RE: [ActiveDir] Virtual Servers in Branch Offices
Other than to set up the Virtual instances themselves, you will not ordinarily use the admin site to do much. After they are up and running, you will bring out either RDP or VMRC for doing all administration of the guest OS, and at that point the performance is very much independent of where the admin website is located.

To directly answer your question (:)), I have not measured the performance personally. I have not had a reason to, given that my typical use for the admin website is as I have described above.

Hope I make sense.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Phil Renouf
Sent: Wed 10/19/2005 10:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Servers in Branch Offices

Yeah, I was just wondering if you saw any issues with putting it on a box across a WAN link. I have never looked into that before so I was just wondering your opinion on it for my own curiosity.

Phil

On 10/19/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I don't get your drift. There is no requirement for the web server to be in the same location as the virtual server.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Phil Renouf
Sent: Wed 10/19/2005 8:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Servers in Branch Offices

Would you put the admin site on a server not at that location? Because if you wouldn't then that won't help much since if you had another server to put the admin site on at the remote location then that would be a good place to put the f/p services.

Phil

On 10/19/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

You can separate the 2 roles. You can put the admin site on a non-dc server.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Wed 10/19/2005 6:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Strange, I was just having this conversation today with a co-worker. :)

My thoughts? I'd say make it a GC and put the f/p in the virtual. Why? Because you still need to protect the physical, but the virtual you can give out access to. The downside is that the virtual machine requires IIS (in Microsoft products) meaning you have a vector for attack. But nothing that requires changing the security otherwise for the GC.

I prefer not to put IIS on a GC for security reasons, but if you can get away without it then I should think that this method would provide greater ability to secure it. Keep in mind that physical access is still warranted. It's just that you wouldn't have to worry about somebody taking the GC home on a USB key like they otherwise could ;)

It's not pretty no matter which way you turn IMHO. Could be better.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, October 19, 2005 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

I assume you are referring to the fact that the host could be compromised over the network and the virtual hard drive or virtual machine itself simply copied. (Just for the record, this is covered in the white paper. Did not mean to imply that it is
RE: [ActiveDir] Virtual Servers in Branch Offices
Hi Al,

you don't need IIS running on the machine where Virtual Server is running. IIS supports the admin website, and you can put this on any other server, and have a couple of servers managed from one machine.

Since we are talking about VS in BOs I'd recommend putting the virtual server w/o IIS and the admin-sites (not sure about the right names of the components - too lazy to install VS just to figure that out) on the BO-Servers and install the admin-Webpages onto a central server (or a workstation).

Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, October 20, 2005 3:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Strange, I was just having this conversation today with a co-worker. :)

My thoughts? I'd say make it a GC and put the f/p in the virtual. Why? Because you still need to protect the physical, but the virtual you can give out access to. The downside is that the virtual machine requires IIS (in Microsoft products) meaning you have a vector for attack. But nothing that requires changing the security otherwise for the GC.

I prefer not to put IIS on a GC for security reasons, but if you can get away without it then I should think that this method would provide greater ability to secure it. Keep in mind that physical access is still warranted. It's just that you wouldn't have to worry about somebody taking the GC home on a USB key like they otherwise could ;)

It's not pretty no matter which way you turn IMHO. Could be better.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, October 19, 2005 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

I assume you are referring to the fact that the host could be compromised over the network and the virtual hard drive or virtual machine itself simply copied. (Just for the record, this is covered in the white paper. Did not mean to imply that it is not. Security in this respect is referred over to NTFS permissions).

So given that you could have a single physical machine at a branch office and that you must have a DC and F/P service, what is the preferred configuration?

-- nme

P.S. thanks for keeping this thread going.

From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 18, 2005 8:42 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

"Does placing the DC inside a virtual machine add any security? Would it be harder for someone with physical access to compromise the DC? The white paper does not really make this clear. Also, I am assuming that a host machine would be a domain member, right? Does it authenticate off the virtual DC?"

Dean

Virtual DCs effectively weaken the broader-definition of security in a number of ways including the context of physical access ... this is due primarily to the relative ease with which the entire DC's state can be duplicated, subsequently, becoming portable and reproduced in a running state elsewhere with little to no effort.

The host machine has no bearing ... it's rather like saying "the rack in which the server is physically housed has to be a domain member" (or any further extension of that particular metaphor). Keep in mind the VM (for the most part) doesn't even realize it's virtual.

/Dean
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Thanks for the thoughts. And thanks Tony for the reference -- just finished reading it.

Unfortunately, deploying the DC at HQ or simply authenticating over the WAN is not really an option. The WAN links are ok (and getting better) but are located in places where environmental (as in the weather) conditions often cause short interruptions.

Does placing the DC inside a virtual machine add any security? Would it be harder for someone with physical access to compromise the DC? The white paper does not really make this clear. Also, I am assuming that a host machine would be a domain member, right? Does it authenticate off the virtual DC? [1]

Thanks again.

-- nme

[1] This sort of reminds me of the scene in
RE: [ActiveDir] Virtual Servers in Branch Offices
I have to second that - I don't see much performance issues when admin interface and the vs-host are separated. The mgmt traffic should be pretty low, the higher traffic is when connecting onto a machine via RDP, VSRC or the web-based VSRC. Either or they will cause the traffic between the VS-host and the machine where the admin is sitting, no matter where the webpage runs. And I'd usually recommend using RDP here - provides a higher performance (than VSRC) and the admin doesn't need to worry if he's connecting to a real or virtual machines - same interface.

Probably the transfer of the webpage causes way more traffic than managing the VS-guest with it. So you might get a better performance / less WAN-Traffic if you put the webpage in your hub and only the VS-host w/o admin-webpage in the Branch-Office.

Ulf

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
|Sent: Thursday, October 20, 2005 7:55 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
|
|Other than to set up the Virtual instances themselves, you will not ordinarily use the admin site to do much. After they are up and running, you will bring out either RDP or VMRC for doing all administration of the guest OS, and at that point the performance is very much independent of where the admin website is located.
|
|To directly answer your question (:)), I have not measured the performance personally. I have not had a reason to, given that my typical use for the admin website is as I have described above.
|
|Hope I make sense.
|
|Sincerely,
|
|Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
|Microsoft MVP - Directory Services
|www.readymaids.com - we know IT
|www.akomolafe.com
|Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
|
|From: [EMAIL PROTECTED] on behalf of Phil Renouf
|Sent: Wed 10/19/2005 10:35 PM
|To: ActiveDir@mail.activedir.org
|Subject: Re: [ActiveDir] Virtual Servers in Branch Offices
|
|Yeah, I was just wondering if you saw any issues with putting it on a box across a WAN link. I have never looked into that before so I was just wondering your opinion on it for my own curiosity.
|
|Phil
|
|On 10/19/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
|
| I don't get your drift. There is no requirement for the web server to be in the same location as the virtual server.
|
| Sincerely,
|
| Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
| Microsoft MVP - Directory Services
| www.readymaids.com - we know IT
| www.akomolafe.com
| Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
|
| From: [EMAIL PROTECTED] on behalf of Phil Renouf
| Sent: Wed 10/19/2005 8:07 PM
| To: ActiveDir@mail.activedir.org
| Subject: Re: [ActiveDir] Virtual Servers in Branch Offices
|
| Would you put the admin site on a server not at that location? Because if you wouldn't then that won't help much since if you had another server to put the admin site on at the remote location then that would be a good place to put the f/p services.
|
| Phil
|
| On 10/19/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
|
| You can separate the 2 roles. You can put the admin site on a non-dc server.
|
| Sincerely,
|
| Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
| Microsoft MVP - Directory Services
| www.readymaids.com - we know IT
| www.akomolafe.com
| Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
|
| From: [EMAIL PROTECTED] on behalf of Al Mulnick
| Sent: Wed 10/19/2005 6:32 PM
| To: ActiveDir@mail.activedir.org
| Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
|
| Strange, I was just having this conversation today with a co-worker. :)
|
| My thoughts? I'd say make it a GC and put the f/p in the virtual. Why? Because you still need to protect the physical, but the virtual you can give out access to. The downside is that the virtual machine requires IIS (in Microsoft products) meaning you have a vector for attack. But nothing that requires changing the security otherwise for the GC.
|
| I prefer not to put IIS on a GC for security reasons, but if you can get away without it then I should think that this
RE: [ActiveDir] Microsoft password notification service
Hi,

Before continuing, is your first problem resolved?

Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Thursday, 20 October 2005 01:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft password notification service

  Event Type: Error
  Event Source: PCNSSVC
  Event Category: Error
  Event ID: 6025
  Date: 7/10/2005
  Time: 1:08:29 PM
  User: N/A
  Computer: POLICE
  Description:
  Password Change Notification Service received an RPC exception attempting to deliver a notification.
  Thread ID: 1988
  Tracking ID: e6656f05-0f1a-4fb7-b04c-a3f23deb8114
  User GUID: 0146a5d7-774b-47b8-aeb3-72db14d038ac
  User: MCOM\agnew_s237
  Target: personality
  Delivery Attempts: 1097
  Queued Notifications: 3
  0x0005 - Access is denied.

could you help me with this error message?

thanks
Antonio

-Original Message-
From: TIROA YANN [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, October 19, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft password notification service

Hi,

seems like a collision problem while created 2 objects with same name and same DN on different DCs. So the most recently named objects keeps the original DN attribute, AD renames the remaining duplicates to a name as "originalRdn#CNF:objectGuid", where CNF is a tag to denote that the object was renamed due to a name conflict.

In order to resolve this issue u may delete 3 of them, logically, those which have the CNF tags. Personally, I will delete all of them and recreate them with pcnscfg.exe

So open ADUC, go to "System" container (in advanced feature mode of ADUC), find the "Password Change Notification Service" container, u will see all your targets created. Delete all of them and recreate them again. Wait before for the end of replication to take place *BEFORE* recreating targets.

Yann

From: [EMAIL PROTECTED] on behalf of Antonio Aranda
Date: Wed. 19/10/2005 18:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft password notification service

Here is what I typed and the responses.

  C:\Program Files\Microsoft Password Change Notification>pcnscfg DELETETARGET /N:miisdemo
  Error deleting the target. The target was not found.

  C:\Program Files\Microsoft Password Change Notification>pcnscfg DISABLETARGET /N:miisdemo
  Error modifying the target. The target was not found.

  C:\Program Files\Microsoft Password Change Notification>pcnscfg MODIFYTARGET /N:miisdemo /a:personality /s:PCNSPER2/PERSONALITY /fi:"domain Users" /f:3
  Error modifying the target. The target was not found.

  C:\Program Files\Microsoft Password Change Notification>pcnscfg list
  The service configuration is not set. Defaults will be used by the service.

  Default Service Configuration
    MaxQueueLength: 0
    MaxQueueAge...: 259200 seconds
    MaxNotificationRetries: 0
    RetryInterval.: 60 seconds

  Targets
    Target Name...: miisdemoCNF:71ee789f-c80a-44ea-9353-447b0d578559
    Target GUID...: B79C4341-B3ED-413A-A046-7016E557E982
    Server FQDN or Address: personality
    Service Principal Name: PCNSPER2/PERSONALITY
    Authentication Service: Kerberos
    Inclusion Group Name..: MCOM\Domain Users
    Exclusion Group Name..:
    Keep Alive Interval...: 0 seconds
    User Name Format..: 3
    Queue Warning Level...: 0
    Queue Warning Interval: 30 minutes
    Disabled..: False

    Target Name...: miisdemoCNF:f0b31f2e-0d09-4506-a37a-cd56a0d20d5e
    Target GUID...: FA0D13B1-C03F-461C-90A9-2DDD3B77B063
    Server FQDN or Address: personality.mcom.utpb.edu
    Service Principal Name: PCNSPER1/PERSONALITY.MCOM.UTPB.EDU
    Authentication Service: Kerberos
    Inclusion Group Name..: MCOM\Domain Users
    Exclusion Group Name..:
    Keep Alive Interval...: 0 seconds
    User Name Format..: 3
    Queue Warning Level...: 0
    Queue Warning Interval: 30 minutes
    Disabled..: False

    Target Name...: miisdemoCNF:fbbf4c22-7f86-4494-8fb3-ef5f1f43d990
    Target GUID...: B686780E-5DA2-46C6-BF56-F11EB808368B
    Server FQDN or Address: personality
    Service Principal Name: PCNSPER2/PERSONALITY
    Authentication Service: Kerberos
    Inclusion Group Name..: MCOM\Domain Users
    Exclusion Group Name..:
    Keep Alive Interval...: 0 seconds
    User Name Format..: 3
    Queue Warning Level...: 0
    Queue Warning Interval: 30 minutes
    Disabled..: False

  Total targets: 3

Thanks
Antonio Aranda

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, October 19, 2005 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft password notification service

Hi,

Can you dump to us the details of the whole commands u type the results ? See in the
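
Added example, not part of the original thread: a Python sketch that parses `pcnscfg list` output of the shape quoted above and groups targets whose names carry the `CNF:<objectGuid>` conflict tag Yann describes, so the duplicates and their differing SPNs can be reviewed before cleanup. The sample listing is constructed (abridged from the thread's output, plus one made-up clean target `examplesync`), and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the `pcnscfg list` output quoted in the
# thread, plus one made-up clean target ("examplesync") for contrast.
SAMPLE = """\
The service configuration is not set. Defaults will be used by the service.
Default Service Configuration
  MaxQueueLength: 0
  RetryInterval.: 60 seconds
Targets
  Target Name...: miisdemoCNF:71ee789f-c80a-44ea-9353-447b0d578559
  Target GUID...: B79C4341-B3ED-413A-A046-7016E557E982
  Server FQDN or Address: personality
  Service Principal Name: PCNSPER2/PERSONALITY
  Disabled..: False
  Target Name...: miisdemoCNF:f0b31f2e-0d09-4506-a37a-cd56a0d20d5e
  Target GUID...: FA0D13B1-C03F-461C-90A9-2DDD3B77B063
  Server FQDN or Address: personality.mcom.utpb.edu
  Service Principal Name: PCNSPER1/PERSONALITY.MCOM.UTPB.EDU
  Disabled..: False
  Target Name...: miisdemoCNF:fbbf4c22-7f86-4494-8fb3-ef5f1f43d990
  Target GUID...: B686780E-5DA2-46C6-BF56-F11EB808368B
  Server FQDN or Address: personality
  Service Principal Name: PCNSPER2/PERSONALITY
  Disabled..: False
  Target Name...: examplesync
  Target GUID...: 00000000-0000-0000-0000-000000000001
  Server FQDN or Address: sync.example.test
  Service Principal Name: PCNSCLNT/sync.example.test
  Disabled..: False
Total targets: 4
"""

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# "Key....: value" lines; the dot padding after the key is optional.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*\.*\s*:\s*(.*?)\s*$")
# Conflict-renamed name: original RDN, optional separator, then CNF:<objectGuid>.
CNF_RE = re.compile(r"^(?P<base>.+?)\s*CNF:(?P<guid>" + GUID + r")$", re.S)
# A bare "CNF:<guid>" line, in case the separator in the name is printed as a
# real line break (assumption; the thread shows the name on one line).
CONT_RE = re.compile(r"^\s*CNF:" + GUID + r"\s*$")


def parse_targets(text):
    """Return one dict per target block found in `pcnscfg list` output."""
    targets, current = [], None
    for line in text.splitlines():
        if current is not None and len(current) == 1 and CONT_RE.match(line):
            current["Target Name"] += "\n" + line.strip()
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Target Name":
            current = {key: value}
            targets.append(current)
        elif key == "Total targets":
            current = None          # trailer line, not a target field
        elif current is not None:
            current[key] = value
    return targets


def find_conflicts(targets):
    """Group conflict-renamed targets by the name they had before renaming."""
    groups = defaultdict(list)
    for t in targets:
        m = CNF_RE.match(t["Target Name"])
        if m:
            groups[m.group("base")].append(t)
    return dict(groups)


def summarize(text):
    """One summary per original name: duplicates, their SPNs and servers."""
    targets = parse_targets(text)
    names = {t["Target Name"] for t in targets}
    out = []
    for base, dupes in sorted(find_conflicts(targets).items()):
        out.append({
            "base": base,
            "count": len(dupes),
            # False here means nothing answers to the plain name any more.
            "plain_name_present": base in names,
            "spns": sorted({d.get("Service Principal Name", "") for d in dupes}),
            "servers": sorted({d.get("Server FQDN or Address", "") for d in dupes}),
            "guids": [d.get("Target GUID", "") for d in dupes],
        })
    return out


if __name__ == "__main__":
    for s in summarize(SAMPLE):
        print(s)
```
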
[ActiveDir] OT: Performance Counters
Hello all,

I have an issue where all the performance counters on a Windows Server 2003 SP1 server all appear as numbers, no descriptions or clues are detailed as to why this is occurring.

The server also has SQL installed.

Does anyone have any notions?

Mark

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Default Web browser
Hi,

I wonder if anyone could help. We have many users running terminal server sessions on one server. When we set the default browser for one user it changes it for all the users. Is there a way to set the default browser for certain groups via a group policy?

--
Shane De Jager
Technical Developer
INTERGAGE
High-performance, updateable Web sites
Switchboard +44(0)845 456 1022
www.intergage.co.uk
[EMAIL PROTECTED]
Are you aware of our referral scheme? Learn how you could profit personally from passing us leads. Click here to pass a referral: www.intergage.co.uk/referrals
Re: [ActiveDir] Default Web browser
Shane De Jager wrote:

  Hi, I wonder if anyone could help. We have many users running terminal server sessions on one server. When we set the default browser for one user it changes it for all the users. Is there a way to set the default browser for certain groups via a group policy?

I don't know about a group policy setting, but the prompt can be disabled.

http://thethin.net/faqs2.cfm?id=111category=2sortby=date

Regards,
Arlo
Re: [ActiveDir] OT? Remote Assistance.
Not sure if you ever got this going? If not, do you have either of these policy settings set?

computer configuration/windows settings/security settings/local policies/user rights assignment/deny access to this computer from the network or access this computer from the network?

For sure, the deny will stop it. I would guess that if you name a group in the allow, it also could stop it.

John

From: Kennedy, Jim [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT? Remote Assistance.
Date: 10/18/2005 12:18 PM
Please respond to [EMAIL PROTECTED]

Trouble getting Remote Assistance going. XP w/ SP2 in a 2K3 domain. XP firewall disabled on both boxes.

Two computers for test. Both in the same OU. GPO forces offer and invite enabled with a group having the permissions. RSOP on both machines shows it is all taking effect. Both logged on users are local admins, and are in fact domain admins.

Invitations for Assistance work fine, in both directions. However Offer Assistance fails with 'Permission Denied'.

Been through everything here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;310629
Simple file sharing off and verified the groups and members are being passed down.

This one does not apply, that group policy is undefined. Tried defining it with the fix anyway, no change.
http://support.microsoft.com/?kbid=884910
http://support.microsoft.com/default.aspx?scid=kb;en-us;889248

Even fired up all the disabled services on both machines.
RE: [ActiveDir] OT: Exchange Insider articles
That link sends me to an OWA login for MS...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, October 19, 2005 8:07 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange Insider articles

Since Exchange seems to come up here fairly often I figured there would be some people interested to know that there are some new articles being posted to the Exchange site titled "Exchange Insider" articles. There is a lot of great information there and I believe there are more to come.

http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/default.mspx

Phil
RE: [ActiveDir] OT: Exchange Insider articles
Stop that crazy link stuff.. If you copy/paste the link it works.

http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/default.mspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, October 19, 2005 8:07 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange Insider articles

Since Exchange seems to come up here fairly often I figured there would be some people interested to know that there are some new articles being posted to the Exchange site titled "Exchange Insider" articles. There is a lot of great information there and I believe there are more to come.

http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/default.mspx

Phil
RE: [ActiveDir] Interesting Scripting Task.....
All,

Just thought a quick update might save a bit of pain for those of you that ever want to use the CreateXMLFromEnvironment.wsf and CreateEnvironmentFromXML.wsf scripts from GPMC.

I found a snag where CreateEnvironmentFromXML.wsf can't import user accounts where the name contains a comma (and probably other special characters). I know it is bad practice to use these in display names, but it is supported by dsa.msc and so inevitably has been used.

There are a few ways around this, I got past it by changing line 596 from

  szName = User.Get("name");

To

  szName = User.Get("samAccountName");

This could be done a lot smarter I know, but for a quick fix this works and is all I need for now.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: 12 October 2005 13:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Interesting Scripting Task.

The script Darren pointed out seem to be working just fine, now I need to configure a decent migtable ;-)

Thanks again for the heads up Darren.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 10 October 2005 17:40
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Interesting Scripting Task.

Yes, Microsoft has attempted it. Check out the scripts directory under the GPMC install. It has two scripts:

CreateXMLFromEnvironment.wsf and CreateEnvironmentFromXML.wsf

That do pretty much everything that you've described below.

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Monday, October 10, 2005 8:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Interesting Scripting Task.

All,

I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our OUs, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OU's, Groups, Users and GPO's (including security) and then restores them in a different target domain (different forest too).

Has anyone attempted/achieved this before?

Brad
Re: [ActiveDir] OT: Exchange Insider articles
Hutchins, Mike wrote:

  That link sends me to an OWA login for MS...

Just use the displayed link:

http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/default.mspx

--
Tomasz Onyszko
http://www.w2k.pl
Re: [ActiveDir] OT: Exchange Insider articles
Ah, the MS cut and paste from OWA bug that leaves the OWA tag in the html :-)

https://mail.microsoft.com/exchweb/bin/redir.asp?URL=http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/default.mspx

Try this:

http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/default.mspx

Hutchins, Mike wrote:

  That link sends me to an OWA login for MS...

  *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of* Phil Renouf
  *Sent:* Wednesday, October 19, 2005 8:07 PM
  *To:* activedir@mail.activedir.org
  *Subject:* [ActiveDir] OT: Exchange Insider articles

  Since Exchange seems to come up here fairly often I figured there would be some people interested to know that there are some new articles being posted to the Exchange site titled Exchange Insider articles. There is a lot of great information there and I believe there are more to come.

  http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/default.mspx
  https://mail.microsoft.com/exchweb/bin/redir.asp?URL=http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/default.mspx

  Phil
RE: [ActiveDir] Virtual Servers in Branch Offices
That's good to know. I did not know you could install VS without the IIS components.

I should point out that putting a GC in a remote site does often imply that local resources (even if just opposable thumb types) will have the ability to physically access the machine. You'll have some risk, but at least you would not have to munge up the permissions to allow for f/p maintenance. You *can* just have the f/p administrative resource just have permissions, full control, etc of the f/p virtual.

It's always good to learn something new :)

From: Ulf B. Simon-Weidner [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
Date: Thu, 20 Oct 2005 09:42:14 +0200

Hi Al,

you don't need IIS running on the machine where Virtual Server is running. IIS supports the admin website, and you can put this on any other server, and have a couple of servers managed from one machine.

Since we are talking about VS in BOs I'd recommend putting the virtual server w/o IIS and the admin-sites (not sure about the right names of the components - too lazy to install VS just to figure that out) on the BO-Servers and install the admin-Webpages onto a central server (or a workstation).

Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, October 20, 2005 3:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Strange, I was just having this conversation today with a co-worker. :)

My thoughts? I'd say make it a GC and put the f/p in the virtual. Why? Because you still need to protect the physical, but the virtual you can give out access to. The downside is that the virtual machine requires IIS (in Microsoft products) meaning you have a vector for attack. But nothing that requires changing the security otherwise for the GC.

I prefer not to put IIS on a GC for security reasons, but if you can get away without it then I should think that this method would provide greater ability to secure it. Keep in mind that physical access is still warranted. It's just that you wouldn't have to worry about somebody taking the GC home on a USB key like they otherwise could ;)

It's not pretty no matter which way you turn IMHO. Could be better.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, October 19, 2005 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

I assume you are referring to the fact that the host could be compromised over the network and the virtual hard drive or virtual machine itself simply copied. (Just for the record, this is covered in the white paper. Did not mean to imply that it is not. Security in this respect is referred over to NTFS permissions).

So given that you could have a single physical machine at a branch office and that you must have a DC and F/P service, what is the preferred configuration?

-- nme

P.S. thanks for keeping this thread going.

From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 18, 2005 8:42 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Does placing the DC inside a virtual machine add any security? Would it be harder for someone with physical access to compromise the DC? The white paper does not really make this clear. Also, I am assuming that a host machine would be a domain member, right? Does it authenticate off the virtual DC?

Dean

Virtual DCs effectively weaken the broader-definition of security in a number of ways including the context of physical access ... this is due primarily to the relative ease with which the entire DC's state can be duplicated, subsequently, becoming portable and reproduced in a running state elsewhere with little to no effort.

The host machine has no bearing ... it's rather like saying the rack in which the server is physically housed has to be a domain member (or any further extension of that particular metaphor). Keep in mind the VM (for the most part) doesn't even realize it's virtual.

/Dean
--
Dean Wells
MSEtechnology
* Email: dwells mailto:[EMAIL PROTECTED] @msetechnology.com
http://msetechnology.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Thanks for the thoughts. And thanks Tony for the reference -- just finished reading it.

Unfortunately, deploying the DC at HQ or simply authenticating over the WAN is not really an option. The WAN links are ok (and getting better) but are located in places where environmental (as in the weather) conditions often cause short interruptions.

Does placing the DC inside a virtual machine add any security? Would it be harder for
RE: [ActiveDir] Virtual Servers in Branch Offices
That's good to know. I did not know you could install VS without the IIS components. I should point out that putting a GC in a remote site does often imply that local resources (even if just opposable thumb types) will have the ability to physically access the machine. You'll have some risk, but at least you would not have to munge up the permissions to allow for f/p maintenance. You *can* just have the f/p administrative resource just have permissions, full control, etc of the f/p virtual.

It's always good to learn something new :)

From: Ulf B. Simon-Weidner [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
Date: Thu, 20 Oct 2005 09:42:14 +0200

Hi Al,

you don't need IIS running on the machine where Virtual Server is running. IIS supports the admin website, and you can put this on any other server, and have couple servers managed from one machine. Since we are talking about VS in BOs I'd recommend putting the virtual server w/o IIS and the admin-sites (not sure about the right names of the components - too lazy to install VS just to figure that out) on the BO-Servers and install the admin-Webpages onto a central server (or a workstation).

Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, October 20, 2005 3:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Strange, I was just having this conversation today with a co-worker. :) My thoughts? I'd say make it a GC and put the f/p in the virtual. Why? Because you still need to protect the physical, but the virtual you can give out access to. The downside is that the virtual machine requires IIS (in Microsoft products) meaning you have a vector for attack. But nothing that requires changing the security otherwise for the GC.
Re: [ActiveDir] OT: Exchange Insider articles
Damn, this Gmail switching to rich text editing is messing with me! Sorry folks.

Phil

On 10/20/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Ah, the MS cut and paste from OWA bug that leaves the OWA tag in the html :-) https://mail.microsoft.com/exchweb/bin/redir.asp?URL=""

Try this: http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/default.mspx

Hutchins, Mike wrote:

That link sends me to an OWA login for MS...

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Phil Renouf
*Sent:* Wednesday, October 19, 2005 8:07 PM
*To:* activedir@mail.activedir.org
*Subject:* [ActiveDir] OT: Exchange Insider articles

Since Exchange seems to come up here fairly often I figured there would be some people interested to know that there are some new articles being posted to the Exchange site titled Exchange Insider articles. There is a lot of great information there and I believe there are more to come.

http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/default.mspx https://mail.microsoft.com/exchweb/bin/redir.asp?URL=""

Phil

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Server Monitoring
On this note, for another (slightly late) free software plug, pandoramon (http://pandoramon.sourceforge.net) is quite a nice web-based open source monitoring platform, and operates with agents running on target hosts (with an agent for linux, windows, and several flavours of unix) that talks to the management system. There are some quite good screenshots (http://pandoramon.sourceforge.net/en/index.php?sec=screenshots) on the sourceforge page if you don't feel like reading through the documentation to get a brief overview as to what it'll do! - James. On Tue, 2005-10-18 at 13:26 -0400, Alborzfard, Alex wrote: A little late to put my 2 cents in, but I guess better late than never. I've used NAGIOS, Kaseya, and MonitorIT. If you're comfortable with Linux I'd go with NAGIOS, you can't go wrong with the price: FREE. Otherwise the other two are viable options, you get a whole lotta features. The down side is that they require installing agents. --Alex -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker Sent: Monday, October 17, 2005 9:34 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Server Monitoring Hello all... We are searching for a tool that will monitor server uptime and send out an alert when a server goes down. Anyone have a suggestion? Does not have to be too complicated. Everything is Win2K AD fully spacked. Thank you in advance. John Parker, MCSE IS Admin. Senior Technical Specialist Alpha Display Systems. Alpha Video 7711 Computer Ave. Edina, MN. 55435 952-896-9898 Local 800-388-0008 Watts 952-896-9899 Fax 612-804-8769 Cell 952-841-3327 Direct [EMAIL PROTECTED] Be excellent to each other ---End of Line--- -Original Message- From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [mailto:[EMAIL PROTECTED] Sent: Sunday, October 16, 2005 9:49 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Knowing when users were deleted. I give carte blanche to folks to wack me upside the head if I get too annoying. 
:-) Rick Kingslan wrote: Susan, Really - I know you too well. You're not going to lurk. Get in the game. It appears most folks want to hear what you have to say from the Small Business arena. And, if it broadens the message of managing and maintaining the systems - it's good for all. Just please - stop convincing yourself you're lurking You're aren't! You're too valuable to do so... :o) Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Sunday, October 16, 2005 9:02 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Knowing when users were deleted. sorry .. I know...I know...lurk..lurk The consultant crowd who can't handle 300 SBS boxes hitting their inbox at 6 a.m have asked for a dashboard. I can handle a daily email they can't. At a NTuser group meeting I was at ...some of the dashboard tools in Linux were discussed. Nagios in particular was one they used for monitoring. Monitoring -- MRTG: The Multi Router Traffic Grapher: http://mrtg.hdl.com/mrtg.html Graphical console for Snort - Analysis Console for Intrusion Databases (ACID): http://acidlab.sourceforge.net/ Intrustion detection - Snort.org: http://www.snort.org/ Monitoring - Nagios: Home: http://www.nagios.org/ Traffic probe - ntop - network top: http://www.ntop.org/head.html Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: Yup information overload 'is' a problem. And then after the scale its... okay what the heck is the server trying to tell me? I'm still a fan of www.eventid.net over microsoft.com's click here. Rick Kingslan wrote: And, as you know that does work well in SBSland. However, when the scale grows, so do the requirements. 
IN the Medium to Enterprise space, the idea is more along the lines of a system or series of systems pumping this type of information into paging and making intelligent decisions based on the audit, event, alerts, services, etc. Which, is right where MOM 2005 drops into the picture. If it _IS_ the event aggregator, or if it's pushing up to a bigger overall item such as HP OpenView - that data is available. It's just that instead of getting an e-mail per server (most admins would just begin to create a rule to send these to DEV/NUL after a while...) MOM collects, enforces and reports this same type of information. Scale makes the problem much tougher, as I'm sure you can imagine Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz
[ActiveDir] Need ADSI Scripting help.
I am looking for some example script and/or help for the script I am writing for my company. What I want to achieve is if I run the script against the machine list which will be in the text file, it should give me the output in the text file saying which machine account is enabled, disabled or not found. I know how to manipulate the text files using fso object but I am not sure what do I need to use to get the attributes of computer container in AD. Any help in this regard is highly appreciated and valued. Please let me know if you need more information about this.

--
Thanks, Jitendra Kalyankar
RE: [ActiveDir] Need ADSI Scripting help.
Before you do this, see oldcmp at www.joeware.net http://www.joeware.net/win/free/index.htm

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, October 20, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need ADSI Scripting help.

I am looking for some example script and/or help for the script I am writing for my company. What I want to achieve is if I run the script against the machine list which will be in the text file, it should give me the output in the text file saying which machine account is enabled, disabled or not found. I know how to manipulate the text files using fso object but I am not sure what do I need to use to get the attributes of computer container in AD. Any help in this regard is highly appreciated and valued. Please let me know if you need more information about this.

--
Thanks, Jitendra Kalyankar

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.
Re: [ActiveDir] Need ADSI Scripting help.
I know about the Oldcmp.exe, but the thing is the tool is really powerful and I don't want Jr. Sys. Admins doing something or deleting something that they are not supposed to. And again I will have to go through the security department route to use it. Too much hassle. Hope that explains my situation.

Sincerely, Jitendra Kalyankar

On 10/20/05, Creamer, Mark [EMAIL PROTECTED] wrote:

Before you do this, see oldcmp at www.joeware.net http://www.joeware.net/win/free/index.htm

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, October 20, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need ADSI Scripting help.

I am looking for some example script and/or help for the script I am writing for my company. What I want to achieve is if I run the script against the machine list which will be in the text file, it should give me the output in the text file saying which machine account is enabled, disabled or not found. I know how to manipulate the text files using fso object but I am not sure what do I need to use to get the attributes of computer container in AD. Any help in this regard is highly appreciated and valued. Please let me know if you need more information about this.

--
Thanks, Jitendra Kalyankar
RE: [ActiveDir] Need ADSI Scripting help.
Yes, but oldcmp does have significant levels of "are you sure" built in. Anyway, there is a nice perl solution you might want to look at on Robbie Allen's site, at http://rallenhome.com/books/adcookbook/src/08.08-find_inactive_computers.pls.txt

In the book, Robbie explains why one would use Perl for this task rather than VBScript. That's all I've seen...maybe there's something on Microsoft's Script Center

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, October 20, 2005 4:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Need ADSI Scripting help.

I know about the Oldcmp.exe, but the thing is the tool is really powerful and I don't want Jr. Sys. Admins doing something or deleting something that they are not supposed to. And again I will have to go through the security department route to use it. Too much hassle. Hope that explains my situation.

Sincerely, Jitendra Kalyankar

On 10/20/05, Creamer, Mark [EMAIL PROTECTED] wrote:

Before you do this, see oldcmp at www.joeware.net http://www.joeware.net/win/free/index.htm

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, October 20, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need ADSI Scripting help.

I am looking for some example script and/or help for the script I am writing for my company. What I want to achieve is if I run the script against the machine list which will be in the text file, it should give me the output in the text file saying which machine account is enabled, disabled or not found. I know how to manipulate the text files using fso object but I am not sure what do I need to use to get the attributes of computer container in AD. Any help in this regard is highly appreciated and valued. Please let me know if you need more information about this.

--
Thanks, Jitendra Kalyankar
RE: [ActiveDir] Need ADSI Scripting help.
Just as an FYI, scripts are just as dangerous or more so. It is why I wrote oldcmp in the first place. Too many people biting themselves in the ass. I don't know how I could put more rubber bumpers on that tool unless I started asking questions to gauge levels of intelligence and whether or not certain switches should be allowed. :o)

I understand the security department route though too. If they are antsy because it is freeware, let me know and I can charge you 100k or so for it and you get everything you get now plus a bill. :o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, October 20, 2005 4:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Need ADSI Scripting help.

I know about the Oldcmp.exe, but the thing is the tool is really powerful and I don't want Jr. Sys. Admins doing something or deleting something that they are not supposed to. And again I will have to go through the security department route to use it. Too much hassle. Hope that explains my situation.

Sincerely, Jitendra Kalyankar

On 10/20/05, Creamer, Mark [EMAIL PROTECTED] wrote:

Before you do this, see oldcmp at www.joeware.net http://www.joeware.net/win/free/index.htm

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, October 20, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need ADSI Scripting help.

I am looking for some example script and/or help for the script I am writing for my company. What I want to achieve is if I run the script against the machine list which will be in the text file, it should give me the output in the text file saying which machine account is enabled, disabled or not found. I know how to manipulate the text files using fso object but I am not sure what do I need to use to get the attributes of computer container in AD. Any help in this regard is highly appreciated and valued. Please let me know if you need more information about this.

--
Thanks, Jitendra Kalyankar
RE: [ActiveDir] Need ADSI Scripting help.
Hi Jitendra,

As a frequent user of joeware smile, I hope I can pipe in and comment that joe's adfind.exe is strictly a querying tool and you can achieve your quest with:

    adfind -default -f "(&(objectcategory=computer)(useraccountcontrol:1.2.840.113556.1.4.803:=2))"

(watch the line wrap)

Mike Thommes

Ps. There was a discussion about this on this maillist on 10/14/05. Check the archives.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 20, 2005 4:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Need ADSI Scripting help.

Just as an FYI, scripts are just as dangerous or more so. It is why I wrote oldcmp in the first place. Too many people biting themselves in the ass. I don't know how I could put more rubber bumpers on that tool unless I started asking questions to gauge levels of intelligence and whether or not certain switches should be allowed. :o)

I understand the security department route though too. If they are antsy because it is freeware, let me know and I can charge you 100k or so for it and you get everything you get now plus a bill. :o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, October 20, 2005 4:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Need ADSI Scripting help.

I know about the Oldcmp.exe, but the thing is the tool is really powerful and I don't want Jr. Sys. Admins doing something or deleting something that they are not supposed to. And again I will have to go through the security department route to use it. Too much hassle. Hope that explains my situation.

Sincerely, Jitendra Kalyankar

On 10/20/05, Creamer, Mark [EMAIL PROTECTED] wrote:

Before you do this, see oldcmp at www.joeware.net http://www.joeware.net/win/free/index.htm

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, October 20, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need ADSI Scripting help.

I am looking for some example script and/or help for the script I am writing for my company. What I want to achieve is if I run the script against the machine list which will be in the text file, it should give me the output in the text file saying which machine account is enabled, disabled or not found. I know how to manipulate the text files using fso object but I am not sure what do I need to use to get the attributes of computer container in AD. Any help in this regard is highly appreciated and valued. Please let me know if you need more information about this.

--
Thanks, Jitendra Kalyankar
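A read-only way to produce the enabled / disabled / not found report requested at the top of this thread, using the same userAccountControl value-2 bit test as the adfind filter above. This is an added example, not code posted by anyone on the list; the file names machines.txt and status.txt and the one-computer-name-per-line input format are assumptions.

```vbscript
' Added example (not from the thread): report the state of computer accounts.
' Assumptions: machines.txt holds one computer name per line, status.txt is
' the report; both file names are hypothetical. Run as an ordinary domain user.
Option Explicit

Const ADS_UF_ACCOUNTDISABLE = &H2   ' userAccountControl bit with value 2
Const ForReading = 1
Const ForWriting = 2

Dim fso, inFile, outFile, rootDSE, baseDN, conn, cmd, rs, machine, uac

Set fso = CreateObject("Scripting.FileSystemObject")
Set inFile = fso.OpenTextFile("machines.txt", ForReading)
Set outFile = fso.OpenTextFile("status.txt", ForWriting, True)

' Find the logon domain's naming context instead of hard-coding a DN.
Set rootDSE = GetObject("LDAP://RootDSE")
baseDN = rootDSE.Get("defaultNamingContext")

' The ADSI OLE DB provider only searches; nothing in this script can
' modify or delete a directory object.
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.Properties("Page Size") = 100

Do Until inFile.AtEndOfStream
    machine = Trim(inFile.ReadLine)
    If Len(machine) > 0 Then
        ' A computer account's sAMAccountName is the machine name plus "$".
        cmd.CommandText = "<LDAP://" & baseDN & ">;" & _
            "(&(objectCategory=computer)(sAMAccountName=" & _
            EscapeFilter(machine) & "$));" & _
            "distinguishedName,userAccountControl;subtree"
        Set rs = cmd.Execute
        If rs.EOF Then
            outFile.WriteLine machine & vbTab & "not found"
        Else
            uac = rs.Fields("userAccountControl").Value
            If (uac And ADS_UF_ACCOUNTDISABLE) <> 0 Then
                outFile.WriteLine machine & vbTab & "disabled"
            Else
                outFile.WriteLine machine & vbTab & "enabled"
            End If
        End If
        rs.Close
    End If
Loop

inFile.Close
outFile.Close
conn.Close

' Escape the characters that are special in an LDAP search filter so that a
' line such as "PC*" or "x)(cn=*" in the input file cannot widen the search.
' ";" is escaped too because it separates the parts of the ADO command text.
' ByVal keeps the caller's copy of the name unchanged for the report.
Function EscapeFilter(ByVal s)
    s = Replace(s, "\", "\5c")      ' must come first
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, ";", "\3b")
    s = Replace(s, Chr(0), "\00")
    EscapeFilter = s
End Function
```

"Not found" here means not found in the domain of the account running the script; names from other domains in the forest would need a search against those domains.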
Re: [ActiveDir] Need ADSI Scripting help.
Wow! Thanks Joe for your reply also thanks Mark too. I tried my best to explain to my manager but in vain so I am back to square one. If my own manager is not comfy with it what will I tell the Security! I know the scripts are as dangerous as your util or even more so but those who know how to go about it, not the one who will be using it. Yeah it would be even better if your oldcmp would gauge intelligence ;-), can you do that? :-D Anyways I will continue using your utilities free or not.

Care to shed more light on the question I asked? And I guess it's more of want to know how you did it than what my company requires. Anyways I will find it out sooner or later. But anyways thanks very much guys for your help.

Sincerely, Jitendra Kalyankar

On 10/20/05, joe [EMAIL PROTECTED] wrote:

Just as an FYI, scripts are just as dangerous or more so. It is why I wrote oldcmp in the first place. Too many people biting themselves in the ass. I don't know how I could put more rubber bumpers on that tool unless I started asking questions to gauge levels of intelligence and whether or not certain switches should be allowed. :o)

I understand the security department route though too. If they are antsy because it is freeware, let me know and I can charge you 100k or so for it and you get everything you get now plus a bill. :o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, October 20, 2005 4:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Need ADSI Scripting help.

I know about the Oldcmp.exe, but the thing is the tool is really powerful and I don't want Jr. Sys. Admins doing something or deleting something that they are not supposed to. And again I will have to go through the security department route to use it. Too much hassle. Hope that explains my situation.

Sincerely, Jitendra Kalyankar

On 10/20/05, Creamer, Mark [EMAIL PROTECTED] wrote:

Before you do this, see oldcmp at www.joeware.net http://www.joeware.net/win/free/index.htm

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, October 20, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need ADSI Scripting help.

I am looking for some example script and/or help for the script I am writing for my company. What I want to achieve is if I run the script against the machine list which will be in the text file, it should give me the output in the text file saying which machine account is enabled, disabled or not found. I know how to manipulate the text files using fso object but I am not sure what do I need to use to get the attributes of computer container in AD. Any help in this regard is highly appreciated and valued. Please let me know if you need more information about this.

--
Thanks, Jitendra Kalyankar
RE: [ActiveDir] Need ADSI Scripting help.
Well if you have a list of DNs, you will then create a loop in the script that loops through connecting to those DNs and then grab the UAC attribute and check to see if the account is disabled (bit 1 is lit, aka value 2) sort of like

    ' Bind to the object by its DN and read userAccountControl
    Set o = GetObject("LDAP://cn=someuser,cn=users,dc=joe,dc=com")
    uac = o.userAccountControl
    ' Value 2 set means the account is disabled
    If ((uac And 2) = 2) Then
        WScript.Echo "disabled"
    Else
        WScript.Echo "enabled"
    End If

joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar Sent: Thursday, October 20, 2005 5:36 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Need ADSI Scripting help.
Wow! Thanks Joe for your reply, also thanks Mark too. I tried my best to explain to my manager but in vain so I am back to square one. If my own manager is not comfy with it what will I tell the Security! I know the scripts are as dangerous as your util or even more so but those who know how to go about it, not the one who will be using it. Yeah it would be even better if your oldcmp would gauge intelligence ;-), can you do that? :-D Anyways I will continue using your utilities free or not. Care to shed more light on the question I asked? And I guess it's more of want to know how you did it than what my company requires. Anyways I will find it out sooner or later. But anyways thanks very much guys for your help.
Sincerely, Jitendra Kalyankar

On 10/20/05, joe [EMAIL PROTECTED] wrote:
Just as an FYI, scripts are just as dangerous or more so. It is why I wrote oldcmp in the first place. Too many people biting themselves in the ass. I don't know how I could put more rubber bumpers on that tool unless I started asking questions to gauge levels of intelligence and whether or not certain switches should be allowed. :o) I understand the security department route though too. If they are antsy because it is freeware, let me know and I can charge you 100k or so for it and you get everything you get now plus a bill. :o)

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar Sent: Thursday, October 20, 2005 4:29 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Need ADSI Scripting help.
I know about the Oldcmp.exe, but the thing is the tool is really powerful and I don't want Jr. Sys. Admins doing something or deleting something that they are not supposed to. And again I will have to go through the security department route to use it. Too much hassle. Hope that explains my situation.
Sincerely, Jitendra Kalyankar
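The loop joe describes, applied to the original request (machine list in a text file, result of enabled, disabled or not found written to a text file), as an added example that is not code from the thread or from any of its participants. It only reads from the directory. The file names machines.txt and status.txt, the lookup by sAMAccountName instead of a list of DNs, and the EscapeFilter helper are assumptions made for this sketch.

```vbscript
Option Explicit

Const ADS_UF_ACCOUNTDISABLE = &H2   ' the "value 2" bit of userAccountControl
Const ForReading = 1, ForWriting = 2

' Hypothetical helper: escape characters that are special in an LDAP filter
' (and ";", which separates the parts of the ADO query string), so a line in
' the input file cannot change the query. ByVal keeps the caller's copy intact.
Function EscapeFilter(ByVal s)
    s = Replace(s, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, ";", "\3b")
    EscapeFilter = s
End Function

Dim fso, inFile, outFile, conn, cmd, rs, baseDN, name, status
Set fso = CreateObject("Scripting.FileSystemObject")
Set inFile = fso.OpenTextFile("machines.txt", ForReading)        ' assumed input name
Set outFile = fso.OpenTextFile("status.txt", ForWriting, True)   ' assumed output name

' Search the current domain through the ADSI OLE DB provider.
baseDN = GetObject("LDAP://RootDSE").Get("defaultNamingContext")
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn

Do Until inFile.AtEndOfStream
    name = Trim(inFile.ReadLine)
    If name <> "" Then
        ' Computer accounts carry a trailing "$" in sAMAccountName.
        cmd.CommandText = "<LDAP://" & baseDN & ">;(&(objectCategory=computer)" & _
            "(sAMAccountName=" & EscapeFilter(name) & "$));userAccountControl;subtree"
        Set rs = cmd.Execute
        If rs.EOF Then
            status = "not found"
        ElseIf (rs.Fields("userAccountControl").Value And ADS_UF_ACCOUNTDISABLE) <> 0 Then
            status = "disabled"
        Else
            status = "enabled"
        End If
        rs.Close
        outFile.WriteLine name & vbTab & status
    End If
Loop

inFile.Close
outFile.Close
conn.Close
```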
RE: [ActiveDir] Need ADSI Scripting help.
You can find more ADSI script samples (kind of a library) at http://www.lissware.net
Go to the White Paper section and download the scripts and WP for free.

WHITE PAPERS:
October 2000 (Compaq Active Answers):
Part 1 - Introduction to the use of Exchange 2000 with Windows Script Host (Script Kit)
Part 2 - Managing Exchange with Scripts - Advanced Topics (Script Kit)
February 2000 (Compaq Active Answers):
Part 1 - Understanding the Microsoft WSH and the ADSI in Windows 2000 (Script Kit)
Part 2 - The powerful combination of WSH and ADSI under Windows 2000 (Script Kit)

HTH
/Alain

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, October 20, 2005 4:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Need ADSI Scripting help.
Well if you have a list of DNs, you will then create a loop in the script that loops through connecting to those DNs and then grab the UAC attribute and check to see if the account is disabled (bit 1 is lit, aka value 2) sort of like

    ' Bind to the object by its DN and read userAccountControl
    Set o = GetObject("LDAP://cn=someuser,cn=users,dc=joe,dc=com")
    uac = o.userAccountControl
    ' Value 2 set means the account is disabled
    If ((uac And 2) = 2) Then
        WScript.Echo "disabled"
    Else
        WScript.Echo "enabled"
    End If

joe