Re: [ActiveDir] Active Directory Permissions

2005-08-31 Thread Mark Parris
I will take a copy of this script please, and I will also utilise the other
script posted.


Markp
-Original Message-
From: "Sakari Kouti" <[EMAIL PROTECTED]>
Date: Thu, 1 Sep 2005 02:04:21 
To:
Subject: RE: [ActiveDir] Active Directory Permissions

Hi Mark, 
 
When writing our book (Inside Active Directory), I wrote a script that dumps 
all the ACEs of a domain to an Excel spreadsheet. 
 
The script has some fixed names and it's not "production quality" by any means, 
but if you want, I can e-mail it to you. 
 
Or, if another person on the list asks, I can also put it on 
http://www.kouti.com 
 
Yours, Sakari 
 
 
   
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, August 31, 2005 9:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Permissions

My preference is a tool that does it for me, but I will put together a script
now that I know there is not a tool to do it.

Many thanks.

Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 31 August 2005 17:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Permissions

when you run it, use a command file.

dsacls ou1
dsacls ou2
dsacls ou3

That of course would not get the sub OU's, but if they are relatively static,
it would be fast to put together and it would keep your output fairly
constant with what you have now.

If not, you could root around on joeware.net and see if there is something
there (note: I could really use a t-shirt to help me remember about joeware
tools when I reply to these :) or you could write a script. You could even
use something like a script that gathers the OU and then shells to dsacls or
something that stays script only. The list goes on.

Do you have a preference on the approach?

Al

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Wed 8/31/2005 1:28 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Active Directory Permissions

DSACLS, but it would be nice for the whole tree.

Mark
-Original Message-
From: "Al Mulnick" <[EMAIL PROTECTED]>
Date: Tue, 30 Aug 2005 20:19:03
To:
Subject: RE: [ActiveDir] Active Directory Permissions

What are you using now for that single OU?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, August 30, 2005 7:21 AM
To: ActiveDir.org
Subject: [ActiveDir] Active Directory Permissions

Hi,

What utility can I use to list the entire OU structure for a Domain and
all permissions set on each OU?

I can manage to do it for a single OU but not say set it to DC=X,DC=Y
and dump the whole structure.

Regards

Mark
List info   : http://www.activedir.org/List.aspx
List   FAQ: http://www.activedir.org/ListFAQ.aspx
List   archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] Active Directory Permissions

2005-08-31 Thread Kamlesh Parmar
I had already posted the recursive command for DSACLS to dump the full
structure...

Here it goes again. Put it in a batch file:

For /F "Tokens=1* Delims=*" %%A in ('dsquery ou -limit 0') do dsacls %%A > %%A.log


This will recursively go to each OU and dump its permissions into a logfile
named after the OU.


On 9/1/05, Sakari Kouti <[EMAIL PROTECTED]> wrote:
> Hi Mark,
>  
> When writing our book (Inside Active Directory), I wrote a script that dumps
> all the ACEs of a domain to an Excel spreadsheet.
>  
> The script has some fixed names and it's not "production quality" by any
> means, but if you want, I can e-mail it to you.
>  
> Or, if another person on the list asks, I can also put it on
> http://www.kouti.com
>  
> Yours, Sakari
>  
>  
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Mark Parris
> Sent: Wednesday, August 31, 2005 9:08 PM
> 
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory Permissions
> 
> 
> 
> 
> My preference is a tool that does it for me – but I will put together a
> script now that I know there is not a tool to do it.
> 
>  
> 
> Many thanks.
> 
>  
> 
> Mark
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Al
> Mulnick
> Sent: 31 August 2005 17:58
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory Permissions
> 
>  
> 
> 
> when you run it, use a command file. 
> 
> 
>  
> 
> 
> dsacls ou1
> 
> 
> dsacls ou2
> 
> 
> dsacls ou3
> 
> 
>  
> 
> 
> That of course would not get the sub OU's, but if they are relatively
> static, it would be fast to put together and it would keep your output
> fairly constant with what you have now. 
> 
> 
>  
> 
> 
> If not, you could root around on joeware.net and see if there is something
> there (note: I could really use a t-shirt to help me remember about joeware
> tools when I reply to these :) or you could write a script. You could even
> use something like a script that gathers the OU and then shells to dsacls or
> something that stays script only. The list goes on.
> 
> 
>  
> 
> 
> Do you have a preference on the approach? 
> 
> 
>  
> 
> 
> Al
> 
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Mark
> Parris
> Sent: Wed 8/31/2005 1:28 PM
> To: ActiveDir.org
> Subject: Re: [ActiveDir] Active Directory Permissions
> 
> 
> DSACLS, but it would be nice for the whole tree.
> 
> Mark
> -Original Message-
> From: "Al Mulnick" <[EMAIL PROTECTED]>
> Date: Tue, 30 Aug 2005 20:19:03
> To:
> Subject: RE: [ActiveDir] Active Directory Permissions
> 
> What are you using now for that single OU?
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Mark Parris
> Sent: Tuesday, August 30, 2005 7:21 AM
> To: ActiveDir.org
> Subject: [ActiveDir] Active Directory Permissions
> 
> Hi,
> 
> What utility can I use to list the entire OU structure for a Domain and
> all permissions set on each OU?
> 
> I can manage to do it for a single OU but not say set it to DC=X,DC=Y
> and dump the whole structure.
> 
> Regards
> 
> Mark


-- 
--
~~~
"Fortune and Love befriend the bold"
~~~
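The whole-tree dump this thread works toward (Kamlesh's dsquery/dsacls loop, Sakari's ACE-to-spreadsheet script), as an added example that is not code from anyone on the list: a PowerShell function that walks every OU under a search base and emits one row per ACE, so the result can be filtered instead of read log by log. It assumes the ActiveDirectory module (RSAT) and the AD: drive it provides, neither of which existed in 2005; the CSV path and the rights filter at the end are my own choices.

```powershell
# Added example (not from the thread): one CSV row per ACE for every OU in the tree.
# Assumes the ActiveDirectory PowerShell module (RSAT) and its AD: provider.
Import-Module ActiveDirectory

function Get-OuAceReport {
    param(
        # Defaults to the domain the script runs in; pass -SearchBase "DC=X,DC=Y" for another.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Subtree scope walks the whole OU hierarchy, which is what dsacls alone does not do.
    $ous = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -SearchScope Subtree
    foreach ($ou in $ous) {
        # Get-Acl on the AD: drive returns an ActiveDirectorySecurity object for the OU.
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                OU                  = $ou.DistinguishedName
                Owner               = $acl.Owner
                Trustee             = $ace.IdentityReference.Value
                Type                = $ace.AccessControlType      # Allow / Deny
                Rights              = $ace.ActiveDirectoryRights  # e.g. GenericAll, WriteDacl, CreateChild
                ObjectType          = $ace.ObjectType             # schema GUID; all-zero GUID = whole object
                InheritedObjectType = $ace.InheritedObjectType
                Inheritance         = $ace.InheritanceType
                IsInherited         = $ace.IsInherited
            }
        }
    }
}

# Full dump: one CSV for the whole tree instead of one .log per OU.
Get-OuAceReport | Export-Csv -Path .\ou-aces.csv -NoTypeInformation

# Review filter: explicit (non-inherited) Allow ACEs that grant control rights on the OU
# itself. Those are the entries to compare against the delegation model on record.
Get-OuAceReport |
    Where-Object { -not $_.IsInherited -and $_.Type -eq 'Allow' -and
                   ($_.Rights -match 'GenericAll|WriteDacl|WriteOwner') } |
    Format-Table OU, Trustee, Rights -AutoSize
```

Run it as an account that can read the security descriptors (any authenticated user can read OU ACLs by default). Because the rows carry `IsInherited`, a diff of two dumps taken a month apart shows delegation changes without the noise of inherited entries repeating on every child OU.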


RE: [ActiveDir] Time on server

2005-08-31 Thread Eric Fleischman
And please be sure to note the part of Michael's mail below where he said
"stable". I once talked to a customer who was syncing DCs to an external
clock that rolled back ~20 years. I assure you that was not the best day
ever for this admin. :)

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, August 31, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time on server

Yes, the recommendation is to use an internal hardware clock:

http://support.microsoft.com/default.aspx?scid=816042

Tony 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, 1 September 2005 12:28 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time on server

How about synch'ing it with an internal source that is stable?  Remember
that it needs port UDP 123 open.  I wonder why you wouldn't want to use
an external source, like http://tycho.usno.navy.mil/ntp.html?
 
Mike Thommes



From: [EMAIL PROTECTED] on behalf of Patrick Paul
Sent: Wed 8/31/2005 11:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Time on server



The time on my server is constantly increasing and is clearly wrong. I
do not want to sync with an external source!

Help appreciated!

Windows 2000 Advanced Server



Re: [ActiveDir] Time on server

2005-08-31 Thread ASB
Why don't you want to sync externally?

Your BIOS battery is probably going south.



-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On 9/1/05, Patrick Paul <[EMAIL PROTECTED]> wrote:
> 
> 
> The time on my server is constantly increasing and is clearly wrong. I do
> not want to sync with an external source!
> 
> Help appreciated!
> 
> Windows 2000 Advanced Server


RE: [ActiveDir] DC authentication

2005-08-31 Thread joe
The switch /sc_query only shows you your secure channel DC, it doesn't
necessarily tell you what DC you are using for LDAP ops currently. They are
usually the same but don't have to be. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cace, Andrew
Sent: Wednesday, August 31, 2005 6:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC authentication

 
Our TAM has been beating using nltest instead of "set l" into our heads for
almost two years now.  The set command echoes a variable that is set at
startup and doesn't change when your authenticating server changes.  

The only problem with using nltest with the /sc_query option is that it also
checks a cached value.  If you truly want to determine which DC is currently
authenticating a PC, you should use the /sc_reset option of nltest.  This
will reset the secure channel between the workstation and the DC and report
the status of the secure channel.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, August 31, 2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC authentication

Hi Christine

This will show you the secure channel for a given machine:

nltest /sc_query:<domain> /server:<computer>

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Thursday, 1 September 2005 8:58 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC authentication

Sorry, I'm having a brain hiccup.  Does anyone know the command line utility
that tells you which DC authenticates you?

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02216

617-748-6034
617-293-4407
[EMAIL PROTECTED]



RE: [ActiveDir] Time on server

2005-08-31 Thread Tony Murray
Yes, the recommendation is to use an internal hardware clock:

http://support.microsoft.com/default.aspx?scid=816042

Tony 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, 1 September 2005 12:28 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time on server

How about synch'ing it with an internal source that is stable?  Remember
that it needs port UDP 123 open.  I wonder why you wouldn't want to use
an external source, like http://tycho.usno.navy.mil/ntp.html?
 
Mike Thommes



From: [EMAIL PROTECTED] on behalf of Patrick Paul
Sent: Wed 8/31/2005 11:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Time on server



The time on my server is constantly increasing and is clearly wrong. I
do not want to sync with an external source!

Help appreciated!

Windows 2000 Advanced Server



RE: [ActiveDir] Time on server

2005-08-31 Thread joe



Then you better be resetting the clock manually until you 
find what is wrong with the server. If it isn't syncing with anything, then its 
internal clock is fubar. 
 
How is tomorrow BTW, looks like you are sending this a good 
4 hours before I am responding. :o)
 
   joe


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Patrick Paul
Sent: Thursday, September 01, 2005 12:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Time on server

The time on my server is constantly increasing and is clearly wrong. I do
not want to sync with an external source!

Help appreciated!

Windows 2000 Advanced Server


RE: [ActiveDir] Help to Explain how a Domain Controller could be Overwritten by a Member Server

2005-08-31 Thread joe



The only way I can visualize this happening is if someone 
reset the computer account on Domain Controller A. Otherwise when the new 
machine joined the domain, it couldn't "slide into" the machine account for the 
existing domain controller A.
 
   joe


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Pilloff
Sent: Tuesday, August 30, 2005 8:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Help to Explain how a Domain Controller could be
Overwritten by a Member Server

I was hoping somebody might be able to explain how the following occurred.
A member server was built with the same name as an existing Domain
Controller, Domain Controller A.  The server was somehow put in the domain,
and rebooted.  In addition, I believe the server was then renamed to Domain
Controller B (just a name as it was not dcpromoed) while still in the
domain.  The end result was that the existing Domain Controller, Domain
Controller A, was somehow overwritten by the member server, and its display
name in ADUC changed to this new name Domain Controller B.  The offending
Domain Controller B was then deleted from the Domain Controllers OU.  The
event logged for the change shows "Target Account Name: Domain Controller B"
but "Target Account ID: Domain Controller A"; they are mismatched.  I
believe the same event was displayed for the delete.  I entered this issue
after all the above had occurred and performed an authoritative restore of
the object (original Domain Controller A) and stopped the KDC, replicated,
and got the domain controller back.  I have researched this issue, and tried
to recreate the issue many different ways in a test lab but cannot recreate
it.  Has anyone ever seen anything like this?  I am absolutely dumbfounded.


RE: [ActiveDir] Time on server

2005-08-31 Thread Thommes, Michael M.
How about synch'ing it with an internal source that is stable?  Remember that 
it needs port UDP 123 open.  I wonder why you wouldn't want to use an external 
source, like http://tycho.usno.navy.mil/ntp.html?
 
Mike Thommes



From: [EMAIL PROTECTED] on behalf of Patrick Paul
Sent: Wed 8/31/2005 11:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Time on server



The time on my server is constantly increasing and is clearly wrong. I do not
want to sync with an external source!

Help appreciated!

Windows 2000 Advanced Server

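The fix the "Time on server" replies converge on (Mike: sync from a stable internal source and keep UDP 123 open; Tony: the KB 816042 recommendation; Eric: a source that jumped ~20 years), as an added example that is not code from anyone in this thread. It assumes w32tm.exe as shipped with Windows Server 2003 or later; `w32tm /query` needs Windows Server 2008 or later (on 2003 use `w32tm /monitor`), and on Windows 2000, as in Patrick's case, the equivalent was `net time /setsntp:<server>` followed by `w32tm -once`. The peer hostnames and the 48-hour cap are placeholders of my choosing.

```powershell
# Added example (not from the thread): put a Windows server (for a domain, the PDC emulator)
# on a stable internal NTP source, cap how far it may jump, and verify the result.
# ntp1/ntp2.internal.example are placeholder hostnames.

$Peers = "ntp1.internal.example,0x8 ntp2.internal.example,0x8"   # 0x8 = client mode, unicast requests

# Take time only from the listed peers. /reliable:yes belongs on the PDC emulator, which is the
# root of the domain time hierarchy; other DCs and members keep /syncfromflags:domhier and follow it.
w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update

# Eric's "~20 years" story: cap the largest correction the service will apply in one step.
# On Windows Server 2003 domain members the default was 0xFFFFFFFF, i.e. follow the source
# wherever it goes. 172800 s (48 h) is a common choice; pick what your environment tolerates.
$cfg = "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config"
Set-ItemProperty -Path $cfg -Name MaxPosPhaseCorrection -Value 172800 -Type DWord
Set-ItemProperty -Path $cfg -Name MaxNegPhaseCorrection -Value 172800 -Type DWord

Restart-Service w32time
w32tm /resync /rediscover

# Verify the source. "Local CMOS Clock" or "Free-running System Clock" here means the sync
# never happened and the box is back on the drifting hardware clock Patrick is describing.
w32tm /query /source
w32tm /query /status

# Mike's "needs UDP 123 open": stripchart sends real NTP requests and prints the offset per
# sample. A timeout on every sample points at the firewall between this host and the source.
w32tm /stripchart /computer:ntp1.internal.example /samples:5 /dataonly
```

With the phase-correction cap in place, a source that suddenly reports a time decades away is rejected and logged by the Windows Time service rather than applied, which turns Eric's customer's bad day into an event-log entry to investigate.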


[ActiveDir] Time on server

2005-08-31 Thread Patrick Paul








The time on my server is constantly increasing and is
clearly wrong. I do not want to sync with an external source!

Help appreciated!

Windows 2000 Advanced Server








RE: [ActiveDir] VBscript to set a password for a user in AD but ran from a non domain member

2005-08-31 Thread Al Mulnick
It might at that. :)
 
I ran this at home and it was the translation that was causing me issues. 
 
I changed the code to be more like this: 
 
Const ADS_SECURE_AUTHENTICATION = 1
strUserDN = "cn=Administrator,cn=Users,dc=Clusterdomain,dc=com"
strPassword = "Super_Secret_and_complex_Password"
Set objRoot = GetObject("LDAP:")
Set objDomain = _
    objRoot.OpenDSObject("LDAP://SRVR/dc=Clusterdomain,dc=com", _
    strUserDN, strPassword, ADS_SECURE_AUTHENTICATION)

'// This is where you can open the object.  You have to know the DN of the
'// object which infers that you've previously searched and found the object DN.
'// I didn't include that here, but it wouldn't be too tough.
Set objUser = _
    objRoot.OpenDSObject("LDAP://SRVR/cn=Student2,OU=Students,dc=Clusterdomain,dc=com", _
    strUserDN, strPassword, ADS_SECURE_AUTHENTICATION)
objUser.SetPassword ("slslslslsls.1")
 
If it's not in the domain, you must use a method that allows you to pass 
credentials.  OpenDSObject is that method. 
 
Winnt provider might work so long as you can pass the credentials properly, but 
I hate to look back and use it that way. Easier to search for the object and 
return the DN and then set the password. 
 
Note that iads::setpassword was used vs. changepassword.  I think Shawn 
mentioned that the user does not know the password. 
 
Al
 



From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 8/31/2005 6:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VBscript to set a password for a user in AD but ran 
from a non domain member



I wonder if, in this case, it might not be easier to just use the
WINNT:// ADSI provider to reset the user's password? You might avoid
some of these issues. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 01, 2005 7:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VBscript to set a password for a user in AD but
ran from a non domain member

I would wonder if the Name Translation is failing, does it have the
security context to do the lookup? I am not in a position to test it at
the moment but I would make sure it is working properly.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
Sent: Wednesday, August 31, 2005 3:33 PM
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VBscript to set a password for a user in AD but
ran from a non domain member

Thanks for the reply Al.

strNetbiosdomain is a variable I set

script dies before line 61

A web front-end is where we were leaning.

Shawn

>>> "Al Mulnick" <[EMAIL PROTECTED]> 08/31/05 03:19PM >>>
How does the non-domain member find strNetBIOSDomain ?

On line 61, how about having it echo to the user what the
strNetBIOSDomain and strUserName1 variables result in?

Does it match what you think it should be?  Is it possible to find that
information from the workstation it's running on? Any reason you
wouldn't run this as a web page from a domain member instead?

Al



From: [EMAIL PROTECTED] on behalf of Shawn Hayes
Sent: Wed 8/31/2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VBscript to set a password for a user in AD but ran
from a non domain member



I am trying to write a script to set a user password and the script must
be run from a machine that is not a domain member.

Background:
We are migrating to Exchange from GroupWise in 12 days.  We still have a
ton of machines that are not part of AD, still in NDS.  Users all have
accounts and mailboxes in AD.  Many Novell users have not logged into
AD.  During our migration we would like the techs to quickly reset user
passwords for those that do not know their AD passwords.  Techs will be
in the field at distributed locations to help with Outlook connectivity.
They will not know the existing password.

When I run this from a non domain member I get "The specified domain
either does not exist or could not be contacted".  It runs fine from a
domain member.

Here is the code - thanks to anyone that can help.

'Set a Users password
'Written by: Shawn Hayes
'Date: 8-31-05

'Variables
Dim strUserName, strUserDN, strDNSDomain, strNetBiosDomain, strpassword, strpassword1, strpassword2
Dim strUserName1, strUserName2, strmsgresult, strcontinue, stradminID, stradminpwd, stradminpwd1, stradminpwd2
strNetBiosDomain = "ourdomainname\"
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1
Const ADS_PROPERTY_CLEAR = 1
Const ADS_SECURE_AUTHENTICATION = 1

  'Input box prompts for UserID
msgbox ("You must enter a userid with privledges in AD to change user passwords!")
stradminID = InputBox ("Enter Your Admin account name used to connect to AD", "Enter Your Admin account name used to connect to AD", "")
  'Input box prompts for admins password
  Do
stradminpwd1 = InputBox ("Enter the Admin Password", " Admin
Pas

RE: [ActiveDir] Active Directory Permissions

2005-08-31 Thread Sakari Kouti



Hi Mark,
 
When writing our book (Inside Active Directory), I wrote a 
script that dumps all the ACEs of a domain to an Excel 
spreadsheet.
 
The script has some fixed names and it's not "production 
quality" by any means, but if you want, I can e-mail it to 
you.
 
Or, if another person on the list asks, I can also 
put it on http://www.kouti.com
 
Yours, Sakari
 
 

  
  
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, August 31, 2005 9:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Permissions

My preference is a tool that does it for me – but I will put together a
script now that I know there is not a tool to do it.

Many thanks.

Mark

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 31 August 2005 17:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Permissions

when you run it, use a command file.

dsacls ou1
dsacls ou2
dsacls ou3

That of course would not get the sub OU's, but if they are relatively
static, it would be fast to put together and it would keep your output
fairly constant with what you have now.

If not, you could root around on joeware.net and see if there is something
there (note: I could really use a t-shirt to help me remember about joeware
tools when I reply to these :) or you could write a script. You could even
use something like a script that gathers the OU and then shells to dsacls or
something that stays script only. The list goes on.

Do you have a preference on the approach?

Al

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Wed 8/31/2005 1:28 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Active Directory Permissions

DSACLS, but it would be nice for the whole tree.

Mark
-Original Message-
From: "Al Mulnick" <[EMAIL PROTECTED]>
Date: Tue, 30 Aug 2005 20:19:03
To:
Subject: RE: [ActiveDir] Active Directory Permissions

What are you using now for that single OU?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, August 30, 2005 7:21 AM
To: ActiveDir.org
Subject: [ActiveDir] Active Directory Permissions

Hi,

What utility can I use to list the entire OU structure for a Domain and
all permissions set on each OU?

I can manage to do it for a single OU but not say set it to DC=X,DC=Y
and dump the whole structure.

Regards

Mark


RE: [ActiveDir] DC authentication

2005-08-31 Thread Cace, Andrew
 
Our TAM has been beating using nltest instead of "set l" into our heads for
almost two years now.  The set command echoes a variable that is set at
startup and doesn't change when your authenticating server changes.  

The only problem with using nltest with the /sc_query option is that it also
checks a cached value.  If you truly want to determine which DC is currently
authenticating a PC, you should use the /sc_reset option of nltest.  This
will reset the secure channel between the workstation and the DC and report
the status of the secure channel.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, August 31, 2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC authentication

Hi Christine

This will show you the secure channel for a given machine:

nltest /sc_query:<domain> /server:<computer>

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Thursday, 1 September 2005 8:58 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC authentication

Sorry, I'm having a brain hiccup.  Does anyone know the command line utility
that tells you which DC authenticates you?

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02216

617-748-6034
617-293-4407
[EMAIL PROTECTED]

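The three answers the "DC authentication" thread compares (`set l`, `nltest /sc_query`, and joe's point that the DC used for LDAP need not be the secure-channel DC), as an added example that is not code from Andrew, Tony or joe: a PowerShell function that reports all three side by side so the disagreement Andrew describes is visible. It assumes a domain-joined Windows host with nltest.exe (Support Tools in 2005, in-box on current Windows) and that nltest prints its result on a `Trusted DC Name \\dc` line.

```powershell
# Added example (not from the thread): where "which DC am I using" gets three different answers.
# Assumes a domain-joined host and nltest.exe on the PATH.

function Get-DcInUse {
    param([string]$Domain = $env:USERDOMAIN)

    # 1. What "set l" shows: LOGONSERVER is stamped into the environment at logon and never
    #    changes for the life of the session, even after the secure channel has moved.
    $atLogon = $env:LOGONSERVER.TrimStart('\')

    # 2. The Netlogon secure channel. /sc_query reports the cached channel; /sc_verify
    #    re-validates it and /sc_reset rebuilds it, which is why Andrew prefers /sc_reset
    #    when the current partner is what matters.
    $line = (nltest /sc_query:$Domain | Select-String 'Trusted DC Name').ToString()
    $secureChannelDc = ($line -split '\\\\')[-1].Trim()   # text after the "\\" prefix

    # 3. The DC the locator (DsGetDcName) hands out for LDAP right now. This is joe's point:
    #    usually the same DC as the secure channel, but nothing forces it to be.
    $ldapDc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().
        FindDomainController().Name

    [pscustomobject]@{
        LogonServerEnvVar = $atLogon           # "set l" answer, frozen at logon
        SecureChannelDc   = $secureChannelDc   # nltest /sc_query answer, cached
        LdapLocatorDc     = $ldapDc            # what a new LDAP bind would use
    }
}

Get-DcInUse

# Andrew's method for a fresh answer: reset the channel, then query it again. The reset
# briefly interrupts pass-through authentication on this host, so schedule it accordingly.
# nltest /sc_reset:$env:USERDOMAIN
# nltest /sc_query:$env:USERDOMAIN
```

When the three columns differ, that is expected rather than a fault: the first is historical, the second is Netlogon's cached partner, and only the third reflects the DC locator's current choice.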


RE: [ActiveDir] VBscript to set a password for a user in AD but ran from a non domain member

2005-08-31 Thread Darren Mar-Elia
I wonder if, in this case, it might not be easier to just use the
WINNT:// ADSI provider to reset the user's password? You might avoid
some of these issues.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 01, 2005 7:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VBscript to set a password for a user in AD but
ran from a non domain member

I would wonder if the Name Translation is failing, does it have the
security context to do the lookup? I am not in a position to test it at
the moment but I would make sure it is working properly.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
Sent: Wednesday, August 31, 2005 3:33 PM
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VBscript to set a password for a user in AD but
ran from a non domain member

Thanks for the reply Al.

strNetbiosdomain is a variable I set

script dies before line 61

A web front-end is where we were leaning.

Shawn

>>> "Al Mulnick" <[EMAIL PROTECTED]> 08/31/05 03:19PM >>>
How does the non-domain member find strNetBIOSDomain ?

On line 61, how about having it echo to the user what the
strNetBIOSDomain and strUserName1 variables result in?

Does it match what you think it should be?  Is it possible to find that
information from the workstation it's running on? Any reason you
wouldn't run this as a web page from a domain member instead? 

Al



From: [EMAIL PROTECTED] on behalf of Shawn Hayes
Sent: Wed 8/31/2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VBscript to set a password for a user in AD but ran
from a non domain member



I am trying to write a script to set a user password and the script must
be run from a machine that is not a domain member.

Background:
We are migrating to Exchange from GroupWise in 12 days.  We still have a
ton of machines that are not part of AD, still in NDS.  Users all have
accounts and mailboxes in AD.  Many Novell users have not logged into
AD.  During our migration we would like the techs to quickly reset user
passwords for those that do not know their AD passwords.  Techs will be
in the field at distributed locations to help with Outlook connectivity.
They will not know the existing password.

When I run this from a non domain member I get "The specified domain
either does not exist or could not be contacted".  It runs fine from a
domain member.

Here is the code - thanks to anyone that can help.

'Set a Users password
'Written by: Shawn Hayes
'Date: 8-31-05

'Variables
Dim strUserName, strUserDN, strDNSDomain, strNetBiosDomain, strpassword, strpassword1, strpassword2
Dim strUserName1, strUserName2, strmsgresult, strcontinue, stradminID, stradminpwd, stradminpwd1, stradminpwd2
strNetBiosDomain = "ourdomainname\"
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1
Const ADS_PROPERTY_CLEAR = 1
Const ADS_SECURE_AUTHENTICATION = 1

  'Input box prompts for UserID
msgbox ("You must enter a userid with privledges in AD to change user passwords!")
stradminID = InputBox ("Enter Your Admin account name used to connect to AD", "Enter Your Admin account name used to connect to AD", "")
  'Input box prompts for admins password
  Do
stradminpwd1 = InputBox ("Enter the Admin Password", " Admin Password", "")
stradminpwd2 = InputBox ("Reenter the Admin password", "Admin Password", "")
If stradminpwd1 <> stradminpwd2 then
  msgbox ("Admin Passwords do not match")
  strpassword = "nothing"
Else
  strpassword = "equal"
End IF
  Loop until strpassword = "equal"

strpassword = "nothing"

'User information
Do
  'Input box prompts for UserID
strUsername1 = InputBox ("Enter the Active Directory UserID", "Enter the Users Active Directory UserID", "")
  'Input box prompts for users new password
  Do
strPassword1 = InputBox ("Enter the new Password", "Password", "")
strPassword2 = InputBox ("Reenter the password", "Password", "")
If strpassword1 <> strpassword2 then
  msgbox ("Passwords do not match")
  strpassword = "nothing"
Else
  strpassword = "equal"
End IF
  Loop until strpassword = "equal"

  Set objNetwork = CreateObject("Wscript.Network")

  'Connect to RootDSE
  'Set objRoot = GetObject("LDAP://domaincontroller.ourdomain.com/RootDSE")
  'Set objroot = GetObject("LDAP:")
  'Set objDomain = objRoot.OpenDSObject("LDAP://cn=domain controller,OU=domain controllers,dc=ourdomain,dc=com", strNetBiosDomain & stradminID, stradminpwd1, ADS_SECURE_AUTHENTICATION)
  'Set objDomain = objRoot.OpenDSObject("LDAP://dc=ourdomain,dc=com", strNetBiosDomain & stradminID, stradminpwd1, ADS_SECURE_AUTHENTICATION)
  'strDNSDomain = objRootDSE.Get("defaultNamingContext")
  'strDNSDomain = objdomain.Get("defaultNamingContext")

  'Determine UsersDN from netbios name
  Set objTrans = CreateObject("NameTranslate")

RE: [ActiveDir] Companies splitting - where to start with Active Directory, DNS, DHCP, etc.

2005-08-31 Thread joe
Yes.

Someone followed the MS book examples pretty explicitly. :o)

 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] DC authentication

2005-08-31 Thread Crawford, Scott
Setprfdc from NT4 allows you to specify a DC to use, but if you're
actually looking for what you're asking for, the other answers posted
are what you're looking for.


RE: [ActiveDir] VBscript to set a password for a user in AD but ran from a non domain member

2005-08-31 Thread joe
I would wonder if the Name Translation is failing, does it have the security
context to do the lookup? I am not in a position to test it at the moment
but I would make sure it is working properly.
 

RE: [ActiveDir] DC authentication

2005-08-31 Thread Cariglia, Daniel
"Set l" will return your logon server.

Dan Cariglia
Systems Analyst
Concerto Software, Inc.
6 Technology Park Drive
Westford, MA 01886
(978)952-0618  
Ext. 20618
email: [EMAIL PROTECTED]





RE: [ActiveDir] DC authentication

2005-08-31 Thread Tony Murray
Hi Christine

This will show you the secure channel for given machine:

nltest /sc_query: /server: 

Tony


RE: [ActiveDir] DC authentication

2005-08-31 Thread Ryan A. Conrad
echo %logonserver%

-Ryan


RE: [ActiveDir] DC authentication

2005-08-31 Thread Brian Desmond
Echo %logonserver%

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

RE: [ActiveDir] DC authentication

2005-08-31 Thread joe
How about...

set logonserver
 


RE: [ActiveDir] DC authentication

2005-08-31 Thread Thommes, Michael M.
SET LOGONSERVER at the command line should be enough.

Mike Thommes


RE: [ActiveDir] DC authentication

2005-08-31 Thread Jennifer Fountain
I think the "set" command will give you that information.  There might
be a better tool - I would be interested in that as well :)

I use this command -  set | find "LOGONSERVER" - to parse out the rest
of the info.

HTH



Thank you for your time! 
Jennifer

[ActiveDir] DC authentication

2005-08-31 Thread Christine Allen
Sorry, I'm having a brain hiccup.  Does anyone know the command line utility that
tells you which DC authenticates you?

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02216

617-748-6034
617-293-4407
[EMAIL PROTECTED]


Re: [ActiveDir] Companies splitting - where to start with Active Directory, DNS, DHCP, etc.

2005-08-31 Thread Danny
On 8/31/05, Al Mulnick <[EMAIL PROTECTED]> wrote:
> Finding the root.  I believe it was Dean who posted this a little while back.
> "... another thought, to determine your forest root in order to validate
> the dn you're supplying, the following single-line command line syntax
> will help -
> 
> portqry -n  -e 389 | find "root"
> Run that on both domains and compare.

portqry -n dc2 -e 389 | find "root"
rootDomainNamingContext: DC=Dom,DC=example,DC=org

portqry -n dc1 -e 389 | find "root"
rootDomainNamingContext: DC=Dom,DC=contoso,DC=com

Safe to say - separate forests?

...D
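
The portqry one-liner above reads rootDomainNamingContext, an attribute every DC publishes anonymously in RootDSE. What follows is an added example and not part of the thread: the same check done through ADSI so it can be run over a list of DCs from a script, extended by one step beyond the one-liner in that it also compares the GUID of the Configuration container, which tells apart two independently built forests that happen to share a root DN. The server names dc1 and dc2 and the function names ForestRootOf, ConfigGuidOf and SameForest are placeholders.

```vbscript
' Added example (not from the thread): decide whether two DCs belong to the
' same forest. Server names "dc1" and "dc2" are placeholders.
Option Explicit

' RootDSE is readable without credentials, so this works from anywhere
' that can reach TCP 389 on the DC.
Function ForestRootOf(strServer)
    Dim objRootDSE
    Set objRootDSE = GetObject("LDAP://" & strServer & "/RootDSE")
    ForestRootOf = objRootDSE.Get("rootDomainNamingContext")
End Function

' Two forests built independently with the same DNS name carry the same
' root DN, so also compare the GUID of the Configuration container, which
' is assigned when the forest is created. This read uses the caller's own
' logon, so run it from a domain member (or switch to OpenDSObject).
Function ConfigGuidOf(strServer)
    Dim objRootDSE, objConfig
    Set objRootDSE = GetObject("LDAP://" & strServer & "/RootDSE")
    Set objConfig = GetObject("LDAP://" & strServer & "/" & _
        objRootDSE.Get("configurationNamingContext"))
    ConfigGuidOf = objConfig.GUID
End Function

' True only when both the root DN and the configuration GUID agree.
Function SameForest(strServerA, strServerB)
    If LCase(ForestRootOf(strServerA)) <> LCase(ForestRootOf(strServerB)) Then
        SameForest = False
    Else
        SameForest = (ConfigGuidOf(strServerA) = ConfigGuidOf(strServerB))
    End If
End Function

WScript.Echo "dc1 forest root: " & ForestRootOf("dc1")
WScript.Echo "dc2 forest root: " & ForestRootOf("dc2")
If SameForest("dc1", "dc2") Then
    WScript.Echo "Same forest"
Else
    WScript.Echo "Separate forests"
End If
```

A mismatch in rootDomainNamingContext is already conclusive, as in Danny's output; the GUID comparison only matters when the two DNs are identical.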

RE: [ActiveDir] VBscript to set a password for a user in AD but ran from a non domain member

2005-08-31 Thread Shawn Hayes
Thanks for the reply Al.

strNetbiosdomain is a variable I set

script dies before line 61

A web front-end is where we were leaning.

Shawn


RE: [ActiveDir] VBscript to set a password for a user in AD but ran from a non domain member

2005-08-31 Thread Al Mulnick
How does the non-domain member find strNetBIOSDomain ?
 
On line 61, how about having it echo to the user what the strNetBIOSDomain and 
strUserName1 variables result in?
 
Does it match what you think it should be?  Is it possible to find that 
information from the workstation it's running on? Any reason you wouldn't run 
this as a web page from a domain member instead? 
 
Al




[ActiveDir] VBscript to set a password for a user in AD but ran from a non domain member

2005-08-31 Thread Shawn Hayes
I am trying to write a script to set a user password and the script must be run 
from a machine that is not a domain member.

Background:
We are migrating to Exchange from Groupwise in 12 days.  We still have a ton of 
machines that are not part of AD, still in NDS.  Users all have accounts and 
mailboxes in AD.  Many Novell users have not logged into AD.  During our 
migration we would like the techs to quickly reset user passwords for those 
that do not know their AD passwords.  Techs will be in the field at distributed 
locations to help with outlook connectivity.  They will not know the existing 
password.

When i run this from a non domain member I get "The specified domain either 
does not exist or could not be contacted".  It runs fine from a domain member

Here is the code - thanks to anyone that can help.

'Set a Users password
'Written by: Shawn Hayes
'Date: 8-31-05

'Variables (lines that were wrapped by the mail client are continued with "_")
Dim strUserName, strUserDN, strDNSDomain, strNetBiosDomain, strpassword, _
    strpassword1, strpassword2
Dim strUserName1, strUserName2, strmsgresult, strcontinue, stradminID, _
    stradminpwd, stradminpwd1, stradminpwd2
strNetBiosDomain = "ourdomainname\"
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1
Const ADS_PROPERTY_CLEAR = 1
Const ADS_SECURE_AUTHENTICATION = 1

'Input box prompts for the admin UserID
MsgBox "You must enter a userid with privileges in AD to change user passwords!"
stradminID = InputBox("Enter Your Admin account name used to connect to AD", _
    "Enter Your Admin account name used to connect to AD", "")
'Input box prompts for the admin's password (InputBox shows it in clear text)
Do
    stradminpwd1 = InputBox("Enter the Admin Password", " Admin Password", "")
    stradminpwd2 = InputBox("Reenter the Admin password", "Admin Password", "")
    If stradminpwd1 <> stradminpwd2 Then
        MsgBox "Admin Passwords do not match"
        strpassword = "nothing"
    Else
        strpassword = "equal"
    End If
Loop Until strpassword = "equal"

strpassword = "nothing"

'User information
Do
    'Input box prompts for the target UserID
    strUserName1 = InputBox("Enter the Active Directory UserID", _
        "Enter the Users Active Directory UserID", "")
    'Input box prompts for the user's new password
    Do
        strpassword1 = InputBox("Enter the new Password", "Password", "")
        strpassword2 = InputBox("Reenter the password", "Password", "")
        If strpassword1 <> strpassword2 Then
            MsgBox "Passwords do not match"
            strpassword = "nothing"
        Else
            strpassword = "equal"
        End If
    Loop Until strpassword = "equal"

    Set objNetwork = CreateObject("Wscript.Network")

    'Connect to RootDSE (earlier attempts, left commented out as posted)
    'Set objRoot = GetObject("LDAP://domaincontroller.ourdomain.com/RootDSE")
    'Set objroot = GetObject("LDAP:")
    'Set objDomain = objRoot.OpenDSObject("LDAP://cn=domain controller,OU=domain controllers,dc=ourdomain,dc=com", strNetBiosDomain & stradminID, stradminpwd1, ADS_SECURE_AUTHENTICATION)
    'Set objDomain = objRoot.OpenDSObject("LDAP://dc=ourdomain,dc=com", strNetBiosDomain & stradminID, stradminpwd1, ADS_SECURE_AUTHENTICATION)
    'strDNSDomain = objRootDSE.Get("defaultNamingContext")
    'strDNSDomain = objdomain.Get("defaultNamingContext")

    'Determine the user's DN from the NetBIOS-style name.
    'NameTranslate is not initialised with a server or credentials here, so
    'it has to locate a DC for the calling machine's own domain, which a
    'workgroup machine does not have.
    Set objTrans = CreateObject("NameTranslate")
    objTrans.Set ADS_NAME_TYPE_NT4, strNetBiosDomain & strUserName1
    strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
    strmsgresult = MsgBox("OK to change this user's password? " & strUserDN, vbYesNo)
    'msgbox (strmsgresult)
    If strmsgresult = vbYes Then   'MsgBox returns 6 (vbYes) for the Yes button
        'Set the Users Password
        'Set objUser = GetObject ("LDAP://" & strUserDN)
        Set objDomain = GetObject("LDAP:")
        Set objUser = objDomain.OpenDSObject( _
            "LDAP://domaincontroller.ourdomain.com/" & strUserDN, _
            strNetBiosDomain & stradminID, stradminpwd1, ADS_SECURE_AUTHENTICATION)

        objUser.SetPassword strpassword1
        MsgBox "Password Set!"
        WScript.Quit
    Else
        strcontinue = MsgBox("Password not set, would you like to reenter the UserID?", vbYesNo)
        If strcontinue <> vbYes Then
            WScript.Quit
        End If
    End If
Loop



I am trying to write a script to set a user password and the script must be 
run from a machine that is not a domain member.
 
Background:
We are migrating to Exchange from Groupwise in 12 days.  We still have 
a ton of machines that are not part of AD, still in NDS.  Users all have 
accounts and mailboxes in AD.  Many Novell users have not logged into 
AD.  During our migration we would like the techs to quickly reset 
user passwords for those that do not know their AD passwords.  Techs will 
be in the field at distributed locations to help with outlook 
connectivity.  They will not know the existing password.
 
When I run this from a non-domain member I get "The specified domain either
does not exist or could not be contacted".  It runs fine from a domain
member.
 
Here is the code - thanks to anyone that can help.
 
'Set a Users password
'Written by: Shawn Hayes
'Date: 8
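
The same procedure in PowerShell, added here as an example; it is not Shawn's script and not part of the original post. It binds to a named DC with explicit credentials (the part that fails on a non-member when left implicit), looks the user up by sAMAccountName instead of hand-building a DN, escapes the typed ID before it goes into the LDAP filter, masks both password prompts, and clears pwdLastSet so the tech's temporary password must be changed at the next logon. The DC name dc01.ourdomain.com is an assumption; the domain DN is read from RootDSE. Only System.DirectoryServices is used, so nothing beyond PowerShell needs installing on the tech's machine.

```powershell
# Added example, not the script from the original post. Resets an AD user's
# password from a workstation that is NOT a domain member by binding to a
# named DC with explicit credentials (System.DirectoryServices only, no RSAT).
# Assumption: dc01.ourdomain.com is a writable DC reachable on 389 and 445.
$Server = 'dc01.ourdomain.com'

function ConvertTo-PlainText([Security.SecureString]$Secure) {
    # Decrypt a SecureString only at the point it has to cross into ADSI.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping, so a typed user ID cannot change the filter's meaning.
    $sb = New-Object Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'       { [void]$sb.Append('\5c') }
            '*'       { [void]$sb.Append('\2a') }
            '('       { [void]$sb.Append('\28') }
            ')'       { [void]$sb.Append('\29') }
            ([char]0) { [void]$sb.Append('\00') }
            default   { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# 1. The tech's admin credential. Get-Credential masks input; VBScript's InputBox echoes it.
$cred     = Get-Credential -Message 'OURDOMAIN\account with Reset Password rights'
$adminPwd = ConvertTo-PlainText $cred.Password
$auth     = [DirectoryServices.AuthenticationTypes]::Secure -bor
            [DirectoryServices.AuthenticationTypes]::Sealing -bor
            [DirectoryServices.AuthenticationTypes]::ServerBind

# 2. Naming the DC in the ADsPath is what a non-member needs: with no domain of
#    its own to ask, an unqualified LDAP:// bind or NameTranslate.Set fails with
#    "The specified domain either does not exist or could not be contacted".
$rootDse  = New-Object DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE", $cred.UserName, $adminPwd, $auth)
$domainDn = $rootDse.Properties['defaultNamingContext'].Value
$domain   = New-Object DirectoryServices.DirectoryEntry("LDAP://$Server/$domainDn", $cred.UserName, $adminPwd, $auth)

# 3. Resolve the UserID the tech knows (sAMAccountName) to the object.
$userId   = Read-Host 'Active Directory UserID'
$filter   = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $userId)))"
$searcher = New-Object DirectoryServices.DirectorySearcher($domain, $filter, @('distinguishedName'))
$result   = $searcher.FindOne()
if (-not $result) { throw "No user '$userId' under $domainDn" }
$userDn   = $result.Properties['distinguishedname'][0]

# 4. Confirm against the resolved DN; the realistic mistake is a mistyped ID.
if ((Read-Host "Reset the password of`n  $userDn`nType y to continue") -ne 'y') { return }

# 5. Two masked prompts, compared case-sensitively.
do {
    $new   = ConvertTo-PlainText (Read-Host 'New password' -AsSecureString)
    $again = ConvertTo-PlainText (Read-Host 'Re-enter the password' -AsSecureString)
    if ($new -cne $again) { Write-Warning 'Passwords do not match' }
} until ($new -ceq $again)

# 6. The entry returned by the search reuses the searcher's credentials.
#    pwdLastSet = 0 forces a change at next logon, so the value the tech typed
#    does not stay in service as the user's real password.
$user = $result.GetDirectoryEntry()
$user.Invoke('SetPassword', $new)
$user.Properties['pwdLastSet'].Value = 0
$user.CommitChanges()
"Password set for $userDn; the user must change it at next logon."
```

SetPassword from a non-member falls back through LDAPS, Kerberos and finally the SAM RPC interface over port 445, so one of those paths to the DC must be open from the tech's machine; the explicit credential supplied to Get-Credential is the account that needs the Reset Password right on the target users, not the local logon.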

RE: [ActiveDir] Help to Explain how a Domain Controller could be Overwritten by a Member Server

2005-08-31 Thread Mark Parris

Dan.

 

I seem to remember from a security course
that I did that you had to write an ADM to prevent this happening in certain
circumstances – it was to do with NetBIOS.

 

This is the snippet of my custom ADM and
was meant to be configured on internet facing machines only.

 

POLICY "Release NetBIOS name on request"
  KEYNAME "System\CurrentControlSet\Services\Netbt\Parameters"
  EXPLAIN "Internet Facing Machines Only. Release NetBIOS name on request. Recommended Value is Disabled"
  VALUENAME "NoNameReleaseOnDemand"
  VALUEON NUMERIC 0
  VALUEOFF NUMERIC 1
END POLICY

 

This was a Windows 2000 policy setting and
is documented in http://support.microsoft.com/kb/315669/EN-US/

 

Regards

 

Mark

 

 

 

 


From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Dan Pilloff
Sent: 31 August 2005 00:57
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Help to
Explain how a Domain Controller could be Overwritten by a Member Server



 

I was hoping somebody might be able to explain how
the following occurred.  A member server was built with the same name as
an existing Domain Controller, Domain Controller A.  The server was
somehow put in the domain, and rebooted.  In addition, I believe the
server was then renamed to Domain Controller B (just a name as it was not
dcpromoed). while still in the domain.  The end result was that the
existing Domain controller, Domain Controller A was somehow overwritten by the
member server, and, its display name in ADUC changed to this new name Domain
Controller B.  The offending Domain Controller B was then deleted from the
domain controllers OU.  The event logged for the change shows
“Target Account Name: Domain Controller B” but “Target Account ID:
Domain Controller A”, they are mismatched.  I believe the same event was
displayed for the delete.  I entered this issue after all the above had
occurred and performed an authoritative restore of the object (original Domain
Controller A) and stopped the KDC, replicated, and got the domain controller
back.  I have researched this issue, and tried to recreate the issue many
different ways in a test lab but cannot recreate it.  Has anyone ever seen
anything like this?  I am absolutely dumbfounded.

RE: [ActiveDir] Active Directory Permissions

2005-08-31 Thread Mark Parris
My preference is a tool that does it for me - but I will put together a
script now that I know there is not a tool to do it.

 

Many thanks.

 

Mark

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 31 August 2005 17:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Permissions

 

when you run it, use a command file. 

 

dsacls ou1

dsacls ou2

dsacls ou3

 

That of course would not get the sub OU's, but if they are relatively
static, it would be fast to put together and it would keep your output
fairly constant with what you have now. 

 

If not, you could root around on joeware.net and see if there is something
there (note: I could really use a t-shirt to help me remember about joeware
tools when I reply to these :) or you could write a script. You could even
use something like a script that gathers the OU and then shells to dsacls or
something that stays script only. The list goes on.

 

Do you have a preference on the approach? 

 

Al

 

  _  

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Wed 8/31/2005 1:28 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Active Directory Permissions

DSACLS, but it would be nice for the whole tree.

Mark
-Original Message-
From: "Al Mulnick" <[EMAIL PROTECTED]>
Date: Tue, 30 Aug 2005 20:19:03
To:
Subject: RE: [ActiveDir] Active Directory Permissions

What are you using now for that single OU?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, August 30, 2005 7:21 AM
To: ActiveDir.org
Subject: [ActiveDir] Active Directory Permissions

Hi,

What utility can I use to list the entire OU structure for a Domain and
all permissions set on each OU?

I can manage to do it for a single OU but not say set it to DC=X,DC=Y
and dump the whole structure.

Regards

Mark
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Companies splitting - where to start with Active Directory, DNS, DHCP, etc.

2005-08-31 Thread Al Mulnick
Finding the root.  I believe it was Dean who posted this a little while back.
"... another thought, to determine your forest root in order to validate 
the dn you're supplying, the following single-line command line syntax 
will help - 

portqry -n  -e 389 | find "root"  
Run that on both domains and compare.  
 
 
If DHCP is shared, then the network is likely as well.  My approach would be to 
start from the bottom of the stack, at the physical level and figure it out 
from there taking care to deal with each level at a time. For starters, you'll 
have to figure out how to modify the networks to separate them.  That leads to 
the DHCP servers, DNS, Active Directory etc. 
 
However, let's find out about the forest topology first.  If they're the same, 
then your process might vary slightly from the above. 
 
Al
 



From: [EMAIL PROTECTED] on behalf of Danny
Sent: Wed 8/31/2005 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Companies splitting - where to start with Active 
Directory, DNS, DHCP, etc.



On 8/30/05, Al Mulnick <[EMAIL PROTECTED]> wrote:
> What is it you need to accomplish then?  If they're already separate,
> what's to separate other than name resolution and DHCP/network services?

From an Active Directory point of view, the AD trust will need to be
broken, but I would like to know what it might break - I am new to
this specific environment, so I don't know what is currently relying
on the trust.

DHCP is shared, many AD sites are as well.  Shared WAN and firewall,
as well as many frame relay connections to remote offices.

> Can you get more clarification of the topology? Confirm it's two separate
> forests and not two separate domains in the same forest (disjointed
> namespace)?

External trust, non-transitive. How can I confirm these are two
separate forests - besides looking in ADD&T?

Thanks,

...D
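
Al's "find the root" check done against RootDSE instead of portqry, added here as an example that is not part of the thread. Every DC answers a RootDSE read without authentication, and two domains are in the same forest exactly when their rootDomainNamingContext (and therefore configurationNamingContext) agree. The second function lists the trustedDomain objects under CN=System, which is the inventory of what Danny's split has to break; that read needs domain credentials. The two DC names are placeholders.

```powershell
# Added example, not from the thread. Compare forest identity of two domains
# via RootDSE (anonymous read), then list each side's trust objects.
# Assumption: the two DC names below stand for one DC in each company.
function Get-ForestIdentity([string]$Server) {
    $dse = New-Object DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE")
    [pscustomobject]@{
        Server     = $Server
        Domain     = $dse.Properties['defaultNamingContext'].Value
        ForestRoot = $dse.Properties['rootDomainNamingContext'].Value
        Config     = $dse.Properties['configurationNamingContext'].Value
    }
}

# Trust objects live under CN=System (this read needs domain credentials).
# trustDirection and the trustAttributes bits say what kind of trust each is.
function Get-TrustSummary([string]$Server, [string]$DomainDn) {
    $sys = New-Object DirectoryServices.DirectoryEntry("LDAP://$Server/CN=System,$DomainDn")
    $s   = New-Object DirectoryServices.DirectorySearcher($sys, '(objectClass=trustedDomain)',
               @('trustPartner', 'trustDirection', 'trustAttributes'))
    foreach ($r in $s.FindAll()) {
        $attr = [int]$r.Properties['trustattributes'][0]
        $dir  = switch ([int]$r.Properties['trustdirection'][0]) {
            1 { 'Inbound' } 2 { 'Outbound' } 3 { 'Two-way' } default { 'Disabled' }
        }
        [pscustomobject]@{
            Partner       = $r.Properties['trustpartner'][0]
            Direction     = $dir
            NonTransitive = [bool]($attr -band 0x01)   # TRUST_ATTRIBUTE_NON_TRANSITIVE
            ForestTrust   = [bool]($attr -band 0x08)   # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
            WithinForest  = [bool]($attr -band 0x20)   # TRUST_ATTRIBUTE_WITHIN_FOREST
        }
    }
}

$a = Get-ForestIdentity 'dc1.companya.example'   # assumption: a DC of company A
$b = Get-ForestIdentity 'dc1.companyb.example'   # assumption: a DC of company B
$a, $b | Format-Table -AutoSize

if ($a.Config -eq $b.Config) {
    'Same forest: two domains of one forest, not two forests. Plan the split from that topology.'
} else {
    'Separate forests: the trusts below are what the split removes; check dependencies against them first.'
    Get-TrustSummary $a.Server $a.Domain | Format-Table -AutoSize
    Get-TrustSummary $b.Server $b.Domain | Format-Table -AutoSize
}
```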

RE: [ActiveDir] Active Directory Permissions

2005-08-31 Thread Al Mulnick
when you run it, use a command file. 
 
dsacls ou1
dsacls ou2
dsacls ou3
 
That of course would not get the sub OU's, but if they are relatively static, 
it would be fast to put together and it would keep your output fairly constant 
with what you have now. 
 
If not, you could root around on joeware.net and see if there is something 
there (note: I could really use a t-shirt to help me remember about joeware 
tools when I reply to these :) or you could write a script. You could even use 
something like a script that gathers the OU and then shells to dsacls or 
something that stays script only. The list goes on.
 
Do you have a preference on the approach? 
 
Al



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Wed 8/31/2005 1:28 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Active Directory Permissions



DSACLS, but it would be nice for the whole tree.

Mark
-Original Message-
From: "Al Mulnick" <[EMAIL PROTECTED]>
Date: Tue, 30 Aug 2005 20:19:03
To:
Subject: RE: [ActiveDir] Active Directory Permissions

What are you using now for that single OU?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, August 30, 2005 7:21 AM
To: ActiveDir.org
Subject: [ActiveDir] Active Directory Permissions

Hi,

What utility can I use to list the entire OU structure for a Domain and
all permissions set on each OU?

I can manage to do it for a single OU but not say set it to DC=X,DC=Y
and dump the whole structure.

Regards

Mark
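
The "script that gathers the OUs" Al mentions, written out in PowerShell as an added example; it is not code from the thread. Rather than shelling to dsacls once per OU, it walks every organizationalUnit under a search base, reads each OU's security descriptor through System.DirectoryServices, and writes one row per ACE to a CSV, then prints the explicit (non-inherited) grants to principals outside the default set, which is where delegated rights hide. The output file name is an assumption; the search base comes from RootDSE. Change the filter to include container and domainDNS if the Users and Computers containers and the domain head should be in the dump too.

```powershell
# Added example, not from the thread. Dump every ACE on every OU under a DN to
# CSV: the whole-tree equivalent of running dsacls once per OU. Run as a domain
# user on a domain member; reading the OUs' security descriptors is enough.
$SearchBase = ([adsi]'LDAP://RootDSE').Properties['defaultNamingContext'].Value   # e.g. DC=x,DC=y
$OutFile    = '.\ou-acl-dump.csv'                                                # assumption

# Principals whose ACEs come from the default security descriptors; anything
# else on an OU was put there by somebody and is the part worth reviewing.
$DefaultPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
    'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
    'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone'
)

$root     = New-Object DirectoryServices.DirectoryEntry("LDAP://$SearchBase")
$searcher = New-Object DirectoryServices.DirectorySearcher(
                $root, '(objectClass=organizationalUnit)', @('distinguishedName'))
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 500   # paged search; without it a domain with >1000 OUs is silently truncated

$rows = foreach ($r in $searcher.FindAll()) {
    $ou = $r.GetDirectoryEntry()
    $dn = $r.Properties['distinguishedname'][0]
    # GetAccessRules(includeExplicit, includeInherited, identityType). Identities
    # that no longer resolve (deleted accounts) come back as raw S-1-5-... SIDs.
    foreach ($ace in $ou.ObjectSecurity.GetAccessRules($true, $true, [Security.Principal.NTAccount])) {
        [pscustomobject]@{
            OU                  = $dn
            Identity            = $ace.IdentityReference.Value
            Type                = $ace.AccessControlType          # Allow or Deny
            Rights              = $ace.ActiveDirectoryRights
            ObjectType          = $ace.ObjectType                 # property/class/extended-right GUID; all-zero = everything
            InheritedObjectType = $ace.InheritedObjectType
            Inheritance         = $ace.InheritanceType
            Inherited           = $ace.IsInherited
            DefaultPrincipal    = $DefaultPrincipals -contains $ace.IdentityReference.Value
        }
    }
}

$rows | Export-Csv -NoTypeInformation -Path $OutFile
'{0} ACEs on {1} OUs written to {2}' -f @($rows).Count, @($rows.OU | Sort-Object -Unique).Count, $OutFile

# First review pass: rights granted directly on an OU to a non-default principal.
$rows | Where-Object { -not $_.Inherited -and -not $_.DefaultPrincipal } |
    Sort-Object OU, Identity |
    Format-Table OU, Identity, Type, Rights -AutoSize
```

The ObjectType GUID is what distinguishes "Reset Password" or "Write member" from a blanket WriteProperty; resolving it means looking the GUID up against schemaIDGUID in the Schema partition and rightsGuid under CN=Extended-Rights in the Configuration partition, which is the next step once the raw dump is in hand.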



RE: [ActiveDir] Domain Password Policies

2005-08-31 Thread Cothern Jeff D. Team EITC
Have worked with this tool and it works well.  You 
have to make a few changes to the domain password policy during the 
implementation of this program but it was rather painless.  I do believe 
you can get an eval copy for a test environment to see how it is configured 
etc.. 
 
Jeff
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Wednesday, August 31, 2005 8:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Password Policies

I know that Microsoft states that there can only be one password policy per 
domain.  Earlier this month Joe started a thread about AD Gripes and 
several people mentioned the password issue. 
 
We are dealing with the same thing.  I would like to have a more 
restrictive policy on our admin accounts OU.  Has anyone used a third party 
product and been successful?
 
For example 
 
http://www.anixis.com/products/ppe/features.htm
 
That product claims to do it but I'm wondering if anyone on this list has 
worked with that or any other product that could help out.
 
Thanks
Mike


Re: [ActiveDir] Active Directory Permissions

2005-08-31 Thread Mark Parris
DSACLS, but it would be nice for the whole tree.

Mark
-Original Message-
From: "Al Mulnick" <[EMAIL PROTECTED]>
Date: Tue, 30 Aug 2005 20:19:03 
To:
Subject: RE: [ActiveDir] Active Directory Permissions

What are you using now for that single OU?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, August 30, 2005 7:21 AM
To: ActiveDir.org
Subject: [ActiveDir] Active Directory Permissions

Hi,

What utility can I use to list the entire OU structure for a Domain and
all permissions set on each OU?

I can manage to do it for a single OU but not say set it to DC=X,DC=Y
and dump the whole structure.

Regards

Mark


RE: [ActiveDir] Permissions for a user to add users to a group

2005-08-31 Thread Fugleberg, David A
Sorry. should have been more specific.  If you do a search for 'people',
but type a group name in there, it'll find it.  Not very intuitive, I
know, but it works.  If you type a partial group name you'll get all the
groups that start with that string.  This can be handy if your group
naming convention uses prefixes that mean something to you

I know this works fine on Win2K and XP Pro, but the search dialog is a
bit different between the two if you're not using the 'classic'
interface on XP.

Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Wednesday, August 31, 2005 6:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions for a user to add users to a group


Ok looking thru the search function I cannot find any specific thing to
look for groups.  I see the find people but that is looking for contact
information not a particular group.  Perhaps I am missing something. 

Jeff
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Monday, August 29, 2005 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions for a user to add users to a group

A taskpad is one way to do it.  Another way is to tell the manager to
find the group using the Search function on the start menu - when they
double-click the group, the membership list is displayed and buttons are
provided to add and remove members.  The buttons are only active if they
have the permissions to do so, as mentioned below.  No additional
software install/config required.

Dave 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, August 29, 2005 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions for a user to add users to a group


Ok that is what I figured.  So if I install just ADUC from the adminpak
and create a custom taskpad for the manager, would it be the easiest
and best method to alleviate confusion etc?

Jeff
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, August 27, 2005 2:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions for a user to add users to a group

It means the manager can add or remove DNs to the member attribute of
the group. So they will be able to add or remove members of the group.
They won't actually be able to add/remove users from AD with just those
rights.

ADUC can be used, as can a script or anything else that modifies the
member attribute of the group in question.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Friday, August 26, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Permissions for a user to add users to a group

If I set a group's Managed By to a particular user and check the box
"Manager can update member list".

That means the Manager can add or delete users correct?

Does he need ADUC or is there another way he can add those users?  


Thanks

Jeff


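
What the "Manager can update membership list" checkbox actually writes, done explicitly in PowerShell as an added example (not code from the thread): managedBy is set to the manager's DN, and one ACE is added granting the manager WriteProperty on the group's member attribute and nothing else. That is joe's point in code form: the manager can add and remove members but holds no right to create or delete users. The group and manager DNs are assumptions; the member attribute's schemaIDGUID is fixed across all forests. The read-back at the end shows exactly what was delegated, which is how to verify the checkbox on an existing group too.

```powershell
# Added example, not code from the thread. Delegate membership management of
# one group to one user the way the ADUC checkbox does: set managedBy and grant
# a single WriteProperty ACE on the group's "member" attribute. Assumptions: the
# two DNs below; run as an account allowed to change the group's permissions.
$GroupDn   = 'CN=HR Staff,OU=Groups,DC=example,DC=com'
$ManagerDn = 'CN=Jane Manager,OU=Users,DC=example,DC=com'

# schemaIDGUID of the "member" attribute; the same in every AD forest.
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

$group   = [adsi]"LDAP://$GroupDn"
$manager = [adsi]"LDAP://$ManagerDn"
$sid     = New-Object Security.Principal.SecurityIdentifier($manager.Properties['objectSid'].Value, 0)

# 1. The informational half: managedBy is only a DN pointer and grants nothing by itself.
$group.Properties['managedBy'].Value = $ManagerDn

# 2. The effective half: Allow WriteProperty scoped to the member attribute.
#    Without the GUID this would be WriteProperty on every attribute of the group.
$ace = New-Object DirectoryServices.ActiveDirectoryAccessRule(
           $sid,
           [DirectoryServices.ActiveDirectoryRights]::WriteProperty,
           [Security.AccessControl.AccessControlType]::Allow,
           $MemberAttributeGuid)
$group.ObjectSecurity.AddAccessRule($ace)
$group.CommitChanges()

# 3. Read back what the manager now holds on this group. Expect one explicit
#    Allow WriteProperty whose ObjectType is the member GUID, and nothing else.
$group.RefreshCache()
$group.ObjectSecurity.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Format-Table AccessControlType, ActiveDirectoryRights, ObjectType, IsInherited -AutoSize
```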


RE: [ActiveDir] determine number of users logged on last 60 days

2005-08-31 Thread Brian Desmond
MS Audit Collection Services, which should be out of beta soon, is also
great for this sort of thing. 

 

Thanks,
Brian Desmond

  [EMAIL PROTECTED]

 

c - 312.731.3132

 

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, August 31, 2005 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] determine number of users logged on last 60 days

 

MOM would be a great tool to investigate for information collection and
trending reports based on that information. 

 

You could automate it by counting the users in the same manner I described,
and then iterating through what's left discounting the service accounts if
you wanted. 

 

You could also use the dsquery tools to do this because it's likely you
don't need precision in this case but rather a rough estimate.  Using
dsquery you can get the information pretty quickly and then you just need to
count the objects it returns. 

 

Al

 

  _  

From: [EMAIL PROTECTED] on behalf of Cothern Jeff D. Team
EITC
Sent: Wed 8/31/2005 7:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] determine number of users logged on last 60 days

Unsure what the data is going to be used for. I just got the question of
how many users logged into the network in the last 60 days.  If I can
have this in an automated way where they can pull up the information
easily it would be great.  I think they are wanting it for metrics.

Jeff


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, August 29, 2005 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] determine number of users logged on last 60
days

It's possible, but not absolute.  Are you trying to automate user
management?
Can you give some more details about what you want and what you want to
do with the data?  That might help to spur some better information.

Basically, you can use lastlogontimestamp (dsquery makes it pretty easy
if you want to use that) to find out about when the last time a user
logged on assuming they triggered an update to this.  Some actions don't
trigger this update so a second data point is a useful thing to have to
narrow it down even more.  pwdLastSet is a useful data point IIRC.

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, August 29, 2005 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] determine number of users logged on last 60 days

Is there query I could run that would tell me the number of users -minus
service accounts (guess filter by OU) that have logged on in the last 60
days.

Jeff Cothern

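
Al's dsquery-style count written out in PowerShell as an added example, not code from the thread. It asks a DC for enabled users whose lastLogonTimestamp is within the last 60 days, drops a service-account OU by DN component, and reports the count alongside pwdLastSet as the second data point Al mentions. The caveat to keep in mind: lastLogonTimestamp is only written back (and so replicated) when the stored value is more than 9 to 14 days old, so the result is "60 days, give or take two weeks", and logon types that never update it are undercounted. The service-account OU name is an assumption.

```powershell
# Added example, not from the thread. Count enabled users with a logon in the
# last N days from lastLogonTimestamp, excluding a service-account OU.
# Domain member, any domain user. Assumption: the OU name below.
$Days             = 60
$ServiceAccountOu = 'OU=Service Accounts'     # matched as a DN component below
$domainDn = ([adsi]'LDAP://RootDSE').Properties['defaultNamingContext'].Value

# lastLogonTimestamp is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days).ToFileTimeUtc()

# Enabled users only (userAccountControl bit 0x2 = ACCOUNTDISABLE; the OID is the
# LDAP bitwise-AND matching rule) whose timestamp is at or after the cutoff.
# Accounts that never logged on have no lastLogonTimestamp and fall out here.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
          "(lastLogonTimestamp>=$cutoff))"
$searcher = New-Object DirectoryServices.DirectorySearcher(
                [adsi]"LDAP://$domainDn", $filter,
                @('sAMAccountName', 'distinguishedName', 'lastLogonTimestamp', 'pwdLastSet'))
$searcher.PageSize = 1000

$users = foreach ($r in $searcher.FindAll()) {
    $dn = $r.Properties['distinguishedname'][0]
    if ($dn -like "*,$ServiceAccountOu,*") { continue }        # the OU exclusion
    [pscustomobject]@{
        Account    = $r.Properties['samaccountname'][0]
        LastLogon  = [DateTime]::FromFileTimeUtc([long]$r.Properties['lastlogontimestamp'][0]).ToLocalTime()
        PwdLastSet = [DateTime]::FromFileTimeUtc([long]$r.Properties['pwdlastset'][0]).ToLocalTime()
    }
}

"{0} enabled users outside $ServiceAccountOu with lastLogonTimestamp in the last $Days days" -f @($users).Count
"Note: lastLogonTimestamp is refreshed only when more than 9-14 days stale, so the window is +/- two weeks."
$users | Sort-Object LastLogon -Descending | Select-Object -First 10 | Format-Table -AutoSize
```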

Re: [ActiveDir] Companies splitting - where to start with Active Directory, DNS, DHCP, etc.

2005-08-31 Thread Danny
On 8/30/05, Al Mulnick <[EMAIL PROTECTED]> wrote:
> What is it you need to accomplish then?  If they're already separate,
> what's to separate other than name resolution and DHCP/network services?

From an Active Directory point of view, the AD trust will need to be
broken, but I would like to know what it might break - I am new to
this specific environment, so I don't know what is currently relying
on the trust.

DHCP is shared, many AD sites are as well.  Shared WAN and firewall,
as well as many frame relay connections to remote offices.

> Can you get more clarification of the topology? Confirm it's two separate
> forests and not two separate domains in the same forest (disjointed
> namespace)?

External trust, non-transitive. How can I confirm these are two
separate forests - besides looking in ADD&T?

Thanks,

...D


RE: [ActiveDir] Rename User Accounts

2005-08-31 Thread Salandra, Justin A.
Windows 2003 no Service Pack but updated security patches is what the
member server is.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, August 30, 2005 6:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Rename User Accounts

I don't think that solves Justin's original issue of the member server
not updating the name it displays in the ACL list.  

Not sure I've seen that before.  And you can recreate that all the time?
What version is the member server? Patch level, third party apps, etc?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Tuesday, August 30, 2005 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Rename User Accounts

When I rename accounts here, I change FirstName, LastName, FullName,
EmailAddress, mailNickName, samAccountName, userPrincipalName and clear
the values for proxyaddresses and legacyExchangeDN and simply let them
be regenerated.

joe's[1] stated several times not to change the legacyExchangeDN because
it will break the ability for people to reply to old Exchange messages
and various other Exchange functions like meeting attendees and
delegates.  There may be other reasons, but those are the ones I'm aware
of.  However, my philosophy is when somebody changes their name,
replying to an old email of theirs *should* fail since the reply is to
the old name.  In addition, if LEDN isn't reset, the old name shows up
in the To: line in Outlook causing at least one lady here to complain
that her maiden name was still in the system.  It may be that we're in a
small enough environment or that we don't leverage exchange enough [2]
to have these issues be a major problem, but for several years now, this
has worked well for us.

One other thing I do (instead of creating an additional SMTP proxy
address) is create a distribution group with the same name as the former
username and add the new username to the group.  All these groups are in
a single OU.  This allows me to see all the additional addresses for
renamed users in one spot and allows for emails sent from offsite to the
old address to temporarily work until the user lets me know that they're
not getting anymore mails to the old name.

[1] I hope the lowercase 'j' is appreciated since Outlook sure didn't
like the beginning of the sentence not being capitalized.

[2] I'm sure we're just waiting for them to straighten out the
AD/Exchange permissions scheme.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Tuesday, August 30, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Rename User Accounts

The samaccount name was also changed but it still doesn't work.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, August 30, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Rename User Accounts

You say you renamed the account.  Did you also change the samaccount
name (Windows 2000 login name?) Can the user now logon with
domain\evasquez ? Or does it still require domain\jvasquez?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Tuesday, August 30, 2005 1:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rename User Accounts

I have a Windows 2000 Active Directory forest, Exchange 2003 and when I
try to rename a user account I am able to.  I can successfully rename
the account and username, but when it comes to the users home directory,
I cannot get the name the appears on the ACL of folders to show the
correct newly changed name.

I have forced replication, I have even removed and added the user
account to the ACL of the folder but it will still not say the right
name.

For Example,

Vasquez, Jackie was renamed to Vasquez, Evelyn and the user name was
changed from jvasquez to evasquez.  When I go to the ACL for a folder,
the user is listed as DOMAIN\jvasquez and I cannot get it to change.
What could the problem be?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]



Re: [ActiveDir] Redirecting PC's into the proper OU

2005-08-31 Thread Kamlesh Parmar
We use multiple approaches to this problem,

1) Sysprep.inf :
You can provide the OU in which the newly deployed computer account should
be created. We have developed our custom OS deployment solution, which
allows us to change the sysprep.inf file on the go, so no need to
rebuild the sysprepped image whenever we want to make a change in
sysprep.

2) we use netdom.exe from 2003 resource kit,
which allows you to join the computer into specific OU.

REM *** Script start here ***
@echo off

setlocal
set /P CompName="Enter COMPUTERNAME to join to example domain : "
set /P JOINUSER="Enter DOMAIN USERNAME which has rights to join computer : "
set /P LOCALADMIN="Enter LOCAL ADMINISTRATOR account username for target computer : "

set OU="OU=Computers,OU=North,DC=Example,DC=com"

REM /PD:* and /PO:* make netdom prompt for each password instead of taking it on the command line
netdom join %CompName% /domain:example /UD:%JOINUSER% /PD:* /UO:%LOCALADMIN% /PO:* /ou:%OU%
pause
REM *** Script end here ***




3) we have developed a script, which on weekly basis, lists computers
in default container and then finds its specific site from AD and
moves the computer account to its related OU. ( we have a mapping file
for sitename to OU mapping)


Following these three methods essentially keeps our default container
almost empty.



On 8/31/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> 
> 
> I go into the Computers container weekly and clean up the strays with a
> script, moving them to the right OU.
> 
> 
> Al Maurer 
> Service Manager, Naming and Authentication Services 
> IT | Information Technology 
> Agilent Technologies 
> (719) 590-2639; Telnet 590-2639 
> http://activedirectory.it.agilent.com 
> -- 
> "Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius Caesar III
> i. 
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Dan Holme
> Sent: Tuesday, July 26, 2005 6:47 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Redirecting PC's into the proper OU
> 
>  
> 
> There are two additional options for you:
> 
>  
> 
> 1)   If you are sysprepping your machines (or using an unattended answer
> file) XP supports a new parameter, MachineObjectOU, which you can put into
> the script.
> 
> 2)   *** I HAVE POSTED A CUSTOM TOOL *** that you can use… it's raw but
> quite functional and easy to tweak to your needs:
> http://intelliem.editme.com/depjoindomain 
> 
>  
> 
> Enjoy
> 
>  
> 
> Dan
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> David Adner
> Sent: Friday, July 22, 2005 11:59 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Redirecting PC's into the proper OU
> 
>  
> 
> You can change the default location (with redircomp), but it's a default,
> not something that can be unique per computer.  If you want to be able to
> create computer accounts in varying OU's then it's something you'll either
> have to script (such as with netdom /join /ou)  or you could pre-create the
> accounts in the proper OU's.  Or you can be stuck doing it manually.  :)
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of P
> West
> Sent: Friday, July 22, 2005 1:48 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Redirecting PC's into the proper OU
> 
> 
> I know you can redirect computer account to a specified OU, using redircomp.
>  But what if you have multiple Ou's and want the pc to be added to the
> proper OU with some sort of logic.
> 
> 
>  
> 
> 
> Does this not exist or is this something that would need to be scripted?  Am
> I stuck doing this manually?
> 
> 
>  
> 
> 
>  
> 
> 
>  
> 
> 
> Thanks 
> 
> 
>  
> 
> 
> P west


-- 
--
~~~
"Fortune and Love befriend the bold"
~~~
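
The third method Kamlesh describes (a weekly sweep of the default container, a site lookup, a move to the matching OU), written as an added PowerShell example; it is not his script, which the post describes but does not include. The site is derived the way the DC locator does it: the computer's dNSHostName is resolved to an IPv4 address and longest-prefix matched against the subnet objects under CN=Subnets,CN=Sites in the Configuration partition, whose siteObject names the site. The site-to-OU table and OU DNs are placeholders for the poster's mapping file, and the script only reports until $WhatIf is set to $false.

```powershell
# Added example, not the poster's script. Weekly sweep: computers still in the
# default Computers container are placed by site (DNS -> IPv4 -> AD subnet ->
# site) into the OU mapped for that site. Assumptions: the $SiteToOu table and
# OU DNs are placeholders; run as an account allowed to move computer objects.
$SiteToOu = @{
    'North' = 'OU=Computers,OU=North,DC=example,DC=com'
    'South' = 'OU=Computers,OU=South,DC=example,DC=com'
}
$WhatIf = $true     # report only until the output looks right

$dse      = [adsi]'LDAP://RootDSE'
$domainDn = $dse.Properties['defaultNamingContext'].Value
$configDn = $dse.Properties['configurationNamingContext'].Value

function ConvertTo-UInt32([Net.IPAddress]$Ip) {
    $b = $Ip.GetAddressBytes(); [Array]::Reverse($b); [BitConverter]::ToUInt32($b, 0)
}
function Resolve-IPv4([string]$Name) {
    try { [Net.Dns]::GetHostAddresses($Name) | Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1 }
    catch { $null }
}

# Every IPv4 subnet object -> (network, mask, prefix length, site name).
$subnets = foreach ($s in ([adsi]"LDAP://CN=Subnets,CN=Sites,$configDn").Children) {
    $cidr = [string]$s.Properties['cn'].Value
    if ($cidr -notmatch '^(\d+\.\d+\.\d+\.\d+)/(\d+)$') { continue }     # skips IPv6 subnets
    $bits = [int]$Matches[2]
    $mask = [uint32]((([uint64][uint32]::MaxValue) -shl (32 - $bits)) -band [uint32]::MaxValue)
    [pscustomobject]@{
        Network = (ConvertTo-UInt32 ([Net.IPAddress]$Matches[1])) -band $mask
        Mask    = $mask
        Bits    = $bits
        Site    = ([string]$s.Properties['siteObject'].Value) -replace '^CN=([^,]+),.*$', '$1'
    }
}

$stray = New-Object DirectoryServices.DirectorySearcher(
             [adsi]"LDAP://CN=Computers,$domainDn", '(objectClass=computer)',
             @('distinguishedName', 'dNSHostName'))
$stray.SearchScope = 'OneLevel'

foreach ($r in $stray.FindAll()) {
    $dn = $r.Properties['distinguishedname'][0]
    if (-not $r.Properties.Contains('dnshostname')) { Write-Warning "$dn has no dNSHostName; skipped"; continue }
    $fqdn = $r.Properties['dnshostname'][0]
    $ip   = Resolve-IPv4 $fqdn
    if (-not $ip) { Write-Warning "$fqdn does not resolve; skipped"; continue }
    $n = ConvertTo-UInt32 $ip
    # Longest prefix wins, so 10.1.2.0/24 beats a catch-all 10.0.0.0/8.
    $hit = $subnets | Where-Object { ($n -band $_.Mask) -eq $_.Network } |
           Sort-Object Bits -Descending | Select-Object -First 1
    if (-not $hit) { Write-Warning "$fqdn ($ip) is in no AD subnet; left in place"; continue }
    if (-not $SiteToOu.ContainsKey($hit.Site)) { Write-Warning "site $($hit.Site) has no OU mapping; $dn left in place"; continue }
    $target = $SiteToOu[$hit.Site]
    if ($WhatIf) { "WOULD MOVE $dn -> $target" }
    else { ([adsi]"LDAP://$dn").MoveTo([adsi]"LDAP://$target"); "moved $dn -> $target" }
}
```

A computer that has never booted after its account was created has no dNSHostName and is deliberately left alone; the same goes for one whose address is in no defined subnet, since guessing an OU for it would quietly apply the wrong Group Policy.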


RE: [ActiveDir] OT: UPDATE: Questions about hotfix 903235 (MS05-037)

2005-08-31 Thread David Cliffe
Just an update here (FYI) -
 
A Microsoft tech on the forums pointed out to me that the IE Cumulative
Update 896727 from bulletin MS05-038 supersedes the hotfix 903235 in
MS05-037.  Once the cumulative update is applied, MBSA v2 no longer
reports on the former.  Forty lashes to me for not reading more
carefully first :-)
 
-DaveC
Reuters IS&T Service 
Delivery


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, August 25, 2005 3:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)

Thanks Rick/Deji.
 
Interesting that your MBSA v2 is reporting on it OK.  Maybe I am the 
only one  :-o
 
I have worked around issues (2) and (3) [below] for 
now, and will take a moment to offer my opinion on 
(1).
 
Here we have a hotfix/bulletin that has been given a critical 
rating, as have many other hotfixes before and after it.  From 
a customer's viewpoint, I would like some consistency in the manner in 
which these hotfixes are reported as being installed.  This has gotten 
better by the way, but I don't find  903235 to be a good 
example.
 
During the time when I am reporting on installed instances, the 
technical details about each hotfix (what it does/how it does it) are not 
important to me.  I want to verify it's been 
installed and I want to rely on a consistent method to do 
so.
 
In this particular case, if there are OS/SP specific reasons why one reg 
key has to be used in favor of another, then so be it, but then I suggest 
there may be an error in the documented bulletin, where at least the XP SP2 
section should direct us to the "Installed Components" subkey, rather than 
the "ActiveX Compatibility" subkey. 
 
-DaveC
Reuters IS&T Service 
Delivery


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, August 25, 2005 2:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)


Inline...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, August 25, 2005 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)
 

Hi -

I've posted this elsewhere, but thought maybe not a bad idea to run it past this list for those that don't mind (thanks). I've seen the following behavior with regard to this hotfix 903235:

(1) The bulletin MS05-037 states to check here for its existence (post installation):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}

In the past, the 'norm' for IExpress-type patches has been here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8ade8c02-8da6-4ec1-a9ee-ec00ff73ce98}

[note: GUID above is specific to this hotfix] Why this change in documentation?
 
[RTK] Not a change in documentation. The hotfix sets bits in the running of the actual component, so the compatibility flags are manipulated, rather than new moving parts. I acknowledge that the location changes, but this is due to how the hotfix affects the installed component, JView Profiler.

(2) I find that the SRVINFO tool does NOT identify this hotfix on SP1 (XP) and SP4 (2000) machines. Was expecting to see it under the "Internet Explorer 6" subheading of the SRVINFO output for these O/S.

[RTK] Can't confirm or deny this one... Don't have SRVINFO currently on anything.

(3) I find that MBSA v.2 neither identifies it as installed nor identifies it as missing on SP1/2 (XP) and SP4 (2000) machines. Can anyone else corroborate these findings? I'm told by our TAM that nobody else has reported this yet.

[RTK] MBSA on my systems detects that it is either installed or not installed.

Thanks!

-DaveC
Reuters IS&T Service Delivery
-
Visit our Internet site at http://www.reuters.com

To find out more about Reuters Products and Services visit http://www.reuters.com/productinfo

Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
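The two registry locations from David's question (1), checked from a .reg export, as an added example that is not code from the thread: it parses the export, tests the JView Profiler CLSID's Compatibility Flags for the 0x400 kill bit (the assumption here is that this is the bit Rick says the hotfix sets; the thread does not name it) and tests for the hotfix's Active Setup component. The sample exports are constructed, not real machine dumps.

```python
"""Added example (not from the thread): parse a .reg export and report which of
the two locations discussed for hotfix 903235 (MS05-037) are present.

Assumption: the bit the hotfix "sets" in Compatibility Flags is the 0x400 kill
bit that stops IE from loading the control; the thread does not say so."""
import re
from typing import Dict, Optional, Tuple

KILL_BIT = 0x400  # Compatibility Flags bit that blocks an ActiveX control in IE

ACTIVEX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
INSTALLED_COMPONENTS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"

# GUIDs quoted in the thread: the JView Profiler CLSID and the hotfix's Active Setup component
JVIEW_CLSID = "{03D9F3F2-B0E3-11D2-B081-006008039BF0}"
HOTFIX_COMPONENT = "{8ade8c02-8da6-4ec1-a9ee-ec00ff73ce98}"

RegTree = Dict[str, Dict[str, str]]


def parse_reg_export(text: str) -> RegTree:
    """Minimal .reg parser: {key path: {value name: raw value text}}.
    Key paths are stored lower-cased because registry key names are case-insensitive."""
    tree: RegTree = {}
    current: Optional[Dict[str, str]] = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = tree.setdefault(line[1:-1].lower(), {})
            continue
        if current is not None and "=" in line:
            name, _, value = line.partition("=")
            current["@" if name == "@" else name.strip('"')] = value
    return tree


def dword(raw: str) -> int:
    """Decode a 'dword:0000abcd' value; raises on any other value type."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", raw)
    if not m:
        raise ValueError(f"not a REG_DWORD: {raw!r}")
    return int(m.group(1), 16)


def check_hotfix_903235(tree: RegTree) -> Tuple[bool, bool]:
    """Return (kill bit set on the JView Profiler CLSID, Active Setup component present).

    The first is the location the bulletin documents, the second the 'traditional'
    IExpress marker; a reporting tool keying on only one of them can disagree
    with the bulletin, which is the inconsistency the thread complains about."""
    compat = tree.get(f"{ACTIVEX_COMPAT}\\{JVIEW_CLSID}".lower(), {})
    flags = compat.get("Compatibility Flags")
    kill_bit_set = flags is not None and bool(dword(flags) & KILL_BIT)
    component_present = f"{INSTALLED_COMPONENTS}\\{HOTFIX_COMPONENT}".lower() in tree
    return kill_bit_set, component_present


# Constructed sample exports (not real machine dumps).
PATCHED_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8ade8c02-8da6-4ec1-a9ee-ec00ff73ce98}]
@="Hotfix 903235 (constructed)"
"IsInstalled"=dword:00000001
"""

# Same CLSID listed under ActiveX Compatibility but without the kill bit: a tool
# that only tests for the key's presence would wrongly report this as patched.
UNPATCHED_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}]
"Compatibility Flags"=dword:00000000
"""

if __name__ == "__main__":
    for label, export in (("patched", PATCHED_EXPORT), ("unpatched", UNPATCHED_EXPORT)):
        print(label, check_hotfix_903235(parse_reg_export(export)))
```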

RE: [ActiveDir] Redirecting PC's into the proper OU

2005-08-31 Thread al_maurer
I go into the Computers container weekly and clean up the strays with a script, moving them to the right OU.



Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
"Cry 'Havoc!' and let slip the dogs of war" - Antony, in Julius Caesar III i.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Tuesday, July 26, 2005 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Redirecting PC's into the proper OU


There are two additional options for you:

1) If you are sysprepping your machines (or using an unattended answer file), XP supports a new parameter, MachineObjectOU, which you can put into the script.

2) *** I HAVE POSTED A CUSTOM TOOL *** that you can use... it's raw but quite functional and easy to tweak to your needs: http://intelliem.editme.com/depjoindomain

Enjoy

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, July 22, 2005 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Redirecting PC's into the proper OU


You can change the default location (with redircomp), but it's a default, not something that can be unique per computer. If you want to be able to create computer accounts in varying OUs then it's something you'll either have to script (such as with netdom /join /ou) or you could pre-create the accounts in the proper OUs. Or you can be stuck doing it manually. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of P West
Sent: Friday, July 22, 2005 1:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Redirecting PC's into the proper OU

I know you can redirect computer accounts to a specified OU, using redircomp. But what if you have multiple OUs and want the PC to be added to the proper OU with some sort of logic?

Does this not exist or is this something that would need to be scripted? Am I stuck doing this manually?

Thanks

P West

RE: [ActiveDir] Domain Password Policies

2005-08-31 Thread Al Mulnick
I have not worked with that tool and know very little about it.

One thing to watch out for is tools that place themselves between the client and the directory. By that I mean that they extend the directory and its functionality in such a way that if you were to remove the product later (stop paying maintenance, for example) then you lose everything and start again. Some tools work that way, and I don't personally believe they should.

Typically, if you have a different password policy, you need a separate domain to do this natively.

Additionally, I'm not sure why you require a separate set of password policies? Can you expand on that?



From: [EMAIL PROTECTED] on behalf of mike kline
Sent: Wed 8/31/2005 8:07 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Password Policies


I know that Microsoft states that there can only be one password policy per 
domain.  Earlier this month Joe started a thread about AD Gripes and several 
people mentioned the password issue. 
 
We are dealing with the same thing.  I would like to have a more restrictive 
policy on our admin accounts OU.  Has anyone used a third party product and 
been successful?
 
For example 
 
http://www.anixis.com/products/ppe/features.htm
 
That product claims to do it but I'm wondering if anyone on this list has 
worked with that or any other product that could help out.
 
Thanks
Mike

RE: [ActiveDir] determine number of users logged on last 60 days

2005-08-31 Thread joe
Strictly speaking, no there isn't a query that will return this. You would
need to script it as it will be a process to follow. You can't filter by OU
in a query unless you have another field populated in the objects that has
that OU specified so you can specify it in the filter or alternatively some
other field that marks an account as a service account (which IMO, everyone
should have). 

Now the additional questions that need to be asked are

Do you want the number of unique users (non-service) who have been
authenticated at least once in the last 60 days? i.e. You have 28,000
non-service account users, how many logged in in the last 60 days at least
once.

Do you want the number of times any users (non-service) have been
authenticated in the last 60 days? i.e. In the last month 20,000 users
logged in 20 times, 5000 logged in 15 times, 3000 logged in 26 times.

Do you want any kind of authentication (including runas, net use /user,
Kerberos renewals, non-Kerberos auths to resources, etc) or just
authentications that are interactive logons?

Do you want just successful logons or do you want failed attempts as well?

Lots of different ways to dice this up and you need to know exactly what
kind of info is really needed to determine how to tackle the problem. The
original question may be, how busy are the DCs which gets translated to
"well dc's log people on so how many people logged on" then you give a
number of how many people logged on (say 26000 logged on) and they look up
somewhere that says if you have 26000 authentications spread over 2 months,
you only need one domain controller. I have seen such silly things in the
past. And to make it blatantly obvious why that isn't valid, I have seen
pools of DCs that only have 40,000 users in the domain processing tens or
hundreds of millions of authentication requests a day. Hundreds of millions
of requests versus maybe 30,000 people logging on in a day is quite a delta
as a capacity question.


Possible solutions are lastLogonTimeStamp values, collected lastLogon values, event log entries if you are auditing the proper things. Going forward, tools that run during logon scripts, etc. All of these have limitations though and it is unlikely that you will ever get the "true" value regardless of the value you are looking for. But depending on what you need there are varying levels of "nearness" you can get to the true value.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, August 29, 2005 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] determine number of users logged on last 60 days

Is there query I could run that would tell me the number of users -minus
service accounts (guess filter by OU) that have logged on in the last 60
days.

Jeff Cothern

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



[ActiveDir] Domain Password Policies

2005-08-31 Thread mike kline
I know that Microsoft states that there can only be one password policy per domain.  Earlier this month Joe started a thread about AD Gripes and several people mentioned the password issue. 
 
We are dealing with the same thing.  I would like to have a more restrictive policy on our admin accounts OU.  Has anyone used a third party product and been successful?
 
For example 
 
http://www.anixis.com/products/ppe/features.htm
 
That product claims to do it but I'm wondering if anyone on this list has worked with that or any other product that could help out.
 
Thanks
Mike


RE: [ActiveDir] determine number of users logged on last 60 days

2005-08-31 Thread Thommes, Michael M.
How about joe's oldcmp tool (http://www.joeware.net/win/free/tools/oldcmp.htm)? 
 
"The tool will work with a Windows 2000 AD as well as a Windows 2003 AD. It can 
key off the pwdLastSet attribute or in a Windows 2003 Domain Functional Domain 
on lastLogonTimestamp. This means you are going after IDs that have not had 
their password reset in x days or you can go after accounts that haven't logged 
on x days where by default x, is 90 days."
 
Mike Thommes



From: [EMAIL PROTECTED] on behalf of Cothern Jeff D. Team EITC
Sent: Wed 8/31/2005 6:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] determine number of users logged on last 60 days



Unsure what the data is going to be used for. I just got the question of
how many users logged into the network in the last 60 days. If I can
have this in an automated way where they can pull up the information
easily it would be great. I think they are wanting it for metrics.

Jeff


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, August 29, 2005 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] determine number of users logged on last 60
days

It's possible, but not absolute.  Are you trying to automate user
management?
Can you give some more details about what you want and what you want to
do with the data?  That might help to spur some better information.

Basically, you can use lastlogontimestamp (dsquery makes it pretty easy
if you want to use that) to find out about when the last time a user
logged on assuming they triggered an update to this.  Some actions don't
trigger this update so a second data point is a useful thing to have to
narrow it down even more.  pwdLastSet is a useful data point IIRC.

Al



RE: [ActiveDir] determine number of users logged on last 60 days

2005-08-31 Thread Al Mulnick
MOM would be a great tool to investigate for information collection and 
trending reports based on that information. 
 
You could automate it by counting the users in the same manner I described, and 
then iterating through what's left discounting the service accounts if you 
wanted. 
 
You could also use the dsquery tools to do this because it's likely you don't 
need precision in this case but rather a rough estimate.  Using dsquery you can 
get the information pretty quickly and then you just need to count the objects 
it returns. 
 
Al



From: [EMAIL PROTECTED] on behalf of Cothern Jeff D. Team EITC
Sent: Wed 8/31/2005 7:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] determine number of users logged on last 60 days



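The lastLogonTimeStamp approach joe and Al describe, as an added example that is not code from the thread: it converts the attribute's FILETIME ticks, builds the LDAP filter a dsquery-style search would run, and then counts non-service users as "definitely" versus "possibly" active to show the "nearness" limit joe mentions, since the attribute lags the real logon by up to its sync interval. The OU name, account names and stamps are constructed.

```python
"""Added example (not from the thread): estimate how many non-service users
authenticated in the last N days from lastLogonTimeStamp, along the lines joe
and Al describe. Sample entries are constructed, not a real directory dump."""
from datetime import datetime, timedelta, timezone
from typing import Iterable, Mapping, Optional, Sequence, Tuple

# AD stores lastLogonTimeStamp (and pwdLastSet) as 100-nanosecond ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# lastLogonTimeStamp is rewritten only when the stored value is older than
# msDS-LogonTimeSyncInterval (14 days by default) minus a random 0-5 days, so the
# attribute can trail the real last logon by up to about two weeks. That is the
# "nearness" limit joe refers to; the attribute also needs Windows 2003 domain
# functional level, as the oldcmp description quoted by Mike Thommes says.
SYNC_INTERVAL = timedelta(days=14)
ACCOUNTDISABLE = 0x2  # userAccountControl bit
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND


def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def recent_user_filter(days: int, now: datetime) -> str:
    """LDAP filter for enabled users whose stamp could belong to a logon in the window.
    The cut-off is widened by SYNC_INTERVAL so nobody is missed; count_recent_users
    then separates certain hits from possible ones. Rough dsquery equivalent
    (weeks, not days): dsquery user -inactive 9"""
    cutoff = datetime_to_filetime(now - timedelta(days=days) - SYNC_INTERVAL)
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(!(userAccountControl:{BIT_AND_RULE}:=2))"
            f"(lastLogonTimeStamp>={cutoff}))")


def count_recent_users(entries: Iterable[Mapping], days: int, now: datetime,
                       exclude_ous: Sequence[str] = ()) -> Tuple[int, int]:
    """Return (definitely active, possibly active) counts.

    'Definitely' means the stamp itself lies inside the window; 'possibly' also
    includes stamps up to SYNC_INTERVAL older, whose real logon may or may not be
    inside it. As joe notes, an LDAP filter cannot select by OU, so service-account
    OUs are excluded here by inspecting each distinguishedName after the query."""
    definite_cutoff = now - timedelta(days=days)
    possible_cutoff = definite_cutoff - SYNC_INTERVAL
    excluded = tuple("," + ou.lower() for ou in exclude_ous)
    definite = possible = 0
    for entry in entries:
        dn = entry["distinguishedName"].lower()
        if any(dn.endswith(suffix) for suffix in excluded):
            continue
        if entry.get("userAccountControl", 0) & ACCOUNTDISABLE:
            continue
        stamp: Optional[int] = entry.get("lastLogonTimeStamp")
        if stamp is None:  # never logged on, or attribute not populated yet
            continue
        last = filetime_to_datetime(stamp)
        if last >= definite_cutoff:
            definite += 1
        if last >= possible_cutoff:
            possible += 1
    return definite, possible


# Constructed sample data: a fixed "now" and six accounts with different histories.
NOW = datetime(2005, 8, 31, 12, 0, tzinfo=timezone.utc)
SERVICE_OU = "OU=Service Accounts,DC=example,DC=com"


def _stamp(days_ago: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=days_ago))


SAMPLE_ENTRIES = [
    {"distinguishedName": "CN=alice,OU=Users,DC=example,DC=com", "userAccountControl": 512, "lastLogonTimeStamp": _stamp(10)},
    {"distinguishedName": "CN=bob,OU=Users,DC=example,DC=com", "userAccountControl": 512, "lastLogonTimeStamp": _stamp(65)},
    {"distinguishedName": "CN=carol,OU=Users,DC=example,DC=com", "userAccountControl": 512, "lastLogonTimeStamp": _stamp(90)},
    {"distinguishedName": "CN=dave,OU=Users,DC=example,DC=com", "userAccountControl": 514, "lastLogonTimeStamp": _stamp(5)},   # disabled
    {"distinguishedName": "CN=erin,OU=Users,DC=example,DC=com", "userAccountControl": 512},                                   # no stamp
    {"distinguishedName": f"CN=svc-backup,{SERVICE_OU}", "userAccountControl": 512, "lastLogonTimeStamp": _stamp(1)},         # service account
]

if __name__ == "__main__":
    print(recent_user_filter(60, NOW))
    print(count_recent_users(SAMPLE_ENTRIES, 60, NOW, [SERVICE_OU]))  # (1, 2)
```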

RE: [ActiveDir] determine number of users logged on last 60 days

2005-08-31 Thread Cothern Jeff D. Team EITC
Unsure what the data is going to be used for. I just got the question of
how many users logged into the network in the last 60 days. If I can
have this in an automated way where they can pull up the information
easily it would be great. I think they are wanting it for metrics.

Jeff
 



RE: [ActiveDir] Permissions for a user to add users to a group

2005-08-31 Thread Cothern Jeff D. Team EITC
OK, looking through the search function I cannot find any specific thing to
look for groups. I see the find people but that is looking for contact
information, not a particular group. Perhaps I am missing something.

Jeff
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Monday, August 29, 2005 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions for a user to add users to a group

A taskpad is one way to do it.  Another way is to tell the manager to
find the group using the Search function on the start menu - when they
double-click the group, the membership list is displayed and buttons are
provided to add and remove members.  The buttons are only active if they
have the permissions to do so, as mentioned below.  No additional
software install/config required.

Dave 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, August 29, 2005 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions for a user to add users to a group


OK, that is what I figured. So if I install just ADUC from the adminpak
and create a custom taskpad for the manager, would that be the easiest
and best method to alleviate confusion, etc.?

Jeff
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, August 27, 2005 2:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions for a user to add users to a group

It means the manager can add or remove DNs to the member attribute of
the group. So they will be able to add or remove members of the group.
They won't actually be able to add/remove users from AD with just those
rights.

ADUC can be used, as can a script or anything else that modifies the
member attribute of the group in question.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Friday, August 26, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Permissions for a user to add users to a group

If I set a group to be managed by a particular user and check the box
"Manager can update member list":

That means the Manager can add or delete users correct?

Does he need ADUC or is there another way he can add those users?  


Thanks

Jeff


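The right joe describes (write access to the group's member attribute) seen from the reviewing side, as an added example that is not code from the thread: it reads a group's security descriptor in SDDL form and lists which trustees can modify membership. It assumes the right appears either as an object-specific ACE naming the member attribute's schemaIDGUID (bf9679c0-0de6-11d0-a285-00aa003049e2) or as an unscoped write-property/generic-write ACE; the descriptor and SIDs are constructed.

```python
"""Added example (not from the thread): list the trustees a group's security
descriptor (SDDL form) allows to write the member attribute, which is the right
joe describes behind "Manager can update membership list".
Assumption: the right is carried either by an object-specific ACE naming the
member attribute's schemaIDGUID or by an unscoped write-property/generic-write ACE."""
import re
from typing import Set

MEMBER_ATTR_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of 'member'

# Access-mask bits (numeric SDDL rights) that include writing a property.
ADS_RIGHT_DS_WRITE_PROP = 0x20
GENERIC_WRITE = 0x40000000
GENERIC_ALL = 0x10000000
WRITE_MASK = ADS_RIGHT_DS_WRITE_PROP | GENERIC_WRITE | GENERIC_ALL
WRITE_CODES = {"WP", "GW", "GA"}  # the same rights in two-letter SDDL form

# "D:" followed by optional DACL flags (P, AI, AR ...) and then the ACE list.
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def grants_write_property(rights: str) -> bool:
    """True if an SDDL rights field (hex mask or two-letter codes) can write a property."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & WRITE_CODES)


def who_can_modify_members(sddl: str) -> Set[str]:
    """Trustees (SIDs or SDDL aliases such as DA) with an allow ACE covering 'member'.

    A deny ACE for the same trustee removes it again. Real access checks also weigh
    group membership, inheritance flags and ACE order, so treat this as a review
    list of whom to look at, not as an authorization decision."""
    m = DACL_RE.search(sddl)
    if not m:
        return set()
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in ACE_RE.findall(m.group(1)):
        parts = ace.split(";")
        if len(parts) < 6:
            continue
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = parts[:6]
        # No object GUID means the ACE applies to every attribute of the object.
        covers_member = obj_guid.lower() in ("", MEMBER_ATTR_GUID)
        if not (covers_member and grants_write_property(rights)):
            continue
        if ace_type in ("A", "OA"):
            allowed.add(trustee)
        elif ace_type in ("D", "OD"):
            denied.add(trustee)
    return allowed - denied


MANAGER_SID = "S-1-5-21-1234567890-1234567890-1234567890-1105"  # constructed
OTHER_SID = "S-1-5-21-1234567890-1234567890-1234567890-1106"    # constructed
DENIED_SID = "S-1-5-21-1234567890-1234567890-1234567890-1107"   # constructed
PLACEHOLDER_GUID = "11111111-2222-3333-4444-555555555555"       # stands in for some other attribute

# Constructed descriptor: what a group's DACL might look like after the checkbox is ticked.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"         # Domain Admins: unscoped WP covers member
    f"(OA;;WP;{MEMBER_ATTR_GUID};;{MANAGER_SID})"   # the ACE the checkbox grants the manager
    f"(OA;;WP;{PLACEHOLDER_GUID};;{OTHER_SID})"     # WP, but on a different attribute
    "(A;;RPLCLORC;;;AU)"                            # Authenticated Users: read only
    f"(OD;;WP;{MEMBER_ATTR_GUID};;{DENIED_SID})"    # explicit deny ...
    f"(A;;0x20;;;{DENIED_SID})"                     # ... outweighs this numeric-form allow
)

if __name__ == "__main__":
    for trustee in sorted(who_can_modify_members(SAMPLE_SDDL)):
        print("can modify members:", trustee)
```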


RE: [ActiveDir] Permissions for a user to add users to a group

2005-08-31 Thread Cothern Jeff D. Team EITC
Does that work in Windows 2000?



[ActiveDir] WINS replication issue, different domain

2005-08-31 Thread J0mb
Good morning all,

I've got 2 WINS servers (called WINS1 and WINS2) on a Windows 2000 AD domain called "AME.LOCAL". These are configured as pull-push partners of each other and will replicate correctly.

Now, I need to add 2 more WINS servers and configure them as P-P partners with the above. However, these 2 new machines cannot be joined to the "AME.LOCAL" domain because of company policy. They must be on a workgroup or be domain controllers of their own domain (which cannot trust or be trusted by "AME.LOCAL").

I tried to build up one of the 2 new WINS servers (called NEW1, Win2003 based), configured NEW1 and WINS1 as push-pull partners of each other, but it seems they will not replicate. This is true both if NEW1 is on a workgroup or on its own domain.
What am I missing/doing wrong?

Regards
Alex



RE: [ActiveDir] Replication problems!

2005-08-31 Thread Halonen Sami
Fooling around with ntdsutil and metadata cleanup or ADSIedit should give you some hints about the name of the DC(s) that's (are) missing. If it's missing on purpose, you need to do the metadata cleanup for the server to get rid of it completely (http://support.microsoft.com/default.aspx?scid=kb;en-us;216498) or if that server should be online, you need to demote it, do the same cleanup, fix the network connection, then promote it again. I don't know if there's any way of fixing a DC that has been isolated for too long, but if there is, it's probably not worth the trouble since demoting-promoting is a pretty straightforward and simple procedure.


-Sami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: 30 August 2005 22:21
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Replication problems!

It seems you have not been watching your logs frequently...

One of the DCs has not replicated with this DC beyond the tombstone lifetime...
It could be a DC which was taken offline abruptly, without properly demoting it.

Run dcdiag.exe on that server; it will tell you which other DCs it is not able to replicate with.



On 8/30/05, Wilhelmsen Jan <[EMAIL PROTECTED]> wrote:
> Hi!
>
> I have noticed that on my DC I got several entries in the Directory
> Service event log:
>
> Event Type: Error
> Event Source: NTDS Replication
> Event Category: Replication
> Event ID: 1864
> Date: 29.08.2005
> Time: 10:40:14
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: domcontroller1
> Description:
> This is the replication status for the following directory partition
> on the local domain controller.
>
> Directory partition: DC=DomainDnsZones,DC=mydomain,DC=net
>
> The local domain controller has not recently received replication
> information from a number of domain controllers. The count of domain
> controllers is shown, divided into the following intervals.
>
> More than 24 hours: 1
> More than a week: 1
> More than one month: 1
> More than two months: 1
> More than a tombstone lifetime: 1
> Tombstone lifetime (days): 60
>
> I run the command: repadmin /showvector /latency dc=mydomain,dc=net
>
> And the result shows the following output:
>
> 0de822b5-b8da-4f0e-82a1-66ec9407b8f3@ USN 26321 @ Time (unknown)
> 1f2ff24b-496b-47e9-a735-089bd8f57285@ USN   2175489 @ Time 2004-11-28 16:06:20
>
> How can I fix this problem? It is obvious that this server has not
> been replicated for a while, but I can't seem to figure out which
> servers it is.
>
> If I run repadmin /showreps /v domcontroller1, I see all successful
> and no errors.
>
> Can anyone provide me with some tips on how to attack this problem?
>
> I also noticed that in one particular OU I cannot copy a user, but if I
> create a new user in the OU there is no problem.
>
> When I try to copy a user I get this error message after I press OK
> for the creation of the new user.
>
> Stop box:
> Windows cannot create the object test user because:
> The name reference is invalid.
>
> Thanks in advance,
>
> Jan


-- 
~~~
"Fortune and Love befriend the bold"
~~~
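Jan's question is which source the event 1864 counts refer to. As an added example that is not code from the thread, the block below turns `repadmin /showvector /latency` output into the same cumulative buckets the event prints and names the sources past the tombstone lifetime; the sample output is constructed around the two lines Jan quoted (the `Default-First-Site-Name\DC02` entry and the banner lines are made up), and the "now" used is the event's own timestamp.

```python
"""Added example (not from the thread): rebuild the event 1864 latency buckets from
'repadmin /showvector /latency' output so the stale source can be named. The sample
text is constructed; its two GUID lines copy the layout Jan posted."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# One up-to-dateness vector entry per line: "<source> @ USN <n> @ Time <timestamp|(unknown)>"
LINE_RE = re.compile(r"^(?P<src>.+?)\s*@\s*USN\s+(?P<usn>\d+)\s*@\s*Time\s+(?P<time>.+?)\s*$")

# Event 1864 reports cumulative buckets: a source older than two months also counts
# in the 24-hour, week and month buckets, which is why Jan's event shows 1 in every row.
BUCKETS: List[Tuple[str, timedelta]] = [
    ("More than 24 hours", timedelta(hours=24)),
    ("More than a week", timedelta(days=7)),
    ("More than one month", timedelta(days=30)),   # month/two months approximated in days
    ("More than two months", timedelta(days=60)),
]
TOMBSTONE_LABEL = "More than a tombstone lifetime"

Entry = Tuple[str, int, Optional[datetime]]


def parse_showvector(text: str) -> List[Entry]:
    """Extract (source, USN, last-sync time or None) from each vector line."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner or progress lines carry no vector entry
        when_text = m.group("time")
        when = None if when_text.startswith("(") else datetime.strptime(when_text, "%Y-%m-%d %H:%M:%S")
        entries.append((m.group("src"), int(m.group("usn")), when))
    return entries


def summarize_latency(entries: List[Entry], now: datetime, tombstone_days: int = 60
                      ) -> Tuple[Dict[str, int], List[Tuple[str, int]], List[str]]:
    """Return (bucket counts as in event 1864, sources past the tombstone lifetime with
    their age in days, sources whose last-sync time is unknown and so cannot be aged)."""
    counts: Dict[str, int] = {label: 0 for label, _ in BUCKETS}
    counts[TOMBSTONE_LABEL] = 0
    past_tombstone: List[Tuple[str, int]] = []
    unknown: List[str] = []
    for src, _usn, when in entries:
        if when is None:
            unknown.append(src)
            continue
        age = now - when
        for label, threshold in BUCKETS:
            if age > threshold:
                counts[label] += 1
        if age > timedelta(days=tombstone_days):
            counts[TOMBSTONE_LABEL] += 1
            past_tombstone.append((src, age.days))
    return counts, past_tombstone, unknown


# Constructed sample output; the two GUID lines follow Jan's post, the rest is made up.
SAMPLE_OUTPUT = """\
Caching GUIDs.
..
0de822b5-b8da-4f0e-82a1-66ec9407b8f3@ USN 26321 @ Time (unknown)
1f2ff24b-496b-47e9-a735-089bd8f57285@ USN   2175489 @ Time 2004-11-28 16:06:20
Default-First-Site-Name\\DC02 @ USN 98765 @ Time 2005-08-29 09:55:01
"""
EVENT_TIME = datetime(2005, 8, 29, 10, 40, 14)  # the 1864 event's Date/Time

if __name__ == "__main__":
    counts, stale, unknown = summarize_latency(parse_showvector(SAMPLE_OUTPUT), EVENT_TIME)
    for label, n in counts.items():
        print(f"{label}: {n}")
    print("past tombstone lifetime:", stale)
    print("unknown last-sync time:", unknown)
```

With the tombstone lifetime of 60 days the sample reproduces Jan's five 1s, attributes them to the 1f2ff24b source (273 days old), and reports the 0de822b5 entry separately because it has no timestamp to age.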


[ActiveDir] Networking rights...

2005-08-31 Thread Kasper Sørensen
Hm, I know it isn't anything to do with AD...
But I don't know where to look... Hoping you could answer...

I have a computer that connects to a domain.
The only problem is, the work on the local computer cannot be modified...
The "owner" of the local files and folders is the local account...
But now we use the domain, and they don't have access to their own folders and files... because they were made with the local user...

The problem is, the user on the domain needs administrative rights over their own computer, but not the domain...
How?!

-- 
Best Regards
Kasper Sørensen
www.mewe.dk