but it is well beyond the number that you
should already be pretty familiar with scripting. If you aren't, make that a
high priority. At this point you should be doing most daily admin through
scripts and command line tools, not GUI.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye
Sent: Monday, December 13, 2004 5:10 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Making a user a Domain Administrator

Hi Guys,

By Default the Domain Admin is an administrator on every client system in
the domain. Suppose I want to extend this functionality, i.e. having a
particular user who is not a domain administrator but has administrator
rights on every client machine in the domain.

How can I achieve this?

Cheers

Seyi



RE: [ActiveDir] DSget Contacts in AD

2004-12-13 Thread Brett Shirley
Maybe use tee, if dsget is killing the whole command line, it may give you
the exact object at the end of the file ... finding tee.exe, exercise for
the reader.


It could be that dsquery doesn't handle paged searches, and you don't have
more than 500 users, but you do have more than 500 contacts (IIRC users
are contacts, as well as other stuff, so this may make sense).  Is the
paged search limit default 500?  Or am I remembering wrong, and it is
1000?


I don't like the ds* tools, b/c they try to hide LDAP names ... and thus
create uncertainty and doubt when debugging something where everyone
could've learned the LDAP names.  The level of indirection, IMNHO was
unnecessary.


Alternatively ... these commands:

  repadmin /showattr . OU=companies,DC=domain,DC=com /subtree
/filter:(objectClass=user)
/atts:displayName,mail,physicalDeliveryOfficeName,accountExpires

  repadmin /showattr . OU=companies,DC=domain,DC=com /subtree
/filter:(objectClass=contact)
/atts:displayName,mail,physicalDeliveryOfficeName,accountExpires

I think will do something similar to these dsquery/dsget lines:

 dsquery user ou=companies,dc=domain,dc=com -limit 0 | dsget user
 -display -email -office -acctexpires > d:\temp\dsquery.txt

 dsquery contact ou=companies,dc=domain,dc=com -limit 1000 | dsget
 contact -display -email -office > d:\temp\dsquerycontacts.txt

I'm not actually sure what user and contact expand to, an objectClass
or a more specific objectCategory?  But of course repadmin will not be in
the dsget format ... if that is important to you.  You will want to index
objectClass in your AD.

Repadmin won't however make 2 or more trips if necessary, so this will
however be more efficient ... though that might not matter.

This time, I'll give you help finding the command ... the best version of
repadmin is definitely in ADAM:

http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en
You want ADAMretailX86.exe.  Extract the data to somewhere convenient, say
dir1.  Then go into that dir1, and run adamsetup /t:dir2.  In dir2 is
a good repadmin.

Cheers,
-BrettSh (msft)

This message is AS IS, and I'm sure the advice above technically breaks
EULAs, and so I guess I should say I don't endorse that or something.
But who really cares if you copy the tools out of the install package to
where is convenient for you.  Or maybe it is supported I don't know.


On Mon, 13 Dec 2004, Dan HINCKLEY wrote:

 Without the pipe to dsget it does not choke.
 
 At 19:05 12/10/2004, you wrote:
 One thing that bothers me is that DSQUERY should have brought back all the
 entries and you should have been able to use it as expected.  I'm trying to
 figure out why DSQUERY chokes on the amount.
 
 
 Can you verify that it's the amount that's causing it to choke?  Can you run
 it without piping the results to dsget and see if you get the same results?
 
 Al
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Friday, December 10, 2004 12:14 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DSget Contacts in AD
 
 How about
 
 Command | grep 
 
 Or do you mean the dn: string prefixing the dn being returned?
 
 If the latter, you can have it returned distinguishedname as one of the
 attributes and then use the command above but you will still get the
 attribute labels. If you just want DN strings, you can use the -dsq option
 but you won't get attributes output at all then.
 
joe
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dan HINCKLEY
 Sent: Friday, December 10, 2004 10:14 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DSget Contacts in AD
 
 Any way to exclude the DN from the output?
 
 At 15:44 12/10/2004, you wrote:
  C:\>adfind -b ou=companies,dc=domain,dc=com -f
  "(&(objectcategory=Person)(objectClass=contact))" cn createTimeStamp
  
  AdFind V01.17.00cpp Joe Richards ([EMAIL PROTECTED]) May 2004
  
  Using server: wil-dc01.bbtnet.com
  
  dn:CN=Test User,CN=Users,DC=bbtnet,DC=com
   createTimeStamp: 20041210144136.0Z
   cn: Test User
  
  
  1 Objects returned
  
  
  
  Specifying the attribute list tells ADFIND to return those attributes only.
  In your case, you'd use displayname, mail, and
  physicaldeliveryofficename for the attributes you want.
  
  
  Al
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Dan HINCKLEY
  Sent: Friday, December 10, 2004 9:27 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DSget Contacts in AD
  
  I had it set to 500 because for any limit size above that (0, or 1500,
  etc.) it fails with that error.
  
  I've read through the ADfind docs and must not be alert enough to see
  how to spec the attribs I want. How is it done?
  
  At 15:17 12/10/2004, you wrote:
   You may misunderstand ADFIND.  It will allow you to specify the
   attribs you want vs. which one's you 

RE: [ActiveDir] wireless AP scanner

2004-12-13 Thread Lou Vega

If you have the hardware and/or funds then a great solution would consist of an iPAQ with a GPS card and Mini-Stumbler (from the folks who make Netstumbler).

I have an iPAQ with MiniStumbler and it picks up things nicely around the office (they aren't supposed to have wireless setup here!) and around my home (where myself and several neighbors apparently have wireless networks set up). I don't have the GPS card, but one of these days... *sigh* :)

r/

Lou

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie
Sent: Monday, December 13, 2004 1:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] wireless AP scanner

It depends on how your network is built. If you have a fully switched network, you can look for ports with multiple MAC addresses. You can also look for MAC addresses that may belong to AP vendors or wireless nics, but that's a tad cumbersome, and quite unreliable.

The best way though, is to grab your laptop and go for a walk...

 TL

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Sunday, December 12, 2004 5:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] wireless AP scanner

It looks as though you have to walk around looking for APs with this. Are there scanners that actually scan the network and detect wireless devices with some sort of pre-determined footprinting that has been done?

From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Fri 12/10/2004 10:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] wireless AP scanner

NetStumbler

http://www.netstumbler.com/downloads/

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, December 09, 2004 11:16 PM
To: [EMAIL PROTECTED]
Subject: OT: wireless AP scanner

Does anyone know of any free wireless access point scanners. Is it even possible to detect a wireless access point on the network without wardriving?


RE: [ActiveDir] wireless AP scanner

2004-12-13 Thread Tyson Leslie

It depends on how your network is built. If you have a fully switched network, you can look for ports with multiple MAC addresses. You can also look for MAC addresses that may belong to AP vendors or wireless nics, but that's a tad cumbersome, and quite unreliable.

The best way though, is to grab your laptop and go for a walk...

 TL



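Tyson's two wired-side heuristics (an access port that has learned several MAC addresses, and MACs whose OUI belongs to a wireless vendor) can be run over a switch's MAC address table. The Python below is an added example, not code from the thread or from any of the tools named in it: it parses a constructed sample in the layout of a Cisco IOS "show mac address-table" and applies both checks. The OUI-to-vendor map and the list of known uplink ports are assumptions made for the example, and the sample table is constructed, not captured.

```python
"""Rogue-AP heuristics over a switch MAC address table.

Added example, not from the thread. Implements the two checks Tyson
describes (access ports with several MACs, and MACs whose OUI belongs to a
wireless vendor) against a constructed sample table.
"""
import re
from collections import defaultdict

# Constructed sample in the layout of a Cisco IOS "show mac address-table";
# not captured from a real switch.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0009.5b11.2233    DYNAMIC     Fa0/7
  10    0016.3e44.5566    DYNAMIC     Fa0/7
  10    0016.3e44.5577    DYNAMIC     Fa0/7
  10    0016.3e44.5588    DYNAMIC     Fa0/7
  10    0016.3e00.0001    DYNAMIC     Fa0/8
  10    0016.3e00.0002    DYNAMIC     Fa0/9
  10    0016.3e00.0003    DYNAMIC     Fa0/9
  20    0002.2d00.0004    DYNAMIC     Fa0/12
  20    0016.3e00.0005    DYNAMIC     Fa0/24
  20    0016.3e00.0006    DYNAMIC     Fa0/24
  20    0016.3e00.0007    DYNAMIC     Fa0/24
"""

# Assumed OUI-to-vendor map, for illustration only; replace with the current
# IEEE OUI registry before relying on it.
WIRELESS_VENDOR_OUIS = {
    "00:09:5b": "Netgear",
    "00:02:2d": "Agere/Orinoco",
    "00:06:25": "Linksys",
}

# Ports expected to carry many MACs (uplinks, trunks, hypervisor hosts);
# an assumption for this example and the main source of false positives if wrong.
UPLINK_PORTS = {"Fa0/24"}

_LINE = re.compile(
    r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I
)


def normalize_mac(cisco_mac):
    """'0009.5b11.2233' -> '00:09:5b:11:22:33'."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Map each port to the list of normalised MACs learned on it."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            ports[m.group(2)].append(normalize_mac(m.group(1)))
    return dict(ports)


def find_suspect_ports(ports, max_macs=2, uplinks=UPLINK_PORTS):
    """Return {port: [reasons]} for ports that trip either heuristic."""
    findings = {}
    for port, macs in ports.items():
        reasons = []
        if port not in uplinks and len(macs) > max_macs:
            reasons.append(f"{len(macs)} MACs learned on one access port")
        for mac in macs:
            vendor = WIRELESS_VENDOR_OUIS.get(mac[:8])
            if vendor:
                reasons.append(f"{mac} has a {vendor} OUI")
        if reasons:
            findings[port] = reasons
    return findings


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    for port, reasons in sorted(find_suspect_ports(table).items()):
        print(port, "->", "; ".join(reasons))
```

On the sample, Fa0/7 is flagged on both counts and Fa0/12 on the OUI alone, while Fa0/24 is skipped because it is listed as an uplink. This is exactly where Tyson's "quite unreliable" applies: a consumer AP that NATs its wireless clients presents a single MAC to the switch, and an AP from a vendor not in the OUI list is invisible to the second check, so the output is a list of ports to go and look at, not a verdict.
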
RE: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread Tyson Leslie
You can set this up via group policy, but beware - unlike most GPO settings,
setting the admin group membership is a permanent change, and will overwrite
whatever the existing group membership is. 

TL

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye
Sent: Monday, December 13, 2004 3:10 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Making a user a Domain Administrator

Hi Guys,

By Default the Domain Admin is an administrator on every client system in
the domain. Suppose I want to extend this functionality, i.e. having a
particular user who is not a domain administrator but has administrator
rights on every client machine in the domain.

How can I achieve this?

Cheers

Seyi

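Dave, joe and Tyson above are describing the two Restricted Groups settings: "Members of this group" replaces the local group's contents on every refresh, while "This group is a member of" only adds the named group. The Python below is an added example, not from the thread and not a Group Policy implementation; it models those two behaviours over successive policy refreshes so the difference is visible. The group and account names are hypothetical, and it takes Dave's note that the built-in Administrator account survives a replacement as an assumption.

```python
"""Model of the two Restricted Groups modes, applied over policy refreshes.

Added example, not from the thread. It encodes what Dave, joe and Tyson
describe: "Members of this group" replaces the group's contents, "This group
is a member of" only adds. Assumption (from Dave's note): the built-in
Administrator account survives a "Members" replacement.
"""

BUILTIN_ADMIN = "Administrator"


def apply_members_of_this_group(listed):
    """'Members of this group': the group ends up containing exactly the
    listed principals plus the built-in Administrator. Anything else,
    including members added by hand between refreshes, is dropped."""
    return {BUILTIN_ADMIN} | set(listed)


def apply_this_group_is_member_of(groups, group, targets):
    """'This group is a member of': add `group` to each target group and
    leave the targets' existing members untouched."""
    state = {name: set(members) for name, members in groups.items()}
    for target in targets:
        state.setdefault(target, set()).add(group)
    return state


def refresh(groups, policy):
    """One Group Policy refresh cycle.

    policy = {"members":   {group: [principals]},    # replaces
              "member_of": {group: [target_groups]}}  # adds
    Returns the new group membership; the input is not modified.
    """
    state = {name: set(members) for name, members in groups.items()}
    for group, listed in policy.get("members", {}).items():
        state[group] = apply_members_of_this_group(listed)
    for group, targets in policy.get("member_of", {}).items():
        state = apply_this_group_is_member_of(state, group, targets)
    return state


# Constructed starting state for one workstation (hypothetical names).
START = {"Administrators": {BUILTIN_ADMIN, "DOMAIN\\Domain Admins", "DOMAIN\\jsmith"}}

# The replacing form: lists Domain Admins and a helpdesk group as the only
# members of local Administrators.
REPLACING_POLICY = {"members": {"Administrators": ["DOMAIN\\Domain Admins", "DOMAIN\\Desktop Support"]}}

# The additive form joe recommends: the helpdesk group is made a member of
# local Administrators without touching whatever else is in there.
ADDITIVE_POLICY = {"member_of": {"DOMAIN\\Desktop Support": ["Administrators"]}}


def compare_policies():
    """Return the Administrators membership after one refresh under each
    policy, and after a hand-added member is followed by another refresh
    of the replacing policy."""
    replaced = refresh(START, REPLACING_POLICY)["Administrators"]
    added = refresh(START, ADDITIVE_POLICY)["Administrators"]
    # Someone adds a contractor by hand; the next refresh removes them again
    # under the replacing policy, which is the failure mode Dave describes.
    tampered = {"Administrators": replaced | {"DOMAIN\\contractor"}}
    after_next_refresh = refresh(tampered, REPLACING_POLICY)["Administrators"]
    return replaced, added, after_next_refresh


if __name__ == "__main__":
    labels = ("replacing", "additive", "replacing, next refresh")
    for label, members in zip(labels, compare_policies()):
        print(f"{label:25}: {sorted(members)}")
```

The additive form is the one to use when the goal is "this group is also a local admin everywhere", and, as joe says, the GPO still has to be scoped so it only hits the machines it is meant for; the replacing form is appropriate only when the intent really is to enforce an exact membership list.
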


[ActiveDir] term services printer redirection(again)

2004-12-13 Thread Kern, Tom
I posted earlier (last week) but didn't resolve my issue.
I'm running a Win2k term server in app mode and I have users connecting
remotely over a VPN (PPTP via RRAS). They can connect to the server fine but
client side printer redirection does not work. The clients are all Windows XP
SP1.
The local printers do not show up in the printer folder on the term server.
I know the driver names have to match so I edited the ntprint.inf file and
entered the name of the printer and driver but still no go. Also, these are all
LPT printers and not USB.
I tried to add the driver on the term server but the TS session port
doesn't show up in the add printer wizard.

any ideas?
thanks


RE: [ActiveDir] Printing Distribution Lists

2004-12-13 Thread Brian Desmond
You'd need to write something custom to actually output a text file or 
something like that. Here's my cheap but effective way though:
 
Give the user Outlook 2003
Have them compose a new message
In the To box, put the DL in, and hit the little plus button to expand it
Print the unsent message, all members are listed in the To area.
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101



From: [EMAIL PROTECTED] on behalf of Christine Allen
Sent: Mon 12/13/2004 1:48 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Printing Distribution Lists


Running Exchange 2003 and ad 2000 (not on the same box).
 
Is there a way to allow user to print out DL membership?  Thanks.

-Christine

Christine N. Allen
Citrix/Windows 2000 Engineer
BMC Healthnet Plan
One Design Center Place
Boston, MA 02210

Work:  617-748-6034
Cell:  617-290-4407
  

 

RE: [ActiveDir] Printing Distribution Lists

2004-12-13 Thread Ayers, Diane

here's my "I'm not a programmer but I play one on TV" approach... Dumps to an excel spreadsheet. Easily modifiable to even the programming challenged like me...

Diane
---
' Dump the members of an AD group (prompted for by DN) into a new Excel sheet
On Error Resume Next

CRLF = Chr(13) + Chr(10)

strADName = InputBox("Enter Complete LDAP DN for desired group", "Group Name?", "CN=Listname,OU=Groups,DC=Company,DC=COM")
Set GroupObj = GetObject("LDAP://" & strADName)

WScript.Echo "Getting group Membership for " & strADName

If Err.Number <> 0 Then
    WScript.Echo "Failed to connect to " & strADName
    WScript.Quit
End If

Set memberlist = GroupObj.Members
Set objExcel = WScript.CreateObject("Excel.Application")
objExcel.Visible = True
objExcel.Workbooks.Add

' Sheet named after the group; column headers in row 1
objExcel.ActiveSheet.Name = GroupObj.sAMAccountName
objExcel.ActiveSheet.Range("A1").Activate
objExcel.ActiveCell.Value = "ID"                            ' col header 1
objExcel.ActiveCell.Offset(0, 1).Value = "Last Name"        ' col header 2
objExcel.ActiveCell.Offset(0, 2).Value = "First Name"       ' col header 3
objExcel.ActiveCell.Offset(0, 3).Value = "Address"          ' col header 4
objExcel.ActiveCell.Offset(0, 4).Value = "Office"           ' col header 5
objExcel.ActiveCell.Offset(0, 5).Value = "Internal Phone"   ' col header 6
objExcel.ActiveCell.Offset(0, 6).Value = "External Phone"   ' col header 7
objExcel.ActiveCell.Offset(0, 7).Value = "Mobile"           ' col header 8
objExcel.ActiveCell.Offset(1, 0).Activate                   ' move 1 down

' One row per member; only members whose sAMAccountName is 4 characters long are written out
For Each member In memberlist
    If Len(member.sAMAccountName) = 4 Then
        objExcel.ActiveCell.Value = member.sAMAccountName
        objExcel.ActiveCell.Offset(0, 1).Value = member.sn
        objExcel.ActiveCell.Offset(0, 2).Value = member.givenName
        objExcel.ActiveCell.Offset(0, 3).Value = member.streetAddress
        objExcel.ActiveCell.Offset(0, 4).Value = member.physicalDeliveryOfficeName
        objExcel.ActiveCell.Offset(0, 5).Value = member.telephoneNumber
        objExcel.ActiveCell.Offset(0, 6).Value = member.otherHomePhone
        objExcel.ActiveCell.Offset(0, 7).Value = member.mobile
        objExcel.ActiveCell.Offset(1, 0).Activate
    End If
Next

Set GroupObj = Nothing
WScript.Echo "Done"
WScript.Quit


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Christine 
AllenSent: Monday, December 13, 2004 11:49 AMTo: 
'[EMAIL PROTECTED]'Subject: [ActiveDir] Printing 
Distribution Lists

Running Exchange 
2003 and ad 2000 (not on the same box).

Is there a way to 
allow user to print out DL membership? Thanks.
-ChristineChristine N. AllenCitrix/Windows 2000 
EngineerBMC Healthnet PlanOne Design Center PlaceBoston, MA 
02210Work: 617-748-6034Cell: 
617-290-4407 



RE: [ActiveDir] Printing Distribution Lists

2004-12-13 Thread joe

Hey Michael, I am sensing royalties. :o)

LOL J/K.

Ok a couple of items, get ready to edit. ;o)

1. Change your objectclass=group to objectcategory=group in those queries...

2. This filter has an issue - "objectclass=group,mail=*"

3. Adfind defaults to subtree so you don't have to specify it, obviously specifying it doesn't hurt anything except for the wear and tear on the nubs at the ends of your hands.

4. AD Distribution groups DON'T always have mail attribute set. Only if they are DLs for mail delivery - mail enabled in Exchange parlance. I know of a couple of companies that actually use DLs for security groups in UNIX apps. They don't need the NT Security enabled because it is all handled within the UNIX app and updating the Windows security token does nothing for UNIX. It is good to just use DLs if you can as it decreases kerb cert and token bloat as you have some hard limits there... That is one of the reasons why you should clean up sidhistories as fast as you can. I realize that you are talking about DLs as directly related to Exchange, but good to make clear distinction as someone else may not be using Exchange but using DLs and come across this blog and go WTF! when it doesn't seem to do what they expect.

5. Security groups CAN have the mail attribute set. Any DL that ANYONE in an Org decides to apply to a folder for permissioning gets changed to a security group automagically. The only way I am aware of to prevent this is to take away Exchange's ability to modify the grouptype attribute. I am not sure I would do this. Exchange has blown itself to bits for lesser things.

Here is a quick run through for a DL...


Step 1: Check an existing DL. Note that mail isn't set and your grouptype and samaccounttype values (note that -samdc on adfind v01.25.xx will decode those values to strings...)

F:\DEV\cpp\AdFind>adfind -b CN=DLTEST,CN=Users,DC=joe,DC=com

AdFind V01.25.01cpp Joe Richards ([EMAIL PROTECTED]) December 2004

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003

dn:CN=DLTEST,CN=Users,DC=joe,DC=com
>objectClass: top
>objectClass: group
>cn: DLTEST
>distinguishedName: CN=DLTEST,CN=Users,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20040311144823.0Z
>whenChanged: 20040625234655.0Z
>uSNCreated: 20573
>uSNChanged: 20573
>name: DLTEST
>objectGUID: {F2FE5F60-0BE6-4E29-ACEE-DA5706972661}
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-1113
>sAMAccountName: DLTEST
>sAMAccountType: 268435457
>groupType: 2
>objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com

1 Objects returned

The command completed successfully.

Step 2: mail enable DL.

F:\DEV\cpp\AdFind>exchmbx -b CN=DLTEST,CN=Users,DC=joe,DC=com -me

ExchMbx V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) August 2004

Using server: 2k3dc01.joe.com
DN Count: 1
Mail Enabling Objects...
 DN: cn=dltest,cn=users,dc=joe,dc=com...

The command completed successfully.

Step 3: verify mail enable occurred, note that not all mail attributes will be set yet. RUS hasn't swung through yet.

F:\DEV\cpp\AdFind>adfind -b CN=DLTEST,CN=Users,DC=joe,DC=com

AdFind V01.25.01cpp Joe Richards ([EMAIL PROTECTED]) December 2004

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003

dn:CN=DLTEST,CN=Users,DC=joe,DC=com
>mailNickname: DLTEST
>reportToOriginator: TRUE
>objectClass: top
>objectClass: group
>cn: DLTEST
>distinguishedName: CN=DLTEST,CN=Users,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20040311144823.0Z
>whenChanged: 20041213203144.0Z
>displayName: dltest
>uSNCreated: 20573
>uSNChanged: 811817
>name: DLTEST
>objectGUID: {F2FE5F60-0BE6-4E29-ACEE-DA5706972661}
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-1113
>sAMAccountName: DLTEST
>sAMAccountType: 268435457
>legacyExchangeDN: /o=joeware/ou=First Administrative Group/cn=Recipients/cn=DLTEST
>groupType: 2
>objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com

1 Objects returned

The command completed successfully.

Step 4: RUS swings through and stamps object with more Exchange attribs. Object is now ready to go, at least on any Exchange machines that use the DC the info has replicated to.

F:\DEV\cpp\AdFind>adfind -b CN=DLTEST,CN=Users,DC=joe,DC=com

AdFind V01.25.01cpp Joe Richards ([EMAIL PROTECTED]) December 2004

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003

dn:CN=DLTEST,CN=Users,DC=joe,DC=com
>msExchALObjectVersion: 21
>msExchPoliciesIncluded: {3A872370-0BE8-441A-B275-69F9B3FC83A9},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
>mailNickname: DLTEST
>reportToOriginator: TRUE
>objectClass: top
>objectClass: group
>cn: DLTEST
>distinguishedName: CN=DLTEST,CN=Users,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20040311144823.0Z
>whenChanged: 20041213203216.0Z
>displayName: dltest
>uSNCreated: 20573
>uSNChanged: 811823
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: SMTP:[EMAIL PROTECTED]
>proxyAddresses: X400:c=US;a= ;p=joeware;o=Exchange;s=DLTEST;
>name: DLTEST
>objectGUID:
{F2FE5F60-0BE6-4E29-ACEE-DA5706972661}objectSid: 

RE: [ActiveDir] Printing Distribution Lists

2004-12-13 Thread Michael B. Smith



Well, here's a way:

http://blogs.brnets.com/michael/archive/2004/06/24/168.aspx


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, December 13, 2004 3:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Printing Distribution Lists


You'd need to write something custom to actually output a text file or something like that. 
Here's my cheap but effective way though:

1. Give the user Outlook 2003
2. Have them compose a new message
3. In the To box, put the DL in, and hit the little plus button to expand it
4. Print the unsent message, all members are listed in the To area.


--
Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101


From: [EMAIL PROTECTED] on behalf of Christine Allen
Sent: Mon 12/13/2004 1:48 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Printing Distribution Lists

Running Exchange 2003 and AD 2000 (not on the same box).

Is there a way to allow users to print out DL membership? Thanks.

-Christine
Christine N. Allen
Citrix/Windows 2000 Engineer
BMC Healthnet Plan
One Design Center Place
Boston, MA 02210
Work: 617-748-6034
Cell: 617-290-4407



RE: [ActiveDir] Printing Distribution Lists

2004-12-13 Thread Michael B. Smith



I KNEW you'd have something to say. :-)

I hesitated to post...thanks for the feedback. I'll update 
later tonite.

M


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 13, 2004 3:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Printing Distribution Lists

Hey Michael I am sensing royalties. 


:o)

LOL J/K. 



Ok a couple of items, get ready to edit. ;o)

1. Change your objectclass=group to objectcategory=group in those queries... 

2. This filter has an issue - "objectclass=group,mail=*"

3. Adfind defaults to subtree so you don't have to specify it, obviously specifying 
it doesn't hurt anything except for the wear and tear on the nubs at the ends of 
your hands. 

4. AD Distribution groups DON'T always have mail attribute set. Only if they are DLs 
for mail delivery - mail enabled in Exchange parlance. I know of a couple of 
companies that actually use DLs for security groups in UNIX apps. They don't 
need the NT Security enabled because it is all handled within the UNIX app 
and updating the Windows security token does nothing for UNIX. It 
is good to just use DLs if you can as it decreases kerb cert and token bloat as 
you have some hard limits there... That is one of the reasons why you should 
clean up sidhistories as fast as you can. I realize that you are talking about 
DLs as directly related to Exchange, but good to make clear distinction as 
someone else may not be using Exchange but using DLs and come across 
this blog and go WTF! when it doesn't seem to do what they expect. 


5. Security groups CAN have the mail attribute set. Any DL that ANYONE in an 
Org decides to apply to a folder for permissioning gets changed to a security 
group automagically. The only way I am aware of to prevent this is to take 
away Exchange's ability to modify the grouptype attribute. I am not sure I would 
do this. Exchange has blown itself to bits for lesser things.




Here is a quick run through for a DL... 


Step 1: Check an existing DL. Note that mail isn't set and your grouptype and 
samaccounttype values (note that -samdc on adfind v01.25.xx will decode those 
values to strings...)

F:\DEV\cpp\AdFind>adfind -b CN=DLTEST,CN=Users,DC=joe,DC=com

AdFind V01.25.01cpp Joe Richards ([EMAIL PROTECTED]) December 2004

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003

dn:CN=DLTEST,CN=Users,DC=joe,DC=com
objectClass: top
objectClass: group
cn: DLTEST
distinguishedName: CN=DLTEST,CN=Users,DC=joe,DC=com
instanceType: 4
whenCreated: 20040311144823.0Z
whenChanged: 20040625234655.0Z
uSNCreated: 20573
uSNChanged: 20573
name: DLTEST
objectGUID: {F2FE5F60-0BE6-4E29-ACEE-DA5706972661}
objectSid: S-1-5-21-1862701446-4008382571-2198042679-1113
sAMAccountName: DLTEST
sAMAccountType: 268435457
groupType: 2
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com

1 Objects returned

The command completed successfully.



Step 2: mail enable DL.

F:\DEV\cpp\AdFind>exchmbx -b CN=DLTEST,CN=Users,DC=joe,DC=com -me

ExchMbx V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) August 2004

Using server: 2k3dc01.joe.com
DN Count: 1
Mail Enabling Objects...
 DN: cn=dltest,cn=users,dc=joe,dc=com...

The command completed successfully.

Step 3: verify mail enable occurred, note that not all mail attributes will be 
set yet. RUS hasn't swung through yet.

F:\DEV\cpp\AdFind>adfind -b CN=DLTEST,CN=Users,DC=joe,DC=com

AdFind V01.25.01cpp Joe Richards ([EMAIL PROTECTED]) December 2004

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003

dn:CN=DLTEST,CN=Users,DC=joe,DC=com
mailNickname: DLTEST
reportToOriginator: TRUE
objectClass: top
objectClass: group
cn: DLTEST
distinguishedName: CN=DLTEST,CN=Users,DC=joe,DC=com
instanceType: 4
whenCreated: 20040311144823.0Z
whenChanged: 20041213203144.0Z
displayName: dltest
uSNCreated: 20573
uSNChanged: 811817
name: DLTEST
objectGUID: {F2FE5F60-0BE6-4E29-ACEE-DA5706972661}
objectSid: S-1-5-21-1862701446-4008382571-2198042679-1113
sAMAccountName: DLTEST
sAMAccountType: 268435457
legacyExchangeDN: /o=joeware/ou=First Administrative Group/cn=Recipients/cn=DLTEST
groupType: 2
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com

1 Objects returned

The command completed successfully.


Step 4: RUS swings through and stamps object with more Exchange attribs. Object 
is now ready to go, at least on any Exchange machines that use the DC the info 
has replicated to.

F:\DEV\cpp\AdFind>adfind -b CN=DLTEST,CN=Users,DC=joe,DC=com

AdFind V01.25.01cpp Joe Richards ([EMAIL PROTECTED]) December 2004

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003

dn:CN=DLTEST,CN=Users,DC=joe,DC=com
msExchALObjectVersion: 21
msExchPoliciesIncluded: {3A872370-0BE8-441A-B275-69F9B3FC83A9},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
mailNickname: DLTEST
reportToOriginator: TRUE
objectClass: top
objectClass: group
cn: DLTEST
distinguishedName: CN=DLTEST,CN=Users,DC=joe,DC=com
instanceType: 4
whenCreated: 20040311144823.0Z
whenChanged: 

RE: [ActiveDir] Printing Distribution Lists

2004-12-13 Thread joe



Never hesitate. Best way to learn is to hang your 
knowledge out there and see who salutes. :o)

I am sure there 
aren't less than 10 people who are happy you posted that response on this list 
and who knows how many from the blog entry.

 joe



RE: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread joe
As I mentioned earlier, it depends on how you do things.

See 

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q810076


Also from the list archives look for the thread

[ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group
from local admins...

From March. I think there was another conversation previous to that as well
but can't recall the details.


Hey Tony, how about updating the ActiveDir Org GPO FAQ?


  joe



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie
Sent: Monday, December 13, 2004 1:08 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Making a user a Domain Administrator

You can set this up via group policy, but beware - unlike most GPO settings,
setting the admin group membership is a permanent change, and will overwrite
whatever the existing group membership is. 

TL

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye
Sent: Monday, December 13, 2004 3:10 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Making a user a Domain Administrator

Hi Guys,

By Default the Domain Admin is an administrator on every client system in
the domain. Suppose I want to extend this functionality, i.e. having a
particular user who is not a domain administrator but has administrator
rights on every client machine in the domain.

How can I achieve this?

Cheers

Seyi

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] terminal service printing

2004-12-13 Thread Kern, Tom
It's going through a VPN. The ports are open for VPN. I assume all activity is in 
the VPN tunnel so I don't need to open any more ports except for PPTP access.
Also, under configure port, it's a TS port.
Finally, the client printer never shows up in the printer folder.
The client can connect to the TS server and Outlook and everything else so I 
don't think it's a firewall issue.

-Original Message-
From: Meneses, Arturo [mailto:[EMAIL PROTECTED]
Sent: Monday, December 13, 2004 4:31 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] terminal service printing


You may need to open the correct ports on your firewall for the printer to
work.
Go to Printer properties-Ports-Configure port and see what port the
printer uses, then open that port in the firewall for the clients.

AM

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Friday, December 10, 2004 2:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] terminal service printing


a local printer on their side

-Original Message-
From: Meneses, Arturo [mailto:[EMAIL PROTECTED]
Sent: Friday, December 10, 2004 3:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] terminal service printing


Are the clients printing to a remote printer on their site? or to a printer
on the server side?

AM

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Friday, December 10, 2004 1:46 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] terminal service printing


I'm running a Win2k term server in app mode. i have users(client is XP)
connecting via vpn(PPTP) Win2k RRAS server.
They can connect to all resources including the term server but client-side
printing on the term server does not seem to work.
The event id i sometimes get is 61-
document failed to print. win32 error code is 3003(0xbbb). A lookup on
eventid.net claims this to be an incorrect ip address or printer name/port.
However i don't think thats the issue.
any help would be great
thanks


RE: [ActiveDir] term services printer redirection(again)

2004-12-13 Thread Dan Morentin
In 2000 the print driver must be native to 2000. No guarantees printing
terminally. The real solution is Citrix. I've been playing with printer
redirection in 2000 terminal for months. Microsoft never intended to
rectify the problem. If the local printer is native, then a 95% chance you can
print. Hehe
I set up terminal printers via local/tcpip and then just share that with
whoever. 



PERFORMANCE MATERIALS CORPORATION
Dan Morentin
Network Administrator
805-482-1722 x231
cell: 818-445-7834


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, December 13, 2004 12:04 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] term services printer redirection(again)

I posted earlier (last week) but didn't resolve my issue.
I'm running a Win2k term server in app mode and I have users connecting
remotely over a VPN (PPTP via RRAS). They can connect to the server fine
but client side printer redirection does not work. The clients are all
Windows XP SP1.
The local printers do not show up in the printer folder on the term
server.
I know the driver names have to match so I edited the ntprint.inf file
and entered the name of the printer and driver but still no go. Also,
these are all LPT printers and not USB.
I tried to add the driver on the term server but the TS session
port doesn't show up in the add printer wizard.

any ideas?
thanks


[ActiveDir] OT: intrusion prevention

2004-12-13 Thread Kern, Tom
My company is looking at getting Cisco Security Agent for intrusion prevention. 
Personally, at $60,000, I think it's a bit much.
Does anyone have any cheap intrusion prevention software they use out there? Or 
can you lock down your desktops enough via GPOs and good AV?

We get a lot of bots lately on our network. These bots infect fully patched 
boxes and start making outbound requests on ports 445 and 6667, flooding our 
network to a crawl and sometimes even DOSing our firewall.
As I've said, they even infect patched PCs with fully updated AV defs (Symantec 
Corporate 9.0).
The attraction to Cisco is that (according to Cisco marketing..) a client 
agent is installed which will stop the action of any unauthorized app or 
service from running and alert an admin.
Still, I think there's got to be a cheaper way to stop this stuff.
Any ideas (or personal experience with Cisco agent)?
Thanks
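As an added example (not from the original post and not from any product named in the thread), the detector below runs over constructed firewall log lines and reports the two symptoms the post describes: one internal host opening SMB (445) connections to many distinct hosts within a short window, and any internal host making an outbound IRC (6667) connection. The log line format ("time src dst dport"), the 10.x.x.x internal range, the threshold and the window are assumptions.

```python
"""Flag internal hosts that behave like the bots described above.

Added example, not from the original post. Input is an assumed firewall
log format "YYYY-mm-ddTHH:MM:SS src dst dport", one connection per line,
in time order. Two signals: SMB fan-out (many distinct 445 targets from one
source inside a sliding window) and any outbound IRC connection on 6667.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_FANOUT_THRESHOLD = 20        # distinct 445 targets per window (assumed)
WINDOW = timedelta(seconds=60)   # sliding window length (assumed)
INTERNAL_PREFIX = "10."          # hypothetical internal address range


def parse_line(line):
    """Split one log line into (datetime, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect(lines):
    """Return {src: [findings]} for internal hosts showing either symptom."""
    smb_events = defaultdict(list)   # src -> [(time, dst)] for port 445
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if not src.startswith(INTERNAL_PREFIX):
            continue                 # inbound traffic is out of scope here
        if dport == 6667:
            findings.setdefault(src, []).append(
                f"outbound IRC to {dst} at {ts.time()}")
        elif dport == 445:
            events = smb_events[src]
            events.append((ts, dst))
            # slide the window: forget attempts older than WINDOW
            while ts - events[0][0] > WINDOW:
                events.pop(0)
            targets = {d for _, d in events}
            already = any(f.startswith("SMB fan-out")
                          for f in findings.get(src, []))
            if len(targets) >= SMB_FANOUT_THRESHOLD and not already:
                findings.setdefault(src, []).append(
                    f"SMB fan-out: {len(targets)} distinct hosts on 445 "
                    f"within {int(WINDOW.total_seconds())}s")
    return findings


def sample_log():
    """Constructed log lines, not real traffic; returned in time order."""
    base = datetime(2004, 12, 13, 15, 6, 0)
    lines = []
    # 10.0.0.5 sweeps 25 neighbours on 445 in 25 seconds (bot-like)
    for i in range(25):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.0.5 10.0.1.{i + 1} 445")
    # 10.0.0.9 only talks to the file server (normal SMB use)
    for i in range(3):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} 10.0.0.9 10.0.0.20 445")
    # 10.0.0.7 opens an IRC connection to an outside host
    t = base + timedelta(seconds=40)
    lines.append(f"{t.isoformat()} 10.0.0.7 203.0.113.44 6667")
    # inbound 445 from outside is not this detector's job
    t = base + timedelta(seconds=41)
    lines.append(f"{t.isoformat()} 198.51.100.10 10.0.0.20 445")
    return sorted(lines)
```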


RE: [ActiveDir] OT: intrusion prevention

2004-12-13 Thread Stockbrugger, Brian L.
There is an alternative that we are looking into called Lightspeed -
www.lightspeedsystems.com.  Their Total Traffic Control appliance comes
complete with a CSA-like agent.  We are about to start testing it so I can't
really tell you how it works but it is a lot cheaper.

Brian 



RE: [ActiveDir] Distributing Administrative templates

2004-12-13 Thread Ruston, Neil

"...you should not need to copy any ADMs to your DC unless you are actually editing the new GPO from the console (or via TS) of the DC and the ADMs that reside in the %windir%\inf folder on that DC are not the ones you want to use."

I should have pointed out that this additional step was added so the task of "ADM editing" could be abstracted from the task of "GPO editing", i.e. the ADM editor would, when finished, copy the ADM to a location where the domain admins have access (in the example given, a share on a DC).

neil 

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
  Sent: 13 December 2004 15:33
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Distributing Administrative templates

  Mark-
  You've gotten some good advice but I wanted to add one clarification. When you edit a new GPO, the ADM files that reside in the %windir%\inf folder on the machine where you are editing the GPO are automatically copied to the SYSVOL policies folder for that GPO on the DC that the GP Editor is currently focused on. That's a mouthful but essentially my point is that you should not need to copy any ADMs to your DC unless you are actually editing the new GPO from the console (or via TS) of the DC and the ADMs that reside in the %windir%\inf folder on that DC are not the ones you want to use. 

  Darren
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
  Sent: Monday, December 13, 2004 3:42 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Distributing Administrative templates

  Many thanks for the information and pointers. Having read them, can someone then tell me if I have got this correct.

  If I copy the latest ADM files to one of my DC's (in my case my local site DC, which has no FSMO roles) and then create a new GPO and assign it to an OU, the following statements will be true :-

  1. A new policy object will appear under the SYSVOL directory on my DC
  2. The ADM files used by the GPO will be stored in the ADM subdirectory of the GPO
  3. The final GPO will then be replicated around the domain to all other DC's
  4. The locally stored versions of ADM files held on each DC in the %systemroot%\INF directory will have no bearing on how the GPO will be processed, as the ADM files located in the SYSVOL structure will be used during GPO processing.

  Therefore, I do not need to ensure that identical versions of the ADM files exist on all DC's in the domain?

  Many thanks for the help,

  Mark

  -Original Message-
  From: Ruston, Neil [mailto:[EMAIL PROTECTED]
  Sent: Monday, 13 December 2004 12:06
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Distributing Administrative templates
I find the following approach works for me:

1. Keep a master copy of all ADM files on a server which is backed up regularly
2. When an ADM is to be altered, alter the master copy and then copy it to a folder on a DC (ideally the same DC each time for consistency - let's say the PDCe)
3. Edit the GPO on the PDCe [where the ADM is used] and remove the old version, then add the new version. (I use version numbers within the file names)
4. Make any necessary changes to the new ADM settings and close the GP editor (thus saving the changes)

This new ADM will be replicated to all DCs (via SYSVOL/FRS replication) and all clients will apply the changes when they next refresh their GP settings (every 60 mins for servers/workstations and 60 mins for DCs) assuming their 'local' DC has received the changes via FRS.

WRT the relationship between ADMs and GPOs - think of the ADMs as supplying the supported settings to each GPO. If you need to add a new setting (not supported out of the box) you could add the setting to an existing ADM or (preferred) create a new ADM and add that to the GPO.

HTH,
neil

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
  Sent: 13 December 2004 10:39
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] Distributing Administrative templates

  I have been searching around for a clear and definitive explanation of how to replicate updated ADM files around my Windows 2003 domain.

  I am currently trying to update my ADM files to the latest version so that I can support a roll-out of Windows XP SP2. However, I cannot remember or find instructions explaining how I achieve a replication of these files around all my domain controllers.

  As I understand, the SYSVOL folder is automatically replicated around the domain but the ADM files are held in the %systemfolder%\INF 
  

[ActiveDir] Domain Name and DNS Problems

2004-12-13 Thread Edwin




Hello Everyone. I have an ongoing problem and would like to get some assistance please.

The domain that I am currently responsible for is the first domain that I have ever configured. As a result there was a lot of trial and error and most things were resolved but there remains this one problem that still lingers. I will try to explain as best as I can the scenario.

I work for a company (mycompany.net) and we host many web servers out on the public Internet. Our servers follow a naming scheme that is dependent on the type of OS or special purpose for that server, i.e. w39322.mycompany.net for Windows Web Servers and l23841.mycompany.net for Linux servers. There are other naming conventions that are not important for this topic.

Throughout the everyday work environment we are constantly accessing these servers for troubleshooting, investigations or other general use. The web servers are authoritative to public name servers ns1.mycompany.net and ns2.mycompany.net

When the domain was put online within our internal network, I used mycompany.net as the domain name. I also have DNS services for the domain on a one of the DC's. Since I have named our internal domain the same as our public domain, we ran into problems where we were no longer able to connect to our web servers on the Internet. As a workaround solution we wrote a Perl script that goes out to our public name servers and reads the mycompany.net zone and grabs any information that it does not have. The data is then written to a text file that then runs DNSCMD to import the data into the DC's DNS zone for mycompany.net

This is okay but still problematic and ultimately not the solution that I would like to have.

Our domain consists of:

1. 2 Win2K3 Standard DC's
2. 1 Win2K3 Standard File Server
3. 1 Win2K Exchange Server with Exchange 2000
4. Win2K Professional Workstations

From what I understand Win2K3 has a new feature that will allow for you to change the domain name of an already configured network. But this will not apply to me since I have Win2K Pro Clients and an Exchange 2K Server.

We do have an internal name server but it is a caching name server for the authoritative public name server. It is my understanding that AD requires for the nameserver to be authoritative for the domain and support SRV records. SRV records are not a problem but the authoritative part is since our public name server hold that role and it is not able to be changed. Also, to make the server authoritative would mean that our internal systems could be known by the public Internet.

Can anyone offer any suggestions to overcome this problem? Ultimately, what I would like to have done is for the mycompany.net zone on the AD DNS Server only to contain entries for our internal network. Any requests not resolved by the AD DNS server then get forwarded to the public name server. This would allow me to then clean up the zone for the AD DNS server and still have the functionality that we require.

Is this possible?

Thank you all for your replies.




RE: [ActiveDir] Domain Name and DNS Problems

2004-12-13 Thread Salandra, Justin A.


Why don't you just duplicate the records in the public DNS zone to the private zone? That is what I do since both my internal and external namespaces are the same.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Tuesday, December 14, 2004 9:04 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Domain Name and DNS Problems



Hello Everyone. I have an ongoing problem and would like to get some assistance please.

The domain that I am currently responsible for is the first domain that I have ever configured. As a result there was a lot of trial and error and most things were resolved but there remains this one problem that still lingers. I will try to explain as best as I can the scenario.

I work for a company (mycompany.net) and we host many web servers out on the public Internet. Our servers follow a naming scheme that is dependent on the type of OS or special purpose for that server, i.e. w39322.mycompany.net for Windows web servers and l23841.mycompany.net for Linux servers. There are other naming conventions that are not important for this topic.

Throughout the everyday work environment we are constantly accessing these servers for troubleshooting, investigations or other general use. The web servers are authoritative to public name servers ns1.mycompany.net and ns2.mycompany.net.

When the domain was put online within our internal network, I used mycompany.net as the domain name. I also have DNS services for the domain on one of the DC's. Since I have named our internal domain the same as our public domain, we ran into problems where we were no longer able to connect to our web servers on the Internet. As a workaround solution we wrote a Perl script that goes out to our public name servers and reads the mycompany.net zone and grabs any information that it does not have. The data is then written to a text file that then runs DNSCMD to import the data into the DC's DNS zone for mycompany.net.

This is okay but still problematic and ultimately not the solution that I would like to have.

Our domain consists of:

1. 2 Win2K3 Standard DC's
2. 1 Win2K3 Standard File Server
3. 1 Win2K Exchange Server with Exchange 2000
4. Win2K Professional Workstations

From what I understand Win2K3 has a new feature that will allow you to change the domain name of an already configured network. But this will not apply to me since I have Win2K Pro clients and an Exchange 2K server.

We do have an internal name server but it is a caching name server for the authoritative public name server. It is my understanding that AD requires the name server to be authoritative for the domain and to support SRV records. SRV records are not a problem but the authoritative part is, since our public name server holds that role and it is not able to be changed. Also, to make the server authoritative would mean that our internal systems could be known by the public Internet.

Can anyone offer any suggestions to overcome this problem? Ultimately,
what I would like to have done is for the mycompany.net zone on the AD DNS
Server only to contain entries for our internal network. Any requests not
resolved by the AD DNS server then get forwarded to the public name
server. This would allow me to then clean up the zone for the AD DNS
server and still have the functionality that we require.

Is this possible?

Thank you all for your replies. 








RE: [ActiveDir] OT: intrusion prevention

2004-12-13 Thread Mulnick, Al
Intrusion detection and prevention are two different things in my
experience.  IDS is used to detect the intrusion.  Prevention is a process
lifecycle all its own.

If you have the opportunity to have something that does both with a single
code-base that would be a good thing IMHO.  AV is always going to be latent
in its ability to protect.  That's the nature.  It's one of the reasons
that AV products are starting to come with personal firewalls which help to
prevent outbound comm as well as inbound comm from occurring.


Still comes down to user education and proper tuning no matter what they
sell you. These are just one more tool to help you enforce those policies
and reinforce the education.

My 2 cents (USD) anyway. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, December 13, 2004 6:06 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT: intrusion prevention

My company is looking at getting Cisco Security Agent for intrusion
prevention. Personally, at $60,000, I think it's a bit much.
Does anyone have any cheap intrusion prevention software they use out there?
Or can you lock down your desktops enough via GPO's and good AV?

We get a lot of bots lately on our network. These bots infect fully patched
boxes and start making outbound requests on ports 445 and 6667, flooding our
network to a crawl and sometimes even DOSing our firewall.
As I've said, they even infect patched PC's with fully updated AV
defs (Symantec Corporate 9.0).
The attraction to Cisco is that (according to Cisco marketing..) a client
agent is installed which will stop the action of any unauthorized app or
service from running and alert an admin.
Still, I think there's got to be a cheaper way to stop this stuff.
Any ideas (or personal experience with the Cisco agent)?
Thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] making another domain forest root

2004-12-13 Thread Calders Stijn

Hi,

I've a little question: is it possible to make another domain forest root? I mean: domain X is now forest root domain, and I want to make domain Y forest root domain. If it is possible, how do I do this? (Actually, I want to shut down domain X, but I can't since it is forest root domain.)

Many thanks in advance,

Stijn Calders








RE: [ActiveDir] What is the LDAPS port?

2004-12-13 Thread Jorge de Almeida Pinto

Also see:
MS KB Q224196: Restricting Active Directory Replication Traffic to a Specific Port
MS KB Q319553: How to Restrict FRS Replication Traffic to a Specific Static Port

Regards,
Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul van Geldrop
Sent: Thursday, December 09, 2004 16:47
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] What is the LDAPS port?


If I'm not mistaken, it should be port 636.
Also, keep in mind that FRS uses a selection of random ports, so make sure to include these if you're going to configure a firewall to allow for replication.

This article contains a list you might find helpful:

http://support.microsoft.com/default.aspx?scid=kb;en-us;832017


Regards,

Paul.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon (Computer People)
Sent: donderdag 9 december 2004 16:29
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] What is the LDAPS port?


I have seen LDAP over SSL listed variously as both port 636 and 686. Can anyone give me a definitive answer? Or are both valid in different situations and I am just missing something?

The background is that I want to get a list of all the ports required to run AD replication and FRS through a firewall. I have seen the various docs from Microsoft on this but they don't seem to be consistent.



RE: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread Geary, Simon (Computer People)
You can use the Restricted Groups settings in Group Policy to make particular 
users a member of the local administrators group without giving them any extra 
rights on the domain. 

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q279301

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye
Sent: 13 December 2004 10:10
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Making a user a Domain Administrator

Hi Guys,

By Default the Domain Admin is an administrator on every client system in the 
domain. Suppose I want to extend this functionality, i.e. having a particular 
user who is not a domain administrator but has administrator rights on every 
client machine in the domain.

How can I achieve this?

Cheers

Seyi



RE: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread Jorge de Almeida Pinto
If you would like to make a user ADMIN of all workstations you could do one of
the following:
* Make that user a Domain Admin - very easy to achieve but I would NOT
  RECOMMEND this for security's sake (too much for what that user really needs)
* I prefer the following:
  * Create a GLOBAL GROUP in the AD DOMAIN (something like: gsgADMonCLI)
  * Create a GPO and link that GPO (or use an existing GPO that's linked to
    the OU with the computer accounts) to the OU with computer accounts
  * Within that GPO use the Restricted Groups (Computer
    Configuration\Windows Settings\Security Settings\Restricted Groups) feature:
    assign the group name YourDomain\gsgADMonCLI as a member of the group
    ADMINISTRATORS
  * Make everyone that needs it (local admin on computers) a member of the
    group YourDomain\gsgADMonCLI
  * Wait until the computers have updated their GPO (reboot the computers,
    or force a refresh, or wait for about 90 min.)

Regards,
Jorge

NOTE: This posting is provided AS IS with no warranties and with no
rights!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye
Sent: maandag 13 december 2004 11:10
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Making a user a Domain Administrator

Hi Guys,

By Default the Domain Admin is an administrator on every client system in
the domain. Suppose I want to extend this functionality, i.e. having a
particular user who is not a domain administrator but has administrator
rights on every client machine in the domain.

How can I achieve this?

Cheers

Seyi



Re: [ActiveDir] Distributing Administrative templates

2004-12-13 Thread Tomasz Onyszko
On Mon, 13 Dec 2004 11:38:35 +0100, Abbiss, Mark wrote
> Am I misunderstanding the basic idea ? If I update one DC with the
> new ADM files (i.e. replace the existing files in the INF directory)
> and then create on this DC the GPO I need, will the necessary ADM
> updates be replicated around the domain ?
>
> I have to admit to a certain amount of confusion just how ADM files
> and the GPO fit together. Are the new ADM files needed on all the
> DC's ?
Hope this article will clarify some things for you:
http://www.jsiinc.com/SUBK/tip5000/rh5052.htm

You can use a copy of the ADM files from one location; requests for ADM files will
be redirected to the PDC emulator role holder (by default) in your network:
http://support.microsoft.com/?kbid=813338

Some time ago this topic was discussed on this list so look in the archives.

 



-- 
Tomasz Onyszko - [EMAIL PROTECTED]
http://www.w2k.pl



RE: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread Oluwaseyi Owoeye
I have a domain with over 1000 computers and can't possibly go round the
machines doing this.

Do you have a sample script that can achieve this?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, December 13, 2004 11:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Making a user a Domain Administrator

Add the user to the local administrator group on each machine in the
domain. This can be done via script for example. Does anyone know if
this can be done by GPO?

Regards
Peter Johnson

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi
Owoeye
Sent: 13 December 2004 12:10
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Making a user a Domain Administrator

Hi Guys,

By Default the Domain Admin is an administrator on every client system
in the domain. Suppose I want to extend this functionality, i.e. having
a particular user who is not a domain administrator but has
administrator rights on every client machine in the domain.

How can I achieve this?

Cheers

Seyi



RE: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread Peter Johnson
Add the user to the local administrator group on each machine in the
domain. This can be done via script for example. Does anyone know if
this can be done by GPO?

Regards
Peter Johnson

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi
Owoeye
Sent: 13 December 2004 12:10
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Making a user a Domain Administrator

Hi Guys,

By Default the Domain Admin is an administrator on every client system
in the domain. Suppose I want to extend this functionality, i.e. having
a particular user who is not a domain administrator but has
administrator rights on every client machine in the domain.

How can I achieve this?

Cheers

Seyi



[ActiveDir] Distributing Administrative templates

2004-12-13 Thread Abbiss, Mark
I have been searching around for a clear and definitive explanation of how to replicate updated ADM files around my Windows 2003 domain.

I am currently trying to update my ADM files to the latest version so that I can support a roll-out of Windows XP SP2. However, I cannot remember or find instructions explaining how I achieve a replication of these files around all my domain controllers.

As I understand, the SYSVOL folder is automatically replicated around the domain but the ADM files are held in the %systemfolder%\INF directory.

Am I misunderstanding the basic idea ? If I update one DC with the new ADM files (i.e. replace the existing files in the INF directory) and then create on this DC the GPO I need, will the necessary ADM updates be replicated around the domain ?

I have to admit to a certain amount of confusion just how ADM files and the GPO fit together. Are the new ADM files needed on all the DC's ?

Thanks for any pointers.

Mark Abbiss


RE: [ActiveDir] Distributing Administrative templates

2004-12-13 Thread Tomasz Onyszko
On Mon, 13 Dec 2004 12:42:11 +0100, Abbiss, Mark wrote
> Many thanks for the information and pointers. Having read them, can someone
> then tell me if I have got this correct.

(...)

> Therefore, I do not need to ensure that identical versions of the
> ADM files exist on all DC's in the domain ?

This should work in that way :)

-- 
Tomasz Onyszko - [EMAIL PROTECTED]
http://www.w2k.pl



Re: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread Dennis Depp
Create a startup group.  Place the following command in the startup script
(note: the workstation's Administrators group is a local group, so the
command is net localgroup, not net group):

Net Localgroup Administrators GlobalGroupToAdd /add

This should work, but please test it first.

Dennis


On Mon, 13 Dec 2004 11:18:52 +0100, Oluwaseyi Owoeye
[EMAIL PROTECTED] wrote:
> I have a domain with over 1000 computers and can't possibly go round the
> machines doing this.
>
> Do you have a sample script that can achieve this?
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
> Sent: Monday, December 13, 2004 11:10 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Making a user a Domain Administrator
>
> Add the user to the local administrator group on each machine in the
> domain. This can be done via script for example. Does anyone know if
> this can be done by GPO?
>
> Regards
> Peter Johnson
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi
> Owoeye
> Sent: 13 December 2004 12:10
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Making a user a Domain Administrator
>
> Hi Guys,
>
> By Default the Domain Admin is an administrator on every client system
> in the domain. Suppose I want to extend this functionality, i.e. having
> a particular user who is not a domain administrator but has
> administrator rights on every client machine in the domain.
>
> How can I achieve this?
>
> Cheers
>
> Seyi


RE: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread Lucia Washaya

Return Receipt: your "RE: [ActiveDir] Making a user a Domain Administrator" document was received by Lucia Washaya/UNAMSIL at 13/12/2004 13:35:53 GMT.


RE: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread Lucia Washaya

Return Receipt: your "RE: [ActiveDir] Making a user a Domain Administrator" document was received by Lucia Washaya/UNAMSIL at 13/12/2004 13:35:47 GMT.


RE: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread joe
1. Use restricted groups.
2. Use startup scripts. Simply add some other group from the domain to the
local administrators group of the machines.
3. Use a script or batch file that goes through all machines and adds the
user. 

One thousand machines isn't many, but it is well beyond the number that you
should already be pretty familiar with scripting. If you aren't, make that a
high priority. At this point you should be doing most daily admin through
scripts and command line tools, not GUI.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye
Sent: Monday, December 13, 2004 5:10 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Making a user a Domain Administrator

Hi Guys,

By Default the Domain Admin is an administrator on every client system in
the domain. Suppose I want to extend this functionality, i.e. having a
particular user who is not a domain administrator but has administrator
rights on every client machine in the domain.

How can I achieve this?

Cheers

Seyi



RE: [ActiveDir] List object mode

2004-12-13 Thread joe



This is a guess but...

You have two rights/permissions associated with listing an object.

1. ADS_RIGHT_ACTRL_DS_LIST - list child (aka list contents). This is a permission that would be set on an OU to say that a secprin had the ability to list subobjects of the OU.

2. ADS_RIGHT_DS_LIST_OBJECT - list object. This is the permission that is set on specific objects to say that a secprin can list that object.

This second right/perm is the one enabled/disabled with the dsheuristics setting.

This would seemingly logically mean you have at least two objects to check ACLs on to ALLOW the ability to list the object. I would further surmise that if you have multiple objects within a subOU or subOU structure you would have to check every subobject's ACL instead of just the OU's ACL to list the DNs of the objects directly under an OU (i.e. one level). At best if you had n objects at a single level within an OU you would have n+1 checks. One check for the OU and one check for every single object. At worst that would be n*2 with the OU being checked every time an object is also checked.

 joe





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, December 13, 2004 4:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] List object mode

there is always something new to learn ;-) Thanks Eric, I wasn't aware of that one (but I can confirm that I've never noticed any difference in performance myself).

Can you elaborate a little as to why a double ACL check is required?

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, December 13, 2004 3:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] List object mode

The typical negative thing associated with list_object mode is the double ACL check required which can have a performance overhead. I couldn't quantify what perf overhead means as frankly I've never seen a number from the test team on what that overhead is, but it exists, and perhaps in some cases is measurable. It is probably quite small in the aggregate though.

I would venture to guess that in order to really feel the overhead one would need a pretty serious load, and single instance store of SDs makes this even more true (caching benefits felt there), and you'd need a query load that lends itself to having this overhead (some probably do not). But that last bit is speculation on my part.

~Eric






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Sunday, December 12, 2004 2:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] List object mode

Hello Mika - I have not found any negative effects by List object mode on other apps whatsoever. And there shouldn't be any either, since it doesn't change the underlying security mechanisms at all. It merely gives you the option to distinguish between the list content and list object permission, which would otherwise always be applied in parallel (i.e. you don't even see the list object permission, but it's always applied when you grant the list content right, e.g. when you grant read permissions on an OU).

I've used it for quite a few companies already and it works like a charm. Realize that the theory behind the list object permission is rather easy (allows you to distinguish which objects someone can see in an OU - such as only specific sub-OUs). However, correctly leveraging list object mode does add complexity to the overall security model and requires people that really know what they're doing.

People need to fully understand the various permissions granted by default in AD and then need to take some of these away (mainly the Read permission for Auth. Users on OUs) before they can take advantage of the list object permissions in the first place. They also need to understand the impact on GPOs, as the required permissions to read GPOs are usually granted via the Auth. User permission on an OU... - so you need to mimic these permissions as well (not only for users, but also for the computer accounts).

Usually it's those companies that have a distinct desire to tighten security in AD - these will also invest in the extra time needed to plan the security model and to manage it in the long run. Thus, the list object permission is nothing that you'd just want to leverage for the fun of it or because it's cool - if there's a business case (i.e. need to restrict what people can see in AD), then it makes sense, otherwise it doesn't.

/Guido




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mika Seitsonen
Sent: Sunday, December 12, 2004 6:16 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] List object mode

I haven't found too many comments discussing the use of list object mode in production environments. Anybody care to share their experiences when enabling the list object mode. Has it affected applications running on top of AD such as Exchange & SMS?

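The two-permission model joe describes above (List Contents on the parent OU, List Object on each child) and the second-chance check Eric explains in this thread (one ACL check on the parent, then one per child when List Contents is absent), as an added simulation that is not code from the list, from the posters, or from Microsoft; the OU tree, the "helpdesk" trustee and all grants are constructed for illustration, and deny ACEs, inheritance and group nesting are deliberately left out:

```python
"""Model of Active Directory's "list object mode" (dsHeuristics) visibility check.

Constructed example: the permissions below map to the rights named in the thread:
  LIST_CHILDREN  = ADS_RIGHT_ACTRL_DS_LIST  ("List Contents"), set on the parent OU
  LIST_OBJECT    = ADS_RIGHT_DS_LIST_OBJECT ("List Object"),   set on each child
Assumption: every object carries a flat set of (trustee, right) allow grants;
deny ACEs, inheritance and group nesting are not modelled.
"""
from dataclasses import dataclass, field

LIST_CHILDREN = "list_children"   # ADS_RIGHT_ACTRL_DS_LIST
LIST_OBJECT = "list_object"       # ADS_RIGHT_DS_LIST_OBJECT


@dataclass
class DsObject:
    dn: str
    grants: set = field(default_factory=set)      # {(trustee, right), ...}
    children: list = field(default_factory=list)

    def allows(self, trustee: str, right: str) -> bool:
        return (trustee, right) in self.grants


def list_visible(parent: DsObject, trustee: str, list_object_mode: bool):
    """Return (DNs the trustee may list directly under parent, ACL checks made).

    Mode off: a single check on the parent decides all-or-nothing.
    Mode on : if that check fails, fall back to one LIST_OBJECT check per
              child, so the cost becomes 1 + N for N children.
    """
    checks = 1
    if parent.allows(trustee, LIST_CHILDREN):
        return [child.dn for child in parent.children], checks
    if not list_object_mode:
        return [], checks
    visible = []
    for child in parent.children:
        checks += 1
        if child.allows(trustee, LIST_OBJECT):
            visible.append(child.dn)
    return visible, checks


def build_sample_ou() -> DsObject:
    """Constructed OU: Authenticated Users keep List Contents on the OU (the AD
    default Guido mentions), while the hypothetical 'helpdesk' trustee has had it
    removed and is granted List Object on only two of the four sub-OUs."""
    ou = DsObject("OU=Sites,DC=example,DC=com",
                  grants={("Authenticated Users", LIST_CHILDREN)})
    for name in ("London", "Paris", "Oslo", "Rome"):
        child = DsObject(f"OU={name},OU=Sites,DC=example,DC=com")
        if name in ("London", "Paris"):
            child.grants.add(("helpdesk", LIST_OBJECT))
        ou.children.append(child)
    return ou


def demo() -> dict:
    """Run the three cases the thread contrasts and return their results."""
    ou = build_sample_ou()
    return {
        "authusers": list_visible(ou, "Authenticated Users", True),
        "helpdesk_mode_off": list_visible(ou, "helpdesk", False),
        "helpdesk_mode_on": list_visible(ou, "helpdesk", True),
    }


if __name__ == "__main__":
    for label, (dns, checks) in demo().items():
        print(f"{label}: {len(dns)} visible after {checks} ACL check(s): {dns}")
```

The "helpdesk_mode_on" case is the one that costs 1 + N checks while still showing only the two granted sub-OUs; the other two cases stop after the single parent check.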

[ActiveDir] Mac accessing Hidden Shares

2004-12-13 Thread Za Vue



Is anyone else having an issue with Mac machines accessing hidden shares on a DC? Other than not hiding the shares, is there a work around?

Thank you,
-Z.V.


RE: [ActiveDir] adfind most frequent user

2004-12-13 Thread joe



There is no mapping in AD for the users to the machines they use unless you specify restricted logons to specific machines and that is a manual process.

The query below will tell you the computer name of all machines running Service Pack 1. It could be W2K machines, XP machines, K3 with Beta SP1 machines, etc.

One way of doing this is to set up a logon script that updates a database somewhere or sends an email to an alias monitored by a script that then inserts the info into a database. Basically you send the logon time/date, machine name, user name.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, December 13, 2004 10:39 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] adfind most frequent user

Is there some way with adfind to find the most frequently logged on user to a client machine? What I am trying to do is map machine names to their owner. The only way I would know how to do this is to find the user that most frequently logs on to each machine. Just knowing the last user to logon or logoff would even get me most of the way there, but the only attribute I see for such a thing is lastLogon and lastLogonTimestamp. Here is what I am using right now:

Adfind -b dc=domain,dc=com -f "operatingSystemServicePack=Service Pack 1" sAMAccountName

Now if I could only find which user has that machine (I know, I know, I should have documented that).


RE: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread Perdue David J Contr InDyne/Enterprise IT
There is a danger to using restricted groups.  It will replace the contents
of the group with whatever you specify in the GPO.  The only exception is
the default local admin account.  If you have a lot of users in the local
admin, they will be removed when this gets applied.  If you add a user to
the local admin group, they will be removed based on your policy refresh
cycle.


Dave




David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597   DSN: 276-4597


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 13, 2004 06:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Making a user a Domain Administrator

1. Use restricted groups.
2. Use startup scripts. Simply add some other group from the domain to the
local administrators group of the machines.
3. Use a script or batch file that goes through all machines and adds the
user. 

One thousand machines isn't many, but it is well beyond the number that you
should already be pretty familiar with scripting. If you aren't, make that a
high priority. At this point you should be doing most daily admin through
scripts and command line tools, not GUI.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye
Sent: Monday, December 13, 2004 5:10 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Making a user a Domain Administrator

Hi Guys,

By Default the Domain Admin is an administrator on every client system in
the domain. Suppose I want to extend this functionality, i.e. having a
particular user who is not a domain administrator but has administrator
rights on every client machine in the domain.

How can I achieve this?

Cheers

Seyi



RE: [ActiveDir] List object mode

2004-12-13 Thread Eric Fleischman








Joe is pretty much there.

So list object mode really just makes a second chance check. So if you don't
have list children on the parent, we then also check if you have list_object
on each child object and return them if you do. So instead of making one check
(for list children on the parent) we now do 1+N where N is the # of child
objects.

Is the perf hit huge? Small? I have no idea. Depends upon a lot of things
really (2k vs. 2k03, # of child objects in your env (i.e. is your tree tall or
wide), % of times list children is not present that we have to do the extra
checks, etc.). But in some cases perhaps measurable.

Really, I shouldn't say double acl check as double implies twice the #. In
actuality it can be far more than twice. But that's a good way to think about
it in the simple case.

~Eric

From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, December 13, 2004 9:00 AM
To: [EMAIL PROTECTED]
Cc: Eric Fleischman
Subject: RE: [ActiveDir] List object mode

This is a guess but...

You have two rights/permissions associated with listing an object.

1. ADS_RIGHT_ACTRL_DS_LIST - list child (aka list contents). This is a
permission that would be set on an OU to say that a secprin had the ability
to list subobjects of the OU.

2. ADS_RIGHT_DS_LIST_OBJECT - list object. This is the permission that is set
on specific objects to say that a secprin can list that object.

This second right/perm is the one enabled/disabled with the dsheuristics
setting.

This would seemingly logically mean you have at least two objects to check
ACLs on to ALLOW the ability to list the object. I would further surmise that
if you have multiple objects within a subOU or subOU structure you would have
to check every subobject's ACL instead of just the OU's ACL to list the DNs of
the objects directly under an OU (i.e. one level). At best if you had n
objects at a single level within an OU you would have n+1 checks. One check
for the OU and one check for every single object. At worst that would be n*2
with the OU being checked every time an object is also checked.

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, December 13, 2004 4:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] List object mode

There is always something new to learn ;-) Thanks Eric, I wasn't aware of
that one (but I can confirm that I've never noticed any difference in
performance myself).

Can you elaborate a little as to why a double ACL check is required?

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, December 13, 2004 3:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] List object mode

The typical negative thing associated with list_object mode is the double ACL
check required which can have a performance overhead. I couldn't quantify what
perf overhead means as frankly I've never seen a number from the test team on
what that overhead is, but it exists, and perhaps in some cases is measurable.
It is probably quite small in the aggregate though.

I would venture to guess that in order to really feel the overhead one would
need a pretty serious load, and single instance store of SDs makes this even
more true (caching benefits felt there), and you'd need a query load that
lends itself to having this overhead (some probably do not). But that last bit
is speculation on my part.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Sunday, December 12, 2004 2:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] List object mode

Hello Mika - I have not found any negative effects by List object mode on
other apps whatsoever. And there shouldn't be any either, since it doesn't
change the underlying security mechanisms at all. It merely gives you the
option to distinguish between the list content and list object permission,
which would otherwise always be applied in parallel (i.e. you don't even see
the list object permission, but it's always applied when you grant the list
content right, e.g. when you grant read permissions on an OU).

I've used it for quite a few companies already and it works like a charm.
Realize that the theory behind the list object permission is rather easy
(allows you to distinguish which objects someone can see in an OU - such as
only specific sub-OUs). However, correctly leveraging list object mode does
add complexity to the overall security model and requires people that really
know what they're doing.

People need to fully understand the various permissions granted by default in
AD and then need to take some of these away (mainly the Read-Permission for
Auth. Users on OUs) before they can take advantage of the list object
permissions in the first place. They also need to understand the impact on
GPOs, as the required permissions to read GPOs are usually granted via the
Auth. User permission on an OU...

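The "1+N" second-chance check that Eric and joe describe in the thread above, as a small added model (not code from the thread, from Microsoft, or from any of the posters). The container, its children, the principals and their ACLs are constructed for illustration; the two right names are the ones joe quoted, and the dsHeuristics test relies on the third character of that attribute being the List Object switch.

```python
"""Toy model of Active Directory's List Object mode (added example).

Names, OU layout, principals and ACLs below are made up for illustration.
"""
from dataclasses import dataclass, field

LIST_CHILDREN = "ADS_RIGHT_ACTRL_DS_LIST"   # "List Contents", set on the container
LIST_OBJECT = "ADS_RIGHT_DS_LIST_OBJECT"    # "List Object", set on each object


@dataclass
class DirObject:
    dn: str
    # ACL reduced to principal -> set of granted rights (deny ACEs omitted)
    acl: dict = field(default_factory=dict)
    children: list = field(default_factory=list)

    def grants(self, principal, right):
        return right in self.acl.get(principal, set())


def list_object_mode_enabled(ds_heuristics):
    """List Object mode is on when the third character of dsHeuristics is '1'
    (the fDoListObject position); a short or absent value means off."""
    return len(ds_heuristics) >= 3 and ds_heuristics[2] == "1"


def enumerate_children(container, principal, ds_heuristics=""):
    """Return (DNs the principal may see, number of ACL checks it cost).

    Without List Object mode a single check on the container decides for all
    children.  With it, a missing List Contents right triggers a second-chance
    check of List Object on every child: 1 + N checks for N children."""
    checks = 1
    if container.grants(principal, LIST_CHILDREN):
        return [c.dn for c in container.children], checks
    if not list_object_mode_enabled(ds_heuristics):
        return [], checks
    visible = []
    for child in container.children:
        checks += 1
        if child.grants(principal, LIST_OBJECT):
            visible.append(child.dn)
    return visible, checks


def build_sample_ou():
    """Constructed OU: admins hold List Contents on the OU; the helpdesk is
    granted List Object on one child only (the usual 'hide the rest' setup)."""
    ou = DirObject("OU=Companies,DC=example,DC=com",
                   acl={"admins": {LIST_CHILDREN}})
    for name in ("Acme", "Globex", "Initech"):
        ou.children.append(DirObject(f"OU={name},OU=Companies,DC=example,DC=com"))
    ou.children[0].acl["helpdesk"] = {LIST_OBJECT}
    return ou


if __name__ == "__main__":
    ou = build_sample_ou()
    for who, heur in (("admins", "001"), ("helpdesk", ""), ("helpdesk", "001")):
        seen, cost = enumerate_children(ou, who, heur)
        print(f"{who:9} dsHeuristics={heur or '<unset>':7} sees={seen} checks={cost}")
```

The model makes Guido's point concrete as well: the helpdesk principal sees nothing until the default List Contents grant on the OU is absent and List Object mode is switched on, and only then does the per-child cost appear.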
RE: [ActiveDir] DSget Contacts in AD

2004-12-13 Thread Mulnick, Al
Is it possible then that you have missing data for some of the users?  Can
you run dsquery and check the results? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan HINCKLEY
Sent: Monday, December 13, 2004 3:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DSget Contacts in AD

Without the pipe to dsget it does not choke.

At 19:05 12/10/2004, you wrote:
One thing that bothers me is that DSQUERY should have brought back all 
the entries and you should have been able to use it as expected.  I'm 
trying to figure out why DSQUERY chokes on the amount.


Can you verify that it's the amount that's causing it to choke?  Can 
you run it without piping the results to dsget and see if you get the same
results?

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, December 10, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DSget Contacts in AD

How about

Command | grep 

Or do you mean the dn: string prefixing the dn being returned?

If the latter, you can have it returned distinguishedname as one of the 
attributes and then use the command above but you will still get the 
attribute labels. If you just want DN strings, you can use the -dsq 
option but you won't get attributes output at all then.

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan HINCKLEY
Sent: Friday, December 10, 2004 10:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DSget Contacts in AD

Any way to exclude the DN from the output?

At 15:44 12/10/2004, you wrote:
 C:\adfind -b ou=companies,dc=domain,dc=com -f
 "(&(objectcategory=Person)(objectClass=contact))" cn createTimeStamp
 
 AdFind V01.17.00cpp Joe Richards ([EMAIL PROTECTED]) May 2004
 
 Using server: wil-dc01.bbtnet.com
 
 dn:CN=Test User,CN=Users,DC=bbtnet,DC=com
  createTimeStamp: 20041210144136.0Z
  cn: Test User
 
 
 1 Objects returned
 
 
 
 Specifying the attribute list tells ADFIND to return those attributes
only.
 In your case, you'd use displayname, mail, and 
 physicaldeliveryofficename for the attributes you want.
 
 
 Al
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dan HINCKLEY
 Sent: Friday, December 10, 2004 9:27 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DSget Contacts in AD
 
 I had it set to 500 because for any limit size above that (0, or 
 1500,
 etc.) it fails with that error.
 
 I've read through the ADfind docs and must not be alert enough to see 
 how to spec the attribs I want. How is it done?
 
 At 15:17 12/10/2004, you wrote:
  You may misunderstand ADFIND.  It will allow you to specify the 
  attribs you want vs. which one's you don't want last I checked.
  
  As for your DSQUERY command, why are you limiting to 1000 on the 
  one that doesn't work?  Why not leave it at 0 ?
  
  Al
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Dan 
  HINCKLEY
  Sent: Friday, December 10, 2004 8:16 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] DSget Contacts in AD
  
  I find DSget works like a charm retrieving user info like this:
  
  dsquery user ou=companies,dc=domain,dc=com -limit 0 | dsget user
  -display -email -office -acctexpires > d:\temp\dsquery.txt
  
  But when I try to retrieve more than about 500 contacts like this:
  
  dsquery contact ou=companies,dc=domain,dc=com -limit 1000 | dsget
  contact -display -email -office > d:\temp\dsquerycontacts.txt
  
  I get this error:
  
  dsget failed:Value for `Target object for this command' has 
  incorrect format
  
  The Contacts folder has a series of subfolders and a few 
  distribution groups mixed in; might they cause this?
  
  ADfind doesn't seem to give me the option to specify which fields I
  want to retrieve, only to exclude fields, and there are too many to
  do that.
  
  
  
  Dan Hinckley                          t: (41 22) 999 0183
  Information Management Group          f: (41 22) 999 0010
  IUCN, The World Conservation Union    e: [EMAIL PROTECTED]
  1196 Gland, Switzerland               w: http://iucn.org/
  
  List info   : http://www.activedir.org/mail_list.htm
  List FAQ: http://www.activedir.org/list_faq.htm
  List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


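Dan asked above how to get AdFind's attribute values without the DN line, and joe pointed at grep and -dsq. An added alternative (not code from the thread or from AdFind itself) is to parse the record-style listing AdFind prints, a dn: line followed by one attribute per line, and keep only the attributes you asked for. SAMPLE below is constructed to mimic the thread's listing; the server name, DNs and values are made up.

```python
"""Parser for AdFind's record-style output (added example, not AdFind code).

SAMPLE is constructed; server, DNs and attribute values are invented.
"""

SAMPLE = """\
AdFind V01.17.00cpp Joe Richards ([EMAIL PROTECTED]) May 2004

Using server: dc01.example.com

dn:CN=Test User,CN=Users,DC=example,DC=com
>createTimeStamp: 20041210144136.0Z
>cn: Test User

dn:CN=Jane Contact,OU=Companies,DC=example,DC=com
>displayName: Jane Contact
>mail: jane@example.net
>mail: jane.contact@example.net
>physicalDeliveryOfficeName: Geneva

2 Objects returned
"""


def parse_adfind(text):
    """Split AdFind output into records: [{'dn': ..., 'attrs': {name: [values]}}].

    Attribute lines are prefixed with '>' (AdFind's own marker) or, as in the
    mail-archive rendering of the thread, with whitespace; both are accepted.
    Banner lines such as 'Using server:' and 'N Objects returned' start in
    column 0 and are ignored.  Attribute names are lower-cased because LDAP
    names are case-insensitive, and a repeated name becomes multi-valued."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("dn:"):
            current = {"dn": line[3:].strip(), "attrs": {}}
            records.append(current)
        elif current is not None and line and line[0] in "> \t":
            name, sep, value = line.lstrip("> \t").partition(":")
            if sep:
                current["attrs"].setdefault(name.strip().lower(), []).append(value.strip())
    return records


def select_attributes(records, wanted, multi_sep=";"):
    """One row per object holding just the wanted attributes, DN dropped;
    a missing attribute yields '' and multi-valued ones are joined."""
    rows = []
    for rec in records:
        rows.append([multi_sep.join(rec["attrs"].get(w.lower(), [])) for w in wanted])
    return rows


def to_delimited(records, wanted, sep="\t"):
    """Header plus rows, ready to redirect into a file like the dsget pipeline."""
    rows = select_attributes(records, wanted)
    return "\n".join([sep.join(wanted)] + [sep.join(r) for r in rows])


if __name__ == "__main__":
    print(to_delimited(parse_adfind(SAMPLE),
                       ["displayName", "mail", "physicalDeliveryOfficeName"]))
```

Because the parser keys on the dn: marker rather than on line counts, objects that lack one of the requested attributes (the first record above has no mail) still come out as a row with empty cells, which is what you want when the result is going into a spreadsheet.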
[ActiveDir] ADR Backup Question

2004-12-13 Thread Salandra, Justin A.
Everyone,

If I had an external hard drive that connected to the server via a USB
port, would the ASR Backup be able to identify it when you are going
through the ASR Restore?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Printing Distribution Lists

2004-12-13 Thread Christine Allen



Running Exchange 2003 and AD 2000 (not on the same box).

Is there a way to allow users to print out DL membership? Thanks.

-Christine

Christine N. Allen
Citrix/Windows 2000 Engineer
BMC Healthnet Plan
One Design Center Place
Boston, MA 02210
Work: 617-748-6034
Cell: 617-290-4407



RE: [ActiveDir] terminal service printing

2004-12-13 Thread Meneses, Arturo
You may need to open the correct ports on your firewall for the printer to
work.
Go to Printer properties > Ports > Configure port and see what port the
printer uses, then open that port in the firewall for the clients.

AM

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Friday, December 10, 2004 2:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] terminal service printing


a local printer on their side

-Original Message-
From: Meneses, Arturo [mailto:[EMAIL PROTECTED]
Sent: Friday, December 10, 2004 3:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] terminal service printing


Are the clients printing to a remote printer on their site? or to a printer
on the server side?

AM

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Friday, December 10, 2004 1:46 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] terminal service printing


I'm running a Win2k term server in app mode. I have users (client is XP)
connecting via VPN (PPTP) to a Win2k RRAS server.
They can connect to all resources including the term server but client-side
printing on the term server does not seem to work.
The event id I sometimes get is 61 - document failed to print. Win32 error
code is 3003 (0xbbb). A lookup on eventid.net claims this to be an incorrect
IP address or printer name/port.
However I don't think that's the issue.
Any help would be great.
Thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

-- 
---
This message has been inspected by DynaComm i:mail 5.0
---

-- 
--
FutureSoft, Inc.
12012 Wickchester Lane, Suite 600
Houston, TX 77079
If you no longer want to receive commercial e-mail correspondence
from FutureSoft, you may remove your address from our records 
by visiting www.futuresoft.com/emailremoval.asp
--


[ActiveDir] Need AD DNS help ASAP

2004-12-13 Thread Mike Hogenauer
So I have a Domain called domain.com.
All computers log on to Domain.com but the DNS Suffix on all systems points to
corp.domain.com.
In DNS there is a Zone for domain.com that was obviously set up when the domain
was initially set up.
There is also a Zone called corp.domain.com; most all resources live in
corp.domain.com. All Zones are AD integrated zones and replicated on all Domain
controllers. All controllers are Windows 2003 running AD 2003.

(My goal is to install Exchange 2003 for the entire WAN. I can't install it
until DNS and AD are running properly.)

There are also several DNS BIND servers in the company and a lot of DNS records
for the resources in the BIND server have been hand created in AD.

I plan on leaving the BIND servers in place and creating stub zones that point
to them under domain.com, if I can move the records in those Zones.

I want to combine all records into Domain.com and delete all other zones,
so every resource lives under Domain.com.
Is there a way to export all records and re-import into the domain.com Zone?
If I can do that I would change the TTL and DHCP scopes and push out the new
Suffix info via Group policy.

Any help or suggestions on how I can clean up this DNS mess would be greatly
appreciated.
 
Thanks 
 
Mike

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/