RE: [ActiveDir] Net localgroup limitation?
According to the schema the sAMAccountName must be 0-256; however, this is one of the famous SAM attributes, and the rules of the schema are not necessarily the rules that apply to the SAM attributes. See http://blog.joeware.net/2006/01/21/222/ - which is a blog article titled "But the schema says description is multivalued."

The sAMAccountName is fun because it depends on the object type it is applied to. For instance a user object peaks out at 20 even with LDAP. Localgroup names I believe could go to 256 characters if you knew how. You can definitely go that high on the local SAM on workstations. Even with NET.EXE you can create and manipulate domain local groups with greater than 20 characters. In fact I just double-checked and easily handled creating, populating, and deleting a group with 100 characters.

The pinch though is when you are trying to add that group to another group. NET.EXE screws that up and throws the usage screen. However, that doesn't mean it can't be done and that the API doesn't handle it. If you grab my LG tool from the website (http://www.joeware.net/win/free/tools/lg.htm) it will do it and I can guarantee it uses the LEGACY NET API. I wrote the main code used in that tool initially back in about 1997 or 1998 or so.

I do recall in the early days of W2K some kind of an issue with group names though while importing them into AD from NT4 Domains. If the group was too long it would instead get a random sAMAccountName which I thought was quite fun. I ended up having to put in a check script after every migration to make sure that cn's and SAM Names matched up.

Interestingly enough, MS has put an attribute into AD, called uASCompat, to hint at some point upcoming support for turning off the LANMAN support which artificially limits say a userid SAM Name to 20 characters. However, currently that attribute seems to be entirely read-only. I have not been able to find a way to change it the various times I have poked through the source code.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, January 20, 2006 12:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Net localgroup limitation?

Hi,

In AD:
the sAMAccountName must be between 0 and 256 characters long
the cn must be between 1 and 64 characters long

I guess the NET commands are still using legacy methods

When creating a group in a NT4 the limit was 20 char when you used the user manager for domains. However, using other methods (scripting or third party tooling) it was possible to pass the limit of user manager for domains. Don't remember what the real limit was/is

Jorge

From: [EMAIL PROTECTED] on behalf of Freddy HARTONO
Sent: Fri 2006-01-20 08:48
To: activedir@mail.activedir.org
Subject: [ActiveDir] Net localgroup limitation?

Hi

Just curious is there a 19 characters limit for net localgroup commands? Just realised after trying to script a couple of things - that adding this doesn't work

This works
Net localgroup Administrators "domain\12345678910123456789" /ADD

This doesn't work
Net localgroup Administrators "domain\123456789101234567890123456" /ADD

Anyone else comes up with this limitation?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
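The post-migration check joe describes in this thread (confirming that each group's cn and sAMAccountName still match) can be run over an LDIF export. The following is an added example, not joe's script or anything posted to the list; the sample entries, the `LEGACY_LIMIT` name and the finding labels are assumptions made for illustration, and the length flag generalises the check to names longer than the 20 characters the thread says NET.EXE mishandles.

```python
import base64

# Constructed sample in LDIF form; every DN and name below is made up.
# Non-ASCII values are base64-encoded ("attr:: value"), as LDIF requires.
_B64_DN = base64.b64encode(
    "CN=Vertrieb-Süd,OU=Groups,DC=example,DC=com".encode("utf-8")).decode("ascii")
_B64_NAME = base64.b64encode("Vertrieb-Süd".encode("utf-8")).decode("ascii")
SAMPLE_LDIF = f"""\
dn: CN=Finance-Readers,OU=Groups,DC=example,DC=com
objectClass: top
objectClass: group
cn: Finance-Readers
sAMAccountName: Finance-Readers

# Migrated group whose SAM name no longer matches its cn (placeholder value).
dn: CN=Regional-Helpdesk-Operators,OU=Groups,DC=example,DC=com
objectClass: group
cn: Regional-Helpdesk-Operators
sAMAccountName: PLACEHOLDER-RND-01

dn: CN=Application-Owners-Payroll-Reporting,OU=Groups,
 DC=example,DC=com
objectClass: group
cn: Application-Owners-Payroll-Reporting
sAMAccountName: Application-Owners-Payroll-Reporting

dn:: {_B64_DN}
objectClass: group
cn:: {_B64_NAME}
sAMAccountName:: {_B64_NAME}

dn: CN=Pat Example,OU=Users,DC=example,DC=com
objectClass: user
cn: Pat Example
sAMAccountName: pexample
"""

LEGACY_LIMIT = 20  # assumption: the 20-character limit discussed in the thread


def parse_ldif(text):
    """Yield one dict per entry: lower-cased attribute name -> list of values."""
    # Unfold first: a line starting with a single space continues the previous one.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
                entry = {}
            continue
        if line.startswith("#"):       # LDIF comment
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):      # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.lower(), []).append(value)


def audit(entries):
    """Return (dn, kind, detail) findings for groups only."""
    findings = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        sam = e.get("samaccountname", [None])[0]
        cn = e.get("cn", [None])[0]
        if "group" not in classes or sam is None:
            continue                   # user cn/SAM names legitimately differ
        dn = e.get("dn", ["?"])[0]
        if cn is not None and cn.lower() != sam.lower():
            findings.append((dn, "MISMATCH", f"cn={cn!r} sAMAccountName={sam!r}"))
        if len(sam) > LEGACY_LIMIT:
            findings.append((dn, "LONG", f"{len(sam)} characters"))
    return findings


if __name__ == "__main__":
    for dn, kind, detail in audit(parse_ldif(SAMPLE_LDIF)):
        print(f"{kind:8} {dn}: {detail}")
```
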
RE: [ActiveDir] Accout policy
I believe I read on one of the blogs or various computer news sites (is there a difference anymore) that this was one of hundreds of new features they were looking at possibly implementing. Don't count the feature until we hit RC2 and then still don't bet the house on it. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Watts
Sent: Thursday, January 19, 2006 5:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Accout policy

I *believe* that setting different password policies on different OU’s may be a feature in Longhorn. Can’t remember where I heard this, I could of course be completely wrong…

Jon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: 19 January 2006 01:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Accout policy

Thanks,

Yeah I’m trying to set different password policies per domain groups…

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, January 18, 2006 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Accout policy

Mike-

It's a common question. There is currently only one *domain* password policy supported per AD domain. It does not have to be set in the DDP but it does have to be set on a GPO that is linked to the domain (if you have more than one, then the highest in the list wins). So you can't create separate policies for different user groups if those users are domain accounts. What you can do is have separate account policies for local member server or workstation SAM-based accounts, but that isn't what you're asking, is it?

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, January 18, 2006 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Accout policy

Sorry for the newbie question….

So is it true you can only apply an account policy, for example a password policy to change passwords every 90 days only to the default domain policy?
I need to change my policy setting per groups for password expiration, ex finance, HR, etc, for compliance. I thought I could apply a password policy per OU for each group… Am I wrong? Thanks Mike
RE: [ActiveDir] Permissions vanishing
Sorry for the delay, just catching back up. Had to step out and review some chapters of the 2E version of the AD Cookbook.

The code is really basic, it simply sleeps until something breaks or the security is changed. You can get help on the changenotify module in the basic ActiveState Perl help as it is right in the Win32:: stuff. Just scroll to the bottom of the TOC on the left of the User Guide and then under Win32 look for ChangeNotify. Just slap that on a path and then if the security changes on anything under that path it should fire. It won't tell you what changed, just that there was a change.

#===
use Win32;
use Win32::ChangeNotify;

# Directory to watch, taken from the command line.
my $path = shift;

# Second argument 1 = watch the whole subtree; fire only on security changes.
my $WatchDir = Win32::ChangeNotify->new($path, 1, FILE_NOTIFY_CHANGE_SECURITY);
if (!$WatchDir) {
    print "Failed to monitor watch directory $path\n";
    print "Error: " . Win32::FormatMessage(Win32::GetLastError()) . "\n";
    exit();
}

# Re-arm the notification, then block until a change is signalled.
$WatchDir->reset();
$WatchDir->wait or warn "Something failed: $!\n";
print "There has been a change to the security.\n";
#===

Glad you like oldcmp!

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V Contractor NASIC/SCNA
Sent: Friday, January 20, 2006 5:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions vanishing

Gil,
That is a good avenue of approach, although I do not recall any GPO's that modify folder permissions, it is something I have not checked nevertheless. I will give that a look.

Joe,
That would be great if you had the perl code for file change/modification notification. I would greatly appreciate that. I am using your oldcmp.exe right now and putting together some perl code that parses through it to pull out host names and user names and then emails a monthly list that can be used to clean them up in AD with a cron job consisting of perl code based upon the Active Directory Cookbook's jobs. Your utility is very useful. Thanks again.
Nate Bahta

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 20, 2006 1:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions vanishing

I concur with Gil, either something really bad is happening or the auditing isn't tight (i.e. some account doing the work is outside of the audit policy, like say you configured watch for domain users making changes and it isn't catching the secprin doing it).

Verify the SACL on the folder (btw is that getting changed too?), make sure SharedData isn't a junction and taking its perms from somewhere else, set up a script to do event notification on the folder that will detect a DACL change and tell you exactly when it is occurring.

On the last, if you need it, I think I have some old old old old perl code I wrote back in the 90's to do file change notification I could try and find. A friend of mine had a project where he had to set up an auto FTP feed that had to be fired when certain file types hit the folder so I whipped up a quick perl script to handle it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, January 19, 2006 2:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions vanishing

The fact that nothing showed up in the audit log is disturbing. Can you modify the ACL manually and see the audit entries that appear? Is there possibly a group policy that is changing the ACLs?

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V Contractor NASIC/SCNA
Sent: Thursday, January 19, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Permissions vanishing

Hey everyone,

I am having an issue with a cluster server that shares our common access data drive. Every other day, the NTFS permissions on the shared clustered drive will revert to only Administrators and System having privileges.
I have it set up as follows:

X:\SharedData - Share permissions
Authenticated Users RWX

X:\SharedData - Inherited NTFS permissions
Authenticated Users RX,LIST FOLDER CONTENTS
Administrators F
System F

Every other day or so the Authenticated users vanish from the NTFS permissions. I enabled auditing on the folder for permission change, but nothing came up in the security log that stated that the permissions had changed. Any ideas? I would appreciate anything anyone had to suggest.

Thanks,
Nate
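The change-notification script in this thread reports that security changed but not what changed. As an added example (not code from the thread or from any tool it mentions), the sketch below compares two DACL snapshots in SDDL form, such as the string PowerShell's `Get-Acl` exposes in its `Sddl` property, and names the ACEs that disappeared or appeared. The two snapshots are constructed to mirror the X:\SharedData description above; the alias tables cover only the values used here.

```python
import re
from collections import Counter, namedtuple

# One SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
Ace = namedtuple("Ace", "type flags rights object_guid inherit_guid trustee")

# Well-known SDDL aliases used in this example; anything else is shown raw.
TRUSTEES = {
    "BA": "BUILTIN\\Administrators",
    "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "BU": "BUILTIN\\Users",
    "WD": "Everyone",
}
RIGHTS = {
    "FA": "Full control",
    "FR": "Read",
    "0x1200a9": "Read & execute",
    "0x1301bf": "Modify",
}
ACE_TYPES = {"A": "Allow", "D": "Deny"}

# Constructed snapshots: inherited ACEs for Administrators, SYSTEM and
# Authenticated Users, then the same folder after Authenticated Users vanished.
BEFORE = "O:BAG:SYD:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)"
AFTER = "O:BAG:SYD:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)"


def parse_dacl(sddl):
    """Return (dacl_flags, [Ace, ...]) from an SDDL string.

    Handles plain ACEs only; conditional ACEs (which nest parentheses)
    are outside the scope of this sketch.
    """
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL section in SDDL string")
    flags, body = m.groups()
    aces = []
    for fields in re.findall(r"\(([^()]*)\)", body):
        parts = fields.split(";")
        if len(parts) < 6:
            raise ValueError(f"malformed ACE: ({fields})")
        aces.append(Ace(*parts[:6]))
    return flags, aces


def describe(ace):
    """Render an ACE in words, e.g. 'Allow BUILTIN\\Users: Read [OICI]'."""
    rights = ace.rights.lower() if ace.rights.lower().startswith("0x") else ace.rights
    return "{} {}: {} [{}]".format(
        ACE_TYPES.get(ace.type, ace.type),
        TRUSTEES.get(ace.trustee, ace.trustee),
        RIGHTS.get(rights, ace.rights),
        ace.flags or "-",
    )


def diff_dacl(before, after):
    """List (kind, text) differences between two SDDL snapshots."""
    b_flags, b_aces = parse_dacl(before)
    a_flags, a_aces = parse_dacl(after)
    changes = []
    if b_flags != a_flags:   # e.g. AI -> PAI means inheritance was blocked
        changes.append(("FLAGS", f"{b_flags or '-'} -> {a_flags or '-'}"))
    # Multiset difference, so duplicate ACEs are counted correctly.
    removed = Counter(b_aces) - Counter(a_aces)
    added = Counter(a_aces) - Counter(b_aces)
    changes += [("REMOVED", describe(a)) for a in removed.elements()]
    changes += [("ADDED", describe(a)) for a in added.elements()]
    return changes


if __name__ == "__main__":
    for kind, text in diff_dacl(BEFORE, AFTER):
        print(f"{kind:8} {text}")
```
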
RE: [ActiveDir] OT: Gauging AD experience
Oh great Gil thanks... now I have to clean Coca-cola off my monitors. :o)

Good to see you back Todd. You working for Ringling Bros now?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, January 20, 2006 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

But at least you're not bitter...

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E]
Sent: Friday, January 20, 2006 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

In my experience, when good directories go bad, it is usually due to three things.

Firewalls
Firewalls
Did I list firewalls?

Runner ups would be ADC for Exchange, Clowns posing as Administrators, Clowns posing as DNS experts, Clowns posing as Security experts, and no disaster recovery solution.

Todd Myrick
Brushing off the dust of my MVP status.

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

When I read Al's post I thought of you Wook, I figured, hey Wook could use a creative presentation name... ;o)

I would say “When Bad Things Happen To Good Directories” is more on par with "When Bad Things Happen To Good People", say like when your nanny gets a flat tire. "When Good Directories Go Bad" is more like when your good little daughter hits her teen years and starts going out to parties in fish net stockings and Big Red gum. :o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 19, 2006 2:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience
Importance: Low

Sorry, I already did that one. My first DEC presentation was entitled “When Bad Things Happen To Good Directories”.
:)

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 8:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

when good directories go bad…sounds like a catchy title for a presentation, Joe.

I think of directories and identity management infrastructures a little like networks: you rarely do get to design one from scratch, you’re always tweaking an existing one. And I agree that tweaking the existing ones are a lot more interesting than designing from a blank slate.

The analogy could be taken too far, but like networks, directories and authentications systems are always morphing due to new technologies, new tools, adding or removing applications. Lots of fun.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

I would say focusing on the design of big directories is pigeon-holing a little too much. There are only so many big directories that need to be designed. I personally find much more fun in diagnosing good directories that have gone bad than trying to design them. I design if I have to but it isn't what I like. Plus often with the design, it is rarely the case where you actually have all of the info though someone will tell you you do. You find out you don't later on when someone starts complaining or something starts breaking.

I am not sure I would go so far to say it is something you let the tools handle though. A lot of the tools out there still aren't doing the greatest job and there are many companies that don't want to spend the millions on those tools that they would be charged for them instead having a few really good people handling it.
A tool doesn't see bad things coming when someone is coming at you with the next great thing they want to plug into the AD. If the tool does catch it, it is way too late in the integration cycle. Plus, what if the tool isn't catching the problem? Someone has to be knowledgeable enough too. If you depend solely on your tools to keep your AD running well it is possible you are going to get cut pretty good.

When I did Ops, I had several tools that watched what had been determined needed to be watched and then I would just go off and sample things to decide if there was something that maybe could be watched that we weren't watching. That could take the form of just watching network packets on a DC or a client subnet for an hour or so or just walking the event logs event by event or walking through looking at objects in the directory. Whatever.

To get into those positions you want to get in with the companies already mentioned and jump about (and try not t
RE: [ActiveDir] Limitations and issues with domain local groups and GC replicated data
As Guido mentioned Domain Local groups are generally fine to apply to AD assuming

1. You are not trying to block READ for something that gets into the GC. Generally I don't recommend DENY ACEs anyway, they tend to make things confusing.

2. You are granting READ for something that gets into the GC that isn't granted in some other way (as Guido mentioned, Auth Users have a lot of READ access already, in fact Exchange depends pretty heavily on it as you may find if you try to block auth users from reading Exchange items).

3. Any delegation in the config container - though this can be worked around in special ways.

The worst of the bunch is #1. If you block someone from trying to read something and they have a location where that info exists and the ACE that blocks their reading doesn't work, then obviously they are going to read the data assuming you blocked it because something else granted it. This can also occur with the confidentiality bit if you have non-K3 SP1 DC/GCs.

#2 and #3 are a bit of a pain but usually not devastating, basically unless you are aware of where you are connecting, you could get odd results. I once pushed hard to make the Group Scope for Exchange delegations in the config container conform to the corporate group scope standards and that meant they had to be Domain Local Groups. It still worked but required a domain local group in every domain and the same members in that group in every domain to work "seamlessly". While that isn't a best practice, some of the other details in the deployment meant it was either going to be multiple global groups or multiple domain local groups, UGs were out of the question for several reasons including technical and political reasons.

I am still firmly of the opinion we need a domain local global group. A group that can take membership from any domain and be used in any domain but not require a GC for resolution.
It would require a decent change to how memberof or tokengroups works though, like for instance when you add someone from another domain to a group, it immediately goes out and stamps something in the foreign domain that isn't visible to users/admins and lets the user account there reflect the membership (kind of like phantoms but different). I don't much like UG Craching[1] due to the maintenance and various issues described with its implementation[2] and don't often see an environment where I can willy nilly make every DC a GC or even put a GC in every site. From what I recall hearing back years ago, UGs were primarily hacked in to support Exchange.

I have also thought it would be cool if we could register a handle for the token/certificate creation process so we could write our own code to determine what should and shouldn't be inserted into the token that gets created. Obviously that is a great space to attack if trying to hack something and I know that some of the MS folks are already leery of the password notification hooks into LSASS let alone doing something that would invoke non-MS code as much as firing registered handlers for token/certificate creation. For that reason I never even submitted it as a DCR because I don't believe there is even the most remote chance something like that would be done since the chance of evil far exceeds the number of people who could properly use it for good.

joe

[1] (c) Dean Wells

[2] Things that make troubleshooting more convoluted or complex tend to be something I try to avoid. My main goal is to try and be simple because I think complex thoughts at 3AM when the place is burning down and I just got up after having been out with friends celebrating the new year or someone's birthday or whatever. Plus my memory sucks, complicated systems and complicated lies would be a downfall for me as I wouldn't remember them.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, January 23, 2006 4:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Limitations and issues with domain local groups and GC replicated data

I really appreciate the response, Guido :) Many thanks!

Put it this way - if I had £1 for each time I tried to persuade an org to go with a single domain and then see a multi regional/political forest be implemented anyway - I'd be a rich man :)

This org has managed to progress from multiple forests, where each country has its own domain to a single (proposed) forest, where each region is represented by a single domain. They don't feel comfortable going the extra step, even though all the pitfalls were explained in detail, over a period of several months.

My question stems from the fact that we (will) have multiple, domains and will likely need cross domains perms. I don't foresee hidden OUs nor the removal of auth users from OU perms right now. Those putting together
RE: [ActiveDir] OT: speaking of AD books...
1. Purchase a copy of joe's book for self and everyone at work and everyone you know.

To be serious though, in your shoes, my choice would be to work 70-80 hours a week and spend the extra 10-20 hours for a while trying to identify anything that could be automated or handled in some other safe way that requires less of my time and then work to get that done. Try to find some big hitters that if you get cleared out of the way gives you more time to find more things to automate to get out of the way. If you save say 2 minutes on something you do 20 times a day that is still 40 minutes saved. Also consider that when you automate things, they tend to be done in a more consistent manner so you run into less issues due to small mistakes in consistency that cause investigation time.

The last ops position that I started back in 2001 when I did this I actually ended up working closer to probably 100 or more hours a week handling manual requests and issues globally as I was the only one on the brand new team that had any understanding on how to really fix things that were broken and things at that point were very broken. That went on for months but slowly adding the appropriate scripts the work load reduced as things took minutes instead of tens of minutes or seconds instead of minutes and the other guys were able to run the scripts to do things and were spinning up on how everything worked.

If you do nothing manually that is recurring I would be extremely surprised. I haven't seen an ops job yet that didn't have a lot of time spent doing the same things over and over again. If however, that is the case, then the efficiencies have to be gained in producing tools to help you troubleshoot and make that go quicker. There is always something that can be done to make a group faster, better, and more efficient. The thing is to find it and figure out what it takes to get better and then do it.
It might be the solution is buy something, but that usually doesn't go over well so keep in mind anything you can buy you can probably cobble together yourself if you need it bad enough and it will help you.

It falls back to something I have said multiple times on list and other places. If you are too busy chopping down the trees to sharpen the axe you will just get further and further behind as your axe dulls. In every IT ops based job I have had, it was always a case of too much work and too few resources. Not once did I get hired into an ops group that had nothing to do or a bunch of free time to sit around. I expect that makes sense because there is no reason to hire someone if there is free time. So the goal is always to try and figure out how to do things in such a way that it can be done better and more efficiently. While you are figuring out how to automate you are learning how things work so you become more deadly with your troubleshooting-fu so when problems crop up outside of the normal requests and daily grind you are quicker (hopefully) at solving them.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, January 23, 2006 10:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: speaking of AD books...

Dear people,

I would appreciate it if you would prioritize the following for me;

[A] [ ] Work 60 hours a week managing (with only one other person) 250 PCs in 4 states and 40 Servers.
[B] [ ] Live at the only bookmark in my browser when at home "www.microsoft.com" looking for solutions, etc.
[C] [ ] Read joe's (et al) new book.
[D] [ ] Studying for my MCSA
[E] [ ] Studying for my MCP
[F] [ ] Studying for my MCSE
[G] [ ] Securing my network
[H] [ ] Reading the new book joe is going to write on BP's [Yes, please tell me how to rebuild a DC remotely from bare metal!!]
[I] [ ] Reading Robbie's book(s) (note: please sub-prioritize those books)
[J] [ ] Balancing my checkbook ( hey .. I have to do something else at home, right?)
[K] [ ] Patching my network
[L] [ ] Learn to script
[M] [ ] Watch College basketball on TV
[N] [ ] Read all of Sakari's books
[O] [ ] Read the AD list archives completely

"Hey, I'm almost serious here."

As Guido would say, "That's enough for today."

RH

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: speaking of AD books...
Oh yeah they save our ass here too all the time. Compared to the ILO stuff from Compaq though they suck. They do some weird stuff with the drivers and the way the virtual floppy/cd shows up to the OS and when you boot.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of joe
Sent: Mon 1/23/2006 5:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: speaking of AD books...

The thing that always bothered me about the DRACs were that they kept changing the software so you never knew from month to month what software you would use to work with them and what you could do in it. Overall though, they made life a bunch easier for us several times than it necessarily would have been otherwise.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, January 23, 2006 2:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: speaking of AD books...

Those DRAC cards from dell are a POS if you've used an ILO or RILOE from HPQ not to mention the fact that those DRAC cards from Dell are a POS when you try to do disk imaging on a PowerEdge with one.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Fuller, Stuart
Sent: Mon 1/23/2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: speaking of AD books...

C) Hunter and I were TRs and I would highly recommend it. Joe & Robbie have made significant changes and have cleared up a couple of my pet peeves in the scripts and security bits from the 2E book. It also still has the best introduction and explanation of VB scripting for AD.

As to the BP guide... I too would like to see that. We have managed to stay fairly centralized but we are now supporting a second remote data center. The one thing that has saved us is the new version of Dell's RAC card. It has a virtual CD/floppy drive feature where you can map your local workstation drive to be the CD or floppy of the server. Using that feature I was able to do bare metal installs across the wire. Very cool and saved me a seven hour round trip drive to eastern Montana.

_Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, January 23, 2006 8:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: speaking of AD books...

Dear people,

I would appreciate it if you would prioritize the following for me;

[A] [ ] Work 60 hours a week managing (with only one other person) 250 PCs in 4 states and 40 Servers.
[B] [ ] Live at the only bookmark in my browser when at home "www.microsoft.com" looking for solutions, etc.
[C] [ ] Read joe's (et al) new book.
[D] [ ] Studying for my MCSA
[E] [ ] Studying for my MCP
[F] [ ] Studying for my MCSE
[G] [ ] Securing my network
[H] [ ] Reading the new book joe is going to write on BP's [Yes, please tell me how to rebuild a DC remotely from bare metal!!]
[I] [ ] Reading Robbie's book(s) (note: please sub-prioritize those books)
[J] [ ] Balancing my checkbook ( hey .. I have to do something else at home, right?)
[K] [ ] Patching my network
[L] [ ] Learn to script
[M] [ ] Watch College basketball on TV
[N] [ ] Read all of Sakari's books
[O] [ ] Read the AD list archives completely

"Hey, I'm almost serious here."

As Guido would say, "That's enough for today."

RH
RE: [ActiveDir] OT: speaking of AD books...
Hey I didn't see Robbie sitting next to me typing away. He was kicking me in the butt right along though going, hey how's it coming, do we need to bring in some more authors. More authors!!! The nerve!!! Slave driver I tell you. I still have strap marks on my flanks.

Not sure how new that virtual cd/floppy is. I was using them in the last position in 2004 I believe. They are pretty cool though there were some bothersome shortcomings too.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Monday, January 23, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: speaking of AD books...

C) Hunter and I were TRs and I would highly recommend it. Joe & Robbie have made significant changes and have cleared up a couple of my pet peeves in the scripts and security bits from the 2E book. It also still has the best introduction and explanation of VB scripting for AD.

As to the BP guide... I too would like to see that. We have managed to stay fairly centralized but we are now supporting a second remote data center. The one thing that has saved us is the new version of Dell's RAC card. It has a virtual CD/floppy drive feature where you can map your local workstation drive to be the CD or floppy of the server. Using that feature I was able to do bare metal installs across the wire. Very cool and saved me a seven hour round trip drive to eastern Montana.

_Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, January 23, 2006 8:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: speaking of AD books...

Dear people,

I would appreciate it if you would prioritize the following for me;

[A] [ ] Work 60 hours a week managing (with only one other person) 250 PCs in 4 states and 40 Servers.
[B] [ ] Live at the only bookmark in my browser when at home "www.microsoft.com" looking for solutions, etc.
[C] [ ] Read joe's (et al) new book.
[D] [ ] Studying for my MCSA
[E] [ ] Studying for my MCP
[F] [ ] Studying for my MCSE
[G] [ ] Securing my network
[H] [ ] Reading the new book joe is going to write on BP's [Yes, please tell me how to rebuild a DC remotely from bare metal!!]
[I] [ ] Reading Robbie's book(s) (note: please sub-prioritize those books)
[J] [ ] Balancing my checkbook ( hey .. I have to do something else at home, right?)
[K] [ ] Patching my network
[L] [ ] Learn to script
[M] [ ] Watch College basketball on TV
[N] [ ] Read all of Sakari's books
[O] [ ] Read the AD list archives completely

"Hey, I'm almost serious here."

As Guido would say, "That's enough for today."

RH
RE: [ActiveDir] OT: speaking of AD books...
The thing that always bothered me about the DRACs were that they kept changing the software so you never knew from month to month what software you would use to work with them and what you could do in it. Overall though, they made life a bunch easier for us several times than it necessarily would have been otherwise. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Monday, January 23, 2006 2:20 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... Those DRAC cards from dell are a POS if you've used a ILO or RILOE from HPQ not to mention the fact that those DRAC cards from Dell are a POS when you try to do disk imaging on a PowerEdge with one. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 _ From: [EMAIL PROTECTED] on behalf of Fuller, Stuart Sent: Mon 1/23/2006 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... C) Hunter and I were TRs and I would highly recommend it. Joe & Robbie have made significant changes and have cleared up a couple of my pet peeves in the scripts and security bits from the 2E book. It also still has the best introduction and explanation of VB scripting for AD. As to the BP guide... I too would like to see that. We have managed to stay fairly centralized but we are now supporting a second remote data center. The one thing that has saved us is the new version of Dell's RAC card. It has a virtual CD/floppy drive feature where you can map your local workstation drive to be the CD or floppy of the server. Using that feature I was able to do bare metal installs across the wire. Very cool and saved me a seven hour round trip drive to eastern Montana. _Stuart Fuller -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Monday, January 23, 2006 8:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... 
Dear people, I would appreciate it if you would prioritize the following for me; [A] [ ] Work 60 hours a week managing (with only one other person) 250 PCs in 4 states and 40 Servers. [B] [ ] Live at the only bookmark in my browser when at home "www.microsoft.com" looking for solutions, etc. [C] [ ] Read joe's (et al) new book. [D] [ ] Studying for my MCSA [E] [ ] Studying for my MCP [F] [ ] Studying for my MCSE [G] [ ] Securing my network [H] [ ] Reading the new book joe is going to write on BP's [Yes, please tell me how to rebuild a DC remotely from bare metal!!] [I] [ ] Reading Robbie's book(s) (note: please sub-prioritize those books) [J] [ ] Balancing my checkbook ( hey .. I have to do something else at home, right?) [K] [ ] Patching my network [L] [ ] Learn to script [M] [ ] Watch College basketball on TV [N] [ ] Read all of Sakari's books [O] [ ] Read the AD list archives completely "Hey, I'm almost serious here." As Guido would say, "That's enough for today." RH List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: speaking of AD books...
Yeah I read your posts and I think "it depends" is the standard but good answer. Everything else is kind of hard. I don't expect there are many occasions where you get to build from scratch, you are usually building from some form of infrastructure that you have to keep in mind. Would I be willing to do a "best practices" book. No. I am just not so sure I believe in "best practices" strong enough to publish something saying this is what they are. As Susan often points out the best practices can vary tremendously where you are. I have several ideas bouncing around in my head with what I may do. One I can visualize being done is probably a conversational type book with cool tech questions I have answered say over the last several years with maybe further discussion and more details behind the answers. Probably break it up into some general tech sections. That would give me the most freedom I think in how and what I write so end up liking it but not sure how well it would sell. I would probably just do that through a no-name publisher so the book could be low cost. Another would be a series of a couple of books that just focused on some specific things and really tried to dig into them. AD is a huge topic and it really doesn't do it justice to try to cover tons of the tech in a single book, no one ever seems to get through it and what you do get through stops short on the depth of where you might want it to go. Or at least I have seen that myself in books in many tech areas. If this book ends up selling really well then I will that be more geeked about writing some more. I look at myself as a normal joe and find it difficult to see why people would pay to read something I write (especially when they can read what I write for free all over the place). It is one of the reasons why my tools are free. I figure, why pay for something you could pretty much do yourself if you really needed it that bad. 
It is more about fun for me though I wouldn't mind somehow figuring out how to make it big doing it. One idea for the best practices may be just to grab a group of experts or if you chose, a group of MVPs so you can call it the MVP AD Best Practices or something like that and let them all duke it out over what would be the best practice. As we have seen from this list several times, best practices are things that people have different opinions about. Look at the empty root discussion as a great example. You will find people that are gung ho empty root, some that are gung ho against it, some that are sort of against it but won't really fight you and some that are sort of for it but won't really fight you. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Monday, January 23, 2006 2:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... A further note on a BP book, RE the "it depends" response: It's true that is often the answer for "it depends". But often there is a recommended way to do something (def. for best practice) and if you are following best practices then it really doesn't "depend", because the unknowns are taken care of. There are books (big, thick ones) that tell you all the ways you can do something. For people who do a lot of consulting, or are assuming a big mess, these are lifesavers. But what about the lucky [EMAIL PROTECTED]@rd that gets to build a company's infrastructure from scratch? Something that when others look at it, they can guess what's there because it makes sense, it uses defaults, it follows commonly accepted guidelines... other fields have these guidelines, I believe, more than our industry does (such as accounting's GAP). The more I think about it... the more I try to determine if I might have enough time to compile such a thing. It would draw heavily from this list... 
Rich -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart Sent: Monday, January 23, 2006 9:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... C) Hunter and I were TRs and I would highly recommend it. Joe & Robbie have made significant changes and have cleared up a couple of my pet peeves in the scripts and security bits from the 2E book. It also still has the best introduction and explanation of VB scripting for AD. As to the BP guide... I too would like to see that. We have managed to stay fairly centralized but we are now supporting a second remote data center. The one thing that has saved us is the new version of Dell's RAC card. It has a virtual CD/floppy drive feature where you can map your local workstation drive to be the CD or floppy of the server. Using that feature I was able to do bare metal installs across the wire. Very cool and saved me a seven hour round trip drive to eastern Montana. _Stuart Fuller -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
RE: [ActiveDir] OT: speaking of AD books...
Don't search for the book - search for yourself: "Joe Richards" "Active Directory" ... gets you straight to your book. Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811 D -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, January 23, 2006 5:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... Yep, The second edition keeps popping up when I search myself. I don't know what is up with that which is one reason why I set up that page. I also did it because I am an Amazon "associate" so anyone who buys from Amazon through that link I have gets me some small amount towards a gift certificate. I usually get a $10-$12 gift certificate each quarter. :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: Monday, January 23, 2006 9:56 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: speaking of AD books... Coleman, Hunter wrote: > http://www.joeware.net/win/ad3e.htm Thanks. I had the right title but the 3rd edition wasn't coming up in my search. al > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Al > Lilianstrom > Sent: Monday, January 23, 2006 7:19 AM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] OT: speaking of AD books... > > I lost track of which book Joe was writing about below. Can someone > refresh my memory? > > As for Joe writing a book about how he does things - what would be cool. > > al > > Rich Milburn wrote: >> Joe I have one question for you on this book before mine arrives... 
>> am > >> I going to read it, and then start bugging you again about compiling >> a > >> book of AD and server best practices based off of all the good novels >> you have posted on this list?? >> >> :) >> >> In fact... come to think of it... maybe there is still an unwritten >> book... one that takes topics that tend to come up on this list and >> deals with each on a discussion basis. It might be more useful for >> consultants and architects though, but still... two examples: >> >> 1) empty root domain issue - pros and cons >> 2) remotely managing DCs - joe you once had a long spiel on how you >> used to manage all those DCs remotely, and rather than give someone >> DA > >> rights to work on it, you'd demote it, then rebuild it from bare >> metal. A decent percentage of us probably knows how to do these > things remotely. >> But what if someone wanted to set something like this up, and it was >> a > >> new concept to them. Is there a guide out there anywhere that could >> show how to do it? From setting up the imaging software, to >> configuring a DC image to come up without someone clicking any >> buttons > locally, etc? >> >> A book like that would probably want a lot of input from a lot of >> people, because the answers to a lot of best practices questions are >> "it depends". But I bet there's a need... >> >> Rich >> - >> - >> - >> Rich Milburn >> MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field >> Platform Development Applebee's International, Inc. >> 4551 W. 107th St >> Overland Park, KS 66207 >> 913-967-2819 >> - >> - "I love the smell of red herrings in the morning" - anonymous >> >> -Original Message- >> From: [EMAIL PROTECTED] >> [mailto:[EMAIL PROTECTED] On Behalf Of joe >> Sent: Sunday, January 22, 2006 10:15 PM >> To: ActiveDir@mail.activedir.org >> Subject: RE: [ActiveDir] OT: speaking of AD books... >> >> Yeah there is a chapter on migration from 2K to K3 as well as a small >> chapter on upgrading to K3R2. 
>> >> The big wins in this version of the book if anyone asks me though are >> >> 1. A real live chapter on ADAM. First in existence that I am aware of. > >> I like this chapter, if anyone reads it and has issues with it, >> please > >> email me directly. I really like ADAM, I want to make sure my info is >> all correct and that it fits people's experiences with it. Heck I >> wouldn't mind just hearing about people's experiences so if I write >> anything else concerning ADAM, I can comment on it so others may not >> hit the same issues/pitfalls. >> >> 2. Significant updates to the Schema Chapters. >> >> 3. Significant updates to the Security Chapters. >> >> 4. A chapter on basic Exchange (AD-Related) tasks and how to script >> them. >> >> 5. The Site Topology and Replication chapter got a pretty serious >> update as well. >> >> 6. A lot of the scripts were reworked. >> >> Do not buy the book for the VB.NET and Di
RE: [ActiveDir] CPU/Memory usage & .vbs?
Very easily; just put the following lines near the top:

oFileName = Inputbox("Enter the path and filename to save the info.","CPU Usage","CPUuse.txt")
Set FSO = CreateObject("Scripting.FileSystemObject")
Set oFile = FSO.CreateTextFile(oFileName, True)

and put an oFile.WriteLine, with whatever data you want, wherever you want. eg.

oFile.WriteLine intProcessorUse.PercentProcessorTime

Of course, it's usually better to put the values into a variable, and then do what you want with the variable...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, January 23, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CPU/Memory usage & .vbs?

This is great! What I need is to use this code to output the current usage percentage to a text file. Can this be done?

strComputer = "."
' Connect to WMI on the target computer
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' The refresher re-reads the performance counters on each Refresh call
set objRefresher = CreateObject("WbemScripting.Swbemrefresher")
Set objProcessor = objRefresher.AddEnum _
    (objWMIService, "Win32_PerfFormattedData_PerfOS_Processor").objectSet
intThresholdViolations = 0
objRefresher.Refresh
Do
    For each intProcessorUse in objProcessor
        If intProcessorUse.PercentProcessorTime > 90 Then
            ' Count consecutive samples above 90% and report on the tenth
            intThresholdViolations = intThresholdViolations + 1
            If intThresholdViolations = 10 Then
                intThresholdViolations = 0
                Wscript.Echo "Processor usage threshold exceeded."
            End If
        Else
            intThresholdViolations = 0
        End If
    Next
    ' Wait 6000 ms before taking the next sample
    Wscript.Sleep 6000
    objRefresher.Refresh
Loop

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 22, 2006 11:52 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] CPU/Memory usage & .vbs?

WMI is a pretty easy way to get this done. What's your comfort level with scripting? Have you seen this? http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/monitoring/performance/

On 1/22/06, Harding, Devon <[EMAIL PROTECTED]> wrote:

That being said. I'm looking for a script that will output the current memory usage (in percentage) & the top cpu processes. Is this possible? wmi?

From: [EMAIL PROTECTED] on behalf of Michael B. Smith
Sent: Sat 1/21/2006 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: .vbs mailing list?

Although my most useful information about tough _vbscript_ questions has come from here and from Robbie Allen's various books, there is [EMAIL PROTECTED].

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Saturday, January 21, 2006 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: .vbs mailing list?

Is there a VBScript mailing list out there?

-Devon

This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] CPU/Memory usage & .vbs?
This is great! What I need is to use this code to output the current usage percentage to a text file. Can this be done?

strComputer = "."
' Connect to WMI on the target computer
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' The refresher re-reads the performance counters on each Refresh call
set objRefresher = CreateObject("WbemScripting.Swbemrefresher")
Set objProcessor = objRefresher.AddEnum _
    (objWMIService, "Win32_PerfFormattedData_PerfOS_Processor").objectSet
intThresholdViolations = 0
objRefresher.Refresh
Do
    For each intProcessorUse in objProcessor
        If intProcessorUse.PercentProcessorTime > 90 Then
            ' Count consecutive samples above 90% and report on the tenth
            intThresholdViolations = intThresholdViolations + 1
            If intThresholdViolations = 10 Then
                intThresholdViolations = 0
                Wscript.Echo "Processor usage threshold exceeded."
            End If
        Else
            intThresholdViolations = 0
        End If
    Next
    ' Wait 6000 ms before taking the next sample
    Wscript.Sleep 6000
    objRefresher.Refresh
Loop

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 22, 2006 11:52 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] CPU/Memory usage & .vbs?

WMI is a pretty easy way to get this done. What's your comfort level with scripting? Have you seen this? http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/monitoring/performance/

On 1/22/06, Harding, Devon <[EMAIL PROTECTED]> wrote:

That being said. I'm looking for a script that will output the current memory usage (in percentage) & the top cpu processes. Is this possible? wmi?

From: [EMAIL PROTECTED] on behalf of Michael B. Smith
Sent: Sat 1/21/2006 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: .vbs mailing list?

Although my most useful information about tough _vbscript_ questions has come from here and from Robbie Allen's various books, there is [EMAIL PROTECTED].

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Saturday, January 21, 2006 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: .vbs mailing list?

Is there a VBScript mailing list out there?

-Devon

This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: speaking of AD books...
A further note on a BP book, RE the "it depends" response: It's true that is often the answer for "it depends". But often there is a recommended way to do something (def. for best practice) and if you are following best practices then it really doesn't "depend", because the unknowns are taken care of. There are books (big, thick ones) that tell you all the ways you can do something. For people who do a lot of consulting, or are assuming a big mess, these are lifesavers. But what about the lucky [EMAIL PROTECTED]@rd that gets to build a company's infrastructure from scratch? Something that when others look at it, they can guess what's there because it makes sense, it uses defaults, it follows commonly accepted guidelines... other fields have these guidelines, I believe, more than our industry does (such as accounting's GAP). The more I think about it... the more I try to determine if I might have enough time to compile such a thing. It would draw heavily from this list... Rich -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart Sent: Monday, January 23, 2006 9:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... C) Hunter and I were TRs and I would highly recommend it. Joe & Robbie have made significant changes and have cleared up a couple of my pet peeves in the scripts and security bits from the 2E book. It also still has the best introduction and explanation of VB scripting for AD. As to the BP guide... I too would like to see that. We have managed to stay fairly centralized but we are now supporting a second remote data center. The one thing that has saved us is the new version of Dell's RAC card. It has a virtual CD/floppy drive feature where you can map your local workstation drive to be the CD or floppy of the server. Using that feature I was able to do bare metal installs across the wire. Very cool and saved me a seven hour round trip drive to eastern Montana. 
_Stuart Fuller -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Monday, January 23, 2006 8:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... Dear people, I would appreciate it if you would prioritize the following for me; [A] [ ] Work 60 hours a week managing (with only one other person) 250 PCs in 4 states and 40 Servers. [B] [ ] Live at the only bookmark in my browser when at home "www.microsoft.com" looking for solutions, etc. [C] [ ] Read joe's (et al) new book. [D] [ ] Studying for my MCSA [E] [ ] Studying for my MCP [F] [ ] Studying for my MCSE [G] [ ] Securing my network [H] [ ] Reading the new book joe is going to write on BP's [Yes, please tell me how to rebuild a DC remotely from bare metal!!] [I] [ ] Reading Robbie's book(s) (note: please sub-prioritize those books) [J] [ ] Balancing my checkbook ( hey .. I have to do something else at home, right?) [K] [ ] Patching my network [L] [ ] Learn to script [M] [ ] Watch College basketball on TV [N] [ ] Read all of Sakari's books [O] [ ] Read the AD list archives completely "Hey, I'm almost serious here." As Guido would say, "That's enough for today." RH List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. 
If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: speaking of AD books...
Those DRAC cards from dell are a POS if you've used a ILO or RILOE from HPQ not to mention the fact that those DRAC cards from Dell are a POS when you try to do disk imaging on a PowerEdge with one. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] on behalf of Fuller, Stuart Sent: Mon 1/23/2006 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... C) Hunter and I were TRs and I would highly recommend it. Joe & Robbie have made significant changes and have cleared up a couple of my pet peeves in the scripts and security bits from the 2E book. It also still has the best introduction and explanation of VB scripting for AD. As to the BP guide... I too would like to see that. We have managed to stay fairly centralized but we are now supporting a second remote data center. The one thing that has saved us is the new version of Dell's RAC card. It has a virtual CD/floppy drive feature where you can map your local workstation drive to be the CD or floppy of the server. Using that feature I was able to do bare metal installs across the wire. Very cool and saved me a seven hour round trip drive to eastern Montana. _Stuart Fuller -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Monday, January 23, 2006 8:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... Dear people, I would appreciate it it you would prioritize the following for me; [A] [ ] Work 60 hours a week managing (with only one other person) 250 PCs in 4 states and 40 Servers. [B] [ ] Live at the only bookmark in my browser when at home "www.microsoft.com" looking for solutions, etc. [C] [ ] Read joe's (et al) new book. 
[D] [ ] Studying for my MCSA [E] [ ] Studying for my MCP [F] [ ] Studying for my MCSE [G] [ ] Securing my network [H] [ ] Reading the new book joe is going to write on BP's [Yes, please tell me how to rebuild a DC remotely from bare metal!!] [I] [ ] Reading Robbie's book(s) (note: please sub-prioritize those books) [J] [ ] Balancing my checkbook ( hey .. I have to do something else at home, right?) [K] [ ] Patching my network [L] [ ] Learn to script [M] [ ] Watch College basketball on TV [N] [ ] Read all of Sakari's books [O] [ ] Read the AD list archives completely "Hey, I'm almost serious here." As Guido would say, "That's enough for today." RH List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: speaking of AD books...
Yep, The second edition keeps popping up when I search myself. I don't know what is up with that which is one reason why I set up that page. I also did it because I am an Amazon "associate" so anyone who buys from Amazon through that link I have gets me some small amount towards a gift certificate. I usually get a $10-$12 gift certificate each quarter. :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: Monday, January 23, 2006 9:56 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: speaking of AD books... Coleman, Hunter wrote: > http://www.joeware.net/win/ad3e.htm Thanks. I had the right title but the 3rd edition wasn't coming up in my search. al > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Al > Lilianstrom > Sent: Monday, January 23, 2006 7:19 AM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] OT: speaking of AD books... > > I lost track of which book Joe was writing about below. Can someone > refresh my memory? > > As for Joe writing a book about how he does things - what would be cool. > > al > > Rich Milburn wrote: >> Joe I have one question for you on this book before mine arrives... >> am > >> I going to read it, and then start bugging you again about compiling >> a > >> book of AD and server best practices based off of all the good novels >> you have posted on this list?? >> >> :) >> >> In fact... come to think of it... maybe there is still an unwritten >> book... one that takes topics that tend to come up on this list and >> deals with each on a discussion basis. It might be more useful for >> consultants and architects though, but still... two examples: >> >> 1) empty root domain issue - pros and cons >> 2) remotely managing DCs - joe you once had a long spiel on how you >> used to manage all those DCs remotely, and rather than give someone >> DA > >> rights to work on it, you'd demote it, then rebuild it from bare >> metal. 
A decent percentage of us probably knows how to do these > things remotely. >> But what if someone wanted to set something like this up, and it was >> a > >> new concept to them. Is there a guide out there anywhere that could >> show how to do it? From setting up the imaging software, to >> configuring a DC image to come up without someone clicking any >> buttons > locally, etc? >> >> A book like that would probably want a lot of input from a lot of >> people, because the answers to a lot of best practices questions are >> "it depends". But I bet there's a need... >> >> Rich >> - >> - >> - >> Rich Milburn >> MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field >> Platform Development Applebee's International, Inc. >> 4551 W. 107th St >> Overland Park, KS 66207 >> 913-967-2819 >> - >> - "I love the smell of red herrings in the morning" - anonymous >> >> -Original Message- >> From: [EMAIL PROTECTED] >> [mailto:[EMAIL PROTECTED] On Behalf Of joe >> Sent: Sunday, January 22, 2006 10:15 PM >> To: ActiveDir@mail.activedir.org >> Subject: RE: [ActiveDir] OT: speaking of AD books... >> >> Yeah there is a chapter on migration from 2K to K3 as well as a small >> chapter on upgrading to K3R2. >> >> The big wins in this version of the book if anyone asks me though are >> >> 1. A real live chapter on ADAM. First in existence that I am aware of. > >> I like this chapter, if anyone reads it and has issues with it, >> please > >> email me directly. I really like ADAM, I want to make sure my info is >> all correct and that it fits people's experiences with it. Heck I >> wouldn't mind just hearing about people's experiences so if I write >> anything else concerning ADAM, I can comment on it so others may not >> hit the same issues/pitfalls. >> >> 2. Significant updates to the Schema Chapters. >> >> 3. Significant updates to the Security Chapters. >> >> 4. A chapter on basic Exchange (AD-Related) tasks and how to script >> them. >> >> 5. 
The Site Topology and Replication chapter got a pretty serious >> update as well. >> >> 6. A lot of the scripts were reworked. >> >> Do not buy the book for the VB.NET and Directory Services chapter. I >> am not a NET person, I fully admit it, it is pretty much the same as >> it was in 2E. >> If you want a book in that realm, you want the book Joe Kaplan has >> been working on, I was a technical reviewer for that book and it >> looks > >> like it is going to be pretty good. >> >> >> The TR folks can comment if they like on what they liked about it or >> anything they think that is in it that makes it worthwhile. I had, >> what I considered unusual, a two way street with feedback with the >> TRs. They sent me their comments, I sent back responses for many of >> the comments and asked for more det
RE: [ActiveDir] OT: speaking of AD books...
C) Hunter and I were TRs and I would highly recommend it. Joe & Robbie have made significant changes and have cleared up a couple of my pet peeves in the scripts and security bits from the 2E book. It also still has the best introduction and explanation of VB scripting for AD. As to the BP guide... I too would like to see that. We have managed to stay fairly centralized but we are now supporting a second remote data center. The one thing that has saved us is the new version of Dell's RAC card. It has a virtual CD/floppy drive feature where you can map your local workstation drive to be the CD or floppy of the server. Using that feature I was able to do bare metal installs across the wire. Very cool and saved me a seven hour round trip drive to eastern Montana. _Stuart Fuller -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Monday, January 23, 2006 8:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... Dear people, I would appreciate it if you would prioritize the following for me; [A] [ ] Work 60 hours a week managing (with only one other person) 250 PCs in 4 states and 40 Servers. [B] [ ] Live at the only bookmark in my browser when at home "www.microsoft.com" looking for solutions, etc. [C] [ ] Read joe's (et al) new book. [D] [ ] Studying for my MCSA [E] [ ] Studying for my MCP [F] [ ] Studying for my MCSE [G] [ ] Securing my network [H] [ ] Reading the new book joe is going to write on BP's [Yes, please tell me how to rebuild a DC remotely from bare metal!!] [I] [ ] Reading Robbie's book(s) (note: please sub-prioritize those books) [J] [ ] Balancing my checkbook ( hey .. I have to do something else at home, right?) [K] [ ] Patching my network [L] [ ] Learn to script [M] [ ] Watch College basketball on TV [N] [ ] Read all of Sakari's books [O] [ ] Read the AD list archives completely "Hey, I'm almost serious here." As Guido would say, "That's enough for today." 
RH List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] FW: Stopping accidental folder moves by users
This topic was mentioned a few months ago. I just got this from another list. Seems like a pretty cool idea to me.

From: Windows NT/2000 Discussion List on behalf of Scott Brooks
Sent: Mon 1/23/2006 7:55 AM
To: [EMAIL PROTECTED]
Subject: Re: Stopping accidental folder moves by users

>>> Danny 01/20/2006 11:46:08 AM >>>
Has anyone found a solution to stop users from successfully and accidentally moving folders whilst allowing them to create new folders, file, read, modify, and write?

Hi Danny,

I just create a "+ Do Not Delete.txt" file in the directory the users like to Move. This text file contains the following text that explains how it works:

This file is here so that an accidental move of this directory cannot be done by non-administrators. How this is handled, is to remove all permissions from this file, except for administrators. That way if someone accidentally attempts to move the directory this file is in, they won't be able to move this file (since they do not have the needed permissions) and in turn they will not be able to move the entire directory.

Note: In Windows 2000 security I had to do the following to get this to work:

1. Copy "+ Do Not Delete.txt" to the desired folder.
2. Right click on "+ Do Not Delete.txt" and select Properties.
3. On the General tab check mark "Read-only" - this was critical to this working. Without it, others could still delete the file.
4. On the Security tab, check off "Allow inheritable permissions from parent to propagate to object".
5. When prompted, click on "Copy" to copy previously inherited permissions to this object.
6. Click on "Everyone" and then check mark "Deny" for Write access.

- Scott Brooks

So, maybe there is a more elegant solution, but the above works.

Scott

--
The WINNT-L list is hosted on a Windows NT(TM) machine running L-Soft international's LISTSERV(R) software. For subscription/signoff info and archives, see http://peach.ease.lsoft.com/archives/winnt-l.html .
COPYRIGHT INFO: http://peach.ease.lsoft.com/scripts/wa.exe?SHOWTPL=COPYRIGHT&L=WINNT-L
RE: [ActiveDir] OT: speaking of AD books...
Dear people,

I would appreciate it if you would prioritize the following for me;

[A] [ ] Work 60 hours a week managing (with only one other person) 250 PCs in 4 states and 40 Servers.
[B] [ ] Live at the only bookmark in my browser when at home "www.microsoft.com" looking for solutions, etc.
[C] [ ] Read joe's (et al) new book.
[D] [ ] Studying for my MCSA
[E] [ ] Studying for my MCP
[F] [ ] Studying for my MCSE
[G] [ ] Securing my network
[H] [ ] Reading the new book joe is going to write on BP's [Yes, please tell me how to rebuild a DC remotely from bare metal!!]
[I] [ ] Reading Robbie's book(s) (note: please sub-prioritize those books)
[J] [ ] Balancing my checkbook ( hey .. I have to do something else at home, right?)
[K] [ ] Patching my network
[L] [ ] Learn to script
[M] [ ] Watch College basketball on TV
[N] [ ] Read all of Sakari's books
[O] [ ] Read the AD list archives completely

"Hey, I'm almost serious here."

As Guido would say, "That's enough for today."

RH
Re: [ActiveDir] OT: speaking of AD books...
Coleman, Hunter wrote: http://www.joeware.net/win/ad3e.htm Thanks. I had the right title but the 3rd edition wasn't coming up in my search. al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: Monday, January 23, 2006 7:19 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: speaking of AD books... I lost track of which book Joe was writing about below. Can someone refresh my memory? As for Joe writing a book about how he does things - what would be cool. al Rich Milburn wrote: Joe I have one question for you on this book before mine arrives... am I going to read it, and then start bugging you again about compiling a book of AD and server best practices based off of all the good novels you have posted on this list?? :) In fact... come to think of it... maybe there is still an unwritten book... one that takes topics that tend to come up on this list and deals with each on a discussion basis. It might be more useful for consultants and architects though, but still... two examples: 1) empty root domain issue - pros and cons 2) remotely managing DCs - joe you once had a long spiel on how you used to manage all those DCs remotely, and rather than give someone DA rights to work on it, you'd demote it, then rebuild it from bare metal. A decent percentage of us probably knows how to do these things remotely. But what if someone wanted to set something like this up, and it was a new concept to them. Is there a guide out there anywhere that could show how to do it? From setting up the imaging software, to configuring a DC image to come up without someone clicking any buttons locally, etc? A book like that would probably want a lot of input from a lot of people, because the answers to a lot of best practices questions are "it depends". But I bet there's a need... Rich -- - Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 
107th St Overland Park, KS 66207 913-967-2819 -- "I love the smell of red herrings in the morning" - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, January 22, 2006 10:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... Yeah there is a chapter on migration from 2K to K3 as well as a small chapter on upgrading to K3R2. The big wins in this version of the book if anyone asks me though are 1. A real live chapter on ADAM. First in existence that I am aware of. I like this chapter, if anyone reads it and has issues with it, please email me directly. I really like ADAM, I want to make sure my info is all correct and that it fits people's experiences with it. Heck I wouldn't mind just hearing about people's experiences so if I write anything else concerning ADAM, I can comment on it so others may not hit the same issues/pitfalls. 2. Significant updates to the Schema Chapters. 3. Significant updates to the Security Chapters. 4. A chapter on basic Exchange (AD-Related) tasks and how to script them. 5. The Site Topology and Replication chapter got a pretty serious update as well. 6. A lot of the scripts were reworked. Do not buy the book for the VB.NET and Directory Services chapter. I am not a NET person, I fully admit it, it is pretty much the same as it was in 2E. If you want a book in that realm, you want the book Joe Kaplan has been working on, I was a technical reviewer for that book and it looks like it is going to be pretty good. The TR folks can comment if they like on what they liked about it or anything they think that is in it that makes it worthwhile. I had, what I considered unusual, a two way street with feedback with the TRs. They sent me their comments, I sent back responses for many of the comments and asked for more detail or asked questions or what not as needed. 
I know most everything I have ever TR'ed has been sort of a black hole where I don't know if the feedback is being used or not which I never liked. At least one reviewer mentioned to me that the feedback was unusual and well accepted. I don't expect this to be the be all end all book on AD but I did try to make it so I would be happy my name was on it which if anyone knows me is not a low achievement bar, I am a bit picky. But at the same time, I know I didn't get everything perfect, there wasn't time for perfect, it had to be released this decade. It isn't a book that is in my voice/tone; it is a refresh so I attempted to follow the voice/tone that was there as much as possible as it wasn't mine to change. Some people will not like that and some people are probably thankful for it. :o) -Origi
RE: [ActiveDir] OT: speaking of AD books...
http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: Monday, January 23, 2006 7:19 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: speaking of AD books... I lost track of which book Joe was writing about below. Can someone refresh my memory? As for Joe writing a book about how he does things - what would be cool. al Rich Milburn wrote: > Joe I have one question for you on this book before mine arrives... am > I going to read it, and then start bugging you again about compiling a > book of AD and server best practices based off of all the good novels > you have posted on this list?? > > :) > > In fact... come to think of it... maybe there is still an unwritten > book... one that takes topics that tend to come up on this list and > deals with each on a discussion basis. It might be more useful for > consultants and architects though, but still... two examples: > > 1) empty root domain issue - pros and cons > 2) remotely managing DCs - joe you once had a long spiel on how you > used to manage all those DCs remotely, and rather than give someone DA > rights to work on it, you'd demote it, then rebuild it from bare > metal. A decent percentage of us probably knows how to do these things remotely. > But what if someone wanted to set something like this up, and it was a > new concept to them. Is there a guide out there anywhere that could > show how to do it? From setting up the imaging software, to > configuring a DC image to come up without someone clicking any buttons locally, etc? > > > A book like that would probably want a lot of input from a lot of > people, because the answers to a lot of best practices questions are > "it depends". But I bet there's a need... > > Rich > -- > - > Rich Milburn > MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field > Platform Development Applebee's International, Inc. > 4551 W. 
107th St > Overland Park, KS 66207 > 913-967-2819 > -- > "I love the smell of red herrings in the morning" - anonymous > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of joe > Sent: Sunday, January 22, 2006 10:15 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] OT: speaking of AD books... > > Yeah there is a chapter on migration from 2K to K3 as well as a small > chapter on upgrading to K3R2. > > The big wins in this version of the book if anyone asks me though are > > 1. A real live chapter on ADAM. First in existence that I am aware of. > I like this chapter, if anyone reads it and has issues with it, please > email me directly. I really like ADAM, I want to make sure my info is > all correct and that it fits people's experiences with it. Heck I > wouldn't mind just hearing about people's experiences so if I write > anything else concerning ADAM, I can comment on it so others may not > hit the same issues/pitfalls. > > 2. Significant updates to the Schema Chapters. > > 3. Significant updates to the Security Chapters. > > 4. A chapter on basic Exchange (AD-Related) tasks and how to script > them. > > 5. The Site Topology and Replication chapter got a pretty serious > update as well. > > 6. A lot of the scripts were reworked. > > Do not buy the book for the VB.NET and Directory Services chapter. I > am not a NET person, I fully admit it, it is pretty much the same as > it was in 2E. > If you want a book in that realm, you want the book Joe Kaplan has > been working on, I was a technical reviewer for that book and it looks > like it is going to be pretty good. > > > The TR folks can comment if they like on what they liked about it or > anything they think that is in it that makes it worthwhile. I had, > what I considered unusual, a two way street with feedback with the > TRs. 
They sent me their comments, I sent back responses for many of > the comments and asked for more detail or asked questions or what not > as needed. I know most everything I have ever TR'ed has been sort of a > black hole where I don't know if the feedback is being used or not > which I never liked. At least one reviewer mentioned to me that the > feedback was unusual and well accepted. > > I don't expect this to be the be all end all book on AD but I did try > to make it so I would be happy my name was on it which if anyone knows > me is not a low achievement bar, I am a bit picky. But at the same > time, I know I didn't get everything perfect, there wasn't time for > perfect, it had to be released this decade. It isn't a book that is in > my voice/tone; it is a refresh so I attempted to follow the voice/tone > that was there as much as possible as it wasn't mine to change. Some > people will not like that and some people are proba
Re: [ActiveDir] OT: speaking of AD books...
I lost track of which book Joe was writing about below. Can someone refresh my memory? As for Joe writing a book about how he does things - what would be cool. al Rich Milburn wrote: Joe I have one question for you on this book before mine arrives... am I going to read it, and then start bugging you again about compiling a book of AD and server best practices based off of all the good novels you have posted on this list?? :) In fact... come to think of it... maybe there is still an unwritten book... one that takes topics that tend to come up on this list and deals with each on a discussion basis. It might be more useful for consultants and architects though, but still... two examples: 1) empty root domain issue - pros and cons 2) remotely managing DCs - joe you once had a long spiel on how you used to manage all those DCs remotely, and rather than give someone DA rights to work on it, you'd demote it, then rebuild it from bare metal. A decent percentage of us probably knows how to do these things remotely. But what if someone wanted to set something like this up, and it was a new concept to them. Is there a guide out there anywhere that could show how to do it? From setting up the imaging software, to configuring a DC image to come up without someone clicking any buttons locally, etc? A book like that would probably want a lot of input from a lot of people, because the answers to a lot of best practices questions are "it depends". But I bet there's a need... Rich --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- "I love the smell of red herrings in the morning" - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, January 22, 2006 10:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... 
Yeah there is a chapter on migration from 2K to K3 as well as a small chapter on upgrading to K3R2. The big wins in this version of the book if anyone asks me though are 1. A real live chapter on ADAM. First in existence that I am aware of. I like this chapter, if anyone reads it and has issues with it, please email me directly. I really like ADAM, I want to make sure my info is all correct and that it fits people's experiences with it. Heck I wouldn't mind just hearing about people's experiences so if I write anything else concerning ADAM, I can comment on it so others may not hit the same issues/pitfalls. 2. Significant updates to the Schema Chapters. 3. Significant updates to the Security Chapters. 4. A chapter on basic Exchange (AD-Related) tasks and how to script them. 5. The Site Topology and Replication chapter got a pretty serious update as well. 6. A lot of the scripts were reworked. Do not buy the book for the VB.NET and Directory Services chapter. I am not a NET person, I fully admit it, it is pretty much the same as it was in 2E. If you want a book in that realm, you want the book Joe Kaplan has been working on, I was a technical reviewer for that book and it looks like it is going to be pretty good. The TR folks can comment if they like on what they liked about it or anything they think that is in it that makes it worthwhile. I had, what I considered unusual, a two way street with feedback with the TRs. They sent me their comments, I sent back responses for many of the comments and asked for more detail or asked questions or what not as needed. I know most everything I have ever TR'ed has been sort of a black hole where I don't know if the feedback is being used or not which I never liked. At least one reviewer mentioned to me that the feedback was unusual and well accepted. 
I don't expect this to be the be all end all book on AD but I did try to make it so I would be happy my name was on it which if anyone knows me is not a low achievement bar, I am a bit picky. But at the same time, I know I didn't get everything perfect, there wasn't time for perfect, it had to be released this decade. It isn't a book that is in my voice/tone; it is a refresh so I attempted to follow the voice/tone that was there as much as possible as it wasn't mine to change. Some people will not like that and some people are probably thankful for it. :o) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold Sent: Friday, January 20, 2006 3:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... We're migrating our AD from W2K to W2K3 in the next month. And I want to be able to find out a little about the AD migration beforehand (our consultant is doing it - I'm not ready to jump into deep water on something like this). Will
RE: [ActiveDir] OT: speaking of AD books...
Would this be a 'design best practices' book or an 'operational best practices' book? Personally, I'd rather those subjects be kept separate, although I agree, that each deserves its own publication :) Maybe joe can act as editor and collate BPs from several ppl, with a one off payment or small royalty being offered to all contributors (whose BPs make it to the end product :) neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: 23 January 2006 14:15 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... Joe I have one question for you on this book before mine arrives... am I going to read it, and then start bugging you again about compiling a book of AD and server best practices based off of all the good novels you have posted on this list?? :) In fact... come to think of it... maybe there is still an unwritten book... one that takes topics that tend to come up on this list and deals with each on a discussion basis. It might be more useful for consultants and architects though, but still... two examples: 1) empty root domain issue - pros and cons 2) remotely managing DCs - joe you once had a long spiel on how you used to manage all those DCs remotely, and rather than give someone DA rights to work on it, you'd demote it, then rebuild it from bare metal. A decent percentage of us probably knows how to do these things remotely. But what if someone wanted to set something like this up, and it was a new concept to them. Is there a guide out there anywhere that could show how to do it? From setting up the imaging software, to configuring a DC image to come up without someone clicking any buttons locally, etc? A book like that would probably want a lot of input from a lot of people, because the answers to a lot of best practices questions are "it depends". But I bet there's a need... 
Rich --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- "I love the smell of red herrings in the morning" - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, January 22, 2006 10:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... Yeah there is a chapter on migration from 2K to K3 as well as a small chapter on upgrading to K3R2. The big wins in this version of the book if anyone asks me though are 1. A real live chapter on ADAM. First in existence that I am aware of. I like this chapter, if anyone reads it and has issues with it, please email me directly. I really like ADAM, I want to make sure my info is all correct and that it fits people's experiences with it. Heck I wouldn't mind just hearing about people's experiences so if I write anything else concerning ADAM, I can comment on it so others may not hit the same issues/pitfalls. 2. Significant updates to the Schema Chapters. 3. Significant updates to the Security Chapters. 4. A chapter on basic Exchange (AD-Related) tasks and how to script them. 5. The Site Topology and Replication chapter got a pretty serious update as well. 6. A lot of the scripts were reworked. Do not buy the book for the VB.NET and Directory Services chapter. I am not a NET person, I fully admit it, it is pretty much the same as it was in 2E. If you want a book in that realm, you want the book Joe Kaplan has been working on, I was a technical reviewer for that book and it looks like it is going to be pretty good. The TR folks can comment if they like on what they liked about it or anything they think that is in it that makes it worthwhile. I had, what I considered unusual, a two way street with feedback with the TRs. 
They sent me their comments, I sent back responses for many of the comments and asked for more detail or asked questions or what not as needed. I know most everything I have ever TR'ed has been sort of a black hole where I don't know if the feedback is being used or not which I never liked. At least one reviewer mentioned to me that the feedback was unusual and well accepted. I don't expect this to be the be all end all book on AD but I did try to make it so I would be happy my name was on it which if anyone knows me is not a low achievement bar, I am a bit picky. But at the same time, I know I didn't get everything perfect, there wasn't time for perfect, it had to be released this decade. It isn't a book that is in my voice/tone; it is a refresh so I attempted to follow the voice/tone that was there as much as possible as it wasn't mine to change. Some people will not like that and some people are probably thankful for it. :o) -Original Message- From: [EMAIL PROTECTED] [mailto
RE: [ActiveDir] OT: speaking of AD books...
Joe I have one question for you on this book before mine arrives... am I going to read it, and then start bugging you again about compiling a book of AD and server best practices based off of all the good novels you have posted on this list?? :) In fact... come to think of it... maybe there is still an unwritten book... one that takes topics that tend to come up on this list and deals with each on a discussion basis. It might be more useful for consultants and architects though, but still... two examples: 1) empty root domain issue - pros and cons 2) remotely managing DCs - joe you once had a long spiel on how you used to manage all those DCs remotely, and rather than give someone DA rights to work on it, you'd demote it, then rebuild it from bare metal. A decent percentage of us probably knows how to do these things remotely. But what if someone wanted to set something like this up, and it was a new concept to them. Is there a guide out there anywhere that could show how to do it? From setting up the imaging software, to configuring a DC image to come up without someone clicking any buttons locally, etc? A book like that would probably want a lot of input from a lot of people, because the answers to a lot of best practices questions are "it depends". But I bet there's a need... Rich --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- "I love the smell of red herrings in the morning" - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, January 22, 2006 10:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... Yeah there is a chapter on migration from 2K to K3 as well as a small chapter on upgrading to K3R2. The big wins in this version of the book if anyone asks me though are 1. A real live chapter on ADAM. 
First in existence that I am aware of. I like this chapter, if anyone reads it and has issues with it, please email me directly. I really like ADAM, I want to make sure my info is all correct and that it fits people's experiences with it. Heck I wouldn't mind just hearing about people's experiences so if I write anything else concerning ADAM, I can comment on it so others may not hit the same issues/pitfalls. 2. Significant updates to the Schema Chapters. 3. Significant updates to the Security Chapters. 4. A chapter on basic Exchange (AD-Related) tasks and how to script them. 5. The Site Topology and Replication chapter got a pretty serious update as well. 6. A lot of the scripts were reworked. Do not buy the book for the VB.NET and Directory Services chapter. I am not a NET person, I fully admit it, it is pretty much the same as it was in 2E. If you want a book in that realm, you want the book Joe Kaplan has been working on, I was a technical reviewer for that book and it looks like it is going to be pretty good. The TR folks can comment if they like on what they liked about it or anything they think that is in it that makes it worthwhile. I had, what I considered unusual, a two way street with feedback with the TRs. They sent me their comments, I sent back responses for many of the comments and asked for more detail or asked questions or what not as needed. I know most everything I have ever TR'ed has been sort of a black hole where I don't know if the feedback is being used or not which I never liked. At least one reviewer mentioned to me that the feedback was unusual and well accepted. I don't expect this to be the be all end all book on AD but I did try to make it so I would be happy my name was on it which if anyone knows me is not a low achievement bar, I am a bit picky. But at the same time, I know I didn't get everything perfect, there wasn't time for perfect, it had to be released this decade. 
It isn't a book that is in my voice/tone; it is a refresh so I attempted to follow the voice/tone that was there as much as possible as it wasn't mine to change. Some people will not like that and some people are probably thankful for it. :o) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold Sent: Friday, January 20, 2006 3:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: speaking of AD books... We're migrating our AD from W2K to W2K3 in the next month. And I want to be able to find out a little about the AD migration beforehand (our consultant is doing it - I'm not ready to jump into deep water on something like this). Will the 3rd edition cover W2K and getting from there to W2K3? And we'll still be using W2K on a couple of servers, so I want to be able to have documentation that will cover both. Thanks. Gary -Or
RE: [ActiveDir] CPU/Memory usage & .vbs?
Have a look at http://www.lissware.net,

Volume 1
Sample 5.18 to 5.19 - WatchInstanceStateWithRefreshMethod.wsf
Sample 5.20 - WatchInstanceCollectionStateWithRefresher.wsf

Volume 2
Sample 3.77 to 3.78 - WMICounterMonitor.wsf
Sample 3.79 - PerfMonProv.mof
Sample 3.80 - PerfMonClasses.Mof
Sample 3.81 - NTProcesses.wsf

All these scripts represent techniques and technologies to gather such data. You can also have a look at http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx

WMI Code Creator v1.0 can also help you: http://www.microsoft.com/downloads/details.aspx?FamilyID=2cc30a64-ea15-4661-8da4-55bbc145c30e&DisplayLang=en

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 22, 2006 7:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CPU/Memory usage & .vbs?

Yeah I think WMI is about it for you for this type of stuff from script. Look through the archives for posts from Alain Lissoir (PM for WMI at MS) as he has several links for free tools to automate creating scripts to gather info like this.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 22, 2006 11:52 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] CPU/Memory usage & .vbs?

WMI is a pretty easy way to get this done. What's your comfort level with scripting? Have you seen this? http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/monitoring/performance/

On 1/22/06, Harding, Devon <[EMAIL PROTECTED]> wrote:

That being said. I'm looking for a script that will output the current memory usage (in percentage) & the top cpu processes. Is this possible? wmi?

From: [EMAIL PROTECTED] on behalf of Michael B. Smith
Sent: Sat 1/21/2006 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: .vbs mailing list?

Although my most useful information about tough VBScript questions has come from here and from Robbie Allen's various books, there is [EMAIL PROTECTED].

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Saturday, January 21, 2006 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: .vbs mailing list?

Is there a VBScript mailing list out there?

-Devon
[ActiveDir] Limitations and issues with domain local groups and GC replicated data
Title: Limitations and issues with domain local groups and GC replicated data I really appreciate the response, Guido :) Many thanks! Put it this way - if I had £1 for each time I tried to persuade an org to go with a single domain and then see a multi regional/political forest be implemented anyway - I'd be a rich man :) This org has managed to progress from multiple forests, where each country has its own domain to a single (proposed) forest, where each region is represented by a single domain. They don't feel comfortable going the extra step, even though all the pitfalls were explained in detail, over a period of several months. My question stems from the fact that we (will) have multiple, domains and will likely need cross domains perms. I don't foresee hidden OUs nor the removal of auth users from OU perms right now. Those putting together the security model / roles / admin model etc were suggesting DLGs and that is where I stepped in and expressed concerns. I'll go investigate the options available and put forward a new proposal to the engineers. Thanks again, neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, GuidoSent: 20 January 2006 18:58To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Limitations and issues with domain local groups and GC replicated data > I'm trying to figure out if this represents an issue to me in my (proposed) regional > multi-domain environment or not. > > We are currently planning to use DLGs for permissioning AD data as well as server > based data. We planned to then nest global groups (GGs) into these DLGs from various > domains in the forest. Will such a scenario be affected by the issue described above? Yes it does. Are you actually in the planning phase of the domain-model / forest-structure itself? Or does this multi-domain AD already exist and you need to plan the security model for it? 
If you're still structuring the forest, you should seriously consider a single domain approach to avoid many of the challenges involved with multiple domain forests (the security on GC data using DLGs just being one of them).

The impact of AD data in GCs that are secured with DLGs certainly depends on your overall security strategy in the AD forest. If you leave the default ACLs in place (which grant a whole lot of READ permissions to authenticated users) and are just planning to use the DLGs to add extra rights to OUs (or any object) for delegating administrative tasks (e.g. permissions to change PW or to add specific objects such as computers to an OU), this will typically not impact you negatively when trying to access the data from a remote domain on a GC. Why? Well the data in the GC is read-only anyways so even though those extra permissions will not be applicable on the GC in a remote domain, the data can't be edited anyways so you won't notice the difference.

If however you are planning to take away a lot of the default rights - or you are granting extra rights to read hidden data (e.g. hidden group-memberships in Exchange or simply an OU where the default read-permissions have been removed so that the data won't be visible for the normal users), granting rights using a DLG will not suffice to make the data accessible on the GC in a remote domain. It doesn't matter that you're planning to put the users from the various domains into Global Groups (GGs) and then nest these into the DLGs => the GC of a remote domain has no clue who is a member of the DLG (since the member attribute of a DLG is not replicated to the GC), so it can't expand the token of the user that tries to access the data on that remote GC.

To make it clear:

1. a user in DomA (DOMA-Usr1) is a member of a DLG in DomB (DOMB-DLG1).
2. DOMB-DLG1 is used to grant read access on an OU in DomB (where auth. users READ access has been removed)
3. when DOMA-Usr1 logs onto his client he is authenticated via a DOMA DC
4. at this time he will only have DOMA groups in his token + any Universal Groups of the forest (needs to connect to a GC at logon to find the appropriate group-memberships of the user). He will thus have the DLGs and GGs of his own domain (DOMA) and UGs of any domain in his token.
5. he now connects to a DOMB DC to look at the secured OU => because of the transitive trust he is automatically authenticated - at this time the user's access token is generated for the DOMB domain by a DOMB DC => this DC knows of the user's DLG memberships in DOMB and adds DOMB-DLG1 to DOMA-Usr1's access token (only valid on DOMB resources); it doesn't matter if the user has a direct membership in the DLG or via a GG of DOMA.
6. the user successfully accesses the secured OU on the DOMB DC

Now the same data is replicated to a GC in DomA.

1. DOMA-USR1 now tries to access the OU on a DOMA-GC
2. only the user's DomA token is valid on a DC or GC (or any other resource) in DomA - this does not