RE: [ActiveDir] "No Terminal License Server available"

2006-04-12 Thread deji
Let me guess: because the DC you demoted is your Terminal Service License
server in the domain?
 
It's been a while since I last baby-sat a TS issue, but I believe that if the
Site license service is not installed on a DC, then you will have to manually
tell EACH TS in your environment how to locate the site license server. You
do this through the registry. I don't have a TS server/environment handy to
tell you exactly where the key is located. You can, however, search the
registry for "DomainLicenseServer" (I think) and this should be where you
specify the name of the TS License server.
 
HTH
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of James Carter
Sent: Wed 4/12/2006 11:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] "No Terminal License Server available"


Hi,
Single Windows 2003 domain
I demoted our DC to a member server and now we have an issue whereby when I
open Terminal Server Licensing manager, I get a message "No Terminal Server
License Server is available in the current domain or workgroup"
Anyone know why I receive this from demoting a DC and how to fix this!?



 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] "No Terminal License Server available"

2006-04-12 Thread James Carter
Hi,
Single Windows 2003 domain
I demoted our DC to a member server and now we have an issue whereby when I
open Terminal Server Licensing manager, I get a message "No Terminal Server
License Server is available in the current domain or workgroup"
Anyone know why I receive this from demoting a DC and how to fix this!?

RE: [ActiveDir] Deleting "default-first-site-name" site

2006-04-12 Thread Freddy HARTONO



Woozzah.. stupid laggy exchange server.

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 13, 2006 11:26 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Deleting "default-first-site-name" site

I think you must have missed the answer in the follow-up reply ... that
response contained -

    No, IIRC it defaults to the site of the DC from which the directory was
    sourced.

... let me know if that doesn't cover your question.

Hope it's helpful!
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
  Sent: Wednesday, April 12, 2006 10:55 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Deleting "default-first-site-name" site

  just curious, if this is deleted - where would a new dc with no subnet
  mapping be dropped to

  Thank you and have a splendid day!

  Kind Regards,

  Freddy Hartono
  Group Support Engineer
  InternationalSOS Pte Ltd
  mail: [EMAIL PROTECTED]
  phone: (+65) 6330-9785

  From: Steve Rochford [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
  Sent: Wednesday, April 12, 2006 10:54 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Deleting "default-first-site-name" site

  Thanks; that's what I expected but I wanted to check before I deleted
  something crucial :-)

  Steve

  From: [EMAIL PROTECTED] on behalf of Dean Wells
  Sent: Wed 12/04/2006 14:27
  To: Send - AD mailing list
  Subject: RE: [ActiveDir] Deleting "default-first-site-name" site

  Since replication takes place between DCs which logically exist in logical
  sites, no, ... not at all -- there's nothing to replicate with.  Regarding
  the deletion question; I've deleted it more times than I can count,
  sometimes I rename it if I need a new site ... there's nothing "special"
  about that object outside of its name (and that _should_ also prove a moot
  point.  This of course depends upon the developer, good coding vs. bad
  coding ... deleting it may break some joeware tools though -- haha, just
  teasing :0)

  --
  Dean Wells
  MSEtechnology
  * Email: [EMAIL PROTECTED]
  http://msetechnology.com

  > -Original Message-
  > From: [EMAIL PROTECTED]
  > [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Rochford
  > Sent: Wednesday, April 12, 2006 9:15 AM
  > To: ActiveDir@mail.activedir.org
  > Subject: [ActiveDir] Deleting "default-first-site-name" site
  >
  > We no longer have any servers in the "default-first-site-name" site;
  > should I delete that site? I hadn't really thought it mattered until I
  > was looking at the latency figures with repadmin (shown below for one
  > server).
  > Does it matter that no replication has taken place to a site without
  > servers?
  >
  > Steve
  >
  > Replication Latency for site willesden (wstud3.student.cnwl.ac.uk):
  >  Originating Site           Ver  Time Local Update    Time Orig. Update        Latency   Since Last
  >  =======================  =====  ===================  ===================  ===========  ===========
  >  Default-First-Site-Name     50  2004-04-07 08:25:58  2001-07-26 15:39:10  23656:46:48  17644:21:27
  >  wembley                  58498  2006-04-12 12:25:57  2006-04-12 12:25:55     00:00:02     00:21:28
  >  kilburn                      5  2006-04-12 12:10:56  2006-04-12 12:06:52     00:04:04     00:36:29
  >  willesden                59228  2006-04-12 12:09:50  2006-04-12 12:09:50     00:00:00     00:37:35
  >  Madhouse                 13173  2006-04-12 12:25:57  2006-04-12 12:22:40     00:03:17     00:21:28


RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

2006-04-12 Thread Brian Desmond
Mike-

Did you ever get any resolution on this or more info?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of joe
> Sent: Monday, February 20, 2006 7:14 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?
> 
> Ask him/her what the article number is if this is a known issue.  If
> he/she says there isn't one then say it sure isn't known very well
> then.
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
> Michael M.
> Sent: Friday, February 17, 2006 2:18 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?
> 
> Our MS TAM has indicated this is a known bug!  I will keep the group
> posted as I learn more details.
> 
> Mike Thommes
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
> Michael M.
> Sent: Friday, February 17, 2006 10:52 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?
> 
> As an update to this thread, we transferred the Schema Master role back
> to other DC that has the SFU tools installed originally thinking this
> might get the R2 schema update to work.  Wrong!  It fails with the same
> error.  I can only imagine we do not have that unique an environment in
> our testbed and expect others to have the same experience.  Luckily, we
> never put SFU 3.5 on our production systems.
> 
> We are going to open up a trouble ticket with Microsoft regarding this
> issue.  I would like to hear of others' experiences (success or
> failure) when trying to install R2 in an environment where SFU 3.5 had
> been installed.  Thanks!
> 
> Mike Thommes
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
> Michael M.
> Sent: Thursday, February 16, 2006 9:07 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?
> 
> Hi Guido,
>    Thanks for the response!  This server is Windows 2003/SP1 with all
> but the current month's patches.  It is the current FSMO role holder.
> I did some checking this morning and find the SFU 3.5 tools on another
> DC that could have been the FSMO role holder at the time the SFU schema
> changes were made.  I don't see why that would make any difference, do
> you?
> 
> -mike
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
> Guido
> Sent: Thursday, February 16, 2006 3:00 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?
> 
> Mike - I see you're upgrading from Win2000 AD. Are you sure that
> you've previously installed SFU 3.5 or was it maybe SFU 2.0 ?
> 
> The reason I'm asking is that there's a known schema incompatibility
> with SFU 2.0:
> check out http://support.microsoft.com/?id=293783 "Cannot Upgrade
> Windows 2000 Server to Windows Server 2003 with Windows Services for
> UNIX 2.0 Installed"
> 
> CAUSE
> The upgrade may not work because the attributeSchema 'uid' that is used
> by Windows 2000 Server for the NIS schema is not compatible with the
> one that is used by Windows Server 2003.
> 
> As such your error is likely independent from the changes in the R2
> schema - it's actually an incompatibility in the Win2003 base schema
> (not that this really matters for you; I just want to clarify that the
> error should be unrelated to R2). As such it's different from Aric's
> case, who was performing an upgrade from a Win2003 schema to Win2003
> R2...
> 
> 
> /Guido
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
> Michael M.
> Sent: Donnerstag, 16. Februar 2006 02:53
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?
> 
> Hi Aric,
> No, there were a lot more errors - all seem to be related to SFU
> attributes.  I only copied a small portion to my posting to save
> bandwidth.
> Painful = time = headaches  8-(  I was expecting this upgrade to be a
> "walk in the park".
> 
> Mike Thommes
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
> Sent: Wednesday, February 15, 2006 7:46 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?
> 
> Are these the only two errors you received?
> 
> I encountered similar errors during beta testing when I implemented R2
> in an existing forest - but a lot more than just 2. :)  I created a
> secondary forest and validated that it did not recur.  Note that I also
> had SFU installed in the original forest and the new secondary forest.
> 
> I 

RE: [ActiveDir] Deleting "default-first-site-name" site

2006-04-12 Thread Dean Wells



I think you must have missed the answer in the follow-up reply ... that
response contained -

    No, IIRC it defaults to the site of the DC from which the directory was
    sourced.

... let me know if that doesn't cover your question.

Hope it's helpful!
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 

  
  


RE: [ActiveDir] Deleting "default-first-site-name" site

2006-04-12 Thread Freddy HARTONO



just curious, if this is deleted - where would a new dc with no subnet
mapping be dropped to

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 
 




RE: [ActiveDir] Object case changes with ADMOD

2006-04-12 Thread joe



How did that work out for you?
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, April 05, 2006 9:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Object case changes with ADMOD

Thanks. I’ll give it a try.

From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 05, 2006 6:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Object case changes with ADMOD

Yeah then you want to upgrade to a newer version. Among the other fixes is
a fix that stops it from normalizing RDNs to lower case.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, April 05, 2006 9:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Object case changes with ADMOD

File version says: 1.3.0.85

From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 05, 2006 5:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Object case changes with ADMOD

Out of random curiosity are you using a version of ADMOD prior to V01.05.00?

  joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, April 05, 2006 8:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Object case changes with ADMOD

Hi –

I have been testing a little batch file that uses adfind and admod to move
some computer accounts around in AD. Based on a text file, computers move to
different OU’s. The weird thing is that before being handled by admod, the
accounts are in all capital letters (as seen in the DSA and in text output
of DN’s). After the move, they appear in all lower case.

While this is not the end of the world, it is a little odd. Why is this
happening? Can I keep them in the same case?

The batch is as follows:

rem Paths to the joeware tools, the input list and the log file
set toolPath=C:\Sysadmin\Tools\Apps\Joeware
set compList=C:\Sysadmin\Tools\Scripts\VarFiles\complist.txt
set logFile=c:\sysadmin\logs\compMove_log.txt

rem Each input line is: computer name, parent OU, child OU
for /f "tokens=1-3" %%A in (%compList%) do (
    %toolPath%\adfind -b dc=company,dc=com -f "&(objectcategory=computer)(name=%%A)" -dsq | %toolPath%\admod -move ou=%%C,ou=%%B,dc=company,dc=com
) >>%logFile%
 
The file format for complist.txt is:
COMPUTER1    OUX  OUY
COMPUTER2    OUZ  OUY
 
Thanks.
 
-- nme
 


RE: [ActiveDir] AD delegations

2006-04-12 Thread joe
http://blog.joeware.net/2005/07/17/48/ 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, April 12, 2006 5:42 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] AD delegations

Dear all, needing to seek further assistance on OU delegations.

We have applied a delegation using the custom delegation wizard;

Create / Delete computer object

this works fine and dandy in the context of creating and deleting computer
objects in the container and its sub-containers.

however we are unable to move COMPUTER objects between OU's within the
delegation OU.

i would have thought that a MOVE is a combination of CREATE / DELETE which
it would seem have been applied as above, but perhaps not.

it seems an additional permission is required to be applied to the delegated
ou

any help on this will be gladly received

Thanks

G



RE: [ActiveDir] Replication issues on one of our DCs

2006-04-12 Thread joe
I would certainly be a trifle concerned about disk...  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, April 12, 2006 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication issues on one of our DCs


Any ideas?

NTFS compression isn't turned on.  Maybe an impending drive failure?




Internal event: Active Directory could not update the following object
with changes received from the following source domain controller. This is
because an error occurred during the application of the changes to Active
Directory on the domain controller.

Object:
CN=FFF-LEE-Six-Sigma,OU=LEE,OU=EH,OU=CAM,DC=FFF,DC=ourdomain,DC=com

Object GUID:
0a7ba036-b9be-4c9f-b978-1d1ce99c8e40

Source domain controller:
190d7fdf-0c3f-4c5d-ad78-0df06208c3be._msdcs.ourdomain.com

Synchronization of the local domain controller with the source domain
controller is blocked until this update problem is corrected.

This operation will be tried again at the next scheduled replication.

User Action
Restart the local domain controller if this condition appears to be related
to low system resources (for example, low physical or virtual memory).

Additional Data
Error value:
1127 While accessing the hard disk, a disk operation failed even after
retries.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.




RE: [ActiveDir] Deleting "default-first-site-name" site

2006-04-12 Thread joe
HAHAHAHAHA ha ha ha ah Yeah. Smack.

I concur with Dean, this will be fine from an AD perspective, certainly
nothing special about it. Some people rename it, some people delete it. The
only time it is special is when it is the only one. :)



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 12, 2006 9:27 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Deleting "default-first-site-name" site

Since replication takes place between DCs which logically exist in logical
sites, no, ... not at all -- there's nothing to replicate with.  Regarding
the deletion question; I've deleted it more times than I can count,
sometimes I rename it if I need a new site ... there's nothing "special"
about that object outside of its name (and that _should_ also prove a moot
point.  This of course depends upon the developer, good coding vs. bad
coding ... deleting it may break some joeware tools though -- haha, just
teasing :0)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve 
> Rochford
> Sent: Wednesday, April 12, 2006 9:15 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Deleting "default-first-site-name" site
> 
> We no longer have any servers in the
> "default-first-site-name" site; should I delete that site? I hadn't 
> really thought it mattered until I was looking at the latency figures 
> with repadmin (shown below for one server).
> Does it matter that no replication has taken place to a site without 
> servers?
>  
> Steve
>  
> Replication Latency for site willesden (wstud3.student.cnwl.ac.uk):
>  Originating Site           Ver  Time Local Update    Time Orig. Update        Latency   Since Last
>  =======================  =====  ===================  ===================  ===========  ===========
>  Default-First-Site-Name     50  2004-04-07 08:25:58  2001-07-26 15:39:10  23656:46:48  17644:21:27
>  wembley                  58498  2006-04-12 12:25:57  2006-04-12 12:25:55     00:00:02     00:21:28
>  kilburn                      5  2006-04-12 12:10:56  2006-04-12 12:06:52     00:04:04     00:36:29
>  willesden                59228  2006-04-12 12:09:50  2006-04-12 12:09:50     00:00:00     00:37:35
>  Madhouse                 13173  2006-04-12 12:25:57  2006-04-12 12:22:40     00:03:17     00:21:28
> 
> 


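The latency table quoted in this thread, together with the answer that a site without DCs has "nothing to replicate with", can be turned into a routine check. The following is an added example, not code from the thread or from repadmin; the `sites_with_dcs` set and the 60-day threshold are assumptions to replace with your own site inventory and your forest's tombstone lifetime.

```python
import re
from datetime import timedelta

# Constructed sample: the latency rows quoted in the thread, re-aligned.
SAMPLE = """\
Replication Latency for site willesden (wstud3.student.cnwl.ac.uk):
 Originating Site           Ver  Time Local Update    Time Orig. Update        Latency   Since Last
 =======================  =====  ===================  ===================  ===========  ===========
 Default-First-Site-Name     50  2004-04-07 08:25:58  2001-07-26 15:39:10  23656:46:48  17644:21:27
 wembley                  58498  2006-04-12 12:25:57  2006-04-12 12:25:55     00:00:02     00:21:28
 kilburn                      5  2006-04-12 12:10:56  2006-04-12 12:06:52     00:04:04     00:36:29
 willesden                59228  2006-04-12 12:09:50  2006-04-12 12:09:50     00:00:00     00:37:35
 Madhouse                 13173  2006-04-12 12:25:57  2006-04-12 12:22:40     00:03:17     00:21:28
"""

STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
DURATION = r"\d+:\d{2}:\d{2}"
# One data row: site, version, two timestamps, two H:MM:SS durations.
ROW = re.compile(
    r"^\s*(?P<site>\S+)\s+(?P<ver>\d+)"
    r"\s+(?P<local>" + STAMP + r")\s+(?P<orig>" + STAMP + r")"
    r"\s+(?P<latency>" + DURATION + r")\s+(?P<since>" + DURATION + r")\s*$"
)


def _hms(text):
    """Convert an hours:minutes:seconds string (hours may exceed 24)."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def parse_latency(text):
    """Return one dict per data row; title, header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            rows.append({
                "site": match["site"],
                "ver": int(match["ver"]),
                "latency": _hms(match["latency"]),
                "since_last": _hms(match["since"]),
            })
    return rows


def classify(rows, sites_with_dcs, max_age=timedelta(days=60)):
    """Label each originating site.

    ok          - an update arrived within max_age
    empty-site  - stale, but the site hosts no DCs, so nothing can originate there
    investigate - stale although the site still hosts DCs

    sites_with_dcs is supplied by the caller (assumption: taken from your own
    inventory). max_age defaults to an assumed 60 days; use your forest's
    tombstone lifetime.
    """
    live = {name.lower() for name in sites_with_dcs}
    verdicts = {}
    for row in rows:
        if row["since_last"] <= max_age:
            verdicts[row["site"]] = "ok"
        elif row["site"].lower() in live:
            verdicts[row["site"]] = "investigate"
        else:
            verdicts[row["site"]] = "empty-site"
    return verdicts


if __name__ == "__main__":
    # Assumption: every site except Default-First-Site-Name still hosts a DC.
    populated = {"wembley", "kilburn", "willesden", "madhouse"}
    for site, verdict in classify(parse_latency(SAMPLE), populated).items():
        print(f"{site:25} {verdict}")
```

An "investigate" verdict is the case worth alerting on: a site that still hosts DCs but has not delivered an originating update within the tombstone lifetime.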


RE: [ActiveDir] Changing a users password

2006-04-12 Thread joe
That has got to be one of the longest signature blocks of all time...  

Hopefully that is only stamped on mail going outside of the org, hate to
have all of that bunched up in my Exchange DBs for all daily mail... ;)


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marc A. Mapplebeck
Sent: Wednesday, April 12, 2006 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Why not just create a custom MMC in author mode that only allows ADUC to set
password, nothing else. It is possible to do. - Marc


_-_-_-_-_-_-_-_-_-
-"During times of universal deceit, telling the truth becomes a
revolutionary act." - George Orwell, 1984
_-_-_-_-_-_-_-_-_-
Marc A. Mapplebeck, MCP/MCDST/N+/A+/CNA
Owner, Shutterbug Productions & Consulting IT Manager, City Animal Hospital
Ltd.
MCP#: 3146827
CompTIA#: COMP001002835054
[EMAIL PROTECTED]
[EMAIL PROTECTED]
_-_-_-_-_-_-_-_-_-
P: 506-471-7044
ICQ: 26743793
Yahoo!: mmapplebeck
MSN: [EMAIL PROTECTED]
_-_-_-_-_-_-_-_-_-
This e-mail communication (including any or all attachments) is intended
only for the use of the person or entity to which it is addressed and may
contain confidential and/or privileged material. If you are not the intended
recipient of this e-mail, any use, review, retransmission, distribution,
dissemination, copying, printing, or other use of, or taking of any action
in reliance upon this e-mail, is strictly prohibited. If you have received
this e-mail in error, please contact the sender and delete the original and
any copy of this e-mail and any printout thereof, immediately. Your
co-operation is appreciated.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: April 12, 2006 04:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Net user command only works if you have full admin rights. I've google'd
till 2am this morning, haven't found any free script that doesn't use the
DN.

Can't use ADUC as I'm afraid that, if they see what info they *could* change,
that it will snowball and they will want to change it all. The whole reason
for this is that I am out of the office more and more and users here have a
massive issue with passwords. At the moment they write them down on a pad on
the "receptionists" desk (I say receptionist, but this lady has been here
longer than the earth has been turning, and I would rather she could
generate a new random password with "change on next logon" for all the users
in a given OU than have the passwords written on a pad on someone's desk,
admin users are in a diff OU).

I'll keep hunting. Thanks for the help anyway.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: 12 April 2006 07:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Hi Oliver,

First of all the receptionist needs to be delegated the rights to reset
users' passwords, as well as being made aware of the consequences (local
credential cache of the users f.e.).

To reset the password you can use commands like "net user username password
/domain" or you can use AD-Tools like ADUC, "dsquery user domainroot -name
whatever | dsmod -pwd newpass -mustchangepwd yes", or you can create your
own script which searches for the user and changes password after asking for
approval. Www.microsoft.com/technet/scriptcenter provides the examples you
have to glue together for this.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Oliver 
|Marshall
|Sent: Wednesday, April 12, 2006 1:56 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Changing a users password
|
|Hi,
|
|I want to create a script that will allow a user here to change the 
|password of any other user.
|
|I have found several examples, mos

RE: [ActiveDir] Changing a users password

2006-04-12 Thread joe
Full admin or Account Operator is what the NET API requires. Doesn't work
with delegated rights.

  joe 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Wednesday, April 12, 2006 3:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Net user command only works if you have full admin rights. I've googled
till 2am this morning, haven't found any free script that doesn't use the
DN.

Can't use ADUC as I'm afraid that, if they see what info they *could* change,
that it will snowball and they will want to change it all. The whole reason
for this is that I am out of the office more and more and users here have a
massive issue with passwords. At the moment they write them down on a pad on
the "receptionist's" desk (I say receptionist, but this lady has been here
longer than the earth has been turning, and I would rather she could
generate a new random password with "change on next logon" for all the users
in a given OU than have the passwords written on a pad on someone's desk,
admin users are in a diff OU).

I'll keep hunting. Thanks for the help anyway.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: 12 April 2006 07:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Hi Oliver,

First of all the receptionist needs to be delegated the rights to reset
users' passwords, as well as being made aware of the consequences (local
credential cache of the users f.e.).

To reset the password you can use commands like "net user username password
/domain" or you can use AD-Tools like ADUC, "dsquery user domainroot -name
whatever | dsmod -pwd newpass -mustchangepwd yes", or you can create your
own script which searches for the user and changes password after asking for
approval. Www.microsoft.com/technet/scriptcenter provides the examples you
have to glue together for this.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Oliver 
|Marshall
|Sent: Wednesday, April 12, 2006 1:56 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Changing a users password
|
|Hi,
|
|I want to create a script that will allow a user here to change the 
|password of any other user.
|
|I have found several examples, most based on the examples on the MS 
|site. Thing is, they all depend on knowing the Distinguished Name of 
|the user, and the poor old receptionist wont have a clue what that is.
|
|Can anyone help me with a script that will change the password of a 
|user just knowing the username of the user ? At the least I'm after 
|some code to find the DN of a user from their username, and I can then 
|use that with the code I already have (I think).
|
|
|Thanks
|
|Olly


RE: [ActiveDir] Changing a users password

2006-04-12 Thread joe
To find a user

adfind -sc u:X -dn 

Where X is the user's SAM name or cn.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Tuesday, April 11, 2006 7:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing a users password

Hi,

I want to create a script that will allow a user here to change the password
of any other user. 

I have found several examples, most based on the examples on the MS site.
Thing is, they all depend on knowing the Distinguished Name of the user, and
the poor old receptionist won't have a clue what that is.

Can anyone help me with a script that will change the password of a user
just knowing the username of the user ? At the least I'm after some code to
find the DN of a user from their username, and I can then use that with the
code I already have (I think).


Thanks

Olly
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
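
An added example, not code from any poster in this thread: a PowerShell (ADSI) script for the request above, which resolves a logon name to its DN inside a single OU (escaping the typed name for the LDAP filter), then sets a random password with change-at-next-logon. The OU DN and account name in the usage line are hypothetical, and it assumes the operator has been delegated Reset Password and write access to pwdLastSet on user objects in that OU.

```powershell
# Added example, not code from the thread. The OU DN and account name in the
# usage line at the bottom are hypothetical placeholders.
Set-StrictMode -Version 2.0

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: a typed name such as "a*" or "x)(cn=*" stays a literal
    # value instead of changing the shape of the search filter.
    param([Parameter(Mandatory)][string]$Value)
    $escape = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m) '\{0:x2}' -f [int][char]$m.Value
    }
    [regex]::Replace($Value, '[\\*()\x00]', $escape)
}

function Find-UserInOu {
    # Searching from the OU (not the domain root) means accounts in other OUs,
    # such as the admin OU, can never be returned and therefore never reset.
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$OuDn)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OuDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $name = ConvertTo-LdapFilterValue $SamAccountName
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$name))"
    $hits = @($searcher.FindAll())
    if ($hits.Count -ne 1) {
        throw "Expected exactly one user '$SamAccountName' under $OuDn, found $($hits.Count)."
    }
    $hits[0].GetDirectoryEntry()
}

function New-RandomPassword {
    # Characters come from the OS CSPRNG; look-alike characters are left out
    # because the password is read to the user. 64 symbols, so no modulo bias.
    param([int]$Length = 16)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)
    do {
        $sb = New-Object System.Text.StringBuilder
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length])
            }
        }
        $candidate = $sb.ToString()
        # Retry until upper, lower and digit are all present (AD complexity rule).
    } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and $candidate -match '\d')
    $candidate
}

function Reset-UserPasswordInOu {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$OuDn)
    $user = Find-UserInOu -SamAccountName $SamAccountName -OuDn $OuDn
    $password = New-RandomPassword
    $user.psbase.Invoke('SetPassword', $password)       # IADsUser::SetPassword
    $user.psbase.Properties['pwdLastSet'].Value = 0     # must change at next logon
    $user.psbase.CommitChanges()
    [pscustomobject]@{
        DistinguishedName = [string]$user.psbase.Properties['distinguishedName'].Value
        TemporaryPassword = $password
    }
}

# Usage (hypothetical names):
# Reset-UserPasswordInOu -SamAccountName 'jdoe' -OuDn 'OU=Staff,DC=example,DC=com'
```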


RE: [ActiveDir] User rights

2006-04-12 Thread joe



http://www.activedir.org/article.aspx?aid=84
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 12, 2006 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User rights

My friends, I need a little help.
How can I grant a user rights to join computers in my domain?
I don't want any other right, just that.
What is the best way to do that?
I tried to delegate right on computers object > create object.
Is that right?
adriao ramos


RE: [ActiveDir] Extending the schema

2006-04-12 Thread joe



I have found coughing politely and bumping a hardcopy of 
the document/email/memo their direction has the best "told you so" effect... 
:o)
 
Several years ago I wrote up a quick document about 
EMC Celerras and the problems we were going to hit based on a quick review of 
what EMC was doing. EMC flew in a bunch of big wigs and engineers to meet with 
me and everyone in the management chain above me. They assured us that I 
was wrong on every count and I actually got pretty well chastised for writing 
something so mean but not by my direct management nor the guys in the AD 
Dev/Planning group of the company. I believe there were something like 13-15 
bullets on my hastily put together note. I believe over the next year I coughed 
and nudged in the area of... hmmm let me recall, I think it was 13-15 times... 
You know, I am quite sure it was 13-15 times. Amazing how much more the 
technical guy understands the technical aspects of how things work than say 
a manager 4 or 5 levels above the technical people.

 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 12, 2006 3:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extending the schema

...what joe said, but also test the app thoroughly and 
document its issues so that you can then perform a CYA job back to those asking 
for the product and to your own boss :)
 
This is par for the course in the world of IT - we are 
often forced to deploy cr** and all we can do to mitigate the situation is 
to document our misgivings. At least if the whole thing blows up in your face, 
you can point to a doc or email and state 'told you so' :)
 
neil


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 April 2006 07:43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extending the schema

I do not have first hand experience with it but have 
been speaking to some very trusted friends who have been trying to implement it 
and pretty much anything they say I would take as if I saw it myself. From what 
I hear there are some "odd" ACEs added to the ACLs (I believe at the NC Head 
level) that make no sense but are required or you can't install LCS Servers. I 
believe specifically there is something with a property set that is absolutely 
worthless (I don't recall the details now). Also you can't substitute the ACEs, 
you must have the exact ACEs in place that the LCS prep puts into place. That 
means they aren't checking access rights, they are scanning the ACL looking for 
a specific ACE which ranks up there with some of the worst things I have seen 
out of any AD enabled app. This isn't very unusual for Exchange related 
stuff. The Exchange folks don't seem to really know how to use AD properly 
and LCS came from Exchange folks and has Exchange Dev all over it. Exchange 
itself had some very odd delegations that had to be made in the early E2K 
timeframe that I ran into and bugged that was absolutely meaningless as well if 
you were trying to delegate minimal permissions. I recall there was one 
delegation of an attribute that only existed on some config container objects 
but needed to be applied to users or else the GUI tools wouldn't work. 
Completely asinine stuff. I guess they are hitting the same crap with 
LCS.
 
To add even more pain, the MCS guy that my friends have 
been working with has been just a hair above useless for the whole thing so 
probably better to sit down and work it out yourself than contract MCS to come 
in and help out. I have personal experience with the specific MCS person and I 
am not entirely surprised though this is just one more area where he is 
supposed to be knowledgeable and this customer is so large that you would expect 
MCS wouldn't be dumb and send in someone who isn't pretty good with the 
product.
 
Basically, if you are being forced to use it, you don't 
have much choice, lube up and go for it. If you do have a choice, go through the 
product with a fine tooth comb in the lab and document all of the crap and then 
complain to MS. Possibly if enough people tell them that the functionality isn't 
good enough to deal with a shitty implementation they might get a clue. Most 
likely it has gone as far as it has is because most people don't have a clue 
what they are doing when they are installing things and assume anything out of 
MS will be done correctly and never verify the changes made in the directory and 
how much sense they may or may not make.
 
Oh another thing, there is some global group 
requirement built into LCS for admining the product, from what I heard you have 
NO CHOICE but to use global groups. This is yet another product that 
demonstrates that just because it came out of MS doesn't mean it is good or 
should just be implemented. 
 
  joe
 

--
O'Reilly Active Directory Thi

RE: [ActiveDir] OU's Structure

2006-04-12 Thread joe



That is incorrect. I have chased this code path a couple of 
times in the Windows source and from other obvious logical reasons the hierarchy 
will not impact auth timings - read the book in the signature for more info on 
that as I specifically call this fallacy out. 
 
The issue is with the NUMBER of GPOs applied on those 
various levels. Whether you have 2 GPOs spread across 30 OU levels or 2 
GPOs across 2 GPO levels you will experience the same speed based on how the 
GPOs are enumerated (actually they aren't enumerated, it is a simple LDAP 
query). Returning all of the OUs that need to be checked is quick and fast, then 
the machine has to loop through all of those GPOs and figure out which ones 
apply in which order, etc etc etc etc.
 
As a general rule, I am much more a fan of setting up 
my GPO structure on an OU basis versus a group filtering basis. If anything 
applying a bunch of GPOs to an OU a user is in and then filtering out which ones 
they really have access to with groups would be slower than having multiple OU 
levels because there are more GPOs to loop through and check. I doubt it would 
add very much overhead but there would certainly be more than a deployment based 
on the hierarchical structure would have.
 
What company is this consultant with if you don't mind me 
asking? 
 
   joe
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Milton Sancho
Sent: Wednesday, April 12, 2006 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OU's Structure

Hello,
 
I got a discussion with a consultant who was hired to deploy a new
corporate domain (Win2003) structure.

We have right now a domain running on Windows 2000 (Active Directory 2000),
I created a logical OU structure in the domain controller according to all the
departments we have in the network. For instance sales, customer service, IT,
marketing, Facilities, so on. With this structure I have all the users
and objects organized by OU, then if we need to apply GPO or customized security
policies we apply it by department (OU) without affecting other OUs (Departments).

However on the other hand, the consultant told us we have not to use this
"OU structure", because it decreases login time at client level. ???
Not sure about his comment. Because I have seen how end users log in on
their different departments without the behaviour that he argumented.

Now, we have a Win2003 domain, without the "OU Structure" that we have in
the win2000 domain, I have not found yet the difference he mentioned. Besides to
keep all users just into one OU looks to be more complex to apply GPO and other
policies.
 
 Thanks comments


Re: [ActiveDir] Store only function

2006-04-12 Thread Navroz Shariff
You could do what Brian mentioned by adjusting the ACL of the required
folder under the security tab.

-Shariff


On 4/11/06 4:12 PM, "Brian Desmond" <[EMAIL PROTECTED]> wrote:

> Yes. Give them the right to Create Files/Write Data but not modify or
> delete. 
> 
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
>  
> c - 312.731.3132
>  
>  
> 
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:ActiveDir-
>> [EMAIL PROTECTED] On Behalf Of Steven Comeau
>> Sent: Tuesday, April 11, 2006 3:28 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: [ActiveDir] Store only function
>> 
>> Is there a way for setting up rights to a folder so that someone can
>> place a file in a folder but not be able to modify or overwrite that
>> file once placed into a folder?
>> 
>> Thankie...
>> 
>> Steven Comeau
>> Sr. Director of IT
>> Community Options
>> 16 Farber Road
>> Princeton, NJ  08540
>> EMail: [EMAIL PROTECTED]
>> Phone: 609-951-9900  x114
>> FAX: (609)  919-3889
>> www.comop.org


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
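
An added example, not code from the thread: a PowerShell script that applies the "Create Files/Write Data but not modify or delete" grant to the folder only, and then lists any remaining ACEs that would still let a non-administrator change or remove stored files. The folder path and group name in the usage lines are hypothetical, and it assumes it is run by an administrator of the folder.

```powershell
# Added example, not code from the thread. 'D:\Drop' and 'EXAMPLE\Uploaders'
# in the usage lines at the bottom are hypothetical placeholders.
Set-StrictMode -Version 2.0

function Set-DropFolderAcl {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Identity)

    # Stop inheriting but keep a copy of the inherited ACEs, then re-read the
    # ACL so those copies can be edited as explicit entries.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
    $acl = Get-Acl -LiteralPath $Path

    # A CREATOR OWNER (S-1-3-0) ACE would give each uploader control of the
    # file they just created, which defeats the store-only goal.
    $creatorOwner = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-0')
    $acl.PurgeAccessRules($creatorOwner)
    $account = New-Object System.Security.Principal.NTAccount($Identity)
    $acl.PurgeAccessRules($account)

    # Create Files/Write Data on the folder itself; inheritance 'None' means
    # the files stored in it receive nothing from this ACE.
    $grant = [System.Security.AccessControl.FileSystemRights]'CreateFiles, Traverse, ListDirectory, ReadAttributes, Synchronize'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, $grant, 'None', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-DropFolderAclFinding {
    # Trusted identities are compared by SID: SYSTEM and BUILTIN\Administrators.
    param([Parameter(Mandatory)][string]$Path,
          [string[]]$TrustedSid = @('S-1-5-18', 'S-1-5-32-544'))

    # Rights that allow changing or removing a stored file, plus GENERIC_ALL
    # and GENERIC_WRITE as they appear in inherit-only ACEs.
    $changeMask = ([int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership') -bor 0x50000000
    $deleteChild = [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
    $objectInherit = [int][System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedSid -contains $ace.IdentityReference.Value) { continue }
        $bits = [int]$ace.FileSystemRights
        $reachesFiles = ([int]$ace.InheritanceFlags -band $objectInherit) -ne 0
        $appliesToFolder = ([int]$ace.PropagationFlags -band $inheritOnly) -eq 0
        if ($reachesFiles -and ($bits -band $changeMask)) {
            "$($ace.IdentityReference.Value): change rights inherited by stored files ($($ace.FileSystemRights))"
        }
        if ($appliesToFolder -and ($bits -band $deleteChild)) {
            "$($ace.IdentityReference.Value): may delete any file in the folder (Delete Subfolders and Files)"
        }
    }
}

# Usage (hypothetical names):
# Set-DropFolderAcl -Path 'D:\Drop' -Identity 'EXAMPLE\Uploaders'
# Get-DropFolderAclFinding -Path 'D:\Drop'
```

A file's creator is still its owner, and an owner can always rewrite that file's ACL; Windows Server 2008 and later can limit this with an OWNER RIGHTS (S-1-3-4) ACE.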


[ActiveDir] Domain System Volume

2006-04-12 Thread Justin_Leney
Return Receipt

   Your document: [ActiveDir] Domain System Volume
   was received by: Justin Leney/US/DCI
   at: 04/12/2006 07:56:53 PM









RE: [ActiveDir] Network browsing slow and not showing all compute rs

2006-04-12 Thread Brian Desmond
Because it caters largely to the smaller operations crowd where
it's useful for those folks I think.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, April 12, 2006 7:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Network browsing slow and not showing all
compute rs

What? BE has a manual input box for the machine name? Trying
to figure out why I'd want to use the browser in the first place then.

On 4/12/06, Brian Desmond <[EMAIL PROTECTED]> wrote:

Smack myself everytime I accidentally click the little expand thing in their browser
since it's a single threaded GUI. They have a manually punch in the server name
box.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Al Mulnick
Sent: Wednesday, April 12, 2006 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Network browsing slow and not
showing all compute rs

how'd you work around it?

On 4/11/06, Brian Desmond <[EMAIL PROTECTED]> wrote:

I've got 10 and it uses the crap – you can work around it though. Trend does as well.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Al Mulnick
Sent: Tuesday, April 11, 2006 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Network browsing slow and not showing all
compute rs

BE uses the network browser?? What version is that?

There is no way to build that network browser and then not let others on the
network see it that I'm aware of; network browsing is older than security :)

WINS is the way to go for what I think you want to accomplish.  WINS is
the preferred method.

Al

On 4/11/06, Joe Lagreca <[EMAIL PROTECTED]> wrote: 

I appreciate all your very good points.

Let me start by saying not all of our users need to be able to browse 
the entire network, just a few of our machines.  Currently we were
running backup exec on our server, choosing which clients to push the 
agent to.  Backup exec chooses the clients to push the agent to via
the network browser. 

I have resolved the network browser speed issue on my WinXP
workstation by starting the "Computer Browser
service".  However it 
still cannot see all active machines on the network.

If I check the AD DNS, I see far more registered computers than in the 
network browser.  I can ping them as well to make sure they are
actually turned on. 

Our subnets can all talk to each other with no ports being blocked.
However I'm not sure if broadcast traffic is being passed. 

Our two AD controllers only seem to be able to keep track of the
computers in their subnet. I think our problem is that we don't have a 
Subnet Browser or Local Master Browser on our other subnets.

I thought WINS was the old school way of keeping track of the 
computers on the network, and it wasn't ideal to use anymore, so I
haven't looked into it at all.  Am I wrong in thinking this? 

How would I prevent all of our employees from being able to list the
resources in their network browser, but still be able to do it on our 
IT workstations?

Thanks!


Joe


On 4/11/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
<[EMAIL PROTECTED]> wrote:
> (waiving hand)
>
> In little lans we do... of course in little lans I've mapped the drive
> letter for the UNC path for them so ... I guess it's just me that uses
> browse the network function now that i think about it.
>
> Noah Eiger wrote:
>
> >Do most folks really allow users to browse their networks? What reason would
> >end users have to browse for anything besides servers? (Some might argue
> >there is not reason to actually 'browse' for anything.)
> >
> >-- nme
> >
> >-Original Message-
> >From: Gorder, Lee E Mr CTNOSC/GD-NS [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, April 11, 2006 12:31 PM
> >To: 'ActiveDir@mail.activedir.org'
> >Subject: RE: [ActiveDir] Network browsing slow and not showing all compute rs
> >
> >If they are on different subnets ensure UDP 137 is allowed through the
> >router.  Are you using WINS?  I doubt this is a problem with your domain
> >controllers or DNS for that matter.
> >
> >Check the following
> >- Ensure NetBIOS over TCP is enabled
> >- Browser service is running
> >- Router/firewall settings
> >- Restart master browser
> >
> >
> >-Original Message-
> >From: Joe Lagreca [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, April 11, 2006 12:11 PM
> >To: ActiveDir@mail.activedir.org
> >Subject: [ActiveDir] Network browsing slow and not showing all computers
> >
> >When I try to browse our domain via the network:
> >
> >Start -> My Network Places -> Entire Network -> Microsoft Windows
> >Netwo

Re: [ActiveDir] Network browsing slow and not showing all compute rs

2006-04-12 Thread Al Mulnick
What? BE has a manual input box for the machine name? Trying to figure out why I'd want to use the browser in the first place then.

On 4/12/06, Brian Desmond <[EMAIL PROTECTED]> wrote:

Smack myself everytime I accidentally click the little expand thing in their browser since it's a single threaded GUI. They have a manually punch in the server name box.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, April 12, 2006 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Network browsing slow and not showing all compute rs

how'd you work around it?

On 4/11/06, Brian Desmond <[EMAIL PROTECTED]> wrote:

I've got 10 and it uses the crap – you can work around it though. Trend does as well.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, April 11, 2006 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Network browsing slow and not showing all compute rs

BE uses the network browser?? What version is that?

There is no way to build that network browser and then not let others on the network see it that I'm aware of; network browsing is older than security :)

WINS is the way to go for what I think you want to accomplish.  WINS is the preferred method.

Al

On 4/11/06, Joe Lagreca <[EMAIL PROTECTED]> wrote:
I appreciate all your very good points.

Let me start by saying not all of our users need to be able to browse the entire network, just a few of our machines.  Currently we were running backup exec on our server, choosing which clients to push the agent to.  Backup exec chooses the clients to push the agent to via the network browser.

I have resolved the network browser speed issue on my WinXP workstation by starting the "Computer Browser service".  However it still cannot see all active machines on the network.

If I check the AD DNS, I see far more registered computers than in the network browser.  I can ping them as well to make sure they are actually turned on.

Our subnets can all talk to each other with no ports being blocked. However I'm not sure if broadcast traffic is being passed.

Our two AD controllers only seem to be able to keep track of the computers in their subnet. I think our problem is that we don't have a Subnet Browser or Local Master Browser on our other subnets.

I thought WINS was the old school way of keeping track of the computers on the network, and it wasn't ideal to use anymore, so I haven't looked into it at all.  Am I wrong in thinking this?

How would I prevent all of our employees from being able to list the resources in their network browser, but still be able to do it on our IT workstations?

Thanks!

Joe

On 4/11/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
<[EMAIL PROTECTED]> wrote:
> (waiving hand)
>
> In little lans we do... of course in little lans I've mapped the drive
> letter for the UNC path for them so ... I guess it's just me that uses
> browse the network function now that i think about it.
>
> Noah Eiger wrote:
>
> >Do most folks really allow users to browse their networks? What reason would
> >end users have to browse for anything besides servers? (Some might argue
> >there is not reason to actually 'browse' for anything.)
> >
> >-- nme
> >
> >-Original Message-
> >From: Gorder, Lee E Mr CTNOSC/GD-NS [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, April 11, 2006 12:31 PM
> >To: 'ActiveDir@mail.activedir.org'
> >Subject: RE: [ActiveDir] Network browsing slow and not showing all compute rs
> >
> >If they are on different subnets ensure UDP 137 is allowed through the
> >router.  Are you using WINS?  I doubt this is a problem with your domain
> >controllers or DNS for that matter.
> >
> >Check the following
> >- Ensure NetBIOS over TCP is enabled
> >- Browser service is running
> >- Router/firewall settings
> >- Restart master browser
> >
> >
> >-Original Message-
> >From: Joe Lagreca [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, April 11, 2006 12:11 PM
> >To: ActiveDir@mail.activedir.org
> >Subject: [ActiveDir] Network browsing slow and not showing all computers
> >
> >When I try to browse our domain via the network:
> >
> >Start -> My Network Places -> Entire Network -> Microsoft Windows
> >Network -> mydomain
> >
> >it is very slow, and won't show all active computers.  DNS is
> >functioning properly, as I can resolve all names just fine.
> >
> >This happens on both windows 2000 and windows xp clients.  Not all
> >computers, including the servers, are on the same subnet.  Domain
> >controllers are windows 2003.
> >
> >I am inclined to think something about our domain controllers isn't
> >configured properly.  Has anyone had this problem before, or have an
> >idea where I should look for a fix?

Re: [ActiveDir] OU's Structure

2006-04-12 Thread mike kline
Milton,
 
The OU structure you are using is fine and it is fairly common.  You are using a function-based design that makes it easier for you to administer your domain.
 
OU's are created for basically two reasons.  The first is for group policies and the second is for delegation of administration.  You are using your structure to apply policies and that is fine.  You could also use GPO security filtering if you condensed all the users into one OU but you are right that would lead to a more complex GPO design for you.

 
Microsoft has addressed this specific topic in their documentation.  Take a look at 
 
http://www.microsoft.com/windows2000/techinfo/reskit/deploy/ccm/Chapt-5.doc
"OU depth does not noticeably affect the length of logon time, regardless of whether the user is in a higher-level OU or a lower-level OU"
 
So the number of depth of the OU structure in itself will not affect your login times.  What the consultant may have been thinking about is the number of GPO's that a user has to process when a user logs in.  That can have an effect on login times but you can't always equate OU with a GPO.

 
Microsoft also has tips for optimizing logon performance 
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;315418&sd=tech
How to optimize Group Policy Logon Performance.
 
You said that you are not seeing any difference in login times in your departments so again your structure and GPO deployment seem to be ok.
 
 
Thanks
Mike
 
 
On 4/12/06, Milton Sancho <[EMAIL PROTECTED]> wrote:


Hello,
 
I got a discussion with a consultant who was hired to deploy a new corporate domain (Win2003) structure.

We have right now a domain running on Windows 2000 (Active Directory 2000), I created a logical OU structure in the domain controller according to all the departments we have in the network. For instance sales, customer service, IT, marketing, Facilities, so on. With this structure I have all the users and objects organized by OU, then if we need to apply GPO or customized security policies we apply it by department (OU) without affecting other OUs (Departments).

However on the other hand, the consultant told us we have not to use this "OU structure", because it decreases login time at client level. ???
Not sure about his comment. Because I have seen how end users log in on their different departments without the behaviour that he argumented.

Now, we have a Win2003 domain, without the "OU Structure" that we have in the win2000 domain, I have not found yet the difference he mentioned. Besides to keep all users just into one OU looks to be more complex to apply GPO and other policies.

 
 Thanks comments


RE: [ActiveDir] OU's Structure

2006-04-12 Thread Brian Desmond
Your consultant is smoking something. OU depth has nothing to do with logon time (although I have seen recommendations to keep it like under 5 or 7 depth as a matter of design practice). The number of group policies the client has to process will of course affect logon time (and if you have them linked at every level in the tree of course logon time will increase).

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Milton Sancho
Sent: Wednesday, April 12, 2006 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OU's Structure

Hello,

I had a discussion with a consultant who was hired to deploy a new corporate domain (Win2003) structure.

We have right now a domain running on Windows 2000 (Active Directory 2000). I created a logical OU structure in the domain controller according to all the departments we have in the network, for instance sales, customer service, IT, marketing, Facilities, and so on. With this structure I have all the users and objects organized by OU, so if we need to apply a GPO or customized security policies we apply it by department (OU) without affecting other OUs (departments).

However, on the other hand, the consultant told us we have not to use this "OU structure", because it decreases login time at client level. ???

Not sure about his comment, because I have seen how end users log on in their different departments without the behaviour that he argued.

Now we have a Win2003 domain, without the "OU structure" that we have in the Win2000 domain, and I have not yet found the difference he mentioned. Besides, keeping all users in just one OU looks to be more complex for applying GPOs and other policies.

Thanks for comments


RE: [ActiveDir] Network browsing slow and not showing all compute rs

2006-04-12 Thread Brian Desmond
Smack myself every time I accidentally click the little expand thing in their browser since it’s a single threaded GUI. They have a manually punch in the server name box.

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, April 12, 2006 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Network browsing slow and not showing all compute rs

how'd you work around it?

On 4/11/06, Brian Desmond <[EMAIL PROTECTED]> wrote:

I've got 10 and it uses the crap – you can work around it though. Trend does as well.

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, April 11, 2006 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Network browsing slow and not showing all compute rs

BE uses the network browser?? What version is that?

There is no way to build that network browser and then not let others on the network see it that I'm aware of; network browsing is older than security :)

WINS is the way to go for what I think you want to accomplish.  WINS is the preferred method.

Al

On 4/11/06, Joe Lagreca <[EMAIL PROTECTED]> wrote: 

I appreciate all your very good points.

Let me start by saying not all of our users need to be able to browse 
the entire network, just a few of our machines.  Currently we were
running backup exec on our server, choosing which clients to push the 
agent to.  Backup exec chooses the clients to push the agent to via
the network browser. 

I have resolved the network browser speed issue on my WinXP
workstation by starting the "Computer Browser service".  However it
still cannot see all active machines on the network.

If I check the AD DNS, I see far more registered computers than in the 
network browser.  I can ping them as well to make sure they are
actually turned on. 

Our subnets can all talk to each other with no ports being blocked.
However I'm not sure if broadcast traffic is being passed. 

Our two AD controllers only seem to be able to keep track of the
computers in their subnet. I think our problem is that we don't have a 
Subnet Browser or Local Master Browser on our other subnets.

I thought WINS was the old school way of keeping track of the 
computers on the network, and it wasn't ideal to use anymore, so I
haven't looked into it at all.  Am I wrong in thinking this? 

How would I prevent all of our employees from being able to list the
resources in their network browser, but still be able to do it on our 
IT workstations?

Thanks!


Joe


On 4/11/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:
> (waiving hand)
>
> In little lans we do... of course in little lans I've mapped the drive
> letter for the UNC path for them so ... I guess it's just me that uses
> browse the network function now that i think about it.
>
> Noah Eiger wrote:
>
> >
> >Do most folks really allow users to browse their networks? What reason would
> >end users have to browse for anything besides servers? (Some might argue
> >there is not reason to actually 'browse' for anything.)
> >
> >-- nme
> >
> >-Original Message-
> >From: Gorder, Lee E Mr CTNOSC/GD-NS [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, April 11, 2006 12:31 PM
> >To: 'ActiveDir@mail.activedir.org'
> >Subject: RE: [ActiveDir] Network browsing slow and not showing all compute
> >rs
> >
> >If they are on different subnets ensure UDP 137 is allowed through the
> >router.  Are you using WINS?  I doubt this is a problem with your domain
> >controllers or DNS for that matter.
> >
> >Check the following
> >- Ensure NetBIOS over TCP is enabled
> >- Browser service is running
> >- Router/firewall settings
> >- Restart master browser
> >
> >
> >-Original Message-
> >From: Joe Lagreca [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, April 11, 2006 12:11 PM
> >To: ActiveDir@mail.activedir.org
> >Subject: [ActiveDir] Network browsing slow and not showing all computers
> >
> >When I try to browse our domain via the network:
> >
> >Start -> My Network Places -> Entire Network -> Microsoft Windows
> >Network -> mydomain
> >
> >it is very slow, and won't show all active computers.  DNS is
> >functioning properly, as I can resolve all names just fine.
> >
> >This happens on both windows 2000 and windows xp clients.  Not all
> >computers, including the servers, are on the same subnet.  Domain
> >controllers are windows 2003.
> >
> >I am inclined to think something about our domain controllers isn't
> >configured properly.  Has anyone had this problem before, or have an
> >idea where I should look for a fix?
> >List info   : http://www.activedir.org/List.aspx
> >List FAQ: http://www.activedir.org/ListFAQ.aspx
> >List archive:

RE: [ActiveDir] OU's Structure

2006-04-12 Thread Dean Wells



The OU structure and depth does not directly influence logon time (AD hierarchy is in fact something of a simulation).  Hierarchy can influence login performance only when nested sufficiently deeply and with a large number of linked GPOs at each or most of the superior OUs, a choice made by admins., not a default.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com


  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Milton Sancho
  Sent: Wednesday, April 12, 2006 4:54 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OU's Structure

  Hello,

  I had a discussion with a consultant who was hired to deploy a new corporate domain (Win2003) structure.

  We have right now a domain running on Windows 2000 (Active Directory 2000). I created a logical OU structure in the domain controller according to all the departments we have in the network, for instance sales, customer service, IT, marketing, Facilities, and so on. With this structure I have all the users and objects organized by OU, so if we need to apply a GPO or customized security policies we apply it by department (OU) without affecting other OUs (departments).

  However, on the other hand, the consultant told us we have not to use this "OU structure", because it decreases login time at client level. ???

  Not sure about his comment, because I have seen how end users log on in their different departments without the behaviour that he argued.

  Now we have a Win2003 domain, without the "OU structure" that we have in the Win2000 domain, and I have not yet found the difference he mentioned. Besides, keeping all users in just one OU looks to be more complex for applying GPOs and other policies.

  Thanks for comments


RE: [ActiveDir] OU's Structure

2006-04-12 Thread deji
The consultant may have been referring to the number of GPOs that you are
attaching to the OUs. The more GPOs that have to be processed, the longer the
login time.
 
OU design is really a matter of preference, IMO.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of Milton Sancho
Sent: Wed 4/12/2006 1:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OU's Structure


Hello,
 
I had a discussion with a consultant who was hired to deploy a new corporate
domain (Win2003) structure.

We have right now a domain running on Windows 2000 (Active Directory 2000). I
created a logical OU structure in the domain controller according to all the
departments we have in the network, for instance sales, customer service, IT,
marketing, Facilities, and so on. With this structure I have all the users and
objects organized by OU, so if we need to apply a GPO or customized security
policies we apply it by department (OU) without affecting other OUs
(departments).

However, on the other hand, the consultant told us we have not to use this "OU
structure", because it decreases login time at client level. ???
Not sure about his comment, because I have seen how end users log on in their
different departments without the behaviour that he argued.

Now we have a Win2003 domain, without the "OU structure" that we have in
the Win2000 domain, and I have not yet found the difference he mentioned.
Besides, keeping all users in just one OU looks to be more complex for applying
GPOs and other policies.

Thanks for comments
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
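
The replies in this thread agree that logon time follows the number of GPOs a client has to process, not how deep the OU tree is. As an added example (not code from any of the posters), the PowerShell below reports each OU's depth next to the GPO links that apply to it, so the two can be compared directly; it assumes the RSAT ActiveDirectory and GroupPolicy modules, and the function name Get-OuPolicyLoad is made up for the example.

```powershell
# Added example: read-only report, makes no changes to AD or Group Policy.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are installed.
Import-Module ActiveDirectory, GroupPolicy

function Get-OuPolicyLoad {
    param(
        # Where to start; defaults to the current domain (assumption).
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $dn = $_.DistinguishedName

        # Depth = number of OU= components in the DN
        # (split on commas that are not escaped with a backslash).
        $depth = @($dn -split '(?<!\\),' | Where-Object { $_ -like 'OU=*' }).Count

        # GpoLinks          = links made directly on this OU
        # InheritedGpoLinks = links that apply here after inheritance,
        #                     Block Inheritance and Enforced are resolved
        $som = Get-GPInheritance -Target $dn

        [pscustomobject]@{
            OU                = $dn
            Depth             = $depth
            DirectLinks       = @($som.GpoLinks | Where-Object { $_.Enabled }).Count
            ApplicableLinks   = @($som.InheritedGpoLinks).Count
            BlocksInheritance = $som.GpoInheritanceBlocked
        }
    }
}

# Sort by the number that actually drives processing time. Security and WMI
# filtering are not evaluated here, so ApplicableLinks is an upper bound for
# any one user or computer in the OU.
Get-OuPolicyLoad |
    Sort-Object ApplicableLinks -Descending |
    Format-Table Depth, DirectLinks, ApplicableLinks, BlocksInheritance, OU -AutoSize
```

A deep OU with few applicable links costs little at logon; a shallow OU with many links is the one to review.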


[ActiveDir] OU's Structure

2006-04-12 Thread Milton Sancho
Hello,
 
I had a discussion with a consultant who was hired to deploy a new corporate domain (Win2003) structure.

We have right now a domain running on Windows 2000 (Active Directory 2000). I created a logical OU structure in the domain controller according to all the departments we have in the network, for instance sales, customer service, IT, marketing, Facilities, and so on. With this structure I have all the users and objects organized by OU, so if we need to apply a GPO or customized security policies we apply it by department (OU) without affecting other OUs (departments).

However, on the other hand, the consultant told us we have not to use this "OU structure", because it decreases login time at client level. ???
Not sure about his comment, because I have seen how end users log on in their different departments without the behaviour that he argued.

Now we have a Win2003 domain, without the "OU structure" that we have in the Win2000 domain, and I have not yet found the difference he mentioned. Besides, keeping all users in just one OU looks to be more complex for applying GPOs and other policies.

Thanks for comments


RE: [ActiveDir] Domain System Volume

2006-04-12 Thread Group, Russ



Thank you very much.  Right after I sent this - I reread the document.  I guess this was a "DUH" moment!

Thanks
Russ


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivarez, Sergio J Mr CTNOSC/GD-NS
Sent: Wednesday, April 12, 2006 4:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain System Volume


If you look at the Microsoft document on Metadata cleanup it states this as a step:

Use ADSIEdit to delete the FRS member object. To do this, follow these steps:

  a. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK
  b. Expand the Domain NC container.
  c. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
  d. Expand CN=System.
  e. Expand CN=File Replication Service.
  f. Expand CN=Domain System Volume (SYSVOL share).
  g. Right-click the domain controller you are removing, and then click Delete.

Make sure you clean up DNS!
http://support.microsoft.com/?kbid=216498

Thanks... ... ... ...

- Sergio


From: Group, Russ [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 12, 2006 1:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain System Volume

Hi all

We had removed an old DC using metadata cleanup.  However, I still see errors referring to the removed DC in the event logs of the current DCs.  Digging through ADSI Edit, I found the old DC in CN=System, CN=File Replication Service, CN=Domain System Volume (SYSvol share).  I believe that I can just delete the object, but I would like to hear from someone who has done this before.

Help?

Thanks
Russ


RE: [ActiveDir] Domain System Volume

2006-04-12 Thread Olivarez, Sergio J Mr CTNOSC/GD-NS
If you look at the Microsoft document on Metadata cleanup it states this as a step:

Use ADSIEdit to delete the FRS member object. To do this, follow these steps:

  a. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK
  b. Expand the Domain NC container.
  c. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
  d. Expand CN=System.
  e. Expand CN=File Replication Service.
  f. Expand CN=Domain System Volume (SYSVOL share).
  g. Right-click the domain controller you are removing, and then click Delete.

Make sure you clean up DNS!

http://support.microsoft.com/?kbid=216498

Thanks... ... ... ...

- Sergio


From: Group, Russ [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 12, 2006 1:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain System Volume

Hi all

We had removed an old DC using metadata cleanup.  However, I still see errors referring to the removed DC in the event logs of the current DCs.  Digging through ADSI Edit, I found the old DC in CN=System, CN=File Replication Service, CN=Domain System Volume (SYSvol share).  I believe that I can just delete the object, but I would like to hear from someone who has done this before.

Help?

Thanks

Russ


RE: [ActiveDir] Domain System Volume

2006-04-12 Thread deji
Go ahead and delete it. Delete it in Sites and Services as well as in the
Domain Controllers OU if it's still there. Then look for traces of it in your
DNS zone and nuke any reference to it.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of Group, Russ
Sent: Wed 4/12/2006 1:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain System Volume


Hi all
 
We had removed an old DC using metadata cleanup.  However, I still see errors
referring to the removed DC in the event logs of the current DCs.  Digging
through ADSI Edit, I found the old DC in CN=System, CN=File Replication
Service, CN=Domain System Volume (SYSvol share).  I believe that I can just
delete the object, but I would like to hear from someone who has done this
before.
 
Help?
 
Thanks

Russ
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
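
Before deleting the leftover object discussed in this thread, it helps to confirm which FRS member entries no longer correspond to a live domain controller. As an added example (not from the posters or the Microsoft article), this read-only PowerShell lists the member objects under the SYSVOL replica set and flags those whose computer reference does not match a current DC; it assumes the RSAT ActiveDirectory module, and the function name Get-StaleFrsSysvolMember is made up for the example.

```powershell
# Added example: read-only check, deletes nothing.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-StaleFrsSysvolMember {
    param(
        # Domain naming context; defaults to the current domain (assumption).
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )

    # Same container the thread walks to in ADSI Edit:
    # CN=System > CN=File Replication Service > CN=Domain System Volume (SYSVOL share)
    $replicaSet = "CN=Domain System Volume (SYSVOL share)," +
                  "CN=File Replication Service,CN=System,$DomainDN"

    # Computer object DNs of the domain controllers that exist today.
    $liveDcs = @(Get-ADDomainController -Filter * |
                 ForEach-Object { $_.ComputerObjectDN })

    Get-ADObject -SearchBase $replicaSet -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=nTFRSMember)' `
                 -Properties frsComputerReference, serverReference |
        ForEach-Object {
            $computerRef = $_.frsComputerReference

            [pscustomobject]@{
                Member            = $_.Name
                ComputerReference = $computerRef
                ServerReference   = $_.serverReference
                # Stale when the reference is empty (the computer object is
                # gone) or points at something that is not a current DC.
                Stale             = (-not $computerRef) -or
                                    ($liveDcs -notcontains $computerRef)
            }
        }
}

Get-StaleFrsSysvolMember | Format-Table Member, Stale, ComputerReference -AutoSize
```

Only entries reported as stale are candidates for the manual deletion step, followed by the Sites and Services and DNS cleanup mentioned above.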


[ActiveDir] User rights

2006-04-12 Thread adriaoramos

My friends, I need a little help.
How can I grant a user rights to join computers
in my domain?
I don't want any other right, just that.
What is the best way to do that?
I tried to delegate rights on computers object > create object.
Is that right?
adriao ramos

[ActiveDir] Domain System Volume

2006-04-12 Thread Group, Russ



Hi all

We had removed an old DC using metadata cleanup.  However, I still see errors referring to the removed DC in the event logs of the current DCs.  Digging through ADSI Edit, I found the old DC in CN=System, CN=File Replication Service, CN=Domain System Volume (SYSvol share).  I believe that I can just delete the object, but I would like to hear from someone who has done this before.

Help?

Thanks
Russ


Re: [ActiveDir] Network browsing slow and not showing all compute rs

2006-04-12 Thread Al Mulnick
how'd you work around it? 
On 4/11/06, Brian Desmond <[EMAIL PROTECTED]> wrote:



I've got 10 and it uses the crap – you can work around it though. Trend does as well.

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, April 11, 2006 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Network browsing slow and not showing all compute rs


 

BE uses the network browser?? What version is that? 

 

There is no way to build that network browser and then not let others on the network see it that I'm aware of; network browsing is older than security :) 

 

WINS is the way to go for what I think you want to accomplish.  WINS is the preferred method. 

 

Al 

On 4/11/06, Joe Lagreca <[EMAIL PROTECTED]> wrote: 
I appreciate all your very good points.

Let me start by saying not all of our users need to be able to browse the entire network, just a few of our machines.  Currently we were running backup exec on our server, choosing which clients to push the agent to.  Backup exec chooses the clients to push the agent to via the network browser.

I have resolved the network browser speed issue on my WinXP workstation by starting the "Computer Browser service".  However it still cannot see all active machines on the network.

If I check the AD DNS, I see far more registered computers than in the network browser.  I can ping them as well to make sure they are actually turned on.

Our subnets can all talk to each other with no ports being blocked. However I'm not sure if broadcast traffic is being passed.

Our two AD controllers only seem to be able to keep track of the computers in their subnet. I think our problem is that we don't have a Subnet Browser or Local Master Browser on our other subnets.

I thought WINS was the old school way of keeping track of the computers on the network, and it wasn't ideal to use anymore, so I haven't looked into it at all.  Am I wrong in thinking this?

How would I prevent all of our employees from being able to list the resources in their network browser, but still be able to do it on our IT workstations?

Thanks!

Joe

On 4/11/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:
> (waiving hand)
>
> In little lans we do... of course in little lans I've mapped the drive
> letter for the UNC path for them so ... I guess it's just me that uses
> browse the network function now that i think about it.
>
> Noah Eiger wrote:
>
> >
> >Do most folks really allow users to browse their networks? What reason would
> >end users have to browse for anything besides servers? (Some might argue
> >there is not reason to actually 'browse' for anything.)
> >
> >-- nme
> >
> >-Original Message-
> >From: Gorder, Lee E Mr CTNOSC/GD-NS [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, April 11, 2006 12:31 PM
> >To: 'ActiveDir@mail.activedir.org'
> >Subject: RE: [ActiveDir] Network browsing slow and not showing all compute
> >rs
> >
> >If they are on different subnets ensure UDP 137 is allowed through the
> >router.  Are you using WINS?  I doubt this is a problem with your domain
> >controllers or DNS for that matter.
> >
> >Check the following
> >- Ensure NetBIOS over TCP is enabled
> >- Browser service is running
> >- Router/firewall settings
> >- Restart master browser
> >
> >
> >-Original Message-
> >From: Joe Lagreca [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, April 11, 2006 12:11 PM
> >To: ActiveDir@mail.activedir.org
> >Subject: [ActiveDir] Network browsing slow and not showing all computers
> >
> >When I try to browse our domain via the network:
> >
> >Start -> My Network Places -> Entire Network -> Microsoft Windows
> >Network -> mydomain
> >
> >it is very slow, and won't show all active computers.  DNS is
> >functioning properly, as I can resolve all names just fine.
> >
> >This happens on both windows 2000 and windows xp clients.  Not all
> >computers, including the servers, are on the same subnet.  Domain
> >controllers are windows 2003.
> >
> >I am inclined to think something about our domain controllers isn't
> >configured properly.  Has anyone had this problem before, or have an
> >idea where I should look for a fix?
> >List info   : http://www.activedir.org/List.aspx
> >List FAQ: http://www.activedir.org/ListFAQ.aspx
> >List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
> >List info   : http://www.activedir.org/List.aspx
> >List FAQ: http://www.activedir.org/ListFAQ.aspx
> >List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
> >
> >
> >
>
> --
> Letting your vendors set your risk analysis these days?
> http://www.threatcode.com
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
ht

RE: [ActiveDir] Extending the schema

2006-04-12 Thread Lee, Wook
A lot of the complexity comes from having
multiple domains. If you have a simple forest with a single domain, then it’s
doable but ugly. As you scale up the complexity of your forest, if you insist
on having users from each domain, then you have to deal with an N-squared
expansion in the number of permissioning steps in order to get everything
talking to everything else. That’s why there are alternative deployment
strategies that reduce that complexity. I advocate the resource domain
architecture because you can throw it away at the end of the day if you want,
or hand it over to an outsourcer.

 

So the schema change itself will not be so
bad especially if you get all the DCs upgraded to Windows 2003 SP1. You will
avoid all of the headaches associated with full GC re-sync, though to be honest
it’s not a big deal if you only have one domain.

 

The main issues for me are the placement
of the system objects (though I’ve heard that they might fix that in a
future version) and the overall permissions model which involves domain global
groups, new property sets and domain-wide ACLs with ACEs referring to those
domain groups for every domain with servers in it.

 

Don’t get me wrong. I like the LCS
functionality. I like the service and what it does for me. I just don’t
like the implementation.

 

Wook

 









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 12, 2006 12:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extending
the schema



 

...what joe said, but also test the app
thoroughly and document its issues so that you can then perform a CYA job back
to those asking for the product and to your own boss :)

 

This is par for the course in the world of
IT - we are often forced to deploy cr** and all we can do to mitigate the
situation is to document our misgivings. At least if the whole thing blows up
in your face, you can point to a doc or email and state 'told you so' :)

 

neil







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 April 2006 07:43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extending
the schema

I do not have first hand experience with
it but have been speaking to some very trusted friends who have been trying to
implement it and pretty much anything they say I would take as if I saw it
myself. From what I hear there are some "odd" ACEs added to the ACLs
(I believe at the NC Head level) that make no sense but are required or you can't
install LCS Servers. I believe specifically there is something with a property
set that is absolutely worthless (I don't recall the details now). Also you
can't substitute the ACEs, you must have the exact ACEs in place that the LCS
prep puts into place. That means they aren't checking access rights, they are
scanning the ACL
looking for a specific ACE which ranks up there with some of the worst things I
have seen out of any AD enabled app. This isn't very unusual for Exchange
related stuff. The Exchange folks don't seem to really know how to use AD
properly and LCS came from Exchange folks and has Exchange Dev all over
it. Exchange itself had some very odd delegations that had to be made in the
early E2K timeframe that I ran into and bugged that was absolutely meaningless
as well if you were trying to delegate minimal permissions. I recall there was
one delegation of an attribute that only existed on some config container
objects but needed to be applied to users or else the GUI tools wouldn't work.
Completely asinine stuff. I guess they are hitting the same crap with LCS.

 

To add even more pain, the MCS
guy that my friends have been working with has been just a hair above useless
for the whole thing so probably better to sit down and work it out yourself
than contract MCS
to come in and help out. I have personal experience with the specific MCS
person and I am not entirely surprised though this is just one more area
where he is supposed to be knowledgeable and this customer is so large that you
would expect MCS
wouldn't be dumb and send in someone who isn't pretty good with the product.

 

Basically, if you are being forced to use
it, you don't have much choice, lube up and go for it. If you do have a choice,
go through the product with a fine tooth comb in the lab and document all of
the crap and then complain to MS. Possibly if enough people tell them that the
functionality isn't good enough to deal with a shitty implementation they might
get a clue. Most likely it has gone as far as it has is because most people
don't have a clue what they are doing when they are installing things and
assume anything out of MS will be done correctly and never verify the changes
made in the directory and how much sense they may or may not make.

 

Oh another thing, there is some global
group requirement built into LCS for admining the product, from what I heard
you have NO CHOICE but to us

RE: [ActiveDir] Changing a users password

2006-04-12 Thread deji
Function generatePassword( allowNumbers )
 ' ASCII code ranges the characters are drawn from
 NUMLOWER    = 48  ' 48 = 0
 NUMUPPER    = 57  ' 57 = 9
 LOWERBOUND  = 65  ' 65 = A
 UPPERBOUND  = 90  ' 90 = Z
 LOWERBOUND1 = 97  ' 97 = a
 UPPERBOUND1 = 122 ' 122 = z
 PASSWORD_LENGTH = 10
 ' initialize the random number generator (seeded from the system timer)
 Randomize
 UserPass = ""
 count = 0
 Do Until count = PASSWORD_LENGTH
  If allowNumbers Then
   ' digit 0-9; the + 1 makes NUMUPPER (9) reachable, as in the letter branches
   pwd = Int( ( NUMUPPER - NUMLOWER + 1 ) * Rnd + NUMLOWER )
  Else
   ' generate a num between 2 and 10 ;
   ' if num > 4 create an uppercase else create lowercase
   If Int( ( 10 - 2 + 1 ) * Rnd + 2 ) > 4 Then
    pwd = Int( ( UPPERBOUND - LOWERBOUND + 1 ) * Rnd + LOWERBOUND )
   Else
    pwd = Int( ( UPPERBOUND1 - LOWERBOUND1 + 1 ) * Rnd + LOWERBOUND1 )
   End If
  End If
  UserPass = UserPass + Chr( pwd )
  count = count + 1
 Loop
 ' pwd1 is a number between 48 and 57; it is appended as that number, not via Chr()
 pwd1 = Int( ( NUMUPPER - NUMLOWER + 1 ) * Rnd + NUMLOWER )
 ' force the first three characters to lower case, keep the last seven as generated
 lUserPass = LCase(Left(UserPass, 3)) & Right(UserPass, 7)
 generatePassword = lUserPass & pwd1
End Function
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of Oliver Marshall
Sent: Wed 4/12/2006 2:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password



Thanks, but I have absolutely no idea how to apply that to the asp
script I have here :S

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 12 April 2006 10:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Google is a wonderful thing :)

http://www.dotnetjunkies.com/Tutorial/1A07BA3D-72EC-41E8-9713-557B9189F820.dcik

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: 12 April 2006 09:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Hmmm interesting. It certainly does what it says on the tin.

Don't suppose you know how to create an 8 character alphanumeric random
string of characters do you ?

Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 12 April 2006 09:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Delegate the ability to reset password to your helpdesk lady.

Then grab http://www.rlmueller.net/Programs/ResetPassword.txt

Clean that up, put it behind an asp page that requires authentication. Give
your helpdesk lady access to the page and show her how to use it.


Sincerely,
   _   
  (, /  |  /)   /) /)  
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /) 
   (/  
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  Do you now realize that
Today is the Tomorrow you were worried about Yesterday? -anon




From: [EMAIL PROTECTED] on behalf of Oliver Marshall
Sent: Wed 4/12/2006 12:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password



Net user command only works if you have full admin rights. I've googled
till 2am this morning, haven't found any free script that doesn't use
the DN.

Can't use ADUC as I'm afraid that, if they see what info they *could*
change, that it will snowball and they will want to change it all. The
whole reason for this is that I am out of the office more and more and
users here have a massive issue with passwords. At the moment they write
them down on a pad on the "receptionists" desk (I say receptionist, but
this lady has been here longer than the earth has been turning, and I
would rather she could generate a new random password with "change on
next logon" for all the users in a given OU than have the passwords
written on a pad on someone's desk, admin users are in a diff OU).

I'll keep hunting. Thanks for the help anyway.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: 12 April 2006 07:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Hi Oliver,

First of all the receptionist needs to be delegated the rights to reset
users passwords, as well as being made aware of the consequences (local
credential cache of the users f.e.).

To reset the password you can use commands like "net user username
password
/domain" or you
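
The generatePassword function at the top of this message draws from VBScript's Rnd, which Randomize seeds from the system timer, so its output is predictable to anyone who can narrow down when it ran. As an added example (not part of the thread), the PowerShell below does the same helpdesk reset using the operating system's cryptographic random number generator, with rejection sampling so every character is equally likely. It assumes the RSAT ActiveDirectory module and delegated reset-password rights; all three function names are made up for the example.

```powershell
# Added example. Get-UniformIndex, New-RandomPassword and
# Reset-UserPasswordRandom are hypothetical names, not existing cmdlets.

function Get-UniformIndex {
    # Returns an integer in [0, Count) with no modulo bias.
    param(
        [System.Security.Cryptography.RandomNumberGenerator]$Rng,
        [ValidateRange(1, 256)][int]$Count
    )
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $Count)      # largest multiple of Count that fits in a byte
    do { $Rng.GetBytes($buf) } while ($buf[0] -ge $limit)   # reject the biased tail
    return $buf[0] % $Count
}

function New-RandomPassword {
    param([ValidateRange(8, 128)][int]$Length = 10)

    $classes = 'abcdefghijklmnopqrstuvwxyz',
               'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
               '0123456789'
    $all = -join $classes

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $chars = New-Object 'System.Collections.Generic.List[char]'

        # One character from each class so complexity rules are met ...
        foreach ($set in $classes) {
            $chars.Add($set[(Get-UniformIndex -Rng $rng -Count $set.Length)])
        }
        # ... the rest from the full alphabet ...
        while ($chars.Count -lt $Length) {
            $chars.Add($all[(Get-UniformIndex -Rng $rng -Count $all.Length)])
        }
        # ... then a Fisher-Yates shuffle so the class positions are not fixed.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j   = Get-UniformIndex -Rng $rng -Count ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        return (-join $chars)
    }
    finally {
        $rng.Dispose()
    }
}

function Reset-UserPasswordRandom {
    # Resets one account and forces a change at next logon, as the thread asks.
    param([Parameter(Mandatory = $true)][string]$Identity)

    Import-Module ActiveDirectory
    $plain  = New-RandomPassword -Length 10
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $secure
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true
    return $plain    # hand to the user once; do not log or store it
}
```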

RE: [ActiveDir] Changing a users password

2006-04-12 Thread Marc A. Mapplebeck
Why not just create a custom MMC in author mode that only allows ADUC to set
password, nothing else. It is possible to do. - Marc


_-_-_-_-_-_-_-_-_-
-"During times of universal deceit, telling the truth becomes a
revolutionary act." - George Orwell, 1984
_-_-_-_-_-_-_-_-_-
Marc A. Mapplebeck, MCP/MCDST/N+/A+/CNA
Owner, Shutterbug Productions & Consulting
IT Manager, City Animal Hospital Ltd.
MCP#: 3146827
CompTIA#: COMP001002835054
[EMAIL PROTECTED]
[EMAIL PROTECTED]
_-_-_-_-_-_-_-_-_-
P: 506-471-7044
ICQ: 26743793
Yahoo!: mmapplebeck
MSN: [EMAIL PROTECTED]
_-_-_-_-_-_-_-_-_-
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: April 12, 2006 04:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Net user command only works if you have full admin rights. I've googled
till 2am this morning, haven't found any free script that doesn't use the
DN.

Can't use ADUC as I'm afraid that, if they see what info they *could* change,
that it will snowball and they will want to change it all. The whole reason
for this is that I am out of the office more and more and users here have a
massive issue with passwords. At the moment they write them down on a pad on
the "receptionist's" desk (I say receptionist, but this lady has been here
longer than the earth has been turning, and I would rather she could
generate a new random password with "change on next logon" for all the users
in a given OU than have the passwords written on a pad on someone's desk,
admin users are in a diff OU).

I'll keep hunting. Thanks for the help anyway.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: 12 April 2006 07:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Hi Oliver,

First of all the receptionist needs to be delegated the rights to reset
users' passwords, as well as being made aware of the consequences (local
credential cache of the users f.e.).

To reset the password you can use commands like "net user username password
/domain" or you can use AD-Tools like ADUC, "dsquery user domainroot -name
whatever | dsmod user -pwd newpass -mustchpwd yes", or you can create your
own script which searches for the user and changes password after asking for
approval. Www.microsoft.com/technet/scriptcenter provides the examples you
have to glue together for this.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Oliver 
|Marshall
|Sent: Wednesday, April 12, 2006 1:56 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Changing a users password
|
|Hi,
|
|I want to create a script that will allow a user here to change the 
|password of any other user.
|
|I have found several examples, most based on the examples on the MS 
|site. Thing is, they all depend on knowing the Distinguished Name of 
|the user, and the poor old receptionist won't have a clue what that is.
|
|Can anyone help me with a script that will change the password of a 
|user just knowing the username of the user? At the least I'm after 
|some code to find the DN of a user from their username, and I can then 
|use that with the code I already have (I think).
|
|
|Thanks
|
|Olly
|List info   : http://www.activedir.org/List.aspx
|List FAQ: http://www.a
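
One way to build the script this thread asks for (look the user up by logon name instead of DN, ask for approval, set a random password with change at next logon), as an added PowerShell example that is not code from any poster. It assumes the ActiveDirectory module, a hypothetical OU path and hypothetical function names, and an operator who holds only a delegated reset-password right on that OU.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Assumptions (not from the thread): the OU path, the function
# names, and an operator with only a delegated "Reset password" right on the OU.

$AllowedOU = 'OU=Staff,DC=example,DC=com'   # hypothetical; admin accounts live in a different OU

function Get-RandomIndex {
    # Uniform integer in [0, Max) for Max <= 256, using rejection sampling to avoid modulo bias.
    param([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$Max)
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $Max)
    do { $Rng.GetBytes($buf) } while ($buf[0] -ge $limit)
    return $buf[0] % $Max
}

function New-RandomPassword {
    param([ValidateRange(12, 64)][int]$Length = 14)
    # Look-alike characters (0/O, 1/l/I) are left out because the value is read out once.
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!#%+=?@'
    $all  = -join $sets
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $chars = New-Object 'System.Collections.Generic.List[char]'
        # One character from every class so a default complexity policy is met.
        foreach ($s in $sets) { $chars.Add($s[(Get-RandomIndex $rng $s.Length)]) }
        while ($chars.Count -lt $Length) { $chars.Add($all[(Get-RandomIndex $rng $all.Length)]) }
        # Fisher-Yates shuffle so the class order is not predictable.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-RandomIndex $rng ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        return -join $chars
    }
    finally { $rng.Dispose() }
}

function Reset-UserPasswordByLogonName {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        # Only plain logon names are accepted, so the value is safe to place in an LDAP filter.
        [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')]
        [string]$LogonName,

        [string]$SearchBase = $AllowedOU
    )

    # Resolve logon name -> DN, searching only the delegated OU.
    $found = @(Get-ADUser -LDAPFilter "(sAMAccountName=$LogonName)" `
                          -SearchBase $SearchBase -SearchScope Subtree `
                          -Properties adminCount)
    if ($found.Count -ne 1) {
        throw "Expected exactly one user '$LogonName' under $SearchBase, found $($found.Count)."
    }
    $user = $found[0]

    # Accounts that are or were members of protected groups carry adminCount = 1.
    if ($user.adminCount -eq 1) {
        throw "Refusing to reset protected account $($user.DistinguishedName)."
    }

    # ConfirmImpact 'High' makes PowerShell prompt for approval before the change.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password, force change at next logon')) {
        $plain  = New-RandomPassword
        $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
        Set-ADAccountPassword -Identity $user.DistinguishedName -Reset -NewPassword $secure
        Set-ADUser -Identity $user.DistinguishedName -ChangePasswordAtLogon $true
        [pscustomobject]@{
            LogonName         = $user.SamAccountName
            DistinguishedName = $user.DistinguishedName
            TemporaryPassword = $plain   # shown once to the operator, not stored anywhere
        }
    }
}

# Usage (constructed logon name):
#   Reset-UserPasswordByLogonName -LogonName jsmith
```

Because the search base is pinned to one OU and the delegation covers only that OU, a mistyped or hostile name cannot reach accounts elsewhere in the directory.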

RE: [ActiveDir] Deleting "default-first-site-name" site

2006-04-12 Thread Dean Wells
No, IIRC it defaults to the site of the DC from which the directory was
sourced.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Daniel Gilbert
> Sent: Wednesday, April 12, 2006 11:59 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Deleting "default-first-site-name" site
> 
> OK here is a question that will show my lack of AD knowledge:
> 
> If you promote a new domain controller and no subnet 
> association exists, doesn't that domain controller default to 
> the default-first-site?
> 
> I know it makes sense to create a new site, assign a subnet 
> to that site but ..
> 
> If that site is not there, been deleted then where does the 
> new domain controller go?
> 
> Dan
> 
> >  Original Message 
> > Subject: RE: [ActiveDir] Deleting "default-first-site-name" site
> > From: "Steve Rochford" <[EMAIL PROTECTED]>
> > Date: Wed, April 12, 2006 7:53 am
> > To: 
> > 
> > Thanks; that's what I expected but I wanted to check before I deleted
> > something crucial :-)
> >  
> > Steve
> > 
> > 
> > 
> > From: [EMAIL PROTECTED] on behalf of Dean Wells
> > Sent: Wed 12/04/2006 14:27
> > To: Send - AD mailing list
> > Subject: RE: [ActiveDir] Deleting "default-first-site-name" site
> > 
> > 
> > 
> > Since replication takes place between DCs which logically exist in
> > logical sites, no, ... not at all -- there's nothing to replicate
> > with.  Regarding the deletion question; I've deleted it more times
> > than I can count, sometimes I rename it if I need a new site ...
> > there's nothing "special" about that object outside of its name (and
> > that _should_ also prove a moot point.  This of course depends upon
> > the developer, good coding vs. bad coding ... deleting it may break
> > some joeware tools though -- haha, just teasing :0)
> > 
> > --
> > Dean Wells
> > MSEtechnology
> > * Email: [EMAIL PROTECTED]
> > http://msetechnology.com
> > 
> > 
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Steve 
> > > Rochford
> > > Sent: Wednesday, April 12, 2006 9:15 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] Deleting "default-first-site-name" site
> > >
> > > We no longer have any servers in the "default-first-site-name" site;
> > > should I delete that site? I hadn't really thought it mattered until
> > > I was looking at the latency figures with repadmin (shown below for
> > > one server).
> > > Does it matter that no replication has taken place to a site without
> > > servers?
> > >
> > > Steve
> > >
> > > Replication Latency for site willesden (wstud3.student.cnwl.ac.uk):
> > > Originating Site         Ver    Time Local Update    Time Orig. Update    Latency      Since Last
> > > =======================  =====  ===================  ===================  ===========  ===========
> > > Default-First-Site-Name  50     2004-04-07 08:25:58  2001-07-26 15:39:10  23656:46:48  17644:21:27
> > > wembley                  58498  2006-04-12 12:25:57  2006-04-12 12:25:55  00:00:02     00:21:28
> > > kilburn                  5      2006-04-12 12:10:56  2006-04-12 12:06:52  00:04:04     00:36:29
> > > willesden                59228  2006-04-12 12:09:50  2006-04-12 12:09:50  00:00:00     00:37:35
> > > Madhouse                 13173  2006-04-12 12:25:57  2006-04-12 12:22:40  00:03:17     00:21:28


RE: [ActiveDir] Deleting "default-first-site-name" site

2006-04-12 Thread Daniel Gilbert
OK here is a question that will show my lack of AD knowledge:

If you promote a new domain controller and no subnet association exists,
doesn’t that domain controller default to the “default-first-site”?

I know it makes sense to create a new site, assign a subnet to that site
but ……..

If that site is not there, been deleted then where does the new domain
controller go?

Dan

>  Original Message 
> Subject: RE: [ActiveDir] Deleting "default-first-site-name" site
> From: "Steve Rochford" <[EMAIL PROTECTED]>
> Date: Wed, April 12, 2006 7:53 am
> To: 
> 
> Thanks; that's what I expected but I wanted to check before I deleted
> something crucial :-)
>  
> Steve
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Dean Wells
> Sent: Wed 12/04/2006 14:27
> To: Send - AD mailing list
> Subject: RE: [ActiveDir] Deleting "default-first-site-name" site
> 
> 
> 
> Since replication takes place between DCs which logically exist in
> logical sites, no, ... not at all -- there's nothing to replicate with.
> Regarding the deletion question; I've deleted it more times than I can
> count, sometimes I rename it if I need a new site ... there's nothing
> "special" about that object outside of its name (and that _should_ also
> prove a moot point.  This of course depends upon the developer, good
> coding vs. bad coding ... deleting it may break some joeware tools
> though -- haha, just teasing :0)
> 
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Steve Rochford
> > Sent: Wednesday, April 12, 2006 9:15 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Deleting "default-first-site-name" site
> >
> > We no longer have any servers in the
> > "default-first-site-name" site; should I delete that site? I
> > hadn't really thought it mattered until I was looking at the
> > latency figures with repadmin (shown below for one server).
> > Does it matter that no replication has taken place to a site
> > without servers?
> > 
> > Steve
> > 
> > Replication Latency for site willesden (wstud3.student.cnwl.ac.uk):
> > Originating Site         Ver    Time Local Update    Time Orig. Update    Latency      Since Last
> > =======================  =====  ===================  ===================  ===========  ===========
> > Default-First-Site-Name  50     2004-04-07 08:25:58  2001-07-26 15:39:10  23656:46:48  17644:21:27
> > wembley                  58498  2006-04-12 12:25:57  2006-04-12 12:25:55  00:00:02     00:21:28
> > kilburn                  5      2006-04-12 12:10:56  2006-04-12 12:06:52  00:04:04     00:36:29
> > willesden                59228  2006-04-12 12:09:50  2006-04-12 12:09:50  00:00:00     00:37:35
> > Madhouse                 13173  2006-04-12 12:25:57  2006-04-12 12:22:40  00:03:17     00:21:28


[ActiveDir] Replication issues on one of our DCs

2006-04-12 Thread Rimmerman, Russ

Any ideas?

NTFS compression isn't turned on.  Maybe an impending drive failure?



Internal event: Active Directory could not update the following object
with changes received from the following source domain controller. This
is because an error occurred during the application of the changes to
Active Directory on the domain controller.

Object:

CN=FFF-LEE-Six-Sigma,OU=LEE,OU=EH,OU=CAM,DC=FFF,DC=ourdomain,DC=com

Object GUID:

0a7ba036-b9be-4c9f-b978-1d1ce99c8e40

Source domain controller:

190d7fdf-0c3f-4c5d-ad78-0df06208c3be._msdcs.ourdomain.com

Synchronization of the local domain controller with the source domain
controller is blocked until this update problem is corrected.

This operation will be tried again at the next scheduled replication.

User Action

Restart the local domain controller if this condition appears to be
related to low system resources (for example, low physical or virtual
memory).

Additional Data

Error value:

1127 While accessing the hard disk, a disk operation failed even after
retries.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.




RE: [ActiveDir] Deleting "default-first-site-name" site

2006-04-12 Thread Steve Rochford
Thanks; that's what I expected but I wanted to check before I deleted something 
crucial :-)
 
Steve



From: [EMAIL PROTECTED] on behalf of Dean Wells
Sent: Wed 12/04/2006 14:27
To: Send - AD mailing list
Subject: RE: [ActiveDir] Deleting "default-first-site-name" site



Since replication takes place between DCs which logically exist in logical
sites, no, ... not at all -- there's nothing to replicate with.  Regarding
the deletion question; I've deleted it more times than I can count,
sometimes I rename it if I need a new site ... there's nothing "special"
about that object outside of its name (and that _should_ also prove a moot
point.  This of course depends upon the developer, good coding vs. bad
coding ... deleting it may break some joeware tools though -- haha, just
teasing :0)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com



> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Steve Rochford
> Sent: Wednesday, April 12, 2006 9:15 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Deleting "default-first-site-name" site
>
> We no longer have any servers in the
> "default-first-site-name" site; should I delete that site? I
> hadn't really thought it mattered until I was looking at the
> latency figures with repadmin (shown below for one server).
> Does it matter that no replication has taken place to a site
> without servers?
> 
> Steve
> 
> Replication Latency for site willesden (wstud3.student.cnwl.ac.uk):
> Originating Site         Ver    Time Local Update    Time Orig. Update    Latency      Since Last
> =======================  =====  ===================  ===================  ===========  ===========
> Default-First-Site-Name  50     2004-04-07 08:25:58  2001-07-26 15:39:10  23656:46:48  17644:21:27
> wembley                  58498  2006-04-12 12:25:57  2006-04-12 12:25:55  00:00:02     00:21:28
> kilburn                  5      2006-04-12 12:10:56  2006-04-12 12:06:52  00:04:04     00:36:29
> willesden                59228  2006-04-12 12:09:50  2006-04-12 12:09:50  00:00:00     00:37:35
> Madhouse                 13173  2006-04-12 12:25:57  2006-04-12 12:22:40  00:03:17     00:21:28

RE: [ActiveDir] AD replication compression algorithms

2006-04-12 Thread Dean Wells
Thanks for the URL ...

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 

  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Wednesday, April 12, 2006 9:49 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD replication compression algorithms
  
  Thanks Dean.
   
  In fact technet article http://technet2.microsoft.com/WindowsServer/en/Library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx does 
  offer some "stats", which led me to wonder why this change was made and what 
  experiences other customers had of the legacy behaviour. I assumed lots of ppl 
  had seen issues. [Like yourself, I've never seen these issues - I prefer to 
  spec the DCs carefully :) ]
   
  I don't have the luxury of time to test all the permutations - as much as I'd
  like to :) I plan to suggest adoption of the legacy behaviour along with a
  suitable DC spec. I can then monitor and assess the situation thereafter and
  modify behaviour as needed. [The changes will be deployed via GPO.]
   
  Thanks again,
  neil
  
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
  Sent: 12 April 2006 14:37
  To: Send - AD mailing list
  Subject: RE: [ActiveDir] AD replication compression algorithms
  
  I've never thoroughly tested it having not encountered perf. issues with the
  now legacy MSZIP algorithm nor have I seen any published stats. from MS
  outlining tangible differences on shrink-wrapped hardware.  I'd suggest
  running through a few dry-run scenarios with the relevant reg. tweaks (below)
  in place -

  Compression adjusted per DC -
  HKLM\CCS\Services\NTDS\Parameters / REG_DWORD: Replicator compression algorithm

  Values: (default = 3)
  0 - Disable Compression
  1 - Value not used
  2 - Force MSzip algorithm
  3 - Use Xpress algorithm

  Adjusting compression expense per DC -
  HKLM\CCS\Services\NTDS\Parameters / REG_DWORD: Replicator compression level

  Values: 0 through 9 (Default=3)
  (0=faster, 9=more compression, values beyond 3 have been tested and typically
  provide little if any compression gain)

  Hope this goes some way toward helping.

  Kindest regards.

  Dean
  --
  Dean Wells
  MSEtechnology
  * Email: dwells@msetechnology.com
  http://msetechnology.com
   
  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 12, 2006 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD replication compression algorithms

Scenario:
Lots of poorly connected branch offices (as low as 64kbps)

Requirement:
Deploy a global AD replication topology which minimises WAN bandwidth usage

Suggestion:
Deploy a standard DC build (hardware and OS)
Revert to w2k legacy compression setting

Does anyone have any experience of using the older algorithm versus the newer algo?
How much "better" at compressing data is the older algo?
How much more CPU overhead does the older algo represent?

All comments welcome :)

Thanks,
neil
___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: ჸ (0) 20 7521 3481

RE: [ActiveDir] AD replication compression algorithms

2006-04-12 Thread neil.ruston
Thanks Dean.
 
In fact technet article http://technet2.microsoft.com/WindowsServer/en/Library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx does 
offer some "stats", which led me to wonder why this change was made and what 
experiences other customers had of the legacy behaviour. I assumed lots of ppl 
had seen issues. [Like yourself, I've never seen these issues - I prefer to spec 
the DCs carefully :) ]
 
I don't have the luxury of time to test all the permutations - as much as I'd
like to :) I plan to suggest adoption of the legacy behaviour along with a
suitable DC spec. I can then monitor and assess the situation thereafter and
modify behaviour as needed. [The changes will be deployed via GPO.]

Thanks again,
neil



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 12 April 2006 14:37
To: Send - AD mailing list
Subject: RE: [ActiveDir] AD replication compression algorithms

I've never thoroughly tested it having not encountered perf. issues with the
now legacy MSZIP algorithm nor have I seen any published stats. from MS
outlining tangible differences on shrink-wrapped hardware.  I'd suggest
running through a few dry-run scenarios with the relevant reg. tweaks (below)
in place -

Compression adjusted per DC -
HKLM\CCS\Services\NTDS\Parameters / REG_DWORD: Replicator compression algorithm

Values: (default = 3)
0 - Disable Compression
1 - Value not used
2 - Force MSzip algorithm
3 - Use Xpress algorithm

Adjusting compression expense per DC -
HKLM\CCS\Services\NTDS\Parameters / REG_DWORD: Replicator compression level

Values: 0 through 9 (Default=3)
(0=faster, 9=more compression, values beyond 3 have been tested and typically
provide little if any compression gain)

Hope this goes some way toward helping.

Kindest regards.

Dean
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 

  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Wednesday, April 12, 2006 6:08 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] AD replication compression algorithms
  
  Scenario:
  Lots of poorly connected branch offices (as low as 64kbps)

  Requirement:
  Deploy a global AD replication topology which minimises WAN bandwidth usage

  Suggestion:
  Deploy a standard DC build (hardware and OS)
  Revert to w2k legacy compression setting

  Does anyone have any experience of using the older algorithm versus the newer algo?
  How much "better" at compressing data is the older algo?
  How much more CPU overhead does the older algo represent?

  All comments welcome :)

  Thanks,
  neil
  ___
  Neil Ruston
  Global Technology Infrastructure
  Nomura International plc
  Telephone: ჸ (0) 20 7521 3481

RE: [ActiveDir] AD replication compression algorithms

2006-04-12 Thread Dean Wells
I've never thoroughly tested it having not encountered perf. issues with the
now legacy MSZIP algorithm nor have I seen any published stats. from MS
outlining tangible differences on shrink-wrapped hardware.  I'd suggest
running through a few dry-run scenarios with the relevant reg. tweaks (below)
in place -

Compression adjusted per DC -
HKLM\CCS\Services\NTDS\Parameters / REG_DWORD: Replicator compression algorithm

Values: (default = 3)
0 - Disable Compression
1 - Value not used
2 - Force MSzip algorithm
3 - Use Xpress algorithm

Adjusting compression expense per DC -
HKLM\CCS\Services\NTDS\Parameters / REG_DWORD: Replicator compression level

Values: 0 through 9 (Default=3)
(0=faster, 9=more compression, values beyond 3 have been tested and typically
provide little if any compression gain)

Hope this goes some way toward helping.

Kindest regards.

Dean
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 

  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Wednesday, April 12, 2006 6:08 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] AD replication compression algorithms
  
  Scenario:
  Lots of poorly connected branch offices (as low as 64kbps)

  Requirement:
  Deploy a global AD replication topology which minimises WAN bandwidth usage

  Suggestion:
  Deploy a standard DC build (hardware and OS)
  Revert to w2k legacy compression setting

  Does anyone have any experience of using the older algorithm versus the newer algo?
  How much "better" at compressing data is the older algo?
  How much more CPU overhead does the older algo represent?

  All comments welcome :)

  Thanks,
  neil
  ___
  Neil Ruston
  Global Technology Infrastructure
  Nomura International plc
  Telephone: ჸ (0) 20 7521 3481



RE: [ActiveDir] Deleting "default-first-site-name" site

2006-04-12 Thread Dean Wells
Since replication takes place between DCs which logically exist in logical
sites, no, ... not at all -- there's nothing to replicate with.  Regarding
the deletion question; I've deleted it more times than I can count,
sometimes I rename it if I need a new site ... there's nothing "special"
about that object outside of its name (and that _should_ also prove a moot
point.  This of course depends upon the developer, good coding vs. bad
coding ... deleting it may break some joeware tools though -- haha, just
teasing :0)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Steve Rochford
> Sent: Wednesday, April 12, 2006 9:15 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Deleting "default-first-site-name" site
> 
> We no longer have any servers in the 
> "default-first-site-name" site; should I delete that site? I 
> hadn't really thought it mattered until I was looking at the 
> latency figures with repadmin (shown below for one server). 
> Does it matter that no replication has taken place to a site 
> without servers?
>  
> Steve
>  
> Replication Latency for site willesden (wstud3.student.cnwl.ac.uk):
> Originating Site         Ver    Time Local Update    Time Orig. Update    Latency      Since Last
> =======================  =====  ===================  ===================  ===========  ===========
> Default-First-Site-Name  50     2004-04-07 08:25:58  2001-07-26 15:39:10  23656:46:48  17644:21:27
> wembley                  58498  2006-04-12 12:25:57  2006-04-12 12:25:55  00:00:02     00:21:28
> kilburn                  5      2006-04-12 12:10:56  2006-04-12 12:06:52  00:04:04     00:36:29
> willesden                59228  2006-04-12 12:09:50  2006-04-12 12:09:50  00:00:00     00:37:35
> Madhouse                 13173  2006-04-12 12:25:57  2006-04-12 12:22:40  00:03:17     00:21:28


[ActiveDir] Deleting "default-first-site-name" site

2006-04-12 Thread Steve Rochford
We no longer have any servers in the "default-first-site-name" site; should I 
delete that site? I hadn't really thought it mattered until I was looking at 
the latency figures with repadmin (shown below for one server). Does it matter 
that no replication has taken place to a site without servers?
 
Steve
 
Replication Latency for site willesden (wstud3.student.cnwl.ac.uk):
Originating Site         Ver    Time Local Update    Time Orig. Update    Latency      Since Last
=======================  =====  ===================  ===================  ===========  ===========
Default-First-Site-Name  50     2004-04-07 08:25:58  2001-07-26 15:39:10  23656:46:48  17644:21:27
wembley                  58498  2006-04-12 12:25:57  2006-04-12 12:25:55  00:00:02     00:21:28
kilburn                  5      2006-04-12 12:10:56  2006-04-12 12:06:52  00:04:04     00:36:29
willesden                59228  2006-04-12 12:09:50  2006-04-12 12:09:50  00:00:00     00:37:35
Madhouse                 13173  2006-04-12 12:25:57  2006-04-12 12:22:40  00:03:17     00:21:28


[ActiveDir] AD replication compression algorithms

2006-04-12 Thread neil.ruston
Scenario:
Lots of poorly connected branch offices (as low as 64kbps)

Requirement:
Deploy a global AD replication topology which minimises WAN bandwidth usage

Suggestion:
Deploy a standard DC build (hardware and OS)
Revert to w2k legacy compression setting

Does anyone have any experience of using the older algorithm versus the newer algo?

How much "better" at compressing data is the older algo?
How much more CPU overhead does the older algo represent?

All comments welcome :)

Thanks,
neil



___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481




[ActiveDir] AD delegations

2006-04-12 Thread Graham Turner
Dear all, needing to seek further assistance on OU delegations.

We have applied a delegation using the custom delegation wizard:

Create / Delete computer object

This works fine and dandy in the context of creating and deleting computer
objects in the container and its sub-containers.

However, we are unable to move COMPUTER objects between OUs within the
delegation OU.

I would have thought that a MOVE is a combination of CREATE / DELETE, which it
would seem have been applied as above, but perhaps not.

It seems an additional permission is required to be applied to the delegated OU.

Any help on this will be gladly received.

Thanks

G



RE: [ActiveDir] Changing a users password

2006-04-12 Thread Oliver Marshall
Thanks, but I have absolutely no idea how to apply that to the asp
script I have here :S

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 12 April 2006 10:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Google is a wonderful thing :)

http://www.dotnetjunkies.com/Tutorial/1A07BA3D-72EC-41E8-9713-557B9189F820.dcik

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: 12 April 2006 09:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Hmmm interesting. It certainly does what it says on the tin.

Don't suppose you know how to create an 8 character alphanumeric random
string of characters do you ? 

Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 12 April 2006 09:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Delegate the ability to reset password to your helpdesk lady.
 
Then grab http://www.rlmueller.net/Programs/ResetPassword.txt
 
Clean that up, put it behind an asp page that requires authentication. Give
your helpdesk lady access to the page and show her how to use it.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  Do you now realize that
Today is the Tomorrow you were worried about Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of Oliver Marshall
Sent: Wed 4/12/2006 12:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password



Net user command only works if you have full admin rights. I've google'd
till 2am this morning, haven't found any free script that doesn't use
the DN.

Cant use ADUC as I'm afraid that, if they see what info they *could*
change, that it will snowball and they will want to change it all. The
whole reason for this is that I am out of the office more and more and
users here have a massive issue with passwords. At the moment they right
them down on a pad on the "receptionists" desk (I say receptionist, but
this lady has been here longer than the earth has been turning, and I
would rather she could generate a new random password with "change on
next logon" for all the users in a given OU than have the passwords
written on a pad on someones desk, admin users are in a diff OU).

I'll keep hunting. Thanks for the help anyway.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: 12 April 2006 07:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Hi Oliver,

First of all the receptionist needs to be delegated the rights to reset
users passwords, as well as being made aware of the consequences (local
credential cache of the users f.e.).

To reset the password you can use commands like
"net user username password /domain" or you can use AD-Tools like ADUC,
"dsquery user domainroot -name whatever | dsmod -pwd newpass -mustchangepwd yes",
or you can create your own script which searches for the user and changes
password after asking for approval. Www.microsoft.com/technet/scriptcenter
provides the examples you have to glue together for this.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D



|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of
|Oliver Marshall
|Sent: Wednesday, April 12, 2006 1:56 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Changing a users password
|
|Hi,
|
|I want to create a script that will allow a user here to
|change the password of any other user.
|
|I have found several examples, most based on the examples on
|the MS site. Thing is, they all depend on knowing the
|Distinguished Name of the user, and the poor old receptionist
|wont have a clue what that is.
|
|Can anyone help me with a script that will change the password
|of a user just knowing the username of the user ? At the least
|I'm after some code to find the DN of a user from their
|username, and I can then use that with the code I already have
|(I think).
|
|
|Thanks
|
|Olly

RE: [ActiveDir] Changing a users password

2006-04-12 Thread neil.ruston
Google is a wonderful thing :)

http://www.dotnetjunkies.com/Tutorial/1A07BA3D-72EC-41E8-9713-557B9189F820.dcik

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: 12 April 2006 09:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Hmmm interesting. It certainly does what it says on the tin.

Don't suppose you know how to create an 8 character alphanumeric random
string of characters do you ? 

Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 12 April 2006 09:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Delegate the ability to reset password to your helpdesk lady.
 
Then grab http://www.rlmueller.net/Programs/ResetPassword.txt
 
Clean that up, put it behind an asp page that requires authentication. Give
your helpdesk lady access to the page and show her how to use it.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  Do you now realize that
Today is the Tomorrow you were worried about Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of Oliver Marshall
Sent: Wed 4/12/2006 12:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password



Net user command only works if you have full admin rights. I've google'd
till 2am this morning, haven't found any free script that doesn't use
the DN.

Cant use ADUC as I'm afraid that, if they see what info they *could*
change, that it will snowball and they will want to change it all. The
whole reason for this is that I am out of the office more and more and
users here have a massive issue with passwords. At the moment they right
them down on a pad on the "receptionists" desk (I say receptionist, but
this lady has been here longer than the earth has been turning, and I
would rather she could generate a new random password with "change on
next logon" for all the users in a given OU than have the passwords
written on a pad on someones desk, admin users are in a diff OU).

I'll keep hunting. Thanks for the help anyway.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: 12 April 2006 07:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Hi Oliver,

First of all the receptionist needs to be delegated the rights to reset
users passwords, as well as being made aware of the consequences (local
credential cache of the users f.e.).

To reset the password you can use commands like
"net user username password /domain" or you can use AD-Tools like ADUC,
"dsquery user domainroot -name whatever | dsmod -pwd newpass -mustchangepwd yes",
or you can create your own script which searches for the user and changes
password after asking for approval. Www.microsoft.com/technet/scriptcenter
provides the examples you have to glue together for this.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D



|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of
|Oliver Marshall
|Sent: Wednesday, April 12, 2006 1:56 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Changing a users password
|
|Hi,
|
|I want to create a script that will allow a user here to
|change the password of any other user.
|
|I have found several examples, most based on the examples on
|the MS site. Thing is, they all depend on knowing the
|Distinguished Name of the user, and the poor old receptionist
|wont have a clue what that is.
|
|Can anyone help me with a script that will change the password
|of a user just knowing the username of the user ? At the least
|I'm after some code to find the DN of a user from their
|username, and I can then use that with the code I already have
|(I think).
|
|
|Thanks
|
|Olly

Re: [ActiveDir] Changing a users password

2006-04-12 Thread Matheesha Weerasinghe
How about using lockoutstatus.exe? It's no script tool but is sure easy to use.

M@


RE: [ActiveDir] Changing a users password

2006-04-12 Thread Oliver Marshall
Hmmm interesting. It certainly does what it says on the tin.

Don't suppose you know how to create an 8 character alphanumeric random
string of characters do you ? 

Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 12 April 2006 09:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Delegate the ability to reset password to your helpdesk lady.
 
Then grab http://www.rlmueller.net/Programs/ResetPassword.txt
 
Clean that up, put it behind an asp page that requires authentication. Give
your helpdesk lady access to the page and show her how to use it.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of Oliver Marshall
Sent: Wed 4/12/2006 12:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password



Net user command only works if you have full admin rights. I've google'd
till 2am this morning, haven't found any free script that doesn't use
the DN.

Cant use ADUC as I'm afraid that, if they see what info they *could*
change, that it will snowball and they will want to change it all. The
whole reason for this is that I am out of the office more and more and
users here have a massive issue with passwords. At the moment they right
them down on a pad on the "receptionists" desk (I say receptionist, but
this lady has been here longer than the earth has been turning, and I
would rather she could generate a new random password with "change on
next logon" for all the users in a given OU than have the passwords
written on a pad on someones desk, admin users are in a diff OU).

I'll keep hunting. Thanks for the help anyway.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: 12 April 2006 07:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Hi Oliver,

First of all the receptionist needs to be delegated the rights to reset
users passwords, as well as being made aware of the consequences (local
credential cache of the users f.e.).

To reset the password you can use commands like
"net user username password /domain" or you can use AD-Tools like ADUC,
"dsquery user domainroot -name whatever | dsmod -pwd newpass -mustchangepwd yes",
or you can create your own script which searches for the user and changes
password after asking for approval. Www.microsoft.com/technet/scriptcenter
provides the examples you have to glue together for this.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D



|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of
|Oliver Marshall
|Sent: Wednesday, April 12, 2006 1:56 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Changing a users password
|
|Hi,
|
|I want to create a script that will allow a user here to
|change the password of any other user.
|
|I have found several examples, most based on the examples on
|the MS site. Thing is, they all depend on knowing the
|Distinguished Name of the user, and the poor old receptionist
|wont have a clue what that is.
|
|Can anyone help me with a script that will change the password
|of a user just knowing the username of the user ? At the least
|I'm after some code to find the DN of a user from their
|username, and I can then use that with the code I already have
|(I think).
|
|
|Thanks
|
|Olly
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com
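
The pieces asked for in this thread (username-to-DN lookup, an 8-character random alphanumeric password, and "change on next logon"), as an added PowerShell example that is not code from any poster or from the linked ResetPassword.txt. The function names are hypothetical, the OU path is a placeholder, and it assumes the caller has already been delegated Reset Password and write access to pwdLastSet on user objects in that OU.

```powershell
# Added example, not from the thread. Function names and the OU path are
# hypothetical placeholders.
Add-Type -AssemblyName System.DirectoryServices

# Placeholder OU holding ordinary staff. Admin accounts live in a different
# OU, so the search below never returns them.
$AllowedOu = 'OU=Staff,DC=example,DC=com'

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping. Without it, typed input such as "*" or "a)(cn=*"
    # would change which objects the search filter matches.
    param([Parameter(Mandatory = $true)][string]$Value)
    $v = $Value.Replace('\', '\5c')                 # backslash must go first
    $v = $v.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $v.Replace([string][char]0, '\00')
}

function New-TemporaryPassword {
    # Random characters from A-Z, a-z, 0-9 drawn from the OS CSPRNG.
    param([ValidateRange(8, 128)][int]$Length = 8)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    # 62 does not divide 256, so bytes >= 248 are rejected to avoid modulo bias.
    $limit = 256 - (256 % $alphabet.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    try {
        do {
            $sb = New-Object System.Text.StringBuilder
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($byte)
                if ($byte[0] -lt $limit) {
                    [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length])
                }
            }
            $candidate = $sb.ToString()
            # The default AD complexity rule wants three character classes;
            # retry until upper case, lower case and a digit are all present.
        } until ($candidate -cmatch '[A-Z]' -and
                 $candidate -cmatch '[a-z]' -and
                 $candidate -cmatch '[0-9]')
    } finally {
        $rng.Dispose()
    }
    $candidate
}

function Find-DelegatedUser {
    # Resolve a logon name (sAMAccountName) to its directory object,
    # searching only below the delegated OU.
    param([Parameter(Mandatory = $true)][string]$SamAccountName,
          [string]$SearchBase = $AllowedOu)
    $safe     = ConvertTo-LdapFilterValue -Value $SamAccountName
    $filter   = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $hits = @($searcher.FindAll())
    if ($hits.Count -ne 1) {
        # Zero hits: unknown name or an account outside the OU. Several hits
        # should be impossible for sAMAccountName, so stop rather than guess.
        throw "Expected one user '$SamAccountName' under $SearchBase, found $($hits.Count)."
    }
    $hits[0]
}

function Reset-DelegatedUserPassword {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $hit      = Find-DelegatedUser -SamAccountName $SamAccountName
    $dn       = [string]$hit.Properties['distinguishedname'][0]
    $password = New-TemporaryPassword
    $user     = $hit.GetDirectoryEntry()    # avoids rebuilding an ADsPath from the DN
    try {
        [void]$user.psbase.Invoke('SetPassword', $password)
        $user.psbase.Properties['pwdLastSet'].Value = 0   # user must change at next logon
        $user.psbase.CommitChanges()
    } finally {
        $user.psbase.Dispose()
    }
    # Hand the temporary password back to the operator; do not write it to a log.
    New-Object psobject -Property @{
        User = $SamAccountName; DN = $dn; TemporaryPassword = $password
    }
}

# Usage (constructed account name):
#   Reset-DelegatedUserPassword -SamAccountName 'jsmith'
```

The OU search base only narrows what the script will look at; what actually keeps admin accounts out of reach is that the Reset Password delegation exists on that OU alone.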

FW: [ActiveDir] GPO question

2006-04-12 Thread Simon Clayton
Or you can apply a WMI Filter to the User GPO such that it runs if the
device does not have a particular service, chassis type, etc.

Many thanks,
Simon Clayton | Principal Consultant
Technology Infrastructure Practice
Avanade UK Ltd | Leeds Office
2nd Floor, 1 City Square, Leeds, LS1 2ES
Tel: +44 (0) 7970 509788
www.avanade.com
IM: [EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: 07 April 2006 16:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO question


We have a GPO in place for all users to do Folder Redirection of My
Documents. We are experiencing problems with long delays during this
process when users connect to a Citrix Server. This started with 2003
SP1 (there is a "potential" hot fix from MS, but we are not crazy about
it)

The real question is that I am not finding a way to not apply that GPO
when our users connect to the Citrix servers. Here is what I mean:

A) Typically you can counteract a GPO applied above with a GPO that
disables that same function, like we did recently with Screen Saver
settings. But, Folder redirection of My Documents can not be "disabled",
it is just "not configured" or Configured and pointing to the
redirection location. 

B) There are no GPOs applied to the Terminal Server or Citrix Servers
OUs, but do not want to Block inheritance of GPOs (not best practices
because it is hard to troubleshoot and I am not even sure it is an
option in this case). The Folder Redirection GPO is applied to the USERS
OU and sub OUs based on AD Group membership.

C) Loopback processing seems to be the reverse of what I am trying to
do. Unless I am just not getting it. 

Any other ideas?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator Network Services Banner Health
Voice (602)
495-4195 Fax (602) 495-4406
 


RE: [ActiveDir] Changing a users password

2006-04-12 Thread deji
Delegate the ability to reset password to your helpdesk lady.
 
Then grab http://www.rlmueller.net/Programs/ResetPassword.txt
 
Clean that up, put it behind an asp page that requires authentication. Give
your helpdesk lady access to the page and show her how to use it.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of Oliver Marshall
Sent: Wed 4/12/2006 12:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password



Net user command only works if you have full admin rights. I've google'd
till 2am this morning, haven't found any free script that doesn't use
the DN.

Cant use ADUC as I'm afraid that, if they see what info they *could*
change, that it will snowball and they will want to change it all. The
whole reason for this is that I am out of the office more and more and
users here have a massive issue with passwords. At the moment they right
them down on a pad on the "receptionists" desk (I say receptionist, but
this lady has been here longer than the earth has been turning, and I
would rather she could generate a new random password with "change on
next logon" for all the users in a given OU than have the passwords
written on a pad on someones desk, admin users are in a diff OU).

I'll keep hunting. Thanks for the help anyway.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: 12 April 2006 07:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Hi Oliver,

First of all the receptionist needs to be delegated the rights to reset
users passwords, as well as being made aware of the consequences (local
credential cache of the users f.e.).

To reset the password you can use commands like
"net user username password /domain" or you can use AD-Tools like ADUC,
"dsquery user domainroot -name whatever | dsmod -pwd newpass -mustchangepwd yes",
or you can create your own script which searches for the user and changes
password after asking for approval. Www.microsoft.com/technet/scriptcenter
provides the examples you have to glue together for this.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D



|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of
|Oliver Marshall
|Sent: Wednesday, April 12, 2006 1:56 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Changing a users password
|
|Hi,
|
|I want to create a script that will allow a user here to
|change the password of any other user.
|
|I have found several examples, most based on the examples on
|the MS site. Thing is, they all depend on knowing the
|Distinguished Name of the user, and the poor old receptionist
|wont have a clue what that is.
|
|Can anyone help me with a script that will change the password
|of a user just knowing the username of the user ? At the least
|I'm after some code to find the DN of a user from their
|username, and I can then use that with the code I already have
|(I think).
|
|
|Thanks
|
|Olly


RE: [ActiveDir] Extending the schema

2006-04-12 Thread neil.ruston
...what joe said, but also test the app thoroughly and 
document its issues so that you can then perform a CYA job back to those asking 
for the product and to your own boss :)
 
This is par for the course in the world of IT - we are 
often forced to deploy cr** and all we can do to mitigate the situation is 
to document our misgivings. At least if the whole thing blows up in your face, 
you can point to a doc or email and state 'told you so' :)
 
neil


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 April 2006 07:43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extending the schema

I do not have first hand experience with it but have 
been speaking to some very trusted friends who have been trying to implement it 
and pretty much anything they say I would take as if I saw it myself. From what 
I hear there are some "odd" ACEs added to the ACLs (I believe at the NC Head 
level) that make no sense but are required or you can't install LCS Servers. I 
believe specifically there is something with a property set that is absolutely 
worthless (I don't recall the details now). Also you can't substitute the ACEs, 
you must have the exact ACEs in place that the LCS prep puts into place. That 
means they aren't checking access rights, they are scanning the ACL looking for 
a specific ACE which ranks up there with some of the worst things I have seen 
out of any AD enabled app. This isn't very unusual for Exchange related 
stuff. The Exchange folks don't seem to really know how to use AD properly 
and LCS came from Exchange folks and has Exchange Dev all over it. Exchange 
itself had some very odd delegations that had to be made in the early E2K 
timeframe that I ran into and bugged that was absolutely meaningless as well if 
you were trying to delegate minimal permissions. I recall there was one 
delegation of an attribute that only existed on some config container objects 
but needed to be applied to users or else the GUI tools wouldn't work. 
Completely asinine stuff. I guess they are hitting the same crap with 
LCS.
 
To add even more pain, the MCS guy that my friends have 
been working with has been just a hair above useless for the whole thing so 
probably better to sit down and work it out yourself than contract MCS to come 
in and help out. I have personal experience with the specific MCS person and I 
am not entirely surprised though this is just one more area where he is 
supposed to be knowledgeable and this customer is so large that you would expect 
MCS wouldn't be dumb and send in someone who isn't pretty good with the 
product.
 
Basically, if you are being forced to use it, you don't 
have much choice, lube up and go for it. If you do have a choice, go through the 
product with a fine tooth comb in the lab and document all of the crap and then 
complain to MS. Possibly if enough people tell them that the functionality isn't 
good enough to deal with a shitty implementation they might get a clue. Most 
likely it has gone as far as it has is because most people don't have a clue 
what they are doing when they are installing things and assume anything out of 
MS will be done correctly and never verify the changes made in the directory and 
how much sense they may or may not make.
 
Oh another thing, there is some global group 
requirement built into LCS for admining the product, from what I heard you have 
NO CHOICE but to use global groups. This is yet another product that 
demonstrates that just because it came out of MS doesn't mean it is good or 
should just be implemented. 
 
  joe
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 11, 2006 8:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extending the schema


Do you have any specific 
examples of the domain-wide ACLs I can keep an eye out for?  Unfortunately 
we don't have much say in this, the 'powers that be' want it implemented, and 
quickly. 


From: [EMAIL PROTECTED] on behalf of Lee, Wook
Sent: Tue 4/11/2006 7:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extending the schema

IMHO, LCS puts its configuration system objects in the wrong place, i.e.
the system container in the root domain NC. It really should put those
types of objects in the configuration NC. It also does a lot of
domain-wide ACLs especially if you have a lot of domain. There are
configurations that help to moderate this but putting LCS in a large
complex forest would be more trouble than it's worth to me. I did it in
a 4-domain forest and I didn't like it. It works, but I don't like it. I
would recommend a resource forest implementation, but then again, that's
just me. :)

Wook

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of joe
Sent: Tuesday, April 11, 2006 4:11 PM
To: ActiveDir@mail.activedir.org
Subje

RE: [ActiveDir] Changing a users password

2006-04-12 Thread Oliver Marshall
Net user command only works if you have full admin rights. I've google'd
till 2am this morning, haven't found any free script that doesn't use
the DN.

Can't use ADUC as I'm afraid that, if they see what info they *could*
change, that it will snowball and they will want to change it all. The
whole reason for this is that I am out of the office more and more and
users here have a massive issue with passwords. At the moment they write
them down on a pad on the "receptionists" desk (I say receptionist, but
this lady has been here longer than the earth has been turning, and I
would rather she could generate a new random password with "change on
next logon" for all the users in a given OU than have the passwords
written on a pad on someone's desk, admin users are in a diff OU).

I'll keep hunting. Thanks for the help anyway.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: 12 April 2006 07:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users password

Hi Oliver,

First of all the receptionist needs to be delegated the rights to reset
users' passwords, as well as being made aware of the consequences (local
credential cache of the users f.e.).

To reset the password you can use commands like "net user username
password /domain" or you can use AD-Tools like ADUC, "dsquery user
domainroot -name whatever | dsmod user -pwd newpass -mustchpwd yes", or
you can create your own script which searches for the user and changes
password after asking for approval. www.microsoft.com/technet/scriptcenter
provides the examples you have to glue together for this.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Oliver Marshall
|Sent: Wednesday, April 12, 2006 1:56 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Changing a users password
|
|Hi,
|
|I want to create a script that will allow a user here to 
|change the password of any other user. 
|
|I have found several examples, most based on the examples on 
|the MS site. Thing is, they all depend on knowing the 
|Distinguished Name of the user, and the poor old receptionist 
|won't have a clue what that is.
|
|Can anyone help me with a script that will change the password 
|of a user just knowing the username of the user? At the least 
|I'm after some code to find the DN of a user from their 
|username, and I can then use that with the code I already have 
|(I think).
|
|
|Thanks
|
|Olly
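The lookup-then-reset flow discussed in this thread (find the DN from the logon name, set a random password, force a change at next logon), as an added example in present-day PowerShell with the ActiveDirectory module; it is not code from any poster. The function name and the OU path are assumptions, and the caller needs only the delegated "Reset Password" right on that OU, not full admin rights.

```powershell
#Requires -Modules ActiveDirectory
# Added example: the function name and OU path are hypothetical.

function Reset-StaffPassword {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        # Hypothetical OU; accounts outside it (e.g. admins) are never matched.
        [string] $SearchBase = 'OU=Staff,DC=example,DC=com'
    )

    # Allowlist the logon name so the input cannot alter the LDAP filter.
    if ($UserName -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        throw "Invalid user name: $UserName"
    }

    # Resolve sAMAccountName -> DN, searching only inside the delegated OU.
    $users = @(Get-ADUser -LDAPFilter "(sAMAccountName=$UserName)" `
                          -SearchBase $SearchBase -SearchScope Subtree)
    if ($users.Count -ne 1) {
        throw "Expected one match for '$UserName' under $SearchBase, found $($users.Count)."
    }
    $dn = $users[0].DistinguishedName

    # 16 characters from a 64-character alphabet, so (byte % 64) is unbiased.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 16
    do {
        $rng.GetBytes($bytes)
        $plain = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
        # Retry until upper case, lower case and a digit are all present.
    } until ($plain -cmatch '[A-Z]' -and $plain -cmatch '[a-z]' -and $plain -match '\d')
    $rng.Dispose()

    if ($PSCmdlet.ShouldProcess($dn, 'Reset password and force change at next logon')) {
        $secure = ConvertTo-SecureString $plain -AsPlainText -Force
        Set-ADAccountPassword -Identity $dn -Reset -NewPassword $secure
        Set-ADUser -Identity $dn -ChangePasswordAtLogon $true
        # Returned once so the temporary password can be handed to the user.
        [pscustomobject]@{ DistinguishedName = $dn; TemporaryPassword = $plain }
    }
}
```

Because `ConfirmImpact` is `High`, an interactive call such as `Reset-StaffPassword -UserName jsmith` prompts for approval before anything is changed.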