[ActiveDir] GPO design

2005-02-14 Thread Bart Vandyck
Hi all,

I just wanted some feedback on this project I'm working on from people
with real world knowledge.

We have AD in place with an OU structure. I've been asked to make a plan
to implement GPOs in this organization. I was thinking about creating a
GPO for each application we want to manage, in combination with each OU
level. For example:

  GPO-Region-IE6-users
  GPO-Region-WINXPSP1-machine
  GPO-Site01-IE6-users
  GPO-Site02-IE6-machine
  GPO-Site01-winxpsp1-user

The site GPO will only be made, or be in effect, if there is a need to
overrule settings made at the region level.

Is this a maintainable solution, or will this become too complex in the end?

Does anybody know some good descriptions or best practices about managing
software with GPO? I've seen lots of stuff about creating GPOs,
troubleshooting them, etc., but haven't found real implementation case
studies with advantages and disadvantages.

rgds,

Bart
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Authentication issue with Outlook 2003

2005-02-14 Thread Manjeet
Outlook 2003 (running on a user's desktop) fails to authenticate with Exchange 2003. After restarting Outlook, the user logon dialog comes up and, despite entering correct credentials, it cannot connect to Exchange.

My Exchange is failing to do the Kerberos authentication with Outlook clients. Incidentally, Outlook 2003 is the first OL client which uses Kerberos (if available). Also, Exchange 2003 is the first Exchange which uses Kerberos for client authentication. All other combinations (of OL and Exchg) always use NTLM. My Exchange has no problems authenticating over NTLM.

Even Outlook 2003, when forced to use NTLM, succeeds in authenticating to Exchange. On enabling extended Kerberos logging on the client machine, the exact error received is:

(The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/aca-beta1-03.ca-beta-03.test.com. The target name used was exchangeRFR/PROD-BETA1-03.prod-beta-03.test.com. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (CA-BETA-03.test.COM), and the client realm. Please contact your system administrator.)

Can I somehow force my Outlook clients to use NTLM?

Thanks for your valuable response.
 
Manjeet

RE: [ActiveDir] GPO design

2005-02-14 Thread Jorge de Almeida Pinto
Hi,

Be careful with creating a GPO for each application. If you have a lot of
apps and let's say all computers get those apps, then those workstations will
go through each GPO and then you may have performance issues. It may be
better to consolidate several apps that have similar "characteristics" into
one GPO.
If within a GPO the computer or user configuration is NOT used (no settings
defined), disable it accordingly. If it is disabled then it will not be
processed, and that is good for performance!

The naming convention for GPOs I always use is:
* GPO

Where:
 = POL (policy settings) or SWD (software distribution)
 = C (computer) or U (user) or B (both); this one also tells me which
configuration is enabled without opening the GPO
 = can be anything such as location, region, department, etc.
 = what it is (e.g. default settings)

Examples:
GPO_POL_C_Dept01_DefaultSettings
GPO_SWD_U_Site01_AcrobatReader

As I think of it: don't go crazy on GPOs. GPOs provide lots of functionality
but may also kill performance.

Cheers,
Jorge


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bart Vandyck
Sent: Monday 14 February 2005 10:22
To: activedir@mail.activedir.org
Subject: [ActiveDir] GPO design

Hi all,

I just wanted some feedback on this project I'm working on from people with
real world knowledge.

We have AD in place with an OU structure. I've been asked to make a plan to
implement GPOs in this organization. I was thinking about creating a GPO
for each application we want to manage, in combination with each OU
level. For example:

  GPO-Region-IE6-users
  GPO-Region-WINXPSP1-machine
  GPO-Site01-IE6-users
  GPO-Site02-IE6-machine
  GPO-Site01-winxpsp1-user

The site GPO will only be made, or be in effect, if there is a need to
overrule settings made at the region level.

Is this a maintainable solution, or will this become too complex in the end?

Does anybody know some good descriptions or best practices about managing
software with GPO? I've seen lots of stuff about creating GPOs,
troubleshooting them, etc., but haven't found real implementation case studies
with advantages and disadvantages.

rgds,

Bart

This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.


RE: [ActiveDir] Authentication issue with Outlook 2003

2005-02-14 Thread Jorge de Almeida Pinto

Hi,

As far as I know, clients and servers that can talk Kerberos will talk
Kerberos. NTLM will only be used if the client or the server cannot use
Kerberos.

Are there other errors in the event log? (MRXSmb messages...)

0x29 (KRB_AP_ERR_MODIFIED) "Message stream modified"
This indicates that the server was unable to decrypt the ticket sent by a
client, meaning that the server does not know the secret key used to encrypt
the ticket, or the client got the ticket from a KDC that did not know the
server's key. This can be tested by determining if the server can obtain a
ticket to itself, or if anybody else can locate the server. The secure
channel used by NTLM is also an indicator of the validity of the password on
local machine accounts.

Try connecting to some share on that server to test connectivity, and also
try to connect from that server to some other server to test connectivity.

Cheers

Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
Sent: Monday 14 February 2005 10:41
To: activedir@mail.activedir.org
Subject: [ActiveDir] Authentication issue with Outlook 2003

Outlook 2003 (running on a user's desktop) fails to authenticate with
Exchange 2003. After restarting Outlook, the user logon dialog comes up and,
despite entering correct credentials, it cannot connect to Exchange.

My Exchange is failing to do the Kerberos authentication with Outlook
clients. Incidentally, Outlook 2003 is the first OL client which uses
Kerberos (if available). Also, Exchange 2003 is the first Exchange which uses
Kerberos for client authentication. All other combinations (of OL and Exchg)
always use NTLM. My Exchange has no problems authenticating over NTLM.

Even Outlook 2003, when forced to use NTLM, succeeds in authenticating to
Exchange. On enabling extended Kerberos logging on the client machine, the
exact error received is:

(The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/aca-beta1-03.ca-beta-03.test.com. The target name used was
exchangeRFR/PROD-BETA1-03.prod-beta-03.test.com. This indicates that the
password used to encrypt the kerberos service ticket is different than that
on the target server. Commonly, this is due to identically named machine
accounts in the target realm (CA-BETA-03.test.COM), and the client realm.
Please contact your system administrator.)

Can I somehow force my Outlook clients to use NTLM?

Thanks for your valuable response.
 
Manjeet






RE: [ActiveDir] Authentication issue with Outlook 2003

2005-02-14 Thread Peter Johnson

I’ve seen something similar with
SMS. What’s your DNS scavenging set to in relation to your DHCP
lifecycle? I suspect that you have duplicate host names in your DNS table and
the exchange server is selecting the wrong target’s KDC key. I had exactly
the same issue with SMS server trying to connect to a client computer with the
incorrect credentials due to duplicate DNS host entries.

 

Regards

Peter Johnson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: 14 February 2005 12:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Authentication issue with Outlook 2003

Hi,

As far as I know, clients and servers that can talk Kerberos will talk
Kerberos. NTLM will only be used if the client or the server cannot use
Kerberos.

Are there other errors in the event log? (MRXSmb messages...)

0x29 (KRB_AP_ERR_MODIFIED) "Message stream modified"
This indicates that the server was unable to decrypt the ticket sent by a
client, meaning that the server does not know the secret key used to encrypt
the ticket, or the client got the ticket from a KDC that did not know the
server's key. This can be tested by determining if the server can obtain a
ticket to itself, or if anybody else can locate the server. The secure
channel used by NTLM is also an indicator of the validity of the password on
local machine accounts.

Try connecting to some share on that server to test connectivity, and also
try to connect from that server to some other server to test connectivity.

Cheers

Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
Sent: Monday 14 February 2005 10:41
To: activedir@mail.activedir.org
Subject: [ActiveDir] Authentication issue with Outlook 2003

Outlook 2003 (running on a user's desktop) fails to authenticate with
Exchange 2003. After restarting Outlook, the user logon dialog comes up and,
despite entering correct credentials, it cannot connect to Exchange.

My Exchange is failing to do the Kerberos authentication with Outlook
clients. Incidentally, Outlook 2003 is the first OL client which uses
Kerberos (if available). Also, Exchange 2003 is the first Exchange which uses
Kerberos for client authentication. All other combinations (of OL and Exchg)
always use NTLM. My Exchange has no problems authenticating over NTLM.

Even Outlook 2003, when forced to use NTLM, succeeds in authenticating to
Exchange. On enabling extended Kerberos logging on the client machine, the
exact error received is:

(The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/aca-beta1-03.ca-beta-03.test.com. The target name used was
exchangeRFR/PROD-BETA1-03.prod-beta-03.test.com. This indicates that the
password used to encrypt the kerberos service ticket is different than that
on the target server. Commonly, this is due to identically named machine
accounts in the target realm (CA-BETA-03.test.COM), and the client realm.
Please contact your system administrator.)

Can I somehow force my Outlook clients to use NTLM?

Thanks for your valuable response.

Manjeet

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an intended
recipient then please promptly delete this e-mail and any attachment and all
copies and inform the sender. Thank you.
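Jorge's explanation of 0x29 and Peter's duplicate-DNS theory both describe checks an administrator can run against an export of the directory and the zone. The Python below is an added example, not code from the thread: ACCOUNTS and DNS_A_RECORDS are constructed samples (the host names come from Manjeet's event text; the second exchangeRFR registration and all addresses are invented so that both checks fire).

```python
"""Offline checks for the two causes of KRB_AP_ERR_MODIFIED raised in the
thread: an SPN registered on more than one account (the KDC then encrypts
the service ticket with whichever account's key it picks), and two DNS
names resolving to the same address, so the client hands its ticket to a
machine other than the one named in the ticket.  All input is constructed."""
import re
from collections import defaultdict

# Constructed: what a query for servicePrincipalName on the two computer
# accounts named in the event might return.  The exchangeRFR entry on the
# second account is invented here to show the duplicate-SPN case.
ACCOUNTS = [
    {"sAMAccountName": "PROD-BETA1-03$",
     "servicePrincipalName": [
         "HOST/PROD-BETA1-03",
         "HOST/PROD-BETA1-03.prod-beta-03.test.com",
         "exchangeRFR/PROD-BETA1-03.prod-beta-03.test.com"]},
    {"sAMAccountName": "ACA-BETA1-03$",
     "servicePrincipalName": [
         "HOST/aca-beta1-03",
         "HOST/aca-beta1-03.ca-beta-03.test.com",
         "exchangeRFR/PROD-BETA1-03.prod-beta-03.test.com"]},
]

# Constructed forward-lookup records: a stale record that scavenging did not
# remove leaves two names on one address (Peter's point about DNS and DHCP).
DNS_A_RECORDS = {
    "prod-beta1-03.prod-beta-03.test.com": "10.1.1.5",
    "aca-beta1-03.ca-beta-03.test.com": "10.1.1.5",
    "dc01.test.com": "10.1.1.1",
}

# The event text Manjeet quoted, as written by the Kerberos client.
EVENT_TEXT = ("The kerberos client received a KRB_AP_ERR_MODIFIED error from "
              "the server host/aca-beta1-03.ca-beta-03.test.com. The target "
              "name used was exchangeRFR/PROD-BETA1-03.prod-beta-03.test.com. "
              "This indicates that the password used to encrypt the kerberos "
              "service ticket is different than that on the target server.")

EVENT_RE = re.compile(
    r"from the server (\S+)\. The target name used was (\S+)\.(?:\s|$)")


def parse_event(text):
    """Pull (responding server SPN, target SPN) out of the client's event text."""
    m = EVENT_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


def duplicate_spns(accounts):
    """Return {spn: [account names]} for every SPN held by more than one
    account.  SPNs are compared case-insensitively, as the KDC does."""
    holders = defaultdict(list)
    for acct in accounts:
        for spn in acct["servicePrincipalName"]:
            holders[spn.lower()].append(acct["sAMAccountName"])
    return {spn: sorted(names) for spn, names in holders.items() if len(names) > 1}


def dns_collisions(records):
    """Return {address: [names]} for every address carrying more than one name."""
    by_addr = defaultdict(list)
    for name, addr in records.items():
        by_addr[addr].append(name.lower())
    return {addr: sorted(names) for addr, names in by_addr.items() if len(names) > 1}


def diagnose(event_text, accounts, records):
    """Explain one logged failure as a list of finding strings."""
    parsed = parse_event(event_text)
    if parsed is None:
        return ["unparsed-event"]
    responder_spn, target_spn = parsed
    findings = []
    dups = duplicate_spns(accounts)
    if target_spn.lower() in dups:
        findings.append("duplicate-spn:" + ",".join(dups[target_spn.lower()]))
    # The host part of each SPN says which machine answered versus which one
    # the ticket was issued for; a mismatch means the name resolved elsewhere.
    target_host = target_spn.split("/", 1)[1].lower()
    responder_host = responder_spn.split("/", 1)[1].lower()
    if target_host != responder_host:
        findings.append("answered-by-other-host:" + responder_host)
        for addr, names in dns_collisions(records).items():
            if target_host in names and responder_host in names:
                findings.append("dns-collision:" + addr)
    return findings


if __name__ == "__main__":
    for finding in diagnose(EVENT_TEXT, ACCOUNTS, DNS_A_RECORDS):
        print(finding)
```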








RE: [ActiveDir] Problem with SUS Group Policy

2005-02-14 Thread Lucia Washaya

Return Receipt: your "RE: [ActiveDir] Problem with SUS Group Policy" document was received by Lucia Washaya/UNAMSIL at 14/02/2005 12:09:17 GMT.



RE: [ActiveDir] Display Computer Name on Desktop

2005-02-14 Thread Salandra, Justin A.
I am going to use the small script that someone sent me in a vbs script
during the login processing.

Thanks

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, February 13, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Display Computer Name on Desktop

Justin - 

I'm going to try again because, IMHO, you're working WAY too hard at this
one problem.

My current preference - 

http://www.kewlit.com/whoami/index2b.html

Great for the Data Center boxes connected via KVM.

If you haven't looked at this tool - you have NO IDEA what you're
missing.
Simply elegant.  Not as much info (or, as I've seen it on some systems -
flipping information OVERLOAD) as Sysinternals 'bginfo', but if you just
want the simple basics and a NAME, here it is.

Don't knock this one until you try it.

-rtk

P.S.  Ulf - love the reg hack, BTW...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Friday, February 11, 2005 6:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Display Computer Name on Desktop

Hello Justin,

Apart from the scripting answers you got, here's a different solution:

Rename My Computer on any workstation to WHATEVER-I-DONT-GIVE-A-D. Open up
regedit and search for WHATEVER-I-DONT-GIVE-A-D.

Create a new Key of the type Reg_expand_sz called WHATEVER, and put in
"%computername%" as value. Export the parent key (where
WHATEVER-I-DONT-GIVE-A-D was the default value) to a reg file.

Open up the regfile in notepad, and change it so that the value of WHATEVER
of type reg_expand_sz is assigned to the default key "@".

Delete the old key in regedit, then doubleclick the regfile. The type of the
key should now be reg_expand_sz (before it was reg_sz and would have shown
%computername% instead of resolving it).

If you are nice, and want some more information, you can use this regfile:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}]
@=hex(2):25,00,75,00,73,00,65,00,72,00,6e,00,61,00,6d,00,65,00,25,00,20,00,\
  40,00,20,00,25,00,63,00,6f,00,6d,00,70,00,75,00,74,00,65,00,72,00,6e,00,61,\
  00,6d,00,65,00,25,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}]
@=hex(2):25,00,75,00,73,00,65,00,72,00,6e,00,61,00,6d,00,65,00,25,00,20,00,\
  40,00,20,00,25,00,63,00,6f,00,6d,00,70,00,75,00,74,00,65,00,72,00,6e,00,61,\
  00,6d,00,65,00,25,00,00,00

Gruesse - Sincerely,
 
Ulf B. Simon-Weidner
 
  MVP-Book "Windows XP - Die Expertentipps":  http://tinyurl.com/44zcz 
  Weblog: http://msmvps.org/UlfBSimonWeidner
  WebSite: http://www.windowsserverfaq.org  
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Salandra, Justin A.
> Sent: Friday, February 11, 2005 7:41 PM
> To: ActiveDir@mail.activedir.org
> Cc: [EMAIL PROTECTED]
> Subject: [ActiveDir] Display Computer Name on Desktop
> 
> I have a question, is there a way to display the computer 
> name on the desktop either through a login script or via GPO?
> 
> Justin A. Salandra
> MCSE Windows 2000 & 2003
> Network and Technology Services Manager
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]
> 
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
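A hex(2) blob in a .reg file is opaque until it is decoded, and a reviewer should know what it writes before anyone double-clicks it. The parser below is an added example, not Ulf's code or anything from the thread; REG_TEXT is a copy of his regfile, and expand_percent with its sample environment is constructed to show what the My Computer label becomes.

```python
"""Decode a Registry Editor 5.00 (.reg) file offline so REG_EXPAND_SZ and
other hex-encoded values can be read as text before the file is imported."""
import re

# Copy of the two keys from the regfile in the thread (default values are
# REG_EXPAND_SZ, written by regedit as hex(2) with line continuations).
REG_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}]
@=hex(2):25,00,75,00,73,00,65,00,72,00,6e,00,61,00,6d,00,65,00,25,00,20,00,\
  40,00,20,00,25,00,63,00,6f,00,6d,00,70,00,75,00,74,00,65,00,72,00,6e,00,61,\
  00,6d,00,65,00,25,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}]
@=hex(2):25,00,75,00,73,00,65,00,72,00,6e,00,61,00,6d,00,65,00,25,00,20,00,\
  40,00,20,00,25,00,63,00,6f,00,6d,00,70,00,75,00,74,00,65,00,72,00,6e,00,61,\
  00,6d,00,65,00,25,00,00,00
"""


def _hex_bytes(data):
    """'25,00,75,...' -> bytes."""
    return bytes(int(b, 16) for b in data.split(",") if b.strip())


def decode_value(data):
    """Turn the right-hand side of a name=data line into (type, Python value)."""
    if data.startswith('"'):                      # REG_SZ with \" and \\ escapes
        return "REG_SZ", data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    if data.startswith("hex:"):
        return "REG_BINARY", _hex_bytes(data[4:])
    m = re.match(r"hex\(([0-9a-fA-F]+)\):(.*)", data)
    if m:
        kind, raw = int(m.group(1), 16), _hex_bytes(m.group(2))
        if kind == 2:    # REG_EXPAND_SZ: UTF-16LE, NUL terminated
            return "REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\x00")
        if kind == 7:    # REG_MULTI_SZ: NUL separated, double NUL terminated
            return "REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\x00") if s]
        return "hex(%x)" % kind, raw
    raise ValueError("unrecognised value syntax: " + data)


def parse_reg(text):
    """Return {key path: {value name: (type, value)}}; "@" becomes "(Default)"."""
    # A trailing backslash continues the data on the next line, whose leading
    # whitespace is layout rather than data.
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    result, key = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        result.setdefault(key, {})[name] = decode_value(data)
    return result


def expand_percent(value, env):
    """Expand %NAME% references the way Explorer does for REG_EXPAND_SZ
    (names are case-insensitive; unknown names are left as written)."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), value)


if __name__ == "__main__":
    for key, values in parse_reg(REG_TEXT).items():
        for name, (kind, value) in values.items():
            print(key, name, kind, repr(value))
    # Constructed environment: shows the label a user would see.
    print(expand_percent("%username% @ %computername%",
                         {"USERNAME": "bart", "COMPUTERNAME": "WS01"}))
```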


RE: [ActiveDir] Add Computer to Domain

2005-02-14 Thread Salandra, Justin A.
I could follow method three couldn't I?  I could remove Authenticated
Users and add in my Helpdesk Staff Security Group into the DDC GPO
Policy and then modify this default setting to enable them to add many
computers to the domain.  

Someone please check my logic here.  Thanks

http://support.microsoft.com/kb/251335/EN-US/


Method 3: Override the Default Limit of the Number of Computers an
Authenticated User Can Join to a Domain

You can override the default limit, using either of the following methods:
* Use the Ldp (Ldp.exe) tool included in the Microsoft Windows 2000
  Resource Kit.
* Use an Active Directory Services Interface (ADSI) script to increase
  or decrease the value of the Active Directory ms-DS-MachineAccountQuota
  attribute. To do this:
  1. Install the Windows 2000 Support tools if they have not already been
     installed. To install these tools, run Setup.exe from the Support\Tools
     folder on the Windows 2000 Server or the Windows 2000 Professional
     CD-ROM.
  2. Run Adsiedit.msc as an administrator of the domain.
  3. Expand the Domain NC node. This node contains an object that begins
     with "DC=" and reflects the correct domain name. Right-click this
     object, and then click Properties.
  4. In the Select which properties to view box, click Both.
  5. In the Select a property to view box, click ms-DS-MachineAccountQuota.
  6. In the Edit Attribute box, type a number. This number represents the
     number of workstations that you want users to be able to maintain
     concurrently.
  7. Click Set, and then click OK.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Sunday, February 13, 2005 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

To delegate the permissions -> yes

I would, however, consider removing authenticated users from the privilege
"add workstations to domain" in the DDC GPO

Greetz
Jorge 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Friday, February 11, 2005 16:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

So I would have to use the delegation wizard at the OU level to add
workstations to the domain and ignore the user rights assignments at the DC
Level?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida
Pinto
Sent: Thursday, February 10, 2005 3:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain


Justin,

The "Add workstations to domain" user right (configured at DC level) by
default assigns each authenticated user the right to add 10 computers
(default configured quota for this) to the domain. Those computers will be
placed in the COMPUTERS CONTAINER and the default owner is "Domain Admins".
However, users can be granted an unlimited number of computers they can add
to the domain if the permission has been granted to those users on a certain
OU, independently of whether the user right "add workstations to domain" has
been granted or not. The owner of the latter objects will be the accounts
that created them.
Most of the time it is not acceptable that users add computers to the domain
just like that. In the environment I created the design for, I removed
authenticated users from the user right, created a global group and granted
that global group permissions over a certain OU to create computer accounts.

If I'm correct, the computer accounts need to be created first and then you
can join the computer to the domain (as with the join dialog box there is no
possibility to specify an OU), and with tools (e.g. NETDOM) where you have
the possibility to directly add a computer, I presume it is possible to do
this without first creating the computer account.

Cheers,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Wednesday, February 09, 2005 19:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Add Computer to Domain

If I wanted to grant a group the rights to join computers to the domain,
should I configure the User Assignment setting of a GPO to do that, and if so
should I create that GPO on the OU I want them to join computers to, or do I
have to do it at the domain level or within the Domain Controllers Policy?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]



[ActiveDir] Extend This!

2005-02-14 Thread Myrick, Todd (NIH/CC/DNA)

Dude,

I love the marketing T-shirt for your new GPO tool, how did you get that by?

Todd


RE: [ActiveDir] [Dreadfully OT]: Interesting little tidbit....

2005-02-14 Thread Mulnick, Al
I suppose the part that gets me, is the what would you use it for?  I'm not
seeing the application of such a concept exactly.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 14, 2005 2:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Dreadfully OT]: Interesting little tidbit

Actually, my malady is contagious :)
 
It's 4.7MB. I did not want to believe it would be that small when I first
look at it, that was why I was confused. But, from what I am reading, I can
see it's so small.
 
By the way, this does not appear to me to be any different from running
LINUX under a typical VM environment. So, what's new or so cool about that?
I guess I should play first before blabbing, eh? :). Downloading the Debian
image now.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Sun 2/13/2005 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Dreadfully OT]: Interesting little tidbit



Hallucination.  It's a 47MB compressed file system image...  Nowhere
near as imposing as it looks.  It's in bytes - not Kbytes...  ;-)

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, February 13, 2005 5:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Dreadfully OT]: Interesting little tidbit

I looked at it, and my eyes (almost) popped out. Is that really a 4.7Gig
distro, or am I hallucinating - again? :)


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Sun 2/13/2005 1:08 PM
To: ActiveDir@mail.activedir.org; 'MVP Security Discussion'
Subject: [ActiveDir] [Dreadfully OT]: Interesting little tidbit



If you haven't looked at this yet - you really NEED to.   I have it
installed, working and am getting ready to toss X on, and get it
functioning.

This is one of those things that comes along and you look at it and think,
"Huh  that's really SUPER cool."

Check it out... it's worth the time.

http://www.colinux.org

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food







RE: [ActiveDir] Add Computer to Domain

2005-02-14 Thread Jorge de Almeida Pinto
 
Yep, that's one way to do it. I myself would prefer to remove Authenticated
Users from the DDC GPO, create a group and assign that group permissions on
the OU where the accounts should remain, and additionally (if needed)
redirect computer account creation to that one OU (as mentioned in
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/deployguide/en-us/dssbf_upwn_pyog.asp)

Cheers
jorge
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Monday 14 February 2005 15:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

I could follow method three couldn't I?  I could remove Authenticated Users
and add in my Helpdesk Staff Security Group into the DDC GPO Policy and then
modify this default setting to enable them to add many computers to the
domain.  

Someone please check my logic here.  Thanks

http://support.microsoft.com/kb/251335/EN-US/


Method 3: Override the Default Limit of the Number of Computers an
Authenticated User Can Join to a Domain

You can override the default limit, using either of the following methods:
* Use the Ldp (Ldp.exe) tool included in the Microsoft Windows 2000
  Resource Kit.
* Use an Active Directory Services Interface (ADSI) script to increase or
  decrease the value of the Active Directory ms-DS-MachineAccountQuota
  attribute. To do this:
  1. Install the Windows 2000 Support tools if they have not already been
     installed. To install these tools, run Setup.exe from the Support\Tools
     folder on the Windows 2000 Server or the Windows 2000 Professional
     CD-ROM.
  2. Run Adsiedit.msc as an administrator of the domain.
  3. Expand the Domain NC node. This node contains an object that begins
     with "DC=" and reflects the correct domain name. Right-click this
     object, and then click Properties.
  4. In the Select which properties to view box, click Both.
  5. In the Select a property to view box, click ms-DS-MachineAccountQuota.
  6. In the Edit Attribute box, type a number. This number represents the
     number of workstations that you want users to be able to maintain
     concurrently.
  7. Click Set, and then click OK.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Sunday, February 13, 2005 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

To delegate the permissions -> yes

I would, however, consider removing authenticated users from the privilege
"add workstations to domain" in the DDC GPO

Greetz
Jorge 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, February 11, 2005 16:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

So I would have to use the delegation wizard at the OU level to add
workstations to the domain and ignore the user rights assignments at the DC
Level?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Thursday, February 10, 2005 3:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain


Justin,

The "Add workstations to domain" user right (configured at DC level) by
default assigns each authenticated user the right to add 10 computers
(default configured quota for this) to the domain. Those computers will be
placed in the COMPUTERS CONTAINER and the default owner is "Domain Admins".
However, users can be granted an unlimited number of computers they can add
to the domain if the permission has been granted to those users on a certain
OU, independently of whether the user right "add workstations to domain" has
been granted or not. The owner of the latter objects will be the accounts
that created them.
Most of the time it is not acceptable that users add computers to the domain
just like that. In the environment I created the design for, I removed
authenticated users from the user right, created a global group and granted
that global group permissions over a certain OU to create computer accounts.

If I'm correct, the computer accounts need to be created first and then you
can join the computer to the domain (as with the join dialog box there is no
possibility to specify an OU), and with tools (e.g. NETDOM) where you have
the possibility to directly add a computer, I presume it is possible to do
this without first creating the computer account.

Cheers,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, February 09, 2005 19:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Add Computer to Domain

If I wanted to grant a group the rights to join computers to the domain
should I configure the User Assignment setting of a GPO to do that and if so
should I create that GPO on the OU I want them to 
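Jorge's distinction between quota joins (landing in the Computers container, owned by Domain Admins) and delegated joins (owned by the creating account) leaves a trace that can be audited. The Python below is an added example, not code from the thread or from KB 251335: its COMPUTERS list is a constructed stand-in for an LDAP search result with invented SIDs, and it assumes the documented behaviour that Active Directory stamps mS-DS-CreatorSID only on computer objects created under the machine account quota.

```python
"""Audit which computer accounts were created through the machine account
quota.  When a user joins a computer under the "Add workstations to domain"
right rather than explicit create-child permission on an OU, Active Directory
stamps the user's SID in the object's mS-DS-CreatorSID attribute and counts
those objects against ms-DS-MachineAccountQuota (assumed behaviour, see the
lead-in); accounts created by a delegated group carry no creator SID."""
from collections import defaultdict

DEFAULT_QUOTA = 10                # ms-DS-MachineAccountQuota default on the domain NC
DEFAULT_CONTAINER = "CN=Computers,DC=test,DC=com"   # constructed domain

# Constructed sample of computer objects: dn and mS-DS-CreatorSID ("" when the
# attribute is absent).  All SIDs and names are invented.
COMPUTERS = [
    {"dn": "CN=WS01,CN=Computers,DC=test,DC=com", "mS-DS-CreatorSID": "S-1-5-21-1-2-3-1105"},
    {"dn": "CN=WS02,CN=Computers,DC=test,DC=com", "mS-DS-CreatorSID": "S-1-5-21-1-2-3-1105"},
    {"dn": "CN=WS03,CN=Computers,DC=test,DC=com", "mS-DS-CreatorSID": "S-1-5-21-1-2-3-1105"},
    {"dn": "CN=WS04,CN=Computers,DC=test,DC=com", "mS-DS-CreatorSID": "S-1-5-21-1-2-3-1106"},
    {"dn": "CN=WS05,OU=Site01,DC=test,DC=com", "mS-DS-CreatorSID": ""},
    {"dn": "CN=WS06,OU=Site01,DC=test,DC=com", "mS-DS-CreatorSID": ""},
    {"dn": "CN=WS07,OU=Site01,DC=test,DC=com", "mS-DS-CreatorSID": "S-1-5-21-1-2-3-1106"},
]


def quota_joins(computers):
    """Map each creator SID to the computers that user joined via the quota."""
    joins = defaultdict(list)
    for c in computers:
        if c.get("mS-DS-CreatorSID"):
            joins[c["mS-DS-CreatorSID"]].append(c["dn"])
    return dict(joins)


def remaining_quota(computers, quota=DEFAULT_QUOTA):
    """How many more joins each quota user can still make (0 = exhausted)."""
    return {sid: max(quota - len(dns), 0) for sid, dns in quota_joins(computers).items()}


def delegated_joins(computers):
    """Computers created without a creator SID, i.e. by explicit permission."""
    return [c["dn"] for c in computers if not c.get("mS-DS-CreatorSID")]


def quota_joins_outside(computers, container=DEFAULT_CONTAINER):
    """Quota-path objects no longer under the default (or redirected)
    container: machines a user joined that were later moved elsewhere."""
    suffix = "," + container.lower()
    return [c["dn"] for c in computers
            if c.get("mS-DS-CreatorSID") and not c["dn"].lower().endswith(suffix)]


def audit(computers, quota=DEFAULT_QUOTA, container=DEFAULT_CONTAINER):
    """Summary for a reviewer: how much of the domain was joined by ordinary
    users under the right versus by the delegated group."""
    joins = quota_joins(computers)
    left = remaining_quota(computers, quota)
    return {
        "quota_path_count": sum(len(v) for v in joins.values()),
        "quota_users": sorted(joins),
        "exhausted": sorted(sid for sid, n in left.items() if n == 0),
        "moved_after_join": quota_joins_outside(computers, container),
        "delegated_path_count": len(delegated_joins(computers)),
    }


if __name__ == "__main__":
    for k, v in audit(COMPUTERS).items():
        print(k, v)
```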

RE: [ActiveDir] Add Computer to Domain

2005-02-14 Thread Salandra, Justin A.
That is also a possibility, however I have multiple domains and
workstations exist in different OU's.  If I was to go through the
process of creating an OU and delegating authority, why not just remove
authenticated users, add in the group I want into the DDC GPO and then
modify the quota so they create accounts in the computer container.
Either way the computer accounts still have to be moved.

Thanks for your help.

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Monday, February 14, 2005 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

Yep, that's one way to do it. I myself would prefer to remove Authenticated
Users from the DDC GPO, create a group and assign that group permissions on
the OU where the accounts should remain and additionally (if needed)
redirect computer account creation to that one OU (as mentioned in
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/deployguide/en-us/dssbf_upwn_pyog.asp)

Cheers
jorge
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: maandag 14 februari 2005 15:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

I could follow method three couldn't I?  I could remove Authenticated Users
and add in my Helpdesk Staff Security Group into the DDC GPO Policy and then
modify this default setting to enable them to add many computers to the
domain.

Someone please check my logic here.  Thanks

http://support.microsoft.com/kb/251335/EN-US/


Method 3: Override the Default Limit of the Number of Computers an
Authenticated User Can Join to a Domain

You can override the default limit using either of the following methods:

* Use the Ldp (Ldp.exe) tool included in the Microsoft Windows 2000 Resource
  Kit.
* Use an Active Directory Services Interface (ADSI) script to increase or
  decrease the value of the Active Directory ms-DS-MachineAccountQuota
  attribute. To do this:

1. Install the Windows 2000 Support tools if they have not already been
   installed. To install these tools, run Setup.exe from the Support\Tools
   folder on the Windows 2000 Server or the Windows 2000 Professional CD-ROM.
2. Run Adsiedit.msc as an administrator of the domain.
3. Expand the Domain NC node. This node contains an object that begins with
   "DC=" and reflects the correct domain name. Right-click this object, and
   then click Properties.
4. In the Select which properties to view box, click Both.
5. In the Select a property to view box, click ms-DS-MachineAccountQuota.
6. In the Edit Attribute box, type a number. This number represents the
   number of workstations that you want users to be able to maintain
   concurrently.
7. Click Set, and then click OK.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida
Pinto
Sent: Sunday, February 13, 2005 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

To delegate the permissions -> yes

I would, however, consider removing authenticated users from the privilege
"add workstations to domain" in the DDC GPO

Greetz
Jorge 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Friday, February 11, 2005 16:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

So I would have to use the delegation wizard at the OU level to add
workstations to the domain and ignore the user rights assignments at the DC
Level?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida
Pinto
Sent: Thursday, February 10, 2005 3:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain


Justin,

The "Add workstations to domain" user right (configured at DC level) by
default assigns each authenticated user the right to add 10 computers
(default configured quota for this) to the domain. Those computers will be
placed in the COMPUTERS CONTAINER and the default owner is "Domain Admins".
However users can be granted an unlimited number of computers they can add
to the domain if the permission has been granted to those users on a certain
OU, independently of the user right "add workstations to domain" has been
granted or not. The owner of the latter objects will be the accounts that
created them.
Most of the time it is not acceptable that users add computers to the domain
just like that. In the environment I created the design for, I removed
authenticated users from the user right, created a global group and granted
that global group permissions over a ce

RE: [ActiveDir] AdFind V01.26.00 and general news

2005-02-14 Thread Mulnick, Al
"I guess one question I have in the realm of those apps is... How important
is a pretty GUI to you versus an app that works well and has good
performance? And do you really mean it? What I mean by that is when you look
at an app do you make any decisions about it because it is pretty before
actually running it in a lab and throwing a network sniffer at it to look at
what it is doing?"


From what I've seen, decisions are made several ways: 1) does it do what I
need it to do/want it to do? 2) can my dumbest consumer of this concept do
it unsupervised (opens a whole can of worms, I know.. :) 3) will my company
purchasing policy support getting it and 4) would I be able to do it
in-house with same or better results faster and cheaper?

There's always 5) did the sales rep play golf with the CIO? But who really
counts that, right? 

Personally, I don't give a flip about the GUI for most apps.  Some apps need
it when they display complicated concepts that lead to a manual decision
being made. Most of the widget utilities don't need that and I could
personally care less if they have one. In fact, for many I prefer not to
have them especially if a repeatable process needs to be done.  Your
utilities are usually in the latter category and work well with repeatable
processes meaning that GUI is not wanted/desired. Being able to use them in
a script/batch and rely on them for quality is far more important to me.  

That said, I think you have a good idea if you go after the expense account
crowd and keep some of the free-ware stuff around as well.  Seems a workable
model. 

As for me, I guess I'll go update a few versions of adfind :)

Al



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, February 12, 2005 1:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AdFind V01.26.00 and general news

Howdy.

Just wanted to let you all know I updated AdFind. The latest version is
V01.26.00. I know I said I wasn't going to update the version 1 code base
anymore but due to a bug fix in Windows Server 2003 SP1 a bug popped up in
AdFind. I chose to dust off the code and implement the fix versus waiting
for Version 2.0.0. Since I did that, I also fixed a couple of other bugs I
found and worked in some additional functionality I wanted added,
functionality that I think many will go "whoah, that is cool" about.


In general news, I have completed most of the code rewrite of my backend
modules. This included adding more functionality to them, looking for the
umpteenth time for leaks and/or security bugs, working towards having good
UNICODE support. I have to say that UNICODE and command line do not
necessarily work well together. There is a lot of pain in that area. The
hope is that the new modules will handle UNICODE better than it is currently
handled.

The rewrite of these new modules also helped me standardize some of the
internal naming and remove some complexity which is always a good thing.
Complexity is a serious contributor to chaos and supportability issues.

The hope is now that I will be in a good position to write some tools and
solutions that I will sell for some moderate price. I am constantly
bombarded by software out there that is less than optimal but people are
paying incredible amounts of money for it anyway due to the lack of anything
else. I am wondering if I can put myself into a semi-retirement position
putting out good software for moderate amounts of money. I would love to be
in a position where I do joeware full time and full time is defined as how
much time I want to spend on it and play the rest of the time. 

What is the difference between incredible amounts versus moderate amounts?
Well I don't intend, at least initially, to charge anyone millions of
dollars for any of the programs. I would be incredibly shocked in myself if
I charged hundreds of thousands of dollars for any of the programs. I
visualize things more in the $100-$5000 range; the kind of range people in
companies can expense on their Corporate AmEX card easily. I recall many a
time I have been in meetings where we would have taken apps if we could do
that instead of trying to force a multimillion dollar or multi hundred
thousand dollar PO through the system.

We shall see how it all pans out and what I actually create. Time to dig
into my big folder of ideas I have been working on and collecting for years
and years. I don't know what I will create right now as the first app, but I
expect it will be related to Active Directory. :o)  Don't worry Tony, once I
start charging I won't advertise here on the list. ;o)

I guess one question I have in the realm of those apps is... How important
is a pretty GUI to you versus an app that works well and has good
performance? And do you really mean it? What I mean by that is when you look
at an app do you make any decisions about it because it is pretty before
actually running it in a lab and throwing a network sniffer at it 

[ActiveDir] computers in active directory

2005-02-14 Thread Grumpy Nounet
Hello,
I'm studying a computer network using active directory to authenticate the 
users.

I noticed that all the computers of the domain are listed in the directory, 
and I wonder if this has something to do with authentication.

I did not find it on the Internet, I hope someone will be able to help me 
here...

grumpy
PS: sorry for my English speaking

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] OT:Exchange 2003 TCP 18053

2005-02-14 Thread Pelle, Joe
Hello!

When I do a netstat -an on my Exchange 2003 server I see a lot of connections
on TCP 18053.  All of our email clients connect to this Exchange server and
just about all of them appear to have a connection via this port.  No one
seems to have any idea what that traffic could be...

Does anyone have any ideas?

Any help or insight is greatly appreciated!

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may have included proprietary or protected information.  This
message and the information contained herein are not to be further
communicated without my express written consent.

RE: [ActiveDir] Add Computer to Domain

2005-02-14 Thread David Cliffe
Just FYI -

We redirected our default "computer creation" OU.  The nice side
effect being that we can now apply policy to that OU (as opposed to the
built-in container, where you cannot).

Thanks...

-DaveC
Reuters America

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, February 14, 2005 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

That is also a possibility, however I have multiple domains and
workstations exist in different OU's.  If I was to go through the
process of creating an OU and delegating authority, why not just remove
authenticated users, add in the group I want into the DDC GPO and then
modify the quota so they create accounts in the computer container.
Either way the computer accounts still have to be moved.

Thanks for your help.

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Monday, February 14, 2005 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

Yep, that's one way to do it. I myself would prefer to remove
Authenticated Users from the DDC GPO, create a group and assign that
group permissions on the OU where the accounts should remain and
additionally (if needed) redirect computer account creation to that one
OU (as mentioned in
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/deployguide/en-us/dssbf_upwn_pyog.asp)

Cheers
jorge
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: maandag 14 februari 2005 15:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

I could follow method three couldn't I?  I could remove Authenticated
Users and add in my Helpdesk Staff Security Group into the DDC GPO
Policy and then modify this default setting to enable them to add many
computers to the domain.  

Someone please check my logic here.  Thanks

http://support.microsoft.com/kb/251335/EN-US/


Method 3: Override the Default Limit of the Number of Computers an
Authenticated User Can Join to a Domain

You can override the default limit using either of the following methods:

* Use the Ldp (Ldp.exe) tool included in the Microsoft Windows 2000 Resource
  Kit.
* Use an Active Directory Services Interface (ADSI) script to increase or
  decrease the value of the Active Directory ms-DS-MachineAccountQuota
  attribute. To do this:

1. Install the Windows 2000 Support tools if they have not already been
   installed. To install these tools, run Setup.exe from the Support\Tools
   folder on the Windows 2000 Server or the Windows 2000 Professional CD-ROM.
2. Run Adsiedit.msc as an administrator of the domain.
3. Expand the Domain NC node. This node contains an object that begins with
   "DC=" and reflects the correct domain name. Right-click this object, and
   then click Properties.
4. In the Select which properties to view box, click Both.
5. In the Select a property to view box, click ms-DS-MachineAccountQuota.
6. In the Edit Attribute box, type a number. This number represents the
   number of workstations that you want users to be able to maintain
   concurrently.
7. Click Set, and then click OK.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Sunday, February 13, 2005 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

To delegate the permissions -> yes

I would, however, consider removing authenticated users from the
privilege "add workstations to domain" in the DDC GPO

Greetz
Jorge 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Friday, February 11, 2005 16:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

So I would have to use the delegation wizard at the OU level to add
workstations to the domain and ignore the user rights assignments at the
DC Level?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Thursday, February 10, 2005 3:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain


Justin,

The "Add workstations to domain" user right (configured at DC level) by
default assigns each authenticated user the right to add 10 computers
(default configured quota for this) to the domain. Those computers will
be placed in the COMPUTERS CONTAINER and the default owner is "Domain
Admins".
However users can be granted an unlimited number of computers they can
add to the domain if the permission
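Pulling together what Jorge describes (the "Add workstations to domain" right plus the default quota of 10, versus delegated create rights on an OU), the KB 251335 procedure for ms-DS-MachineAccountQuota quoted in this thread, and Dave's redirected default computer container, here is an audit script. It is added for this page and is not code from anyone on the list. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined admin workstation, and it relies on the mS-DS-CreatorSID attribute, which AD stamps on computer objects that were created under the quota rather than through delegated permissions; the -TightenQuota switch name is my own.

```powershell
# Added example (not from the list thread): audit how computer accounts get
# into the domain, then optionally stop relying on the quota.
param(
    [switch]$TightenQuota   # when set, lower ms-DS-MachineAccountQuota to 0
)
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainObj = Get-ADObject -Identity $domain.DistinguishedName `
    -Properties 'ms-DS-MachineAccountQuota', 'wellKnownObjects'

# 1. The quota Jorge and the KB article talk about (default 10).
$quota = $domainObj.'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

# 2. The user right itself (SeMachineAccountPrivilege) as applied on this host;
#    run on a DC to see what the Default Domain Controllers GPO left in effect.
#    S-1-5-11 is the well-known SID of Authenticated Users.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$right = Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege' |
    ForEach-Object Line
"Add workstations to domain: $right" +
    $(if ("$right" -match 'S-1-5-11') { '  (still includes Authenticated Users)' } else { '' })

# 3. Where quota joins land: the well-known Computers container. Its entry in
#    wellKnownObjects carries the documented GUID AA312825768811D1ADED00C04FD8D5CD;
#    after 'redircmp' it points at the redirected OU Dave mentions.
$computersEntry = $domainObj.wellKnownObjects |
    Where-Object { $_ -like 'B:32:AA312825768811D1ADED00C04FD8D5CD:*' }
"Default computer container = " + ($computersEntry -split ':', 4)[3]

# 4. Computer objects created through the quota carry mS-DS-CreatorSID, the
#    SID of the user who joined them. Delegated or admin-created objects do
#    not, so this lists exactly the quota joins and who made them.
$quotaJoins = Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' `
    -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        $sid = if ($raw -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        } else { [System.Security.Principal.SecurityIdentifier]$raw }
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # creator account may have been deleted
        [pscustomobject]@{
            Computer  = $_.Name
            CreatedBy = $who
            When      = $_.whenCreated
            DN        = $_.DistinguishedName
        }
    }
$quotaJoins | Sort-Object CreatedBy | Format-Table -AutoSize

# 5. Optionally do what the thread recommends: with the quota at 0, only
#    accounts holding delegated "Create Computer objects" rights on an OU
#    (or the user right without the quota check, i.e. admins) can join.
if ($TightenQuota) {
    Set-ADDomain -Identity $domain.DistinguishedName `
        -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    "Quota set to 0; joins now require delegated permissions on an OU."
}
```

Run it read-only first. The quota-join list is the population that will be stranded in the default container once the quota is 0, so move those objects into the delegated OU (and fix their ownership) before tightening; step 2 only reflects the DDC GPO when the script runs on a domain controller.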

RE: [ActiveDir] OT:Exchange 2003 TCP 18053

2005-02-14 Thread Tony Murray
Could be that you have a statically mapped port assignment for a particular
service (NSPI Proxy, IS, SRS, etc.).  Check out the following article.  You
can then look for the corresponding registry entries.

http://support.microsoft.com/kb/270836

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: 14 February 2005 16:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:Exchange 2003 TCP 18053

Hello!

When I do a netstat -an on my Exchange 2003 server I see a lot of connections
on TCP 18053.  All of our email clients connect to this Exchange server and
just about all of them appear to have a connection via this port.  No one
seems to have any idea what that traffic could be...

Does anyone have any ideas?

Any help or insight is greatly appreciated!

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may have included proprietary or protected information.  This
message and the information contained herein are not to be further
communicated without my express written consent.

RE: [ActiveDir] computers in active directory

2005-02-14 Thread Gil Kirkpatrick
Domain-member computers are security principals in Windows networks, which 
means they have names in Active Directory, and authenticate to Active Directory 
when they boot up.
 
-gil



From: [EMAIL PROTECTED] on behalf of Grumpy Nounet
Sent: Mon 2/14/2005 8:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] computers in active directory



Hello,

I'm studying a computer network using active directory to authenticate the
users.

I noticed that all the computers of the domain are listed in the directory,
and I wonder if this has something to do with authentication.

I did not find it on the Internet, I hope someone will be able to help me
here...


grumpy


PS: sorry for my English speaking


Re: [ActiveDir] computers in active directory

2005-02-14 Thread Tomasz Onyszko
Grumpy Nounet wrote:
Hello,
I'm studying a computer network using active directory to authenticate 
the users.

I noticed that all the computers of the domain are listed in the 
directory, and I wonder if this has something to do with authentication.

I did not find it on the Internet, I hope someone will be able to help 
me here...
The computer account enables a computer to authenticate against AD and to 
participate as a member in a domain. You have to remember that in AD a 
computer account is also a security principal, which means that you can 
assign permissions to the computer account - to do that it has to have 
an account in a domain.
To authenticate users against AD and process scripts and GPOs the computer 
also has to be a member of a domain, thus it has to have an account 
(a user is able to authenticate against AD and gain access to the domain 
resources even from a computer which is not a part of a domain when 
the user supplies correct domain credentials).

So you can say - yes, computer accounts have something to do with 
authentication in AD

--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl
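To make Gil's and Tomasz's point concrete (a computer account is a security principal with its own SID and its own password, which the machine uses to authenticate to the domain at boot), here is an added check that is not from the thread. It assumes the ActiveDirectory module; Windows rotates the machine account password every 30 days by default, so a computer whose password has not changed for much longer is no longer authenticating, and the 90-day threshold below is my own choice rather than a Windows default.

```powershell
# Added example (not from the list thread): list computer accounts, showing
# the principal attributes a user account would also have (SID, password age,
# last logon), and flag the ones whose machine password has gone stale.
Import-Module ActiveDirectory

function Get-StaleComputerAccounts {
    param([int]$MaxPasswordAgeDays = 90)   # assumed threshold, not a default
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

    Get-ADComputer -Filter * -Properties pwdLastSet, lastLogonTimestamp, operatingSystem |
        ForEach-Object {
            # pwdLastSet is a FILETIME; 0 means the password was never set,
            # which FromFileTime turns into 1601 and so counts as stale.
            $pwdSet = [DateTime]::FromFileTime($_.pwdLastSet)
            # lastLogonTimestamp replicates lazily (up to 14 days behind), so it
            # is a coarse signal; the password age is the more reliable one.
            $lastLogon = if ($_.lastLogonTimestamp) {
                [DateTime]::FromFileTime($_.lastLogonTimestamp)
            } else { $null }
            [pscustomobject]@{
                Name            = $_.Name
                SID             = $_.SID.Value   # the principal's identity
                Enabled         = $_.Enabled
                OS              = $_.operatingSystem
                PasswordLastSet = $pwdSet
                LastLogon       = $lastLogon
                Stale           = ($pwdSet -lt $cutoff)
            }
        } | Where-Object { $_.Stale }
}

Get-StaleComputerAccounts | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

Stale accounts matter for the same reason stale user accounts do: the object still carries a SID that may sit in ACLs and group memberships, and its password is the one credential nobody is rotating, so disable them and move them to a quarantine OU before deleting.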


RE: [ActiveDir] computers in active directory

2005-02-14 Thread Za Vue
This forum may be a little hard for you to comprehend. Maybe you need to go
buy some "Complete Idiot's Guide" books.

Z.V.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grumpy Nounet
Sent: Monday, February 14, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] computers in active directory

Hello,

I'm studying a computer network using active directory to authenticate the
users.

I noticed that all the computers of the domain are listed in the directory,
and I wonder if this has something to do with authentication.

I did not find it on the Internet, I hope someone will be able to help me
here...


grumpy


PS: sorry for my English speaking



RE: [ActiveDir] OT:Exchange 2003 TCP 18053

2005-02-14 Thread Pelle, Joe
Tony,

Thanks for the quick response!  It doesn't appear that we have a static port
assigned though.

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may have included proprietary or protected information.  This
message and the information contained herein are not to be further
communicated without my express written consent.

From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Monday, February 14, 2005 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 TCP 18053

Could be that you have a statically mapped port assignment for a particular
service (NSPI Proxy, IS, SRS, etc.).  Check out the following article.  You
can then look for the corresponding registry entries.

http://support.microsoft.com/kb/270836

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: 14 February 2005 16:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:Exchange 2003 TCP 18053

Hello!

When I do a netstat -an on my Exchange 2003 server I see a lot of connections
on TCP 18053.  All of our email clients connect to this Exchange server and
just about all of them appear to have a connection via this port.  No one
seems to have any idea what that traffic could be...

Does anyone have any ideas?

Any help or insight is greatly appreciated!

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may have included proprietary or protected information.  This
message and the information contained herein are not to be further
communicated without my express written consent.

RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-02-14 Thread Gil Kirkpatrick
Couldn't have said it better myself.
 
FWIW, I've already polled a sufficient sample re: a Joeware preso; there's 
plenty of interest. Even more important is the interests of those who have 
never heard of joeware.
 
And corporate affiliation doesn't matter either.
 
But I'm not paying for a cross-dresser, except as part of the entertainment at 
the reception. And you better be a damn good cross-dresser!
 
(sitting in Stockholm, no cellphone, no luggage, no jacket, it's snowing, dark, 
and cold. But at least I've got broadband... :)
 
-g



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Sun 2/13/2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada



Dissecting 

>>> It's Vancouver in March...
Yeah, so? Can't be much worse than MI in March.

>>> I am pretty tied up with 
Lame, so lame I'm tempted to not comment :) I am sure most presenters are in
the same boat. I am personally in that boat. I am not even sure HOW I will
get to DEC yet, because I am not sure which city I will find myself in around
that time. So, can't book a flight yet because I don't know where I would be
flying in from. So, there try something else :p

>>> There is also the whole issue of who do I go as?
I would think that going in as Joe would be sufficient. I already told you
this before - you don't seem to know how much regards you command within the
community. WRT who foots the bill, I'd assume that Gil is ponying up the
money either way (either as Joeware or JoeHP), so that should really not be a
factor. More so, I am sure Gil will be footing your bill even if you show up
as Joe-the-cross-dresser. But, I will let Gil speak for himself on that point
:)

>>> I am not an ethereal guru
I did not know that Gil was looking for gurus. I certainly I'm not a guru in
anything, and I would take a back seat to you any day when talking about
Exchange security. But, I am going, and you are not. So, there again :) Why
am I going? Because I think I have seen and done some things on Exchange
security that the attendees "MAY" be interested in listening to. I am
definitely not bringing anything revolutionary or earth-shattering. I am only
hoping that I will say something that will get some of the attendees to go
back to their bases and rethink what they have or implement something (if
they haven't). My position on conferences and teaching and stuff like this is
that I don't go there hoping to meet wizards and have them implant knowledge
into my medulla oblongata. I do not expect that most people go there for this
reason either. I think re-enforcement and pointers and things that get people
thinking carry much more weight than just looking to spoon-feed people
information. Are you expecting to transform the attendees into Ether-sniffing
K-9 in the span of 90 minutes? Wake up, Joe. So, I chalk this down to the
"Lame" category.

>>> Possibly Gil can take some informal poll at the event on who would like
to see a joeware presentation at a future event
Yeah, right. So that you could wiggle your way out of it again. You need no
poll, Joe. And I know that you know that I know that you knew that. Gil
already floated the idea, so I don't see the need to get Gallup involved at
this point.

>>> Interesting all the MVPs coming out of the woodwork saying they are going
now
They are probably signing up in large numbers, hoping their massive presence
will be enough reason to compel you to show up. Or they could be signing up
because they heard that Joe was there the last time around and they want to
be able to claim to have seen you in person. Look at it as a bribe, or
peer-pressure or something. They could also just be going for the beer, who
knows?



>>> Anyone who has knowledge on some of the more evil ways of breaking into a
forest try to keep mum
I can certainly say, with absolute truth, Boy Scout's honor, that I have no
clue what you are talking about. Yet, I am supposed to be a Security MVP :)
Ironic, uh? This is why I miss you, man. I remember you explaining 1B and 1C
records to me back in 99 and me looking at you like "WTF is he talking about?
what does this have to do with WINS?"


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Sun 2/13/2005 9:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada



LOL with all of you.

It's Vancouver in March... Even DC in March was pushing it, March is Louisiana
or Florida or Arizona or Texas. Seriously though, I am pretty tied up with a
customer right now with fun issues with Exchange and third party tools where
I am at the point of monitoring every change to all user objects as a
non-admin. There is also the whole issu

RE: [ActiveDir] computers in active directory [List Owner]

2005-02-14 Thread Tony Murray-Smith
Z.V.

That's not a helpful response and it's somewhat insulting. There's no
minimum level for questions on this list.  Remember that nearly all of us
started out with little or no knowledge of AD.

Tony 
ActiveDir List Owner

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: 14 February 2005 16:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] computers in active directory

This forum may be a little hard for you to comprehend. Maybe you need to go
buy some "Complete Idiot's Guide" books.

Z.V.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grumpy Nounet
Sent: Monday, February 14, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] computers in active directory

Hello,

I'm studying a computer network using active directory to authenticate the
users.

I noticed that all the computers of the domain are listed in the directory,
and I wonder if this has something to do with authentication.

I did not find it on the Internet, I hope someone will be able to help me
here...


grumpy


PS: sorry for my English speaking



RE: [ActiveDir] OT:Exchange 2003 TCP 18053

2005-02-14 Thread Mulnick, Al
Joe, can you confirm the app that's listening on that port?  

Do you have other applications on the client that might be using that port
to connect? 

What kind of traffic do you see destined for that port on the wire?

There's no set reason that port would be used out of the box that I'm aware
of other than just luck.

One other thing to check: Windows XP SP2/Ol2003 have a way to get around the
update port used without specifying the server to listen on a particular
port. This allows UDP notifications even with the firewall enabled.  What
they do is pre-seed the registration of the client for new mail notification
via GPO settings.  I haven't looked on the wire to see if the client will
poll the server on that same port in the case of not getting a new mail
notification after a certain amount of time, but I suppose that's possible.
It's supposed to result in the client listening on a predetermined UDP port
vs. talking to the server on a predetermined TCP port.





-ajm 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Monday, February 14, 2005 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 TCP 18053

Tony,

 

Thanks for the quick response!  It doesn't appear that we have a static port
assigned though.

 

Joe Pelle

Senior Infrastructure Architect

Information Technology

Valassis / IT

19975 Victor Parkway Livonia, MI 48152

Tel 734.591.7324  Fax 734.632.6151

[EMAIL PROTECTED]  

http://www.valassis.com/  

 

This message may have included proprietary or protected information.  This
message and the information contained herein are not to be further
communicated without my express written consent.

 



From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Monday, February 14, 2005 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 TCP 18053

 

Could be that you have a statically mapped port assignment for a particular
service (NSPI Proxy, IS, SRS, etc.).  Check out the following article.  You
can then look for the corresponding registry entries.

 

http://support.microsoft.com/kb/270836

 

Tony

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: 14 February 2005 16:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:Exchange 2003 TCP 18053

 

Hello! 

 

When I do a netstat -an on my Exchange 2003 server I see a lot of
connections on TCP 18053.  All of our email clients connect to this Exchange
server and just about all of them appear to have a connection via this port.
No one seems to have any idea what that traffic could be... 

 

Does anyone have any ideas?  

Any help or insight is greatly appreciated! 

 

Joe Pelle

Senior Infrastructure Architect

Information Technology

Valassis / IT

19975 Victor Parkway Livonia, MI 48152

Tel 734.591.7324  Fax 734.632.6151

[EMAIL PROTECTED]  

http://www.valassis.com/  

 


 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT:Exchange 2003 TCP 18053

2005-02-14 Thread Coleman, Hunter



Sounds like this is the port that Exchange has chosen for 
RPC traffic with the Outlook clients. Unless you make a registry change on the 
server, Exchange will pick ports above 1024 (more or less randomly) for RPC 
with clients. http://support.microsoft.com/kb/155831 has 
a passing mention of this.
 
Hunter


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Monday, February 14, 2005 8:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 TCP 18053


Tony,
 
Thanks for the quick 
response!  It doesn’t appear that we have a static port assigned 
though.
 

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/
 
 




From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Monday, February 14, 2005 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 TCP 18053
 
Could be that you have a statically mapped port assignment for a particular
service (NSPI Proxy, IS, SRS, etc.).  Check out the following article.  You can
then look for the corresponding registry entries.
 
http://support.microsoft.com/kb/270836
 
Tony
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pelle, Joe
Sent: 14 February 2005 16:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:Exchange 2003 TCP 18053
 
Hello! 
 
When I do a netstat -an on my Exchange 2003 server I see a lot of connections
on TCP 18053.  All of our email clients connect to this Exchange server and
just about all of them appear to have a connection via this port.  No one
seems to have any idea what that traffic could be…

 
Does anyone have any ideas?  

Any help or insight is greatly 
appreciated! 
 
Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/
 
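An added example, not from any poster in this thread, of the check the question calls for: `netstat -ano` (the `-o` column gives the owning PID) parsed per local port, so the connections on 18053 can be tied to one process and to how many distinct clients are behind them. The rows below are constructed sample data.

```powershell
# Added example (not from any poster): attribute the connections on one local
# TCP port to the process that owns them, using "netstat -ano" output.
# The rows below are constructed sample data; for a live server use
#   $lines = netstat -ano
# and pass $lines instead of $sampleNetstat.
$sampleNetstat = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    0.0.0.0:18053          0.0.0.0:0              LISTENING       1632
  TCP    10.0.0.5:18053         10.0.1.21:1245         ESTABLISHED     1632
  TCP    10.0.0.5:18053         10.0.1.22:3077         ESTABLISHED     1632
  TCP    10.0.0.5:18053         10.0.1.23:1098         ESTABLISHED     1632
  TCP    10.0.0.5:18053         10.0.1.23:1101         ESTABLISHED     1632
  TCP    10.0.0.5:445           10.0.1.22:3080         ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    720
'@ -split "`r?`n"

function Get-PortOwner {
    param(
        [Parameter(Mandatory)][string[]]$NetstatLines,
        [Parameter(Mandatory)][int]$Port,
        # Resolve PIDs with Get-Process only when running against live output;
        # on sample data the PIDs belong to whatever happens to run locally.
        [switch]$ResolveProcess
    )
    $rows = foreach ($line in $NetstatLines) {
        # TCP rows only: proto, local endpoint, foreign endpoint, state, owning PID
        if ($line -match '^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$') {
            $local = $matches[1]
            # The port follows the last colon, which also works for [ipv6]:port
            $localPort = [int]($local.Substring($local.LastIndexOf(':') + 1))
            if ($localPort -eq $Port) {
                [pscustomobject]@{
                    Local    = $local
                    Foreign  = $matches[2]
                    State    = $matches[3]
                    OwnerPid = [int]$matches[4]
                }
            }
        }
    }
    $rows | Group-Object OwnerPid | ForEach-Object {
        $ownerPid    = [int]$_.Name
        $proc        = if ($ResolveProcess) { Get-Process -Id $ownerPid -ErrorAction SilentlyContinue }
        $established = @($_.Group | Where-Object { $_.State -eq 'ESTABLISHED' })
        [pscustomobject]@{
            Port        = $Port
            OwnerPid    = $ownerPid
            Process     = if ($proc) { $proc.ProcessName } else { '(not resolved)' }
            Listening   = @($_.Group | Where-Object { $_.State -eq 'LISTENING' }).Count
            Established = $established.Count
            # Distinct remote addresses: many clients on one server port is what an
            # RPC endpoint serving Outlook looks like; one remote host holding many
            # connections would point at something else and deserves a closer look.
            RemoteHosts = @($established | ForEach-Object { ($_.Foreign -split ':')[0] } |
                            Sort-Object -Unique).Count
        }
    }
}

Get-PortOwner -NetstatLines $sampleNetstat -Port 18053 | Format-Table -AutoSize
```

On a live server add `-ResolveProcess` so the PID is turned into a process name, which is the quickest way to confirm the port belongs to the Exchange service rather than to something unexpected.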
 


[ActiveDir] override default domain policy

2005-02-14 Thread cflesher



I was in a meeting last week and the issue came up whether it is possible to
override the default domain policy and set policies on each domain. I always
understood that you couldn't do this. But if you block inheritance and apply
another policy on an OU, what happens? Furthermore, what is supposed to happen
if the default domain policy is disabled?
 
I'm going to test this, but it would be nice to hear from the experts. I did
look back in the archives for this list, but it seemed like there were mixed
feelings on the possibilities.
 
Thanks.
 
Chris Flesher
The University of Chicago
NSIT/DCS
(773)-834-8477
 


[ActiveDir] suggestions for tombstoned DC recovery?

2005-02-14 Thread Thommes, Michael M.
One of our admins restored a DC from a backup greater than 60 days old.
There are no newer backup copies.  Replication is not working - "Access
denied".  Also, the restored DC cannot be dcpromo'd out.  Rebuilding the
computer from scratch is not an option.  Repadmin and nltest operations
are unsuccessful.  Does anyone have any tricks up their sleeve for
getting this once-working DC to "play nice again"?  I keep thinking that
an nltest with a secure channel reset option, followed by a repadmin
operation with a force option using the one good DC as an authoritative
source - should be the answer.  But it doesn't seem to work.  Any help
is appreciated!  Thanks.

Mike Thommes


RE: [ActiveDir] suggestions for tombstoned DC recovery?

2005-02-14 Thread Mulnick, Al
Why is DCPROMO not an option? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, February 14, 2005 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] suggestions for tombstoned DC recovery?

One of our admins restored a DC from a backup greater than 60 days old.
There are no newer backup copies.  Replication is not working - "Access
denied".  Also, the restored DC cannot be dcpromo'd out.  Rebuilding the
computer from scratch is not an option.  Repadmin and nltest operations are
unsuccessful.  Does anyone have any tricks up their sleeve for getting this
once-working DC to "play nice again"?  I keep thinking that an nltest with a
secure channel reset option, followed by a repadmin operation with a force
option using the one good DC as an authoritative source - should be the
answer.  But it doesn't seem to work.  Any help is appreciated!  Thanks.

Mike Thommes


RE: [ActiveDir] override default domain policy

2005-02-14 Thread Darren Mar-Elia



In general, any GPO linked to the domain will have conflicting settings
overridden if a container (OU) down the tree sets Block Inheritance. The DDP
is no different. However, some policies, like account policy, will not be
affected by Block Inheritance on regular OUs since it will be processed by
domain controllers that (presumably) reside in the DC OU. If you were to set
Block Inheritance on the DC OU, that would be bad. Disabling the DDP is not bad
in and of itself, just not recommended. By default, this GPO delivers domain
account policy (if you don't have any other domain-linked GPOs doing this). So
disabling it without an alternative means that you have no way to centrally
manage account policy. In that case, whatever the default account policy is on
your DCs will be the one in effect--probably not a great thing. One thing I
have recommended in the past is, in whichever domain-linked GPO you implement
domain account policy, set that link as No Override (aka Enforced). That way
you always know that no matter what happens downstream, no one can futz up
your account policy.
 
Darren  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of cflesher
Sent: Monday, February 14, 2005 9:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] override default domain policy

I was in a meeting last week and the issue came up whether it is possible to
override the default domain policy and set policies on each domain. I always
understood that you couldn't do this. But if you block inheritance and apply
another policy on an OU, what happens? Furthermore, what is supposed to happen
if the default domain policy is disabled?
 
I'm going to test this, but it would be nice to hear from the experts. I did
look back in the archives for this list, but it seemed like there were mixed
feelings on the possibilities.
 
Thanks.
 
Chris Flesher
The University of Chicago
NSIT/DCS
(773)-834-8477
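An added example (not Darren's code and not Microsoft's) of auditing the recommendation above: it checks that the GPO carrying domain account policy is linked at the domain root with Enforced (No Override), that its computer settings are not disabled, and which OUs block inheritance, flagging the Domain Controllers OU. It assumes the GroupPolicy and ActiveDirectory PowerShell modules and that the Default Domain Policy is the GPO delivering account policy.

```powershell
# Added example (not Darren's code, not Microsoft's): audit the link that carries
# domain account policy. Assumes the GroupPolicy and ActiveDirectory modules
# (Windows Server 2008 R2 / RSAT or later).
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-AccountPolicyLink {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        # Assumption: the Default Domain Policy is the GPO that delivers account policy
        [string]$AccountPolicyGpo = 'Default Domain Policy'
    )
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    $findings = @()

    # 1. The domain-root link: present, enabled, and Enforced (No Override)
    $rootInheritance = Get-GPInheritance -Target $domainDn -Domain $Domain
    $link = $rootInheritance.GpoLinks | Where-Object { $_.DisplayName -eq $AccountPolicyGpo }
    if (-not $link) {
        $findings += "'$AccountPolicyGpo' is not linked at $domainDn"
    } else {
        if (-not $link.Enabled)  { $findings += "Link for '$AccountPolicyGpo' is disabled" }
        if (-not $link.Enforced) { $findings += "Link for '$AccountPolicyGpo' is not Enforced; Block Inheritance downstream can override it" }
    }

    # 2. GPO status: account policy lives in the computer half of the GPO, so a GPO
    #    with computer settings disabled delivers none of it
    $gpo = Get-GPO -Name $AccountPolicyGpo -Domain $Domain -ErrorAction SilentlyContinue
    if ($gpo -and ("$($gpo.GpoStatus)" -in @('ComputerSettingsDisabled', 'AllSettingsDisabled'))) {
        $findings += "'$AccountPolicyGpo' has computer settings disabled ($($gpo.GpoStatus))"
    }

    # 3. OUs with Block Inheritance. Only the Domain Controllers OU matters for
    #    account policy, since DCs are where it is processed; elsewhere it is informational.
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -Server $Domain) {
        $inh = Get-GPInheritance -Target $ou.DistinguishedName -Domain $Domain
        if ($inh.GpoInheritanceBlocked) {
            $severity = if ($inh.Path -like 'OU=Domain Controllers,*') { 'CRITICAL' } else { 'info' }
            $findings += "[$severity] Block Inheritance set on $($inh.Path)"
        }
    }

    [pscustomobject]@{
        Domain           = $Domain
        AccountPolicyGpo = $AccountPolicyGpo
        Enforced         = [bool]($link -and $link.Enforced)
        Findings         = $findings
    }
}

Test-AccountPolicyLink | Format-List
```

If the link comes back as not Enforced, `Set-GPLink -Name 'Default Domain Policy' -Target $domainDn -Enforced Yes` applies the No Override setting Darren describes.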
 


RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-02-14 Thread Fugleberg, David A



Careful, Gil...if they keep you there in those conditions long enough 
you'll start to identify with your captors and protect them (see Stockholm 
Syndrome).
 
Joe, 
you should be retained just for the entertainment value during breaks and such - 
I learned stuff just listening to you at the table last year (not necessarily 
AD-related, but entertaining nonetheless)
 
Seriously, some show and tell with the Joeware tools would easily be a 
hit - you could show some of us a thing or three about how to use the tools to 
find stuff, pipe the output to other tools, etc.  There's rarely a week 
that goes by on this list without somebody asking "how do I..." and getting an 
answer from you (or others !) that involves a joeware tool with a specific set 
of switches.
 
Sadly, 
I've not yet gotten approval to get there this year, but I'm working on 
it.
Dave

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  On Behalf Of Gil Kirkpatrick
  Sent: Monday, February 14, 2005 9:52 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada
  
  Couldn't have said it 
  better myself.
   
  FWIW, I've already polled a sufficient 
  sample re: a Joeware preso; there's plenty of interest. Even more important is 
  the interests of those who have never heard of joeware.
   
  And corporate affiliation doesn't matter 
  either.
   
  But I'm not paying for a cross-dresser, 
  except as part of the entertainment at the reception. And you better be a damn 
  good cross-dresser!
   
  (sitting in Stockholm, no cellphone, no 
  luggage, no jacket, its snowing, dark, and cold. But at least I've got 
  broadband... :)
   
  -g
  
  
  From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
  Sent: Sun 2/13/2005 4:01 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada
  
  Dissecting:

  >>> Its Vancouver in March...

  Yeah, so? Can't be much worse than MI in March.

  >>> I am pretty tied up with

  Lame, so lame I'm tempted to not comment :) I am sure most presenters are in
  the same boat. I am personally in that boat. I am not even sure HOW I will
  get to DEC yet, because I am not sure which city I will find myself in around
  that time. So, can't book a flight yet because I don't know where I would be
  flying in from. So, there try something else :p

  >>> There is also the whole issue of who do I go as?

  I would think that going in as Joe would be sufficient. I already told you
  this before - you don't seem to know how much regards you command within the
  community. WRT who foots the bill, I'd assume that Gil is ponying up the
  money either way (either as Joeware or JoeHP), so that should really not be a
  factor. More so, I am sure Gil will be footing your bill even if you show up
  as Joe-the-cross-dresser. But, I will let Gil speak for himself on that
  point :)

  >>> I am not an ethereal guru

  I did not know that Gil was looking for gurus. I certainly am not a guru in
  anything, and I would take a back seat to you any day when talking about
  Exchange security. But, I am going, and you are not. So, there again :) Why
  am I going? Because I think I have seen and done some things on Exchange
  security that the attendees "MAY" be interested in listening to. I am
  definitely not bringing anything revolutionary or earth-shattering. I am only
  hoping that I will say something that will get some of the attendees to go
  back to their bases and rethink what they have or implement something (if
  they haven't). My position on conferences and teaching and stuff like this is
  that I don't go there hoping to meet wizards and have them implant knowledge
  into my medulla oblongata. I do not expect that most people go there for this
  reason either. I think re-enforcement and pointers and things that get people
  thinking carry much more weight than just looking to spoon-feed people
  information. Are you expecting to transform the attendees into Ether-sniffing
  K-9 in the span of 90 minutes? Wake up, Joe. So, I chalk this down to the
  "Lame" category.

  >>> Possibly Gil can take some informal poll at the event on who would like
  >>> to see a joeware presentation at a future event

  Yeah, right. So that you could wiggle your way out of it again. You need no
  poll, Joe. And I know that you know that I know that you knew that. Gil
  already floated the idea, so I don't see the need to get Gallup involved at
  this point.

  >>> Interesting all the MVPs coming out of the woodwork saying they are going
  >>> now

  They are probably signing up in large numbers, hoping their massive presence
  will be enough reason to compel you to show up. Or they could be signing up
  because they heard that Joe was there the last time around and they want to
  be able to claim to have seen you in person. Look at it as a bribe, or
  peer-pressure or something. They could also just be going for the beer, who
  kno

[ActiveDir] remote control users desktop

2005-02-14 Thread Ben D. Kusa

I think I am missing something obvious. It looks like there is an option to
remote control a computer with Active Directory and it gives the option of
interacting with the user's session. I can never get it to interact with the
user's session; it always locks the user's screen and then gives me control.
I'm using the TS client to connect to the computer; should I be using some
other client to view their session? Or am I not going to be able to have an
interactive session?

 

Ben Kusa

Simpson Gumpertz Heger, Inc.

41 Seyon St

Building 1 Suite 500

Waltham, MA 02453

Main:   781-907-9000

Direct: 781-907-9256

Cell:    781-424-8148

Fax:    781-907-9009

 


RE: [ActiveDir] suggestions for tombstoned DC recovery?

2005-02-14 Thread Ruston, Neil
If a bare metal machine rebuild is not an option, then why not change the
tombstone period to >60 days and then restore your DC again? [i.e. if your
restore is 80 days old, then set the tombstone value to 81]

Modify the tombstonelifetime attribute value in
cn=DirectoryServices,cn=WindowsNT,cn=Services,cn=Configuration,dc=

Caveat: I'm not sure if this is possible, feasible or supported, but is the
only option I can see which meets all your (stringent) requirements :)

I would prefer to use dcpromo after having performed a metadata cleanup,
personally.


HTH,
neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: 14 February 2005 17:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] suggestions for tombstoned DC recovery?


One of our admins restored a DC from a backup greater than 60 days old. There
are no newer backup copies.  Replication is not working - "Access denied".
Also, the restored DC cannot be dcpromo'd out.  Rebuilding the computer from
scratch is not an option.  Repadmin and nltest operations are unsuccessful.
Does anyone have any tricks up their sleeve for getting this once-working DC
to "play nice again"?  I keep thinking that an nltest with a secure channel
reset option, followed by a repadmin operation with a force option using the
one good DC as an authoritative source - should be the answer.  But it doesn't
seem to work.  Any help is appreciated!  Thanks.

Mike Thommes

==
This message is for the sole use of the intended recipient. If you received
this message in error please delete it and notify us. If this message was
misdirected, CSFB does not waive any confidentiality or privilege. CSFB
retains and monitors electronic communications sent through its network.
Instructions transmitted over this system are not binding on CSFB until they
are confirmed by us. Message transmission is not guaranteed to be secure.
==

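An added example (not Neil's code) of the check behind his suggestion: read the forest's tombstoneLifetime from the Directory Service object he names and compare it with the backup's age before attempting a restore. It assumes the ActiveDirectory PowerShell module; the 80-day and 60-day figures at the bottom are constructed from the thread.

```powershell
# Added example (not Neil's code): is a backup still within the tombstone lifetime?
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later).
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    param([string]$Server)
    $rootDse = if ($Server) { Get-ADRootDSE -Server $Server } else { Get-ADRootDSE }
    # The object Neil refers to, under the Configuration naming context
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime
    # When the attribute is not set, the forest uses the original default of 60 days
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-BackupAge {
    param(
        [Parameter(Mandatory)][datetime]$BackupDate,
        [Parameter(Mandatory)][int]$TombstoneLifetimeDays,
        [datetime]$Now = (Get-Date)
    )
    $ageDays = [int][math]::Floor(($Now - $BackupDate).TotalDays)
    [pscustomobject]@{
        BackupAgeDays         = $ageDays
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        # A restore is only safe while the backup is younger than the tombstone
        # lifetime; otherwise deletions the restored DC never saw can come back
        # as lingering objects
        WithinLifetime        = $ageDays -lt $TombstoneLifetimeDays
    }
}

# Constructed figures from the thread: an 80-day-old backup against the 60-day default
Test-BackupAge -BackupDate (Get-Date).AddDays(-80) -TombstoneLifetimeDays 60

# Against a live forest (uncomment and fill in the real backup date):
# Test-BackupAge -BackupDate '2004-11-26' -TombstoneLifetimeDays (Get-TombstoneLifetimeDays)
```

Raising tombstoneLifetime after the fact does not bring back tombstones that garbage collection has already removed, so a backup that is already past the lifetime stays unsafe to restore; that is why the metadata-cleanup-and-dcpromo route Neil mentions is the safer one.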


Re: [ActiveDir] GPO design

2005-02-14 Thread Bart Vandyck
Hi Jorge,

Great input.. But do I understand you correctly that performance depends on
the number of different GPOs instead of the settings made by these GPOs?

rgds,

Bart


On Mon, 14 Feb 2005 10:47:43 +0100, Jorge de Almeida Pinto
<[EMAIL PROTECTED]> wrote:
> Hi,
> 
> Be careful with creating a GPO for each application. If you have a lot of
> apps and let's say all computers get those apps, then those workstations will
> go through each GPO and you may have performance issues. It may be
> better to consolidate several apps that have similar "characteristics" into
> one GPO.
> If within a GPO the computer or user configuration is NOT used (no settings
> defined), disable it accordingly. If it is disabled then it will not be
> processed, and that is good for performance!
> 
> The naming convention for GPOs I always use is:
> * GPO
> 
> Where:
>  = POL (policy settings) or SWD (software distribution)
>  = C (computer) or U (user) or B (both) this one also tells me which
> configuration is enabled without opening the GPO
>  = can be anything such as location, region, department, etc.
>  = what it is (e.g. default settings)
> 
> Examples:
> GPO_POL_C_Dept01_DefaultSettings
> GPO_SWD_U_Site01_AcrobatReader
> 
> As I think of it: don't go crazy on GPOs. GPOs provide lots of functionality
> but may also kill performance
> 
> Cheers,
> Jorge
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bart Vandyck
> Sent: maandag 14 februari 2005 10:22
> To: activedir@mail.activedir.org
> Subject: [ActiveDir] GPO design
> 
> Hi all,
> 
> I just wanted some feedback on this project I'm working on from people with
> real world knowledge.
> 
> We have AD in place with an OU structure. I've been asked to make a plan to
> implement GPOs in this organization. I was thinking about creating a GPO
> for each application we want to manage, in combination with each OU
> level.
>  For example:  GPO-Region-IE6-users
>   GPO-Region-WINXPSP1-machine
>  GPO-Site01-IE6-users
>  GPO-Site02-IE6-machine
>  GPO-Site01-winxpsp1-user
> 
> The site GPO will only be made, or in effect, if there is a need to overrule
> settings made on the region level.
> 
> Is this a maintainable solution or will this become too complex in the end?
> 
> Does anybody know of good descriptions or best practices for managing
> software with GPOs? I've seen lots of material about creating GPOs,
> troubleshooting them, etc., but haven't found real implementation case
> studies with advantages and disadvantages.
> 
> rgds,
> 
> Bart
> 
> This e-mail and any attachment is for authorised use by the intended 
> recipient(s) only. It may contain proprietary material, confidential 
> information and/or be subject to legal privilege. It should not be copied, 
> disclosed to, retained or used by, any other party. If you are not an 
> intended recipient then please promptly delete this e-mail and any attachment 
> and all copies and inform the sender. Thank you.


Re: [ActiveDir] remote control users desktop

2005-02-14 Thread Tomasz Onyszko
Ben D. Kusa wrote:
I think I am missing something obvious. It looks like there is an option 
to remote control a computer with Active Directory and it gives the 
option of interacting with the user's session. I can never get it to 
interact with the user's session; it always locks the user's screen and 
then gives me control. I'm using the TS client to connect to the 
computer; should I be using some other client to view their session? Or 
am I not going to be able to have an interactive session?

If you are connecting to Windows XP on the client side, this is expected 
behaviour: to share a session with the client you have to use the Remote 
Assistance tool.

--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl


RE: [ActiveDir] override default domain policy

2005-02-14 Thread Perdue David J Contr InDyne/Enterprise IT



Personally, instead of blocking the default domain policy I would create
separate policy objects with the settings that I wanted filtered/blocked.
But your "set policies on each domain" leads me to believe that there are
multiple domains in the forest involved here?  Domains by their nature have
different security policies.
 
//SIGNED//
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597    DSN: 276-4597

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of cflesher
Sent: Monday, February 14, 2005 09:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] override default domain policy

I was in a meeting last week and the issue came up whether it is possible to
override the default domain policy and set policies on each domain. I always
understood that you couldn't do this. But if you block inheritance and apply
another policy on an OU, what happens? Furthermore, what is supposed to happen
if the default domain policy is disabled?
 
I'm going to test this, but it would be nice to hear from the experts. I did
look back in the archives for this list, but it seemed like there were mixed
feelings on the possibilities.
 
Thanks.
 
Chris Flesher
The University of Chicago
NSIT/DCS
(773)-834-8477
 


RE: [ActiveDir] override default domain policy

2005-02-14 Thread cflesher



Well, I think faster than I type. What I meant to say is 
"set policies on each OU". I'm pretty sure that changes the response a little 
bit.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Perdue David J Contr InDyne/Enterprise IT
Sent: Monday, February 14, 2005 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] override default domain policy

Personally, instead of blocking the default domain policy I would create
separate policy objects with the settings that I wanted filtered/blocked.
But your "set policies on each domain" leads me to believe that there are
multiple domains in the forest involved here?  Domains by their nature have
different security policies.
 
//SIGNED//
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597    DSN: 276-4597

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of cflesher
Sent: Monday, February 14, 2005 09:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] override default domain policy

I was in a meeting last week and the issue came up whether it is possible to
override the default domain policy and set policies on each domain. I always
understood that you couldn't do this. But if you block inheritance and apply
another policy on an OU, what happens? Furthermore, what is supposed to happen
if the default domain policy is disabled?
 
I'm going to test this, but it would be nice to hear from the experts. I did
look back in the archives for this list, but it seemed like there were mixed
feelings on the possibilities.
 
Thanks.
 
Chris Flesher
The University of Chicago
NSIT/DCS
(773)-834-8477
 


RE: [ActiveDir] suggestions for tombstoned DC recovery?

2005-02-14 Thread Thommes, Michael M.
It's not that DCPROMO was not an option, it just didn't work - also
"access denied".

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, February 14, 2005 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] suggestions for tombstoned DC recovery?

Why is DCPROMO not an option? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Monday, February 14, 2005 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] suggestions for tombstoned DC recovery?

One of our admins restored a DC from a backup greater than 60 days old.
There are no newer backup copies.  Replication is not working - "Access
denied".  Also, the restored DC cannot be dcpromo'd out.  Rebuilding the
computer from scratch is not an option.  Repadmin and nltest operations
are
unsuccessful.  Does anyone have any tricks up their sleeve for getting
this
once-working DC to "play nice again"?  I keep thinking that an nltest
with a
secure channel reset option, followed by a repadmin operation with a
force
option using the one good DC as an authoritative source - should be the
answer.  But it doesn't seem to work.  Any help is appreciated!  Thanks.

Mike Thommes




RE: [ActiveDir] GPO design

2005-02-14 Thread Chandra Burra

I suggest having SUS or WUS in the business and creating one GP for the
implementation of all patches and updates from MS in one go...

Consolidate the other applications into one and publish.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bart Vandyck
Sent: 14 February 2005 18:25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GPO design


Hi Jorge,

Great input.. But do I understand you correctly that performance depends on
the number of different GPOs instead of the settings made by these GPOs?

rgds,

Bart


On Mon, 14 Feb 2005 10:47:43 +0100, Jorge de Almeida Pinto
<[EMAIL PROTECTED]> wrote:
> Hi,
>
> Be careful with creating a GPO for each application. If you have a lot of
> apps and let's say all computers get those apps, then those workstations will
> go through each GPO and you may have performance issues. It may be
> better to consolidate several apps that have similar "characteristics"
> into one GPO.
> If within a GPO the computer or user configuration is NOT used (no
> settings defined), disable it accordingly. If it is disabled then it will
> not be processed, and that is good for performance!
>
> The naming convention for GPOs I always use is:
> * GPO
>
> Where:
>  = POL (policy settings) or SWD (software distribution)
>  = C (computer) or U (user) or B (both) this one also tells me
which
> configuration is enabled without opening the GPO
>  = can be anything such as location, region, department, etc.
>  = what it is (e.g. default settings)
>
> Examples:
> GPO_POL_C_Dept01_DefaultSettings
> GPO_SWD_U_Site01_AcrobatReader
>
> As I think of it: don't go crazy on GPOs. GPOs provide lots of
functionality
> but may also kill performance
>
> Cheers,
> Jorge
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bart Vandyck
> Sent: maandag 14 februari 2005 10:22
> To: activedir@mail.activedir.org
> Subject: [ActiveDir] GPO design
>
> Hi all,
>
> I just wanted some feedback on this project I'm working on from people
with
> real world knowledge.
>
> We have AD in place with an OU structure. I've been asked to make a plan
> to implement GPOs in this organization. I was thinking about creating a GPO
> for each application we want to manage, in combination with each
> OU level.
>  For example:  GPO-Region-IE6-users
>   GPO-Region-WINXPSP1-machine
>  GPO-Site01-IE6-users
>  GPO-Site02-IE6-machine
>  GPO-Site01-winxpsp1-user
>
> The site GPO will only be made, or in effect, if there is a need to overrule
> settings made on the region level.
>
> Is this a maintainable solution or will this become too complex in the
> end?
>
> Does anybody know of good descriptions or best practices for managing
> software with GPOs? I've seen lots of material about creating GPOs,
> troubleshooting them, etc., but haven't found real implementation case
> studies with advantages and disadvantages.
>
> rgds,
>
> Bart
>


RE: [ActiveDir] remote control users desktop

2005-02-14 Thread Ben D. Kusa
Is there any way to share a session without the user's intervention? Or
do you have to use a third-party tool? It is the client side I am looking to
control; what I am looking for is a helpdesk remote control utility.

Thanks
Ben Kusa
Simpson Gumpertz Heger
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
> Sent: Monday, February 14, 2005 1:45 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] remote control users desktop
> 
> Ben D. Kusa wrote:
> > I think I am missing something obvious. It looks like there is an option
> > to remote control a computer with Active Directory and it gives the
> > option of interacting with the user's session. I can never get it to
> > interact with the user's session; it always locks the user's screen and
> > then gives me control. I'm using the TS client to connect to the
> > computer; should I be using some other client to view their session? Or
> > am I not going to be able to have an interactive session?
> 
> If you are connecting to Windows XP on the client side, this is expected
> behaviour: to share a session with the client you have to use the Remote
> Assistance tool.
> 
> --
> Tomasz Onyszko [MVP]
> [EMAIL PROTECTED]
> http://www.w2k.pl
> 


[ActiveDir] DC - rebuild issues

2005-02-14 Thread Chandra Burra

Hi,

I have a typical issue with re-building a DC.


I am currently in the stage of re-creating an AD domain for DR documentation.
Have installed W2k server --> trying to restore from a backup tape from the
live system (whole C drive and the System state) --> make registry changes
for RPC and NTFRS

Issue here is that after completely restoring and re-starting --> prompted
with the login of the local system and not the domain ... mostly if I login
with the local admin - nothing comes up ... explorer.exe does not start up.


Any ideas and suggestions please.


Regards,
Chandra



RE: [ActiveDir] suggestions for tombstoned DC recovery?

2005-02-14 Thread Mulnick, Al
So...technically, after the restore, the dc doesn't really exist in the
organization anymore (well, it's been cleaned up) but likely has some
remnants from the restore.  Is that correct? 

What I'm getting at is that DCPROMO shouldn't work because that DC
technically doesn't exist.  It's an island that shouldn't be there. 

To verify, check the other DC's and verify that they have no existing copy
of the DC. 

I can't think of a reason I'd try to shoehorn in a DC that's that old.  I'd
be more apt to bring up a clean DC and promote into the environment instead.
If I needed data from the old one, I *might* consider restoring it
off-network so I could get that information and manually transition it over.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, February 14, 2005 2:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] suggestions for tombstoned DC recovery?

It's not that DCPROMO was not an option, it just didn't work - also "access
denied".

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, February 14, 2005 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] suggestions for tombstoned DC recovery?

Why is DCPROMO not an option? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, February 14, 2005 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] suggestions for tombstoned DC recovery?

One of our admins restored a DC from a backup greater than 60 days old.
There are no newer backup copies.  Replication is not working - "Access
denied".  Also, the restored DC cannot be dcpromo'd out.  Rebuilding the
computer from scratch is not an option.  Repadmin and nltest operations are
unsuccessful.  Does anyone have any tricks up their sleeve for getting this
once-working DC to "play nice again"?  I keep thinking that an nltest with a
secure channel reset option, followed by a repadmin operation with a force
option using the one good DC as an authoritative source - should be the
answer.  But it doesn't seem to work.  Any help is appreciated!  Thanks.

Mike Thommes


[ActiveDir] Automate Computer Name Changes

2005-02-14 Thread Dan DeStefano

I have not been able to find a way to sufficiently solve the
following problem: automatically changing computer names after imaging. I would
like to reassign computer names based on a company naming convention plus
variable. So a computer name would be something like “dny01pd***”,
with the asterisks representing an automatically assigned number. As far as I know,
Sysprep does not allow this; it will only allow you to assign a random name,
which is not acceptable. I am not using unattended installations so I cannot
use .udb files to assign computer names. I have been using GhostWalker to
rename and join the PCs to a domain after imaging, but it just randomly assigns
numbers for the variables. This is a little better, but GhostWalker doesn’t
increment the numbers, nor does it check the network for duplicate names (or so
I’m told by Symantec support).

Ideally, what I would like is some program or script or
whatever, that can be run after imaging that will assign computer names
consecutively or will consult a file for a list of names; then go and check on
the network for a duplicate name preferably by fqdn – and ideally, be
able to join the PC to a domain and assign it to a specific OU as icing on the
cake. Does anyone know of a tool that will do this? (Are you working on
something like this, Joe?)

I am also curious about how others currently handle imaging
and automatic computer naming.

Dan DeStefano


RE: [ActiveDir] suggestions for tombstoned DC recovery?

2005-02-14 Thread Grillenmeier, Guido
really depends on how many issues you'd want afterwards - if you have
another DC in your domain, why is it so critical to bring this one back?
Sounds like you have some Apps on it that you need to keep - but you
should be able to get rid of AD. 

If so, the safest method is to demote it forcefully via "DCPROMO
/forceremoval" (need Win2k SP4 or Win2003), then do a metadata cleanup
on another DC (removing that server-object). If this was a FSMO
role-holder, you'll need to seize the roles to another DC (can also be
done via NTDSutil). Afterwards you're ready to re-promote it to a DC.  

Doable, but very risky is to increase the tombstone lifetime in the
forest to a large enough number (on another working DC _and_ the broken
DC), but you're asking for trouble if you're going to do this
(poltergeists etc.).

BTW, Win2003 SP1 will increase the default Tombstone Lifetime (for new
forests) to 180 days to avoid more potential issues of this kind.  Not
so great for the size of the DIT, but likely less issues with
recovery...

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Monday, February 14, 2005 6:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] suggestions for tombstoned DC recovery?

One of our admins restored a DC from a backup greater than 60 days old.
There are no newer backup copies.  Replication is not working - "Access
denied".  Also, the restored DC cannot be dcpromo'd out.  Rebuilding the
computer from scratch is not an option.  Repadmin and nltest operations
are unsuccessful.  Does anyone have any tricks up their sleeve for
getting this once-working DC to "play nice again"?  I keep thinking that
an nltest with a secure channel reset option, followed by a repadmin
operation with a force option using the one good DC as an authoritative
source - should be the answer.  But it doesn't seem to work.  Any help
is appreciated!  Thanks.

Mike Thommes
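An added check (editor's example, not from the thread or from any poster) for the two points raised above by Al and Guido: a system-state backup older than the tombstone lifetime must not be restored, and after "dcpromo /forceremoval" plus metadata cleanup the remaining DCs should hold no trace of the old server. It reads the forest's actual tombstone lifetime, compares a backup date against it, and then lists leftover metadata for a DC name. Assumes the RSAT ActiveDirectory module run from a healthy DC; the DC name and backup date in the usage lines are placeholders.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory
# module; run it against a healthy DC, never the restored one.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # The forest-wide value lives on the Directory Service object. When the
    # attribute is unset the legacy default of 60 days applies (forests
    # created on Win2003 SP1 or later get 180, as Guido notes above).
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
    $ds  = Get-ADObject -Identity $dn -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { return [int]$ds.tombstoneLifetime }
    return 60
}

function Test-BackupRestorable {
    # A backup older than the tombstone lifetime would reintroduce objects the
    # rest of the forest has already purged (Guido's "poltergeists").
    param(
        [Parameter(Mandatory)][datetime]$BackupDate,
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays)
    )
    $ageDays = [int]((Get-Date) - $BackupDate).TotalDays
    [pscustomobject]@{
        BackupDate            = $BackupDate
        AgeDays               = $ageDays
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        Restorable            = ($ageDays -lt $TombstoneLifetimeDays)
    }
}

function Find-StaleDcMetadata {
    # After forced demotion and ntdsutil metadata cleanup, verify that nothing
    # still references the old DC. Every hit is something cleanup or a FSMO
    # seizure still has to handle.
    param([Parameter(Mandatory)][string]$DcName)
    if ($DcName -notmatch '^[A-Za-z0-9-]{1,15}$') {
        throw "DcName must be a plain NetBIOS host name"   # keeps the LDAP filter clean
    }
    $root = Get-ADRootDSE
    $cfg  = $root.configurationNamingContext
    $dom  = $root.defaultNamingContext
    $hits = @()

    # Server object and its NTDS Settings child under CN=Sites: this is what
    # the other DCs use to build replication links to the old server.
    Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter "(&(objectClass=server)(cn=$DcName))" |
        ForEach-Object { $hits += "server object: $($_.DistinguishedName)" }
    Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter "(objectClass=nTDSDSA)" |
        Where-Object { $_.DistinguishedName -like "CN=NTDS Settings,CN=$DcName,*" } |
        ForEach-Object { $hits += "NTDS Settings: $($_.DistinguishedName)" }

    # Computer account still sitting in the Domain Controllers OU.
    Get-ADComputer -Filter "Name -eq '$DcName'" -SearchBase "OU=Domain Controllers,$dom" |
        ForEach-Object { $hits += "computer account: $($_.DistinguishedName)" }

    # FSMO roles that still point at the old DC must be seized
    # (Move-ADDirectoryServerOperationMasterRole -Force, or ntdsutil roles).
    $d = Get-ADDomain
    $f = Get-ADForest
    $holders = @($d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster,
                 $f.SchemaMaster, $f.DomainNamingMaster)
    foreach ($holder in $holders) {
        if ($holder -like "$DcName.*") { $hits += "FSMO role still held by $holder" }
    }
    return $hits
}

# Usage (placeholder values):
# Test-BackupRestorable -BackupDate (Get-Date '2004-12-01')
# Find-StaleDcMetadata -DcName 'OLDDC01'
```

An empty result from Find-StaleDcMetadata is the "no existing copy of the DC" state Al asks you to confirm before a clean re-promotion.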


Re: [ActiveDir] remote control users desktop

2005-02-14 Thread Jason B
You'll need a third party app to do *exactly* what you're asking.  VNC does 
it, and it's free.  http://www.realvnc.com/

- Original Message - 
From: "Ben D. Kusa" <[EMAIL PROTECTED]>
To: 
Sent: Monday, February 14, 2005 12:34 PM
Subject: RE: [ActiveDir] remote control users desktop

Is there anyway to share a session without having users intervention? Or
do you have to use third-party? It is client side I am looking to
control, what I am looking for is a helpdesk remote control utility.
Thanks
Ben Kusa
Simpson Gumpertz Heger
-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Monday, February 14, 2005 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] remote control users desktop
Ben D. Kusa wrote:
> I think I am missing something obvious, It looks like there is an
> option to remote control a computer with active directory and it gives the
> option of interacting with the users session. I can never get it
> interact with the users session it always locks the users screen and
> then gives me control. I'm using the ts client to connect to the
> computer, should I be using some other clients to view their
> session? Or am I not going to be able to have an interactive session.
If You are connecting to the Windows XP on clients side it is expected
behaviour - to share session with the client You have to use remote
assistance tool
--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl


RE: [ActiveDir] suggestions for tombstoned DC recovery?

2005-02-14 Thread Cace, Andrew
 
If DCPROMO won't work, even with the /FORCEREMOVAL flag, the following
MS KB Article has a reghack that will allow you to remove the domain
controller.  We had to do this at a remote site in Europe, where the
technical guys had "gone home for the day".

http://support.microsoft.com/default.aspx?scid=kb;en-us;332199

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Monday, February 14, 2005 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] suggestions for tombstoned DC recovery?

It's not that DCPROMO was not an option, it just didn't work - also
"access denied".

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, February 14, 2005 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] suggestions for tombstoned DC recovery?

Why is DCPROMO not an option? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Monday, February 14, 2005 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] suggestions for tombstoned DC recovery?

One of our admins restored a DC from a backup greater than 60 days old.
There are no newer backup copies.  Replication is not working - "Access
denied".  Also, the restored DC cannot be dcpromo'd out.  Rebuilding the
computer from scratch is not an option.  Repadmin and nltest operations
are unsuccessful.  Does anyone have any tricks up their sleeve for
getting this once-working DC to "play nice again"?  I keep thinking that
an nltest with a secure channel reset option, followed by a repadmin
operation with a force option using the one good DC as an authoritative
source - should be the answer.  But it doesn't seem to work.  Any help
is appreciated!  Thanks.

Mike Thommes


RE: [ActiveDir] Automate Computer Name Changes

2005-02-14 Thread Brian Desmond
Dan-
 
You can certainly script this with netdom. If you want to use sysprep, you
could set the company name to be that dny01pd, and then sysprep will populate
the rest with random crap.
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101



From: [EMAIL PROTECTED] on behalf of Dan DeStefano
Sent: Mon 2/14/2005 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automate Computer Name Changes



I have not been able to find a way to sufficiently solve the following problem: 
automatically changing computer names after imaging. I would like to reassign 
computer names based on a company naming convention plus variable. So a 
computer name would be something like "dny01pd***", with the asterisks 
representing an automatically assigned number. As far as I know, Sysprep does 
not allow this; it will only allow you to assign a random name, which is not 
acceptable. I am not using unattended installations so I cannot use .udb files 
to assign computer names. I have been using GhostWalker to rename and join the 
PCs to a domain after imaging, but it just randomly assigns numbers for the 
variables. This is a little better, but GhostWalker doesn't increment the 
numbers, nor does it check the network for duplicate names (or so I'm told by 
Symantec support).

 

Ideally, what I would like is some program or script or whatever, that can be 
run after imaging that will assign computer names consecutively or will consult 
a file for a list of names; then go and check on the network for a duplicate 
name preferably by fqdn - and ideally, be able to join the PC to a domain and 
assign it to a specific OU as icing on the cake. Does anyone know of a tool 
that will do this? (Are you working on something like this, Joe?)

 

I am also curious about how others currently handle imaging and automatic 
computer naming.

 

 

 

Dan DeStefano

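One way to script the sequential-name scheme Dan describes and Brian points at, as an added example (editor's code, not from the thread; it uses the PowerShell AD cmdlets rather than netdom): it walks the dny01pd### series, checks both AD and DNS for a duplicate, pre-stages the account in the target OU, and joins. Assumes the RSAT ActiveDirectory and DnsClient modules; the domain, OU path and DNS suffix are placeholders.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory and
# DnsClient modules on the box that runs the post-imaging step.
Import-Module ActiveDirectory

function Test-ComputerNameInUse {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$DnsSuffix
    )
    # 1. Computer account anywhere in the domain (sAMAccountName has a trailing $).
    $inAd = Get-ADComputer -Filter "sAMAccountName -eq '$Name`$'" -ErrorAction SilentlyContinue
    if ($inAd) { return $true }
    # 2. Host record under the domain suffix: catches stale DNS entries and
    #    non-domain boxes that would still clash on the wire.
    $inDns = Resolve-DnsName -Name "$Name.$DnsSuffix" -Type A -ErrorAction SilentlyContinue
    return [bool]$inDns
}

function Get-NextComputerName {
    # Walks prefix + zero-padded counter (dny01pd001, dny01pd002, ...) and
    # returns the first name neither AD nor DNS knows about. The prefix is
    # validated so it cannot smuggle filter syntax into the AD query.
    param(
        [string]$Prefix = 'dny01pd',
        [int]$Digits = 3,
        [Parameter(Mandatory)][string]$DnsSuffix,
        [int]$Start = 1
    )
    if ($Prefix -notmatch '^[A-Za-z0-9-]+$') { throw "Prefix must be alphanumeric" }
    if ($Prefix.Length + $Digits -gt 15) { throw "Name would exceed the 15-character NetBIOS limit" }
    $max = [math]::Pow(10, $Digits) - 1
    for ($n = $Start; $n -le $max; $n++) {
        $candidate = $Prefix + $n.ToString("D$Digits")
        if (-not (Test-ComputerNameInUse -Name $candidate -DnsSuffix $DnsSuffix)) {
            return $candidate
        }
    }
    throw "No free name left in the $Prefix series"
}

function Join-ImagedComputer {
    # Reserve the account in the target OU first, then rename and join.
    # Pre-creating it means two machines imaging at the same moment cannot
    # both settle on the same free number, and the account never lands in
    # the default Computers container.
    param(
        [Parameter(Mandatory)][string]$NewName,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$OUPath,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    New-ADComputer -Name $NewName -SAMAccountName $NewName -Path $OUPath -Credential $Credential
    Add-Computer -DomainName $Domain -NewName $NewName -Credential $Credential -Restart
}

# Usage (placeholder values):
# $cred = Get-Credential 'EXAMPLE\imaging-join'
# $name = Get-NextComputerName -DnsSuffix 'example.com'
# Join-ImagedComputer -NewName $name -Domain 'example.com' -OUPath 'OU=Workstations,DC=example,DC=com' -Credential $cred
```

Give the join account only "Create computer objects" on the workstation OU rather than domain admin rights, since it is the credential that lives on every imaging technician's box.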

RE: [ActiveDir] Automate Computer Name Changes

2005-02-14 Thread Michael Wassell

Is it safe to assume that RIS is not an option?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, February 14, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automate Computer Name Changes


Dan-
 
You can certainly script this with netdom. If you want to use sysprep, you
could set the company name to be that dny01pd, and then sysprep will populate
the rest with random crap.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101


From: [EMAIL PROTECTED] on behalf of Dan DeStefano
Sent: Mon 2/14/2005 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automate Computer Name Changes


I have not been able to find a way 
to sufficiently solve the following problem: automatically changing computer 
names after imaging. I would like to reassign computer names based on a company 
naming convention plus variable. So a computer name would be something like 
“dny01pd***”, with the asterisks representing an automatically assigned number. 
As far as I know, Sysprep does not allow this; it will only allow you to assign 
a random name, which is not acceptable. I am not using unattended installations 
so I cannot use .udb files to assign computer names. I have been using 
GhostWalker to rename and join the PCs to a domain after imaging, but it just 
randomly assigns numbers for the variables. This is a little better, but 
GhostWalker doesn’t increment the numbers, nor does it check the network for 
duplicate names (or so I’m told by Symantec support).
 
Ideally, what I would like is some 
program or script or whatever, that can be run after imaging that will assign 
computer names consecutively or will consult a file for a list of names; then go 
and check on the network for a duplicate name preferably by fqdn – and ideally, 
be able to join the PC to a domain and assign it to a specific OU as icing on 
the cake. Does anyone know of a tool that will do this? (Are you working on 
something like this, Joe?)
 
I am also curious about how others 
currently handle imaging and automatic computer naming.
 
 
 
Dan DeStefano


RE: [ActiveDir] DC - rebuild issues

2005-02-14 Thread Fuller, Stuart
I have seen a similar thing while using Ntbackup during our DR drills.

The first restore goes along and doesn't really complete (no log file
pops up and no warning - ntbackup simply stops and exits somewhere in
the AD portion of the restore).  You reboot the server and you login
with local admin credentials instead getting a choice to use AD.  This
second login can take a while because it has to fail on a bunch of
partially restored stuff. If you simply run the full restore again after
reboot then that works and the DC comes up just fine.  This occurs with
the target server set to AD Disaster Recovery safe mode or just booted
normally.  

-Stuart Fuller   

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: Monday, February 14, 2005 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC - rebuild issues
Importance: High


Hi,

I have a typical issue with re-building a DC.


I am currently in the stage of re-creating an AD domain for DR
documentation.
Have installed W2k server --> trying to restore from a backup tape from the
live system (whole C drive and the System state) --> make registry changes
for RPC and NTFRS

Issue here is that after completely restoring and re-starting --> prompted
with the login of the local system and not the domain ... mostly if I login
with the local admin - nothing comes up ... explorer.exe does not start up.


Any ideas and suggestions please.


Regards,
Chandra



Re: [ActiveDir] Question: AD Group Policy not taking effect

2005-02-14 Thread Umer Y.
Where do I enable detailed reporting? At the server, or at the client?
How do I do it?
Thanks for the help.
Anyone else has any further ideas?
Thanks.
From: <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To: 
Subject: Re: [ActiveDir] Question: AD Group Policy not taking effect
Date: Mon, 14 Feb 2005 07:16:28 +1100
Hi,
The best way to check this out is to activate detailed logging, reboot &
logon and look at the log in:-
%windir%\Debug\UserMode\userenv.log.
We have written a free utility that will allow you to activate detailed
logging and will display the log in a meaningful way.
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
If you still have problems, mail me the log offline and I will look at it
for you.
 Alan Cuthbertson
 Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

- Original Message -
From: "Umer Y." <[EMAIL PROTECTED]>
To: 
Sent: Sunday, February 13, 2005 10:40 AM
Subject: RE: [ActiveDir] Question: AD Group Policy not taking effect
> What do you mean, a chance to replicate? Can you please explain a bit more?
>
> I was working with the user portion of GPO.
>
> I created a user account in OU.
>
> The client is XP, and the server is W2K3.
>
> I tried secedit by chandra, but it doesn't accept the /refreshpolicy. I have
> already tried gpupdate /force. It goes through, without any results on the
> client side.
>
> Any other suggestions?
>
> Thanks for the help.
>
> From: "Perdue David J Contr InDyne/Enterprise IT"
> <[EMAIL PROTECTED]>
> Reply-To: ActiveDir@mail.activedir.org
> To: 
> Subject: RE: [ActiveDir] Question: AD Group Policy not taking effect
> Date: Fri, 11 Feb 2005 14:06:16 -0800
>
> Did the OU and the GPO have a chance to replicate?
> The policy that you created, did you configure the computer or user
> portion of the policy object?
> Do you have a user account or a computer account in the OU?
> What OS is the client computer?  If it's Win2k or lower did you
> configure a WinXP Policy Attribute?
> Did you try a GPUPDATE on WinXP or a SECEDIT to update the the policy
> applied to the System?
>
> Dave
>
>
>
> //SIGNED//
> 
> David J. Perdue
> Network Security Engineer, InDyne Inc
> Comm: (805) 606-4597DSN: 276-4597
> 
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Umer Y.
> Sent: Friday, February 11, 2005 13:38 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Question: AD Group Policy not taking effect
>
> Hello,
>
> I added an OU. Added a test user.
>
> I added a group policy by clicking 'add' under 'group policy' in OU's
> properties.
>
> Changed a couple of things around.
>
> Logged onto a test client. Group policy wouldn't take effect.
>
> What am I missing?
>
> I will appreciate your help in this regard.
>
> Thanks.
>
>
>
>
> ... you don't know what you've got 'till it's gone..
>
> - Joni Mitchell
>



... you don't know what you've got 'till it's gone..
- Joni Mitchell


Re: [ActiveDir] remote control users desktop

2005-02-14 Thread James_Day
Hi Ben

Try using remote assistance.  There are two ways to use it.  First, user
requests assistance, in which case the user must send a request file to the
helpdesk (either via email, MSN, or put a file on the network and access
it).  The second way is to let the helpdesk initiate - at which time the
user gets a request on screen to either accept assistance or deny it.  A
second request comes in when the help desk wishes to take over the desktop.

We use the offer remote assistance here regularly, and have set up group
policy to allow for offering assistance.

Computer Configuration\Administrative Templates\System\Remote Assistance.
Enable the Offer Remote Assistance and add your help desk group with the
permit control button.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


From: "Jason B" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 02/14/2005 01:25 PM MST
Please respond to: ActiveDir
cc: (bcc: James Day/Contractor/NPS)
Subject: Re: [ActiveDir] remote control users desktop

You'll need a third party app to do *exactly* what you're asking.  VNC does
it, and it's free.  http://www.realvnc.com/

- Original Message -
From: "Ben D. Kusa" <[EMAIL PROTECTED]>
To: 
Sent: Monday, February 14, 2005 12:34 PM
Subject: RE: [ActiveDir] remote control users desktop


Is there anyway to share a session without having users intervention? Or
do you have to use third-party? It is client side I am looking to
control, what I am looking for is a helpdesk remote control utility.

Thanks
Ben Kusa
Simpson Gumpertz Heger
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
> Sent: Monday, February 14, 2005 1:45 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] remote control users desktop
>
> Ben D. Kusa wrote:
> > I think I am missing something obvious, It looks like there is an
> > option to remote control a computer with active directory and it gives the
> > option of interacting with the users session. I can never get it
> > interact with the users session it always locks the users screen and
> > then gives me control. I'm using the ts client to connect to the
> > computer, should I be using some other clients to view their
> > session? Or am I not going to be able to have an interactive session.
>
> If You are connecting to the Windows XP on clients side it is expected
> behaviour - to share session with the client You have to use remote
> assistance tool
>
> --
> Tomasz Onyszko [MVP]
> [EMAIL PROTECTED]
> http://www.w2k.pl
>
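An added audit (editor's example, not from the thread or from any poster) for the "Offer Remote Assistance" policy James describes: it reads each GPO's setting and helper list so you can confirm that only the helpdesk group can initiate an unsolicited session. Assumes the GroupPolicy RSAT module; the registry key and value names are my assumption about what the Remote Assistance administrative template writes, not something stated in the thread, so check them against your template.

```powershell
# Added example, not from the thread. Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

# Assumed location written by the Remote Assistance administrative template.
$RaKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-OfferRemoteAssistancePolicy {
    # Returns, for one GPO, whether unsolicited ("offer") Remote Assistance is
    # switched on, whether helpers get full control or view only, and which
    # accounts are on the helper list (assumed to live under RAUnsolicit).
    param([Parameter(Mandatory)][string]$GpoName)

    $enabled = Get-GPRegistryValue -Name $GpoName -Key $RaKey -ValueName 'fAllowUnsolicited' -ErrorAction SilentlyContinue
    if (-not $enabled) { return $null }   # policy not configured in this GPO

    $fullCtl = Get-GPRegistryValue -Name $GpoName -Key $RaKey -ValueName 'fAllowUnsolicitedFullControl' -ErrorAction SilentlyContinue
    $helpers = Get-GPRegistryValue -Name $GpoName -Key "$RaKey\RAUnsolicit" -ErrorAction SilentlyContinue |
               ForEach-Object { $_.Value }

    [pscustomobject]@{
        Gpo          = $GpoName
        OfferEnabled = ($enabled.Value -eq 1)
        FullControl  = [bool]($fullCtl -and $fullCtl.Value -eq 1)
        Helpers      = @($helpers)
    }
}

function Test-HelperListIsNarrow {
    # "Offer" RA lets the helper connect without the user asking first, so the
    # helper list should be a dedicated helpdesk group, never a broad one.
    param([string[]]$Helpers)
    $broad = @('Domain Users', 'Authenticated Users', 'Everyone', 'Domain Computers', 'Users')
    $bad = @($Helpers | Where-Object { $broad -contains $_.Split('\')[-1] })
    return ($bad.Count -eq 0)
}

# Walk every GPO and report the ones where Offer RA is on with a broad helper
# list or with no helper list at all (which means the policy is misconfigured).
function Find-RiskyOfferRaPolicies {
    Get-GPO -All | ForEach-Object {
        $p = Get-OfferRemoteAssistancePolicy -GpoName $_.DisplayName
        if ($p -and $p.OfferEnabled) {
            if ($p.Helpers.Count -eq 0 -or -not (Test-HelperListIsNarrow $p.Helpers)) { $p }
        }
    }
}

# Usage: Find-RiskyOfferRaPolicies | Format-Table Gpo, FullControl, Helpers
```

Pair this with the user-side prompt James mentions: the policy only determines who may offer, the user still accepts or declines on screen.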


RE: [ActiveDir] remote control users desktop

2005-02-14 Thread Jorge de Almeida Pinto

If you're using WinXP, you should use Remote Assistance instead of Remote Desktop
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rmassist.mspx
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/remoteassist/intro.mspx
Cheers
jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben D. Kusa
Sent: maandag 14 februari 2005 18:56
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remote control users desktop


I think I am missing something obvious, It looks like there is an option to
remote control a computer with active directory and it gives the option of
interacting with the users session. I can never get it interact with the users
session it always locks the users screen and then gives me control. I’m using
the ts client to connect to the computer, should I be using some other clients
to view their session? Or am I not going to be able to have an interactive
session.

Ben Kusa
Simpson Gumpertz Heger, Inc.
41 Seyon St
Building 1 Suite 500
Waltham, MA 02453
Main:   781-907-9000
Direct: 781-907-9256
Cell:   781-424-8148
Fax:    781-907-9009
 

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.



RE: [ActiveDir] GPO design

2005-02-14 Thread Jorge de Almeida Pinto
Yep. Let's say you have some apps that ALL users get and you have a lot of
apps. In that case I think it is better to create one GPO with those
"default available apps" instead of creating a GPO for each app. This
depends on how many apps you want to distribute with AD.
Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: maandag 14 februari 2005 20:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO design


I suggest have SUS or WUS in the business and create one GP for
implementation of all patches and updates from MS at one go...

Other applications consolidate into one and publish.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bart Vandyck
Sent: 14 February 2005 18:25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GPO design


Hi Jorge,

Great input.. But do I understand you correctly that performance depends
on the number of different GPOs instead of the settings done by these GPOs?

rgds,

Bart


On Mon, 14 Feb 2005 10:47:43 +0100, Jorge de Almeida Pinto
<[EMAIL PROTECTED]> wrote:
> Hi,
>
> Be careful with creating a GPO for each application. If you have a
> lot of apps and let's say all computers get those apps then those
> workstations will go through each GPO and then you may have performance
> issues. It may be better to consolidate several apps that have similar
> "characteristics" into one GPO.
> If within a GPO the computer or user configuration is NOT used (no
> settings defined) disable it accordingly. If it is disabled then it will not be
> processed and that is good for performance!
>
> The naming convention for GPOs I always use is:
> * GPO
>
> Where:
>  = POL (policy settings) or SWD (software distribution)
>  = C (computer) or U (user) or B (both) this one also tells me which
> configuration is enabled without opening the GPO
>  = can be anything such as location, region, department, etc.
>  = what it is (e.g. default settings)
>
> Examples:
> GPO_POL_C_Dept01_DefaultSettings
> GPO_SWD_U_Site01_AcrobatReader
>
> As I think of it: don't go crazy on GPOs. GPOs provide lots of functionality
> but may also kill performance
>
> Cheers,
> Jorge
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bart Vandyck
> Sent: maandag 14 februari 2005 10:22
> To: activedir@mail.activedir.org
> Subject: [ActiveDir] GPO design
>
> Hi all,
>
> I just wanted some feedback on this project I'm working on from people
> with real world knowledge.
>
> We have AD in place with an OU structure. I've been asked to make a plan
> to implement GPO's in this organization. I was thinking about creating a
> GPO for each application we want to manage and this in combination
> with each OU level.
>  For example:  GPO-Region-IE6-users
>   GPO-Region-WINXPSP1-machine
>  GPO-Site01-IE6-users
>  GPO-Site02-IE6-machine
>  GPO-Site01-winxpsp1-user
>
> The site GPO will only be made or in effect if the need to overrule
> settings made on the region level.
>
> Is this a maintainable solution or will this become too complex in
> the end.
>
> Anybody know some good descriptions or best practices about managing
> software with GPO.  I've seen lots of stuff about creating GPO's,
> troubleshoot them, etc.. but haven't found real implementations case
> studies with advantages and disadvantages..
>
> rgds,
>
> Bart
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
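Jorge's two rules quoted above (consolidate apps and name GPOs consistently; disable the computer or user half that carries no settings so clients skip it) can be audited rather than trusted. The following is an added example, not a tool from this thread or from the ActiveDir list; it assumes the GroupPolicy PowerShell module (RSAT, far newer than the 2005 tooling discussed here) and read access to every GPO in the current domain. The name pattern is Jorge's convention with the stripped placeholders filled in as GPO_<POL|SWD>_<C|U|B>_<scope>_<description>.

```powershell
# Added example, not from this thread: audit existing GPOs against the two
# rules quoted above. Assumes the GroupPolicy module (Get-GPO) and rights to
# read every GPO in the domain.
Import-Module GroupPolicy

# Jorge's convention: GPO_<POL|SWD>_<C|U|B>_<scope>_<description>
$NamePattern = '^GPO_(POL|SWD)_(C|U|B)_[^_]+_.+$'

function Test-GpoHygiene {
    param([Parameter(Mandatory)]$Gpo)   # one object returned by Get-GPO

    $findings = @()

    # Rule 1: the name alone should say what the GPO is and which half is live.
    $named = $Gpo.DisplayName -match $NamePattern
    if (-not $named) { $findings += 'name does not follow GPO_<type>_<C|U|B>_<scope>_<what>' }

    # Rule 2: a half that was never written (DS and SYSVOL version both 0) is
    # still processed by every client unless it is explicitly disabled.
    $computerEmpty = ($Gpo.Computer.DSVersion -eq 0 -and $Gpo.Computer.SysvolVersion -eq 0)
    $userEmpty     = ($Gpo.User.DSVersion     -eq 0 -and $Gpo.User.SysvolVersion     -eq 0)
    if ($computerEmpty -and $Gpo.Computer.Enabled) { $findings += 'computer configuration is empty but enabled' }
    if ($userEmpty     -and $Gpo.User.Enabled)     { $findings += 'user configuration is empty but enabled' }

    # Cross-check: the C/U letter in the name must agree with what is enabled.
    if ($named) {
        switch ($Matches[2]) {
            'C' { if ($Gpo.User.Enabled)     { $findings += 'named C but user configuration is enabled' } }
            'U' { if ($Gpo.Computer.Enabled) { $findings += 'named U but computer configuration is enabled' } }
        }
    }

    [pscustomobject]@{
        Name     = $Gpo.DisplayName
        Status   = $Gpo.GpoStatus
        Findings = $findings -join '; '
    }
}

$all = Get-GPO -All
'{0} GPOs in the domain' -f $all.Count    # the count a client may have to walk through
$all | ForEach-Object { Test-GpoHygiene -Gpo $_ } |
    Where-Object { $_.Findings } |
    Sort-Object Name | Format-Table -AutoSize -Wrap
```

Run it from a management workstation as a user with GPO read rights; it changes nothing. The version counters are the cheapest signal that a half is unused: a GPO whose user side has DS and SYSVOL version 0 but still shows a status of AllSettingsEnabled is exactly the case Jorge says to disable.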


RE: [ActiveDir] Automate Computer Name Changes

2005-02-14 Thread Dan DeStefano

I would prefer not to use RIS as there are a lot of customizations that I make
to the OS, many of which cannot be done with unattended installation via RIS
(or, at least I do not know of any way).

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Monday, February 14, 2005 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automate Computer Name Changes

Is it safe to assume that RIS is not an option?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, February 14, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automate Computer Name Changes

Dan-

You can certainly script this with netdom. If you want to use sysprep, you
could set the company name to be that dny01pd, and then sysprep will populate
the rest with random crap.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101

From: [EMAIL PROTECTED] on behalf of Dan DeStefano
Sent: Mon 2/14/2005 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automate Computer Name Changes

I have not been able to find a way to sufficiently solve the following
problem: automatically changing computer names after imaging. I would like to
reassign computer names based on a company naming convention plus variable. So
a computer name would be something like "dny01pd***", with the asterisks
representing an automatically assigned number. As far as I know, Sysprep does
not allow this; it will only allow you to assign a random name, which is not
acceptable. I am not using unattended installations so I cannot use .udb files
to assign computer names. I have been using GhostWalker to rename and join the
PCs to a domain after imaging, but it just randomly assigns numbers for the
variables. This is a little better, but GhostWalker doesn't increment the
numbers, nor does it check the network for duplicate names (or so I'm told by
Symantec support).

Ideally, what I would like is some program or script or whatever, that can be
run after imaging that will assign computer names consecutively or will
consult a file for a list of names; then go and check on the network for a
duplicate name, preferably by FQDN, and ideally, be able to join the PC to a
domain and assign it to a specific OU as icing on the cake. Does anyone know of
a tool that will do this? (Are you working on something like this, Joe?)

I am also curious about how others currently handle imaging and automatic
computer naming.

Dan DeStefano
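Dan's wish list above (consecutive names from a prefix, a duplicate check on the network by FQDN, then a domain join into a chosen OU) is what Brian's "script it with netdom" amounts to. The following is an added example written for this thread, not a tool Dan, Brian or the list provided; it assumes the ActiveDirectory and DnsClient PowerShell modules are available on the machine being imaged, a DNS zone that matches the AD domain, and a dedicated join account delegated only the right to create computer objects in the target OU. Every domain, OU and account name in it is a placeholder.

```powershell
# Added example, not from this thread: allocate the next free "<prefix><NNN>"
# name by checking AD and DNS (by FQDN) for duplicates, then rename and join the
# freshly imaged PC into a specific OU. Assumes the ActiveDirectory and
# DnsClient modules; all domain/OU/account names are placeholders.
Import-Module ActiveDirectory

function Get-NextComputerName {
    param(
        [Parameter(Mandatory)][string]$Prefix,        # e.g. dny01pd
        [Parameter(Mandatory)][string]$Domain,        # e.g. corp.example.com
        [Parameter(Mandatory)][pscredential]$Credential,
        [int]$Digits = 3
    )
    # Every name already in AD with this prefix, whatever OU it sits in.
    $inAd = Get-ADComputer -Server $Domain -Credential $Credential `
                -Filter "Name -like '$Prefix*'" | ForEach-Object { $_.Name.ToUpper() }

    $fmt = "{0}{1:D$Digits}"
    for ($n = 1; $n -lt [math]::Pow(10, $Digits); $n++) {
        $candidate = $fmt -f $Prefix, $n
        if ($inAd -contains $candidate.ToUpper()) { continue }

        # A stale A record means something may still answer to this FQDN.
        $fqdn = "$candidate.$Domain"
        if (Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue) { continue }

        return $candidate
    }
    throw "no free name left for prefix $Prefix"
}

function Join-ImagedComputer {
    param(
        [Parameter(Mandatory)][string]$NewName,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$OUPath,        # e.g. OU=Workstations,DC=corp,DC=example,DC=com
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Rename and join in one step. The account only needs rights on $OUPath,
    # so a credential baked into an image cannot be used for anything else.
    Add-Computer -DomainName $Domain -NewName $NewName -OUPath $OUPath `
                 -Credential $Credential -Force -Restart
}

# Usage (placeholders):
# $cred = Get-Credential 'CORP\svc-imagejoin'
# $name = Get-NextComputerName -Prefix 'dny01pd' -Domain 'corp.example.com' -Credential $cred
# Join-ImagedComputer -NewName $name -Domain 'corp.example.com' `
#     -OUPath 'OU=Workstations,DC=corp,DC=example,DC=com' -Credential $cred
```

Two machines imaged at the same moment can still pick the same number between the check and the join; if that matters, pre-create the chosen computer object (New-ADComputer in the same OU) before calling Add-Computer so that AD itself rejects the second claim. Checking DNS as well as AD is what catches the case Dan describes, a name whose directory object is gone but whose record (and possibly the box) is still around.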










RE: [ActiveDir] RIS Unattended (Was: Automate Computer Name Changes)

2005-02-14 Thread Crawford, Scott

I'd be interested in the customizations you're unable to make using RIS.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, February 14, 2005 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automate Computer Name Changes

I would prefer not to use RIS as there are a lot of customizations that I make
to the OS, many of which cannot be done with unattended installation via RIS
(or, at least I do not know of any way).

Dan


RE: [ActiveDir] suggestions for tombstoned DC recovery?

2005-02-14 Thread Grillenmeier, Guido
I'm very surprised to see that reghack still listed in a public KB - it
was to be taken out many months ago - this is obviously the "last
resort" to do and is very risky when used by the "wrong type" of people.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cace, Andrew
Sent: Monday, February 14, 2005 9:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] suggestions for tombstoned DC recovery?

 
If DCPROMO won't work, even with the /FORCEREMOVAL flag, the following
MS KB Article has a reghack that will allow you to remove the domain
controller.  We had to do this at a remote site in Europe, where the
technical guys had "gone home for the day".

http://support.microsoft.com/default.aspx?scid=kb;en-us;332199

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Monday, February 14, 2005 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] suggestions for tombstoned DC recovery?

It's not that DCPROMO was not an option, it just didn't work - also
"access denied".

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, February 14, 2005 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] suggestions for tombstoned DC recovery?

Why is DCPROMO not an option? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Monday, February 14, 2005 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] suggestions for tombstoned DC recovery?

One of our admins restored a DC from a backup greater than 60 days old.
There are no newer backup copies.  Replication is not working - "Access
denied".  Also, the restored DC cannot be dcpromo'd out.  Rebuilding the
computer from scratch is not an option.  Repadmin and nltest operations
are unsuccessful.  Does anyone have any tricks up their sleeve for
getting this once-working DC to "play nice again"?  I keep thinking that
an nltest with a secure channel reset option, followed by a repadmin
operation with a force option using the one good DC as an authoritative
source - should be the answer.  But it doesn't seem to work.  Any help
is appreciated!  Thanks.

Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] RIS Unattended (Was: Automate Computer Name Changes)

2005-02-14 Thread Michael Wassell

You may want to do a bit of research into RIS, Dan, more specifically the
[Components] portion if that is the type of customization you are referring to.

Here is a URL that I keep handy:

http://tinyurl.com/3p8g9

As for any registry changes, that can be scripted fairly easily.

Software deployment can be accomplished a number of ways. If you want to keep
it simple you could use Riprep but I personally am not very keen on it.

Keep in mind though, your machines have to have PXE-compatible NICs, or a NIC
that is supported by the RIS boot floppy.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Monday, February 14, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RIS Unattended (Was: Automate Computer Name Changes)

I'd be interested in the customizations you're unable to make using RIS.


RE: [ActiveDir] suggestions for tombstoned DC recovery?

2005-02-14 Thread Jorge de Almeida Pinto
I agree with Guido that the FORCEREMOVAL option is the safest one besides
reinstalling a DC. However I understand that some apps don't like (or don't
support) the DC they are installed on being demoted and promoted again (e.g.
Exchange).

There is another way to accept replication with a DC that has been disconnected
from the network for more than the tombstone lifetime.

See the user action (option 2 AND 3) mentioned below or see
http://www.eventid.net/display.asp?eventid=2042&eventno=3428&source=NTDS%20Replication&phase=1

NOTE:  --> BE VERY CAREFUL WITH THIS AND USE IT AT YOUR OWN RISK! TEST
FIRST!

Good luck!
Jorge

I think you may have the following event:

Event Type: Error 
Event Source: NTDS Replication 
Event Category: Replication 
Event ID: 2042 
Date: 2004.10.08. 
Time: 16:04:09 
User: NT AUTHORITY\ANONYMOUS LOGON 
Computer: SERVERSCALA 
Description: 
It has been too long since this machine last replicated with the named
source machine. The time between replications with this source has exceeded
the tombstone lifetime. Replication has been stopped with this source. 
The reason that replication is not allowed to continue is that the two
machine's views of deleted objects may now be different. The source machine
may still have copies of objects that have been deleted (and garbage
collected) on this machine. If they were allowed to replicate, the source
machine might return objects which have already been deleted. 
Time of last successful replication: 
2004-07-11 12:20:39 
Invocation ID of source: 
0594f6cc-f6bc-0594-b00c-070610bbe605 
Name of source: 
c53993aa-c571-479d-9df8-84aa799c56a1._msdcs.blabla.com
Tombstone lifetime (days): 
60 

The replication operation has failed. 

User Action: 

Determine which of the two machines was disconnected from the forest and is
now out of date. You have three options: 

1. Demote or reinstall the machine(s) that were disconnected. 
2. Use the "repadmin /removelingeringobjects" tool to remove inconsistent
deleted objects and then resume replication. 
3. Resume replication. Inconsistent deleted objects may be introduced. You
can continue replication by using the following registry key. Once the
systems replicate once, it is recommended that you remove the key to
reinstate the protection. 
Registry Key: 
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication
With Divergent and Corrupt Partner


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: maandag 14 februari 2005 20:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] suggestions for tombstoned DC recovery?

really depends on how many issues you'd want afterwards - if you have
another DC in your domain, why is it so critical to bring this one back?
Sounds like you have some Apps on it that you need to keep - but you should
be able to get rid of AD.

If so, the safest method is to demote it forcefully via "DCPROMO
/forceremoval" (need Win2k SP4 or Win2003), then do a metadata cleanup on
another DC (removing that server-object). If this was a FSMO role-holder,
you'll need to seize the roles to another DC (can also be done via
NTDSutil). Afterwards you're ready to re-promote it to a DC.

Doable, but very risky, is to increase the tombstone lifetime in the forest
to a large enough number (on another working DC _and_ the broken DC), but
you're asking for trouble if you're going to do this (poltergeists etc.).

BTW, Win2003 SP1 will increase the default Tombstone Lifetime (for new
forests) to 180 days to avoid more potential issues of this kind.  Not so
great for the size of the DIT, but likely fewer issues with recovery...

/Guido

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
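Before choosing between Guido's path (dcpromo /forceremoval, metadata cleanup, seize any FSMO roles) and the registry override in the event text Jorge quotes, it helps to see exactly what the suspect DC is reporting. The following is an added example, not a tool from this thread or from the list; it assumes the ActiveDirectory PowerShell module and that it runs on the suspect DC with rights to read the Directory Service event log and the NTDS registry parameters. It only reads; it does not set the override.

```powershell
# Added example, not from this thread: a read-only check of the three things
# that matter in a tombstone-lifetime replication block: the forest's
# tombstoneLifetime, any NTDS Replication 2042 events, and whether the
# "Allow Replication With Divergent and Corrupt Partner" override is set.
# Assumes the ActiveDirectory module and local read rights on the DC.
Import-Module ActiveDirectory

$NtdsParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$DivergentKey = 'Allow Replication With Divergent and Corrupt Partner'

function Get-TombstoneLifetimeDays {
    # Forest-wide value; when the attribute is unset the 60-day default applies.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-DivergentPartnerOverride {
    # $true when the emergency value from the event text is set. It should not
    # survive past the single replication cycle it was enabled for.
    $v = (Get-ItemProperty -Path $NtdsParams -Name $DivergentKey -ErrorAction SilentlyContinue).$DivergentKey
    return ($v -eq 1)
}

function Get-Event2042 {
    # NTDS Replication 2042: a partner was last seen longer ago than the tombstone lifetime.
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2042 } `
                 -MaxEvents 10 -ErrorAction SilentlyContinue
}

function Get-DcTombstoneStatus {
    $tsl      = Get-TombstoneLifetimeDays
    $events   = @(Get-Event2042)
    $override = Test-DivergentPartnerOverride
    $last     = $null
    if ($events.Count -gt 0) { $last = $events[0].TimeCreated }

    if ($override) {
        $advice = 'override value is set: remove it after one successful replication'
    } elseif ($events.Count -gt 0) {
        $advice = "partner exceeded $tsl days: demote (/forceremoval) plus metadata cleanup, " +
                  'or repadmin /removelingeringobjects before resuming'
    } else {
        $advice = 'no tombstone-lifetime replication block recorded on this DC'
    }

    [pscustomobject]@{
        TombstoneLifetimeDays = $tsl
        Event2042Count        = $events.Count
        LastEvent2042         = $last
        DivergentOverrideSet  = $override
        Advice                = $advice
    }
}

Get-DcTombstoneStatus | Format-List
```

The DivergentOverrideSet line is the one worth alerting on across all DCs: the event text says to remove the value once the systems have replicated, and a DC that still carries it months later will happily accept lingering objects from any partner, which is the "poltergeist" problem Guido mentions.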

Re: [ActiveDir] GPO design

2005-02-14 Thread Bart Vandyck
I'm not gonna do software distribution or patches with GPO.  We have
started an SMS 2003 upgrade project for that..

I think only basic software will be managed: Windows XP, IE 6, Office
XP & 2003,...


thanks,

Bart


On Mon, 14 Feb 2005 22:16:57 +0100, Jorge de Almeida Pinto
<[EMAIL PROTECTED]> wrote:
> Yep. Let's say you have some apps that ALL users get and you have a lot of
> apps. In that case I think it is better to create one GPO with those
> "default available apps" instead of creating a GPO for each app. This
> depends on how many apps you want to distribute with AD.
> Cheers
> Jorge
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
> Sent: maandag 14 februari 2005 20:26
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] GPO design
> 
> I suggest have SUS or WUS in the business and create one GP for
> implementation of all patches and updates from MS at one go...
> 
> Other applications consolidate into one and publish.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Bart Vandyck
> Sent: 14 February 2005 18:25
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] GPO design
> 
> Hi Jorge,
> 
> Great input.. But do I understand you correctly that performance depends
> on the number of different GPOs instead of the settings made by these GPOs?
> 
> rgds,
> 
> Bart
> 
> On Mon, 14 Feb 2005 10:47:43 +0100, Jorge de Almeida Pinto
> <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > Be careful with creating a GPO for each application. If you have a
> > lot of apps and let's say all computers get those apps then those
> > workstations will go through each GPO and then you may have performance
> > issues. It may be better to consolidate several apps that have similar
> > "characteristics" into one GPO.
> > If within a GPO the computer or user configuration is NOT used (no
> > settings defined) disable it accordingly. If it is disabled then it will
> > not be processed and that is good for performance!
> >
> > The naming convention for GPOs I always use is:
> > * GPO
> >
> > Where:
> >  = POL (policy settings) or SWD (software distribution)
> > = C (computer) or U (user) or B (both) this one also tells me which
> > configuration is enabled without opening the GPO
> >  = can be anything such as location, region, department, etc.
> >  = what it is (e.g. default settings)
> >
> > Examples:
> > GPO_POL_C_Dept01_DefaultSettings
> > GPO_SWD_U_Site01_AcrobatReader
> >
> > As I think of it: don't go crazy on GPOs. GPOs provide lots of
> functionality
> > but may also kill performance
> >
> > Cheers,
> > Jorge
> >
> >

RE: [ActiveDir] Two little tools ...

2005-02-14 Thread Dean Wells
Neil quickly observed that the script wasn't written to deal with W2K ... for
those interested, I've enclosed a version that is.

Dean
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, February 11, 2005 10:14 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Two little tools ...

I have not had time to debug the FFL script, but it reports incorrect data when
run in my environment.

All domains are at w2k native mode, yet the script reports w2k mixed.

Log file contents below.

Any ideas?

neil
PS I appreciate the disclaimer, but thought the feedback might be of some help
:)

dn: CN=Partitions,CN=Configuration,DC=xxx,DC=com
changetype: add

dn: CN=,CN=Partitions,CN=Configuration,DC=xxx,DC=com
changetype: add
nCName: DC=,DC=xxx,DC=com

dn: CN=,CN=Partitions,CN=Configuration,DC=xxx,DC=com
changetype: add
nCName: DC=,DC=xxx,DC=com

dn: CN=,CN=Partitions,CN=Configuration,DC=xxx,DC=com
changetype: add
nCName: DC=,DC=xxx,DC=com

dn: CN=xxx,CN=Partitions,CN=Configuration,DC=xxx,DC=com
changetype: add
nCName: DC=xxx,DC=com

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 09 February 2005 18:13
To: Send - AD mailing list
Subject: [ActiveDir] Two little tools ...

I've enclosed two shell scripts (as text files) that I was either asked or
volunteered to write, I find them useful and thought you might too ... so here
they are.

Hopefully, the enclosed zip won't get stripped by Tony "I HATE FILE ENCLOSURES"
Murray  just teasing Tony! :-)

fll - functional level list tool
    * self explanatory methinks

dirsize - scans supplied drive/directory for directories > or < supplied size
    * if nothing is supplied, just lists sizes

Hope they prove useful!

DISCLAIMER - They might erase everything on your entire hard drive ... or
phrased another way; run at your own risk!

Deano
--
Dean Wells
MSEtechnology
( Tel: +1 (954) 501-4307
* Email: dwells@msetechnology.com
http://msetechnology.com

:: List Forest/Domain Functional levels / Dean Wells / MSEtechnology / Feb. 2005

@echo off

if "%1"=="" goto :HELP
if "%1"=="/?" goto :HELP

setlocal ENABLEDELAYEDEXPANSION

cls
echo/

:: Locate critical executables (%%~$PATH:e expands to the full path of the
:: file, or to nothing when it is not found anywhere on the PATH)
for %%e in (ldifde.exe findstr.exe find.exe) do (
set where=%%~$PATH:e
if "!where!"=="" (
echo ERROR - Required executable, "%%e", not located within the path
goto :END
)
)

set TEMPFILE1=%TEMP%\~fllone.tmp
set TEMPFILE2=%TEMP%\~flltwo.tmp
set FQDN=%1
:: Turn a.b.com into DC=a,DC=b,DC=com
set ROOT=DC=%fqdn:.=,DC=%
set W2M=Windows 2000 Mixed
set W2N=Windows 2000 Native
set W2K30=Windows 2000 or '0'
set W2K31=Interim or '1'
set W2K32=2003 Native or '2'
set NUMBERDOMS=ERROR [non-root Domain?]
set SCHEMAREV=ERROR [non-root Domain?]

:: Obtain list of domain partitions from the forest
echo STATUS - Determining configuration for Forest: %ROOT%

:: Determine schema revision (objectVersion on the schema head)
ldifde -j %TEMP% -w 10 -s %FQDN% -p base -d "cn=schema,cn=configuration,%ROOT%" -r "objectClass=dMD" -l objectVersion -f %TEMPFILE1% >nul
if errorlevel 1 (
echo/
echo ERROR - LDAP query failed determining schema revision from Forest: %ROOT%
goto :END
)

:: Third line of the LDIF output is "objectVersion: NN"; the -1+1 arithmetic
:: strips the leading space left by the ":" delimiter
for /f "tokens=2 delims=: skip=2" %%v in (%TEMPFILE1%) do (
set /a SCHEMAREV=%%v-1+1
)

:: Define required attributes to be read from directory service based on schema revision
if "%SCHEMAREV%" LSS "30" (
set ATTRS=nTMixedDomain
) else (
set ATTRS=msDS-Behavior-Version,nTMixedDomain
)

:: Count domain partitions
ldifde -j %TEMP% -w 10 -s %FQDN% -p onelevel -d cn=partitions,cn=configuration,%ROOT% -r (^|(systemFlags=3)(objectClass=crossRefContainer)) -l dnsRoot -f %TEMPFILE1% >nul
if errorlevel 1 (
echo/
echo ERROR - LDAP query failed obtaining list of Domain partitions from Forest: %ROOT%
goto :END
)

for /f %%c in ('type %TEMPFILE1% ^| find /i /c "dnsRoot"') do (
if "%%c" GTR "0" set NUMBERDOMS=%%c
)
:: Obtain forest functional level if schema revision indicates forest has 2003 or later schema
echo/
echo   Forest: %FQDN%
echo   - # of Domains: %NUMBERDOMS%
set /p=
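Neil's report above (all domains at W2K native, script says W2K mixed) comes down to which attribute is consulted: on a Windows 2000 schema only nTMixedDomain exists (1 = mixed, 0 = native), while msDS-Behavior-Version only appears once the 2003 schema (objectVersion 30 or above) is in place, and it reads 0 for both W2K modes. The following is an added example, not Dean's fll script or his W2K-aware revision; it does the same lookup through ADSI and assumes LDAP access to the domain named in -Fqdn with the caller's own credentials (the domain name shown is a placeholder).

```powershell
# Added example, not Dean's fll script: functional-level lookup via ADSI that
# handles the Windows 2000 case. nTMixedDomain alone decides mixed vs native
# when msDS-Behavior-Version is absent or 0. Assumes LDAP access to $Fqdn.

function Get-DomainFunctionalLevel {
    param([Parameter(Mandatory)][string]$Fqdn)   # e.g. corp.example.com (placeholder)

    # a.b.com -> DC=a,DC=b,DC=com, the same rewrite the batch script does
    $root   = 'DC=' + ($Fqdn -replace '\.', ',DC=')
    $domain = [ADSI]"LDAP://$Fqdn/$root"
    $schema = [ADSI]"LDAP://$Fqdn/CN=Schema,CN=Configuration,$root"

    $schemaRev = [int]$schema.Properties['objectVersion'].Value
    $mixed     = [int]$domain.Properties['nTMixedDomain'].Value
    $behavior  = $domain.Properties['msDS-Behavior-Version'].Value   # $null before the 2003 schema

    if ($null -eq $behavior -or [int]$behavior -eq 0) {
        # Pre-2003 behaviour: only nTMixedDomain distinguishes mixed from native.
        if ($mixed -eq 1) { $level = 'Windows 2000 Mixed' } else { $level = 'Windows 2000 Native' }
    } elseif ([int]$behavior -eq 1) {
        $level = 'Windows Server 2003 Interim'
    } else {
        $level = 'Windows Server 2003 Native or later (msDS-Behavior-Version {0})' -f $behavior
    }

    [pscustomobject]@{
        Domain          = $Fqdn
        SchemaVersion   = $schemaRev
        nTMixedDomain   = $mixed
        BehaviorVersion = $behavior
        Level           = $level
    }
}

# Get-DomainFunctionalLevel -Fqdn 'corp.example.com'
```

The mapping of msDS-Behavior-Version values (0, 1, 2) to the W2K30/W2K31/W2K32 strings matches the variables at the top of Dean's script; the one extra step is falling back to nTMixedDomain whenever that attribute is missing or 0, which is the branch Neil's environment needed.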

RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-02-14 Thread joe
Ouch, I'm actually bleeding...

On the MI in March. It definitely isn't fun. But if you get on a plane, you
tend to want to end up someplace which is considerably better. :o)



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, February 13, 2005 6:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Dissecting 
 
>>> Its Vancouver in March... 
Yeah, so? Can't be much worse than MI in March.
 
>>> I am pretty tied up with 
Lame, so lame I'm tempted to not comment :) I am sure most presenters are in
the same boat. I am personally in that boat. I am not even sure HOW I will
get to DEC yet, because I am not sure which city I will find myself in
around that time. So, can't book a flight yet because I don't know where I
would be flying in from. So, there try something else :p
 
>>> There is also the whole issue of who do I go as?
I would think that going in as Joe would be sufficient. I already told you
this before - you don't seem to know how much regards you command within the
community. WRT who foots the bill, I'd assume that Gil is ponying up the
money either way (either as Joeware or JoeHP), so that should really not be
a factor. More so, I am sure Gil will be footing your bill even if you show
up as Joe-the-cross-dresser. But, I will let Gil speak for himself on that
point
:)
 
>>> I am not an ethereal guru
I did not know that Gil was looking for gurus. I certainly I'm not a guru in
anything, and I would take a back seat to you any day when talking about
Exchange security. But, I am going, and you are not. So, there again :) Why
am I going? Because I think I have seen and done some things on Exchange
security that the attendees "MAY" be interested in listening to. I am
definitely not bringing anything revolutionary or earth-shattering. I am
only hoping that I will say something that will get some of the attendees to
go back to their bases and rethink what they have or implement something (if
they haven't). My position on conferences and teaching and stuff like this
is that I don't go there hoping to meet wizards and have them implant
knowledge into my medula oblongata. I do not expect that most people go
there for this reason either. I think re-enforcement and pointers and things
that get people thinking carry much more weight than just looking to
spoon-feed people information. Are you expecting to transform the attendees
into Ether-sniffing
K-9 in the span of 90 minutes? Wake up, Joe. So, I chalk this down to the
"Lame" category.
 
>>> Possibly Gil can take some informal poll at the event on who would 
>>> like
to see a joeware presentation at a future event Yeah, right. So that you
could wiggle your way out of it again. You need no poll, Joe. And I know
that you know that I know that you knew that. Gil already floated the idea,
so I don't see the need to get Gallup involved at this point.
 
>>> Interesting all the MVPs coming out of the woodwork saying they are
>>> going now
They are probably signing up in large numbers, hoping their massive presence
will be enough reason to compel you to show up. Or they could be signing up
because they heard that Joe was there the last time around and they want to
be able to claim to have seen you in person. Look at it as a bribe, or
peer-pressure or something. They could also just be going for the beer, who
knows?
 

 
>>> Anyone who has knowledge on some of the more evil ways of breaking
>>> into a forest try to keep mum
I can certainly say, with absolute truth, Boy Scout's honor, that I have
no clue what you are talking about. Yet, I am supposed to be a Security MVP
:) Ironic, uh? This is why I miss you, man. I remember you explaining 1B and
1C records to me back in 99 and me looking at you like "WTF is he talking
about? What does this have to do with WINS?"
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Sun 2/13/2005 9:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada



LOL with all of you.

It's Vancouver in March... Even DC in March was pushing it, March is Louisiana
or Florida or Arizona or Texas. Seriously though, I am pretty tied up with a
customer right now with fun issues with Exchange and third party tools where
I'm at the point of monitoring every change to all user objects as a
non-admin. There is also the whole issue of who do I go as? Do I go as joe
from joeware or Joe Richards, Senior Consultant for a major Technology
company? Completely different roles that I have to be careful with on both
sides of the fence. Most people in the world know me as joe of joeware, not
as Joe Richards Consultant, so I should go as joe the

RE: [ActiveDir] suggestions for tombstoned DC recovery?

2005-02-14 Thread joe
Wow, I can't believe they actually still have that hack officially
documented. I recall when someone asked Kwan about it at last year's spring
DEC he about tripped over his own tongue and nearly fell off the podium
trying to spit out how unsupported that was but he understood the reasoning
behind it for the single user mode issue with /forceremoval. Basically if
you do this, don't forget the steps of promoing into a bogus Domain and back
out after the fact. It works great though I had heard once that someone lost
a machine doing this. Probably a typo in the registry mod or the machine was
just screwed anyway. 

  joe  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cace, Andrew
Sent: Monday, February 14, 2005 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] suggestions for tombstoned DC recovery?

 
If DCPROMO won't work, even with the /FORCEREMOVAL flag, the following MS KB
Article has a reghack that will allow you to remove the domain controller.
We had to do this at a remote site in Europe, where the technical guys had
"gone home for the day".

http://support.microsoft.com/default.aspx?scid=kb;en-us;332199

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, February 14, 2005 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] suggestions for tombstoned DC recovery?

It's not that DCPROMO was not an option, it just didn't work - also "access
denied".

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, February 14, 2005 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] suggestions for tombstoned DC recovery?

Why is DCPROMO not an option? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, February 14, 2005 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] suggestions for tombstoned DC recovery?

One of our admins restored a DC from a backup greater than 60 days old.
There are no newer backup copies.  Replication is not working - "Access
denied".  Also, the restored DC cannot be dcpromo'd out.  Rebuilding the
computer from scratch is not an option.  Repadmin and nltest operations are
unsuccessful.  Does anyone have any tricks up their sleeve for getting this
once-working DC to "play nice again"?  I keep thinking that an nltest with a
secure channel reset option, followed by a repadmin operation with a force
option using the one good DC as an authoritative source - should be the
answer.  But it doesn't seem to work.  Any help is appreciated!  Thanks.

Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-02-14 Thread joe



Thanks David. I didn't think of it from the Entertainment 
standpoint. :o)
 
I am usually just trying to keep myself entertained. 

 
Seriously though, glad you found my jabbering 
useful/interesting/entertaining. The idea that my presence alone was helpful or 
useful to the point that you consider valuable is very complimentary. Thank 
you.
 
  joe
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Monday, February 14, 2005 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Careful, Gil...if they keep you there in those conditions long enough 
you'll start to identify with your captors and protect them (see Stockholm 
Syndrome).
 
Joe, 
you should be retained just for the entertainment value during breaks and such - 
I learned stuff just listening to you at the table last year (not necessarily 
AD-related, but entertaining nonetheless)
 
Seriously, some show and tell with the Joeware tools would easily be a 
hit - you could show some of us a thing or three about how to use the tools to 
find stuff, pipe the output to other tools, etc.  There's rarely a week 
that goes by on this list without somebody asking "how do I..." and getting an 
answer from you (or others !) that involves a joeware tool with a specific set 
of switches.
 
Sadly, 
I've not yet gotten approval to get there this year, but I'm working on 
it.
Dave

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
  Sent: Monday, February 14, 2005 9:52 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada
  
  Couldn't have said it 
  better myself.
   
  FWIW, I've already polled a sufficient 
  sample re: a Joeware preso; there's plenty of interest. Even more important is 
  the interests of those who have never heard of joeware.
   
  And corporate affiliation doesn't matter 
  either.
   
  But I'm not paying for a cross-dresser, 
  except as part of the entertainment at the reception. And you better be a damn 
  good cross-dresser!
   
  (sitting in Stockholm, no cellphone, no luggage, no jacket, it's snowing,
  dark, and cold. But at least I've got broadband... :)
   
  -g
  
  

RE: [ActiveDir] computers in active directory [List Owner]

2005-02-14 Thread joe
Heck I like those Idiot books. Those are generally very well written. I
think I still have a copy of some Idiot's guide to AD laying about and have
been known to open it and look things up even after I wrote my first AD
program.

  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray-Smith
Sent: Monday, February 14, 2005 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] computers in active directory [List Owner]

Z.V.

That's not a helpful response and it's somewhat insulting. There's no
minimum level for questions on this list.  Remember that nearly all of us
started out with little or no knowledge of AD.

Tony
ActiveDir List Owner

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: 14 February 2005 16:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] computers in active directory

This forum may be a little hard for you to comprehend. Maybe you need to go
buy some "Complete Idiot's Guide" books.

Z.V.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grumpy Nounet
Sent: Monday, February 14, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] computers in active directory

Hello,

I'm studying a computer network using active directory to authenticate the
users.

I noticed that all the computers of the domain are listed in the directory,
and I wonder if this has something to do with authentication.

I did not find it on the Internet, I hope someone will be able to help me
here...


grumpy


PS: sorry for my English speaking

_
Nouveau MSN Hotmail : choisissez votre adresse @hotmail.fr ! 
http://www.msn.fr/newmsnhotmail



RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-02-14 Thread joe
Well for part of this Guido wouldn't be bad for... He would just have to get
rid of that five o'clock shadow.
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, February 14, 2005 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada


Couldn't have said it better myself.
 
FWIW, I've already polled a sufficient sample re: a Joeware preso; there's
plenty of interest. Even more important is the interests of those who have
never heard of joeware.
 
And corporate affiliation doesn't matter either.
 
But I'm not paying for a cross-dresser, except as part of the entertainment
at the reception. And you better be a damn good cross-dresser!
 
(sitting in Stockholm, no cellphone, no luggage, no jacket, it's snowing,
dark, and cold. But at least I've got broadband... :)
 
-g


From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Sun 2/13/2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada



Dissecting 

>>> Its Vancouver in March...
Yeah, so? Can't be much worse than MI in March.

>>> I am pretty tied up with
Lame, so lame I'm tempted to not comment :) I am sure most presenters are in
the same boat. I am personally in that boat. I am not even sure HOW I will
get to DEC yet, because I am not sure which city I will find myself in around
that time. So, can't book a flight yet because I don't know where I would be
flying in from. So, there try something else :p

>>> There is also the whole issue of who do I go as?
I would think that going in as Joe would be sufficient. I already told you
this before - you don't seem to know how much regards you command within the
community. WRT who foots the bill, I'd assume that Gil is ponying up the
money either way (either as Joeware or JoeHP), so that should really not be a
factor. More so, I am sure Gil will be footing your bill even if you show up
as Joe-the-cross-dresser. But, I will let Gil speak for himself on that point
:)

>>> I am not an ethereal guru
I did not know that Gil was looking for gurus. I certainly am not a guru in
anything, and I would take a back seat to you any day when talking about
Exchange security. But, I am going, and you are not. So, there again :) Why
am I going? Because I think I have seen and done some things on Exchange
security that the attendees "MAY" be interested in listening to. I am
definitely not bringing anything revolutionary or earth-shattering. I am only
hoping that I will say something that will get some of the attendees to go
back to their bases and rethink what they have or implement something (if
they haven't). My position on conferences and teaching and stuff like this is
that I don't go there hoping to meet wizards and have them implant knowledge
into my medulla oblongata. I do not expect that most people go there for this
reason either. I think reinforcement and pointers and things that get people
thinking carry much more weight than just looking to spoon-feed people
information. Are you expecting to transform the attendees into Ether-sniffing
K-9 in the span of 90 minutes? Wake up, Joe. So, I chalk this down to the
"Lame" category.

>>> Possibly Gil can take some informal poll at the event on who would like
to see a joeware presentation at a future event
Yeah, right. So that you could wiggle your way out of it again. You need no
poll, Joe. And I know that you know that I know that you knew that. Gil
already floated the idea, so I don't see the need to get Gallup involved at
this point.

>>> Interesting all the MVPs coming out of the woodwork saying they are
>>> going now
They are probably signing up in large numbers, hoping their massive presence
will be enough reason to compel you to show up. Or they could be signing up
because they heard that Joe was there the last time around and they want to
be able to claim to have seen you in person. Look at it as a bribe, or
peer-pressure or something. They could also just be going for the beer, who
knows?



>>> Anyone who has knowledge on some of the more evil ways of breaking into
>>> a forest try to keep mum
I can certainly say, with absolute truth, Boy Scout's honor, that I have no
clue what you are talking about. Yet, I am supposed to be a Security MVP :)
Ironic, uh? This is why I miss you, man. I remember you explaining 1B and 1C
records to me back in 99 and me looking at you like "WTF is he talking
about? What does this have to do with WINS?"


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon




RE: [ActiveDir] [Dreadfully OT]: Interesting little tidbit....

2005-02-14 Thread Rick Kingslan
Ahh... but I just said that it was cool - not useful.  I'm impressed by the
simple fact that it runs.

You might say from a purely technical aspect it's cool.  Utilitarian - maybe
not so much.

Many times, it's just the "Wow" factor, and nothing else.

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, February 14, 2005 9:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Dreadfully OT]: Interesting little tidbit

I suppose the part that gets me, is the what would you use it for?  I'm not
seeing the application of such a concept exactly.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 14, 2005 2:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Dreadfully OT]: Interesting little tidbit

Actually, my malady is contagious :)
 
It's 4.7MB. I did not want to believe it would be that small when I first
look at it, that was why I was confused. But, from what I am reading, I can
see it's so small.
 
By the way, this does not appear to me to be any different from running
LINUX under a typical VM environment. So, what's new or so cool about that?
I guess I should play first before blabbing, eh? :). Downloading the Debian
image now.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Sun 2/13/2005 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Dreadfully OT]: Interesting little tidbit



Hallucination.  It's a 47MB compressed file system image...  Nowhere
near as imposing as it looks.  It's in bytes - not Kbytes...  ;-)

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, February 13, 2005 5:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Dreadfully OT]: Interesting little tidbit

I looked at it, and my eyes (almost) popped out. Is that really a 4.7Gig
distro, or am I hallucinating - again? :)


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Sun 2/13/2005 1:08 PM
To: ActiveDir@mail.activedir.org; 'MVP Security Discussion'
Subject: [ActiveDir] [Dreadfully OT]: Interesting little tidbit



If you haven't looked at this yet - you really NEED to.   I have it
installed, working and am getting ready to toss X on, and get it
functioning.

This is one of those things that comes along and you look at it and think,
"Huh  that's really SUPER cool."

Check it out... it's worth the time.

http://www.colinux.org

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food



RE: [ActiveDir] Two little tools ...

2005-02-14 Thread Michael B. Smith



Twenty years ago I could write /bin/sh scripts in svr3, but 
Windows batch files - I never really "got" them.
 
People like you who can produce these types of things in 
cmd/batch are quite admirable.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, February 14, 2005 6:51 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Two little tools ...

Neil quickly observed that the script wasn't written to deal with W2K ... for
those interested, I've enclosed a version that is.
 
Dean
--
Dean Wells
MSEtechnology
Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, February 11, 2005 10:14 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Two little tools ...

I have not had time to debug the FFL script, but it reports incorrect data
when run in my environment.
 
All domains are at w2k native mode, yet the script reports w2k mixed.
 
Log file contents below.
 
Any ideas?
 
neil
PS I appreciate the disclaimer, but thought the feedback might be of some help
:)
 
dn: CN=Partitions,CN=Configuration,DC=xxx,DC=com
changetype: add
 
dn: CN=,CN=Partitions,CN=Configuration,DC=xxx,DC=com
changetype: add
nCName: DC=,DC=xxx,DC=com
 
dn: CN=,CN=Partitions,CN=Configuration,DC=xxx,DC=com
changetype: add
nCName: DC=,DC=xxx,DC=com
 
dn: CN=,CN=Partitions,CN=Configuration,DC=xxx,DC=com
changetype: add
nCName: DC=,DC=xxx,DC=com
 
dn: CN=xxx,CN=Partitions,CN=Configuration,DC=xxx,DC=com
changetype: add
nCName: DC=xxx,DC=com

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
  Sent: 09 February 2005 18:13
  To: Send - AD mailing list
  Subject: [ActiveDir] Two little tools ...
  I've enclosed two shell scripts (as text files) that I was either asked or
  volunteered to write, I find them useful and thought you might too ... so
  here they are.
   
  Hopefully, the enclosed zip won't get stripped by Tony "I HATE FILE
  ENCLOSURES" Murray, just teasing Tony! :-)
   
  fll - functional level list tool
      * self explanatory methinks
   
  dirsize - scans supplied drive/directory for directories > or < supplied
  size
      * if nothing is supplied, just lists sizes
   
  Hope they prove useful!
   
  DISCLAIMER - They might erase everything on your entire hard drive ... or
  phrased another way; run at your own risk!
   
  Deano
  --
  Dean Wells
  MSEtechnology
  Tel: +1 (954) 501-4307
  Email: dwells@msetechnology.com
  http://msetechnology.com
   
==
This message is for the sole use of the intended recipient. If you received
this message in error please delete it and notify us. If this message was
misdirected, CSFB does not waive any confidentiality or privilege. CSFB retains
and monitors electronic communications sent through its network. Instructions
transmitted over this system are not binding on CSFB until they are confirmed
by us. Message transmission is not guaranteed to be secure.
==


RE: [ActiveDir] Two little tools ...

2005-02-14 Thread Rick Kingslan

You haven't met Dean face to face, have you?

-rtk


RE: [ActiveDir] Display Computer Name on Desktop

2005-02-14 Thread Cothern Jeff D. Team EITC
I don't know a lot about scripting or vbs.  But can I take the lines of text
below starting at CONST, paste that into Notepad and save it as .vbs? Does
that work, or do I need to use some vbs program?




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Friday, February 11, 2005 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Display Computer Name on Desktop

The code would help right.8-)

' Shell special-folder id &H11 (CSIDL_DRIVES) is the "My Computer" folder
Const MY_COMPUTER = &H11&
' Read the local computer name via the WScript.Network object
Set objNetwork = CreateObject("Wscript.Network")
objComputerName = objNetwork.ComputerName
' Get the "My Computer" folder item itself and rename its desktop icon
' to the computer name
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.Namespace(MY_COMPUTER)
Set objFolderItem = objFolder.Self
objFolderItem.Name = objComputerName


Original Message Follows
From: "Salandra, Justin A." <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To: 
CC: <[EMAIL PROTECTED]>
Subject: [ActiveDir] Display Computer Name on Desktop
Date: Fri, 11 Feb 2005 13:41:15 -0500

I have a question, is there a way to display the computer name on the
desktop either through a login script or via GPO?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]





RE: [ActiveDir] Display Computer Name on Desktop

2005-02-14 Thread Brian Desmond
That's enough. Windows knows what program to use to execute them.
 
To run from a command line - cscript myscript.vbs :)
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101



From: [EMAIL PROTECTED] on behalf of Cothern Jeff D. Team EITC
Sent: Mon 2/14/2005 9:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Display Computer Name on Desktop



I don't know a lot about scripting or vbs.  But can I take the below
Lines of text starting at CONST and paste that into a notepad and save
it as .vbs does that work or do I need to use some vbs program?




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Friday, February 11, 2005 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Display Computer Name on Desktop

The code would help right.8-)

Const MY_COMPUTER = &H11&
Set objNetwork = CreateObject("Wscript.Network")
objComputerName = objNetwork.ComputerName
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.Namespace(MY_COMPUTER)
Set objFolderItem = objFolder.Self
objFolderItem.Name = objComputerName


Original Message Follows
From: "Salandra, Justin A." <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To: 
CC: <[EMAIL PROTECTED]>
Subject: [ActiveDir] Display Computer Name on Desktop
Date: Fri, 11 Feb 2005 13:41:15 -0500

I have a question, is there a way to display the computer name on the
desktop either through a login script or via GPO?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




[ActiveDir] Invitation

2005-02-14 Thread Manjeet Jakhar
Title: Invitation from Manjeet Jakhar

activedir@mail.activedir.org,

Come join my network at hi5!

I now have over 2 friends in my network! You can meet all of them, plus more
than 7 million other Hi5 members! Once you join, you will immediately be
connected to all the people in my circle of friends. Hi5 is an online service
that lets you meet new people, view photos, browse profiles, and chat with
your friends.

I'll see you inside,

Manjeet Jakhar

Gender/Age: Male/24
Location: Delhi

This invitation was sent to activedir@mail.activedir.org on behalf of Manjeet Jakhar ([EMAIL PROTECTED]).

If you do not wish to receive invitations from hi5 members, click on the link below:

http://www.hi5.com/friend/displayBlockInvite.do?inviteId=223244532


RE: [ActiveDir] GPO design

2005-02-14 Thread John Reijnders
Hi Bart,

The *main* performance hit is caused by the actual settings set in a GPO,
*not* the number of GPOs. However, besides performance, manageability is an
important thing to consider when you're designing your GPO structure.

A limit you have to take into account is that the maximum number of GPOs that
can be applied to a client is 999. But let's be honest ... if you have more
than 999 GPOs applied to a client, you have a different kind of problem ;-).

Cheers,
John

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bart Vandyck
Sent: maandag 14 februari 2005 19:25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GPO design

Hi Jorge,

Great input.. But do I understand you correctly that performance is
dependent on the number of different GPOs instead of the settings done
by these GPOs?

rgds,

Bart


On Mon, 14 Feb 2005 10:47:43 +0100, Jorge de Almeida Pinto
<[EMAIL PROTECTED]> wrote:
> Hi,
> 
> Be careful with creating a GPO for each application. If you have a lot of
> apps and let's say all computers get those apps, then those workstations will
> go through each GPO and then you may have performance issues. It may be
> better to consolidate several apps that have similar "characteristics" into
> one GPO.
> If within a GPO the computer or user configuration is NOT used (no settings
> defined), disable it accordingly. If it is disabled then it will not be
> processed and that is good for performance!
> 
> The naming convention for GPOs I always use is:
> * GPO
> 
> Where:
>  = POL (policy settings) or SWD (software distribution)
>  = C (computer) or U (user) or B (both); this one also tells me which
> configuration is enabled without opening the GPO
>  = can be anything such as location, region, department, etc.
>  = what it is (e.g. default settings)
> 
> Examples:
> GPO_POL_C_Dept01_DefaultSettings
> GPO_SWD_U_Site01_AcrobatReader
> 
> As I think of it: don't go crazy on GPOs. GPOs provide lots of functionality
> but may also kill performance.
> 
> Cheers,
> Jorge
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bart Vandyck
> Sent: maandag 14 februari 2005 10:22
> To: activedir@mail.activedir.org
> Subject: [ActiveDir] GPO design
> 
> Hi all,
> 
> I just wanted some feedback on this project I'm working on from people with
> real world knowledge.
> 
> We have AD in place with an OU structure. I've been asked to make a plan to
> implement GPOs in this organization. I was thinking about creating a GPO
> for each application we want to manage, and this in combination with each OU
> level.
>  For example:  GPO-Region-IE6-users
>   GPO-Region-WINXPSP1-machine
>  GPO-Site01-IE6-users
>  GPO-Site02-IE6-machine
>  GPO-Site01-winxpsp1-user
> 
> The site GPO will only be made or in effect if there is a need to overrule settings
> made on the region level.
> 
> Is this a maintainable solution, or will this become too complex in the end?
> 
> Anybody know some good descriptions or best practices about managing
> software with GPO?  I've seen lots of stuff about creating GPOs,
> troubleshooting them, etc.. but haven't found real implementation case studies
> with advantages and disadvantages..
> 
> rgds,
> 
> Bart
> This e-mail and any attachment is for authorised use by the intended
> recipient(s) only. It may contain proprietary material, confidential
> information and/or be subject to legal privilege. It should not be copied,
> disclosed to, retained or used by, any other party. If you are not an
> intended recipient then please promptly delete this e-mail and any
> attachment and all copies and inform the sender. Thank you.

This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
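Jorge's two recommendations in the thread above (consolidate applications into fewer GPOs, and disable the user or computer half of a GPO that carries no settings) and his naming convention can be checked mechanically rather than by opening every GPO. The script below is an added example written for this archive, not code from any of the posters. It assumes the GroupPolicy PowerShell module that ships with RSAT on Windows 7 / Server 2008 R2 and later (it did not exist in 2005), and it encodes the naming pattern as I read it from Jorge's two examples, GPO_<POL|SWD>_<C|U|B>_<scope>_<description>; the function name Test-GpoDesign and the "never edited" heuristic are mine.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module
# (RSAT, Windows 7 / Server 2008 R2 or later); run as a user who can read GPOs.
Import-Module GroupPolicy

# Jorge's convention as read from his examples (assumption: four '_'-separated
# fields after the GPO_ prefix): GPO_<POL|SWD>_<C|U|B>_<scope>_<description>
$NamePattern = '^GPO_(?<type>POL|SWD)_(?<config>[CUB])_(?<scope>[^_]+)_(?<desc>.+)$'

# GpoStatus value implied by the C/U/B letter in the name.
$ExpectedStatus = @{
    'C' = 'UserSettingsDisabled'       # computer-only GPO: user half should be off
    'U' = 'ComputerSettingsDisabled'   # user-only GPO: computer half should be off
    'B' = 'AllSettingsEnabled'
}

function Test-GpoDesign {
    # Returns one object per GPO with a list of design findings (empty = clean).
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Gpo)
    process {
        $findings = New-Object System.Collections.Generic.List[string]
        $status   = [string]$Gpo.GpoStatus   # AllSettingsEnabled, UserSettingsDisabled,
                                             # ComputerSettingsDisabled, AllSettingsDisabled

        # 1. Naming convention, and the C/U/B letter versus what is actually enabled.
        $m = [regex]::Match($Gpo.DisplayName, $NamePattern)
        if (-not $m.Success) {
            $findings.Add('name does not match GPO_<POL|SWD>_<C|U|B>_<scope>_<description>')
        } else {
            $letter = $m.Groups['config'].Value
            if ($status -ne $ExpectedStatus[$letter]) {
                $findings.Add("name says '$letter' but GpoStatus is $status")
            }
        }

        # 2. A section that has never been edited still has DS and SYSVOL version 0.
        #    If such a section is left enabled, every client processes it for nothing.
        #    Heuristic (assumption): a section that was edited and later emptied keeps
        #    a non-zero version and is not caught here.
        $userEmpty = ($Gpo.User.DSVersion -eq 0 -and $Gpo.User.SysvolVersion -eq 0)
        $compEmpty = ($Gpo.Computer.DSVersion -eq 0 -and $Gpo.Computer.SysvolVersion -eq 0)
        if ($userEmpty -and (@('UserSettingsDisabled', 'AllSettingsDisabled') -notcontains $status)) {
            $findings.Add('user configuration is empty but enabled; disable it')
        }
        if ($compEmpty -and (@('ComputerSettingsDisabled', 'AllSettingsDisabled') -notcontains $status)) {
            $findings.Add('computer configuration is empty but enabled; disable it')
        }

        New-Object PSObject -Property @{
            Name     = $Gpo.DisplayName
            Status   = $status
            Findings = $findings.ToArray()
        }
    }
}

# Usage: report only the GPOs that have findings.
Get-GPO -All |
    Test-GpoDesign |
    Where-Object { $_.Findings.Length -gt 0 } |
    Format-Table Name, Status, Findings -AutoSize -Wrap
```

To act on a finding, the status is a writable property of the object Get-GPO returns, e.g. `(Get-GPO -Name 'GPO_POL_C_Dept01_DefaultSettings').GpoStatus = 'UserSettingsDisabled'`. Two caveats: disabling an unused half is a performance measure, not a security boundary, since anyone with edit rights on the GPO can re-enable it, so review those edit rights alongside this report; and the check only tells you which sections are enabled, not how expensive the settings inside them are, which is the part John points out actually dominates processing time.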