RE: [ActiveDir] backup/restore of DCs with third party tool
I do have thoughts on what could go wrong, but was wondering if someone has experience with this. Anyone? Anyone?

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Tue 2006-05-02 15:30
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] backup/restore of DCs with third party tool

Hi,

I was wondering if someone has any experience with HP Openview Storage data Protector Manager concerning the backup and restore of domain controllers.

With NTBACKUP and the third party backup/restore tools I have worked with until now, to backup/restore a DC you needed to select the system state, which contains the following components:

* COM+ Class Registration database (always included)
* Boot files including the system files (always included)
* Certificate Services database (only for certificate services server)
* Active Directory directory service (only for directory server)
* SYSVOL structure (only for directory server)
* Cluster service information (only for cluster server)
* IIS Metabase (only for IIS server)

Microsoft defined the system state as the collection of these components, and during backup or restore it was always an all-or-nothing selection. Of course there is a good reason for that, as several components interact/work with each other. However, with HP Openview Storage data Protector Manager the possibility exists to select individual components of the system state during backup or restore.

I wonder what the impact is of restoring individual components of the system state (not all), e.g. only AD without SYSVOL and registry, etc. Can anyone elaborate on that? Does anyone have experience with this?

Thank you!

Cheers,
jorge

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Query regarding Windows Time Service
I have a query regarding the Windows Time Service. Our environment is Windows 2003 FFL, Single Domain. We have a Network Time Server which I have configured our PDCe to use. Having read other posts I also configured our Core DCs to use this Time Server so that if the PDCe failed, I could just seize the role to another DC and have one less thing to configure.

What I am receiving is Eventlog messages saying "the time provider NtpClient is configured to acquire a time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 960 minutes. Ntpclient has no source of accurate time" Event ID 29

This is received on all of the Core DCs that I have configured to use the Network Time Server rather than the PDCe.

All I did was run the following command on each DC that could potentially be used as a PDCe:

    w32tm /config /manualpeerlist:10.1.1.225 /syncfromflags:manual /reliable:yes /update

Anyone know why I would be receiving these event messages, should I be concerned?

James
[ActiveDir] which GC answers?
When I use ldp and I find a user (lingering), how can I know which GC of many of them has that copy of the object? I use ADSIEDIT, but I have many GCs. Is there an easier way to discover in which of them it is?

Thanks
Adrião F Ramos
RE: [ActiveDir] which GC answers?
A way to check this is:

    REPADMIN /SHOWOBJMETA GC: <DN of lingering object> > OUTPUT.TXT

"GC:" targets ALL GCs in the forest.

For each GC:

* you get the metadata of the object if it exists on the GC
OR
* you get "Directory object not found" if the object does not exist

In addition to this you can wrap a script around this that takes away some manual stuff you must do.

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
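The reply above suggests wrapping a script around the saved output. The following is an added example, not part of the original message or of any tool mentioned in the thread: it reads the text of OUTPUT.TXT and reports which GCs returned metadata, which returned "Directory object not found", and which originating DSAs appear only as a bare GUID (the case raised later in this thread). The per-server banner wording, the column layout, the host names and the GUID are assumptions, and the sample text is constructed.

```python
"""Summarise `repadmin /showobjmeta GC: <DN> > OUTPUT.TXT` per global catalog."""
import re
from dataclasses import dataclass, field

# Assumed banner printed before each server's output when repadmin fans a
# command out to several servers; the exact wording differs between versions.
BANNER = re.compile(
    r"^repadmin:?\s+running command /showobjmeta against "
    r"(?:server|full DC|read-only DC)\s+(?P<server>\S+)",
    re.IGNORECASE | re.MULTILINE)

# One attribute-metadata row (assumed column order):
#   Loc.USN  Originating DSA  Org.USN  Org.Time/Date  Ver  Attribute
ROW = re.compile(
    r"^[ \t]*\d+[ \t]+(?P<dsa>\S.*?)[ \t]+\d+[ \t]+"
    r"\d{4}-\d{2}-\d{2}[ \t]+\d{2}:\d{2}:\d{2}[ \t]+\d+[ \t]+(?P<attr>\S+)[ \t]*$",
    re.MULTILINE)

NOT_FOUND = re.compile(r"directory object not found", re.IGNORECASE)
GUID = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Constructed sample of OUTPUT.TXT: three hypothetical GCs, one per outcome.
SAMPLE_OUTPUT = r"""
repadmin running command /showobjmeta against server gc1.example.com

3 entries.
Loc.USN    Originating DSA                         Org.USN  Org.Time/Date        Ver Attribute
=======    ===============                         =======  =============        === =========
  81234    Site-A\GC1                                81234  2006-01-10 10:15:22    1 objectClass
  81234    Site-A\GC1                                81234  2006-01-10 10:15:22    1 cn
  90411    3f2a9c1e-7b44-4d0a-9e1b-5c6d7e8f9a0b      40233  2005-11-02 08:01:10    3 description

repadmin running command /showobjmeta against server gc2.example.com

DsReplicaGetInfo() failed with status 8333 (0x208d):
    Directory object not found.

repadmin running command /showobjmeta against server gc3.example.com

(constructed placeholder for any other failure, e.g. the server was unreachable)
"""


@dataclass
class GcResult:
    status: str = "unknown"      # "present", "absent" or "unknown"
    attributes: int = 0          # number of metadata rows returned
    unresolved_dsas: set = field(default_factory=set)  # originating DSAs shown as GUIDs


def parse_showobjmeta(text):
    """Split the capture at each server banner and classify every section."""
    results = {}
    banners = list(BANNER.finditer(text))
    for i, banner in enumerate(banners):
        end = banners[i + 1].start() if i + 1 < len(banners) else len(text)
        section = text[banner.end():end]
        result = GcResult()
        rows = list(ROW.finditer(section))
        if rows:
            # Metadata came back, so this GC holds a copy of the object.
            result.status = "present"
            result.attributes = len(rows)
            result.unresolved_dsas = {
                m["dsa"].lower() for m in rows if GUID.match(m["dsa"])}
        elif NOT_FOUND.search(section):
            result.status = "absent"
        # Anything else (unreachable server, access denied) stays "unknown"
        # so it is not mistaken for "object does not exist".
        results[banner["server"].lower()] = result
    return results


def holders(results):
    """Names of the GCs that returned metadata for the object."""
    return sorted(s for s, r in results.items() if r.status == "present")


if __name__ == "__main__":
    for server, r in sorted(parse_showobjmeta(SAMPLE_OUTPUT).items()):
        note = f" unresolved originating DSA: {sorted(r.unresolved_dsas)}" if r.unresolved_dsas else ""
        print(f"{server:20} {r.status:8} rows={r.attributes}{note}")
```

Servers left as "unknown" need a second look before drawing conclusions, since a GC that could not be queried may still hold the object.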
RE: [ActiveDir] backup/restore of DCs with third party tool
"Does anyone have experience with this?"

I have some. I can only speak to separating and backing up only the AD DB state without registry, etc. We used to use this method a lot in testing AD, we had a little utility / unit test called dsback.exe, that would just trigger AD's streaming backup / restore support. It basically worked.

Achtung! Note, this is VERY different than just copying off the AD DB, and copying it back later. This uses the regular backup / restore infrastructure, so it does the right things, and changes the invocation ID during restore.

We only worked w/in a fairly narrow constraint when doing such testing, though, which is that the restore was back to the same machine, which had not changed its DC state. Also the backup we used was never very old, i.e. made hours or at most a few days before. We didn't restore just the AD DB to fresh install (obviously this wouldn't work). Also I'm 91% sure we didn't restore the AD DB to a different DC. I'm fairly certain anything but the same DC backup/restore is unlikely to work, or will have some issues.

The problem with even the limited case I mention above, it is not entirely clear what security sub-systems expect the AD DB and registry to be in sync ... i.e. perhaps machine account password changing (or any of probably a dozen to several dozen suspect operations), requires the two to be in sync, we wouldn't know such issues until someone managed to get a backup / restore spanning such an event, and given the limited time nature of our testing w/ this method, it was unlikely we shook out any issues there.

Is it supported? No.

Achtung! If you come to PSS w/ problems, and they learn how you've done this (and if you hide it, you're just an <one of my favorite offensive words deleted>), the first thing they'll ask is, "Do you have any real backups of system state?"

What are the dangers of using such a system? Unknown. I can't even say, I'm convinced there isn't a big bad hairy monster hiding in this closet, frankly I don't know. I do know it will work for the AD DB most of the time. I myself wouldn't do it to production.

Cheers,
BrettSh
RE: [ActiveDir] which GC answers?
Thanks, I'll try that.
___
Adrião Ferreira Ramos
[EMAIL PROTECTED]
Windows Support Team
(11) 3388-8193
RE: [ActiveDir] which GC answers?
Hi Jorge,

I don't mean to hijack this thread, but I have also been having an issue with lingering objects. I ran your repadmin command shown below on one of the lingering objects I have. For the lingering object I specified, the output lists a GUID (Originating DC) that doesn't exist any more. An Originating DC is also the owner of the object, right? The member DC/GCs of the domain that once hosted this Originating DC produce a different output from the repadmin /showobjmeta command than the other GCs - namely "Directory Object not found". If a DC is demoted, the object would be owned by one of the remaining DCs. But, if the owner is no longer around, the object is garbage. Right?

My question is this: why are lingering objects such a bear to clean out? It seems to me an admin should be able to use a "repadmin /removelingeringobjects GC: <DN of lingering object>" type of syntax to take care of all of the GCs at the same time. My TAM has indicated the existence of a replfix tool, but I'm not sure how it works.

Thoughts/comments?

Mike Thommes

Ps. For any MS folks out there, it would really be helpful to include examples within the repadmin help considering how powerful this command can be.

Pps. I think lingering objects are synonymous with headache.
[ActiveDir] Migrating Term service cals
We are installing a new Citrix farm in a new Forest and decommissioning the old Citrix server in our old Forest. Are there any special procedures to migrate the CAL's over to the Licensing Server in the new Forest? Thanks
Re: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?
Personally, I'd like a command line tool that's interactive like ntdsutil or nslookup. I'd be able to use this to browse the ADAM instance from a command line. Have a prompt which allows me to navigate the hierarchy. Execute commands such as create/delete objecttype etc...

M@

On 4/28/06, Stewart, Fitz [EMAIL PROTECTED] wrote:

Heck, just give a user the ability to create and otherwise manage objects – users, groups, the basics. Name, etc. Nothing fancy, just not the command-line-ishness of ADSIEDIT.

-fitz
703-866-7473
703-626-5741 (cell)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 28, 2006 3:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires.. WAS: Internet Authentication Concepts: Pointers?

I have some curiosity in this realm... What would everyone consider good things and requirements for an ADAM management tool. Even assuming, cough, GUI.

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Friday, April 28, 2006 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?

Since it is LDAP I did look at some friendlier admin tools, but none really hit the mark for me. I believed that group looked at Softerra's tool, and there is the web based PHP LDAP manager, and also the C# LDAP manager tool. You can Live search the names or I can post the links here if you want. In the end I wrote my own as a .NET web app since I found them lacking. Yet as I said if I want to go global, I don't know if I want to position what I wrote without some major changes. :)

J

Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
Date: Fri, 28 Apr 2006 09:44:55 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

That's a very good point. Does anyone know of any 3rd parties which improve the ADAM administrative UI experience?

J. Fitzgerald (Fitz) Stewart
Systems Architect
IRM/OPS/ENM Worldwide Information Network Systems
USAID/DoS IT Infrastructure Collaboration Program
[EMAIL PROTECTED]
703-866-7473
703-626-5741 (cell)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Friday, April 28, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?

Mylo,

Thanks for the information! I have setup ADAM utilizing a custom web UI utilizing AZman for a small project before, but I have concerns about scalability. The issues are not with the ADAM instance at all, but the UI that is needed to manage ADAM. ADSIedit is great for someone who understands the directory, but it's not that user friendly for web application owners, helpdesk, etc. This was for a simple application of about 500 users, and it met their needs but I don't see this as a scalable solution from a global perspective.

This will be a backend data store that contains the user identity, but the applications that utilize it will be of different flavors from DMZ hosted web apps, to externally hosted apps. The flavors of web apps will range from websphere, ColdFusion, .NET and I suspect some PHP apps.

With AD, I guess I was thinking it has a well known support interface (though I am sure I would need to customize anyway...so I'm not sure that value is really there). So I was expecting to maybe find 3rd parties that do sit in front of this to manage the IDs stored. Though this could be AD or ADAM with ADAM being the most cost effective. This looks like siteMinder might be a good solution to manage all of these environments but I will need to look into that.

I suppose I am getting ahead of myself, because I do not know the requirements as of yet, and I'm making assumptions that could be totally off the mark here. I guess it's a new environment and wanted to get some info ahead of before it was needed. :)

Thanks again!
Jef

Date: Fri, 28 Apr 2006 01:40:09 +0200
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Internet Authentication Concepts: Pointers?

Jef,

As Al pointed out, there are numerous products from vendors such as IBM/BEA/Oracle/RSA/Netegrity/Entrust/Baltimore Labs (RIP) etc providing web-based authentication/authorisation in front of AD. Since from a design point-of-view it's generally not a good idea to stick AD too close to the Internet, often these solutions comprise a presentation tier, e.g. with IIS (using some sort of ISAPI plugins) that then hooks into
RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?
Or more like something like an interactive ad shell.
Re: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?
That is the type of thing that would be pretty reasonable to build by writing a provider for MSH (Monad) that exposes an LDAP store like AD or ADAM as a drive. I think a few people have taken a swing at this already, but I'm not sure if anything is shipping yet. Having this integrated into MSH is going to enable a huge number of scenarios.

Joe K.
RE: [ActiveDir] Check Active Directory Backups
Blogs.msdn.com/brettsh

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teo De Las Heras
Sent: Wednesday, May 03, 2006 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Check Active Directory Backups

I came across an article a while ago that demonstrated how to use one of the replication tools (replmon, repadmin) to verify that all the AD partitions have been successfully backed up. Anyone know the commands or have the article link handy? I thought it was on techtarget.com but I can't find it there.

Teo
Re: [ActiveDir] Check Active Directory Backups
That's it! Thanks Brian!
RE: [ActiveDir] which GC answers?
For the lingering object I specified, the output lists a GUID (Originating DC) that doesn't exist any more If it shows the GUID that database instance (that is what the invocation ID identifies) does not exist anymore and most probably the DC does not exist anymore because it was demoted or its metadata was cleaned An Originating DC is also the owner of the object, right? nope. the originating DC is the DC where the change was made or was created (originated!) it is part of the replication mechanism of AD The member DC/GCs) of the domain that once hosted this Originating DC produce a different output from the repadmin /showobjmeta command than the other GCs - namely Directory Object not found directory object not found can mean two things... (1) the object was created somewhere, but has not yet replicated to several DCs/GCs (2) it is a lingering object (which by the way can be identified by event ID 1388 or 1988 if an attempt is made to replicate a lingering object) If a DC is demoted, the object would be owned by one of the remaining DCs. But, if the owner is no longer around, the object is garbage. Right? nope... again... the originating DC is the DC where the change was made or was created (originated!) it is part of the replication mechanism of AD the object was born on a DC. just because the DC is gone does not mean the object is crap or worthless. look into it from another point of view. you were born as a child from your mom and dad. just because your mom and/or dad is/are gone someday does NOT mean you should not exist. Definitely not true! I think you get the point ;-)) Lingering objects are a real PITA!!! Lingering objects can only be detected if: (1) something of a lingering objects is changed and it tries to replicate (event ID 1388 if you loose consistency replication and event ID 1988 if you strict consistency replication) (2) you go in and look for them using REPADMIN (support tools) or GCCHK (joeware). 
With REPADMIN in advisory mode, event IDs 1938 (starting detection summary), 1946 (for each lingering object detected) and 1942 (final detection summary) are registered in the DS event log. With REPADMIN in cleanup mode, event IDs 1937 (starting removal summary), 1945 (for each lingering object detected and removed) and 1939 (final removal summary) are registered in the DS event log.
(3) you have issues in your directory: mail not being delivered, address book, replication, etc...

I believe it is possible to automate the detection and cleanup, but that requires some scripting... The following is some info I posted about a week or two ago...

# Lingering objects are a PITA!

Lingering objects on DCs/GCs occur when one or more objects are deleted on some DC while that DC is disconnected for more than the tombstone lifetime (which depends on the first DC in the forest and its OS or some manual configuration). When an object is deleted the object is transformed into a tombstone. Because the DC where the deletion occurred is disconnected, it is not able to replicate the tombstone to other DCs. After the tombstone lifetime the tombstone objects are garbage collected. After that moment one or more DCs don't have any trace of the deleted object or tombstones while other DCs do because the tombstone was never replicated to them. As soon as the connection is reestablished after the tombstone lifetime, the lingering objects replicate to the other DCs again (at least they try to, but that depends on how (A) is configured).

More information about lingering objects and possible ways to remove lingering objects:
(1) http://technet2.microsoft.com/WindowsServer/en/Library/4a1f420d-25d6-417c-9d8b-6e22f472ef3c1033.mspx
(2) http://support.microsoft.com/?id=314282

Non-existent objects in GCs. These could also be called lingering objects, but that is a definition thing I'm not getting into right now.
Non-existent objects can occur in GCs when a domain in a MULTI DOMAIN FOREST has been fully restored using backups (with this I mean that all DCs, or some DCs while others are being rebuilt, have been restored). Because the domain was restored using backups (and backups are always older than the current situation), the domain went back in time (it went to the state when the backups were created). However, GCs in other domains are still up and running and those were not restored or did not go to the same state as the writable version of the domain did. Because of that the GCs know more than the DCs of the domain itself and THAT is NOT correct!

A possible way to remove non-existent objects in GCs (or the read-only version of objects in the GCs that correspond to the writable version of objects on DCs but do not exist):
(1) http://support.microsoft.com/?id=314282

Something else that can happen is that the version of attributes from objects in the restored domain can be lower than the version of attributes of
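The event IDs listed in the message above can be turned into a per-DC summary of lingering-object activity. The PowerShell below is an added example, not part of the original post or of any Microsoft tool; the function names and sample records are constructed, and it assumes events shaped like Get-WinEvent output from the 'Directory Service' log.

```powershell
# Added example. Event IDs are the ones named in the message above:
#   1388 / 1988        lingering object seen during replication (loose / strict)
#   1938, 1946, 1942   REPADMIN advisory run: start, per object, final summary
#   1937, 1945, 1939   REPADMIN cleanup run:  start, per object, final summary

function New-LingeringRecord {
    param($Computer, $Kind, $Mode, $Started, [int]$Objects, [bool]$Completed)
    [pscustomobject]@{
        Computer = $Computer; Kind = $Kind; Mode = $Mode
        Started = $Started; Objects = $Objects; Completed = $Completed
    }
}

function Get-LingeringObjectActivity {
    [CmdletBinding()]
    param(
        # Objects exposing MachineName, TimeCreated and Id (as Get-WinEvent returns).
        [Parameter(Mandatory)]
        [object[]]$Events
    )

    $replication = @{ 1388 = 'Loose';    1988 = 'Strict' }
    $runStart    = @{ 1938 = 'Advisory'; 1937 = 'Cleanup' }
    $runObject   = @{ 1946 = 'Advisory'; 1945 = 'Cleanup' }
    $runEnd      = @{ 1942 = 'Advisory'; 1939 = 'Cleanup' }

    foreach ($dc in ($Events | Group-Object -Property MachineName)) {
        $open = $null   # REPADMIN run that has started but not yet logged its final summary
        foreach ($e in ($dc.Group | Sort-Object -Property TimeCreated)) {
            $id = [int]$e.Id
            if ($replication.ContainsKey($id)) {
                New-LingeringRecord ($dc.Name) 'ReplicationAttempt' ($replication[$id]) ($e.TimeCreated) 1 $true
            }
            elseif ($runStart.ContainsKey($id)) {
                if ($null -ne $open) { $open }   # earlier run never reached its final summary
                $open = New-LingeringRecord ($dc.Name) 'RepadminRun' ($runStart[$id]) ($e.TimeCreated) 0 $false
            }
            elseif ($runObject.ContainsKey($id)) {
                if ($null -eq $open) {
                    # Start event missing (for example the log wrapped): open an implicit run.
                    $open = New-LingeringRecord ($dc.Name) 'RepadminRun' ($runObject[$id]) ($e.TimeCreated) 0 $false
                }
                $open.Objects += 1
            }
            elseif ($runEnd.ContainsKey($id) -and $null -ne $open) {
                $open.Completed = $true
                $open
                $open = $null
            }
        }
        if ($null -ne $open) { $open }   # still incomplete at the end of the data
    }
}

# Constructed sample records (DC names and times are made up).
$sample = @(
    [pscustomobject]@{ MachineName = 'DC02'; TimeCreated = [datetime]'2006-05-03T09:00:00'; Id = 1988 }
    [pscustomobject]@{ MachineName = 'DC01'; TimeCreated = [datetime]'2006-05-03T10:00:00'; Id = 1938 }
    [pscustomobject]@{ MachineName = 'DC01'; TimeCreated = [datetime]'2006-05-03T10:00:05'; Id = 1946 }
    [pscustomobject]@{ MachineName = 'DC01'; TimeCreated = [datetime]'2006-05-03T10:00:06'; Id = 1946 }
    [pscustomobject]@{ MachineName = 'DC01'; TimeCreated = [datetime]'2006-05-03T10:00:09'; Id = 1942 }
    [pscustomobject]@{ MachineName = 'DC01'; TimeCreated = [datetime]'2006-05-03T11:00:00'; Id = 1937 }
    [pscustomobject]@{ MachineName = 'DC01'; TimeCreated = [datetime]'2006-05-03T11:00:04'; Id = 1945 }
)

Get-LingeringObjectActivity -Events $sample | Format-Table -AutoSize

# Against a live DC, feed it real events instead of $sample:
#   Get-WinEvent -ComputerName DC01 -FilterHashtable @{
#       LogName = 'Directory Service'; Id = 1388,1988,1937,1938,1939,1942,1945,1946 }
```

A run reported with Completed = False is one whose final summary event (1942 or 1939) was not found, so its object count should not be trusted as complete.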
RE: [ActiveDir] Check Active Directory Backups
REPADMIN /SHOWBACKUP DC_LIST

Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

From: [EMAIL PROTECTED] on behalf of Teo De Las Heras
Sent: Wed 2006-05-03 21:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Check Active Directory Backups

> I came across an article a while ago that demonstrated how to use one of the replication tools (replmon, repadmin) to verify that all the AD partitions have been successfully backed up. Anyone know the commands or have the article link handy? I thought it was on techtarget.com but I can't find it there.
>
> Teo
Re: [ActiveDir] Check Active Directory Backups
I gotta get Brett an A-blogger list Tshirt... it's a moral imperative now that he's clearly a Tech resource. (sorry Tony.. chit chatty I know)

Teo De Las Heras wrote:

> That's it! Thanks Brian!

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] TScmd help
I need to try and find users who have a certain TS Profile path and change the server name. It is W2K/W2K3 mixed. I have googled and have tscmd, but can tell I will be needing to do some voodoo also. Any help is appreciated.

Mike Hutchins
Sys Admin
[EMAIL PROTECTED]
RE: [ActiveDir] Migrating Term service cals
It's in the Licensing portion of the FAQ: http://www.microsoft.com/windowsserver2003/community/centers/terminal/terminal_faq.mspx

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Wed 5/3/2006 9:19 AM
To: activedirectory
Subject: [ActiveDir] Migrating Term service cals

> We are installing a new Citrix farm in a new Forest and decommissioning the old Citrix server in our old Forest. Are there any special procedures to migrate the CALs over to the Licensing Server in the new Forest? Thanks
RE: [ActiveDir] TScmd help
Mike,

Can you use ADfind and ADmod for this?

    ADfind -h DC -Default -f "(TSpath=Blah)" -dsq | ADMOD tspath::NewPath

Now I don't remember if TS path (I know it's not the attribute name so you will need to look at it) is a string value or if it's contained in that blob value with the other TS settings. Just an idea.

Subject: [ActiveDir] TScmd help
Date: Wed, 3 May 2006 15:12:42 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

> I need to try and find users who have a certain TS Profile path and change the server name. It is W2K/W2K3 mixed. I have googled and have tscmd, but can tell I will be needing to do some voodoo also. Any help is appreciated.
>
> Mike Hutchins
> Sys Admin
> [EMAIL PROTECTED]
RE: [ActiveDir] TScmd help
A, I think I shall try that! Thanks Jef!

From: [EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, May 03, 2006 2:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help

> Mike,
>
> Can you use ADfind and ADmod for this?
>
>     ADfind -h DC -Default -f "(TSpath=Blah)" -dsq | ADMOD tspath::NewPath
>
> Now I don't remember if TS path (I know it's not the attribute name so you will need to look at it) is a string value or if it's contained in that blob value with the other TS settings. Just an idea.
RE: [ActiveDir] TScmd help
Mike,

Scratch that. It is not the string I was thinking about. I'm sure Joe will know though :)
[ActiveDir] Several IMAP Accounts-Outlook fail
"Your Server Has Reported a UID Which Does Not Comply with the IMAP Standard"

I received this error once I configured several IMAP e-mail accounts in the same profile. The worst point is that if I use any other e-mail client (Thunderbird, Evolution, etc.) set up with the same e-mail accounts, it works fine.

I refer to this KB: http://support.microsoft.com/?kbid=294779

However, the resolution is not very useful: "To resolve this behavior, remove the IMAP account and create a new one."

I am using the Outlook 2003 client. Please help me to find a solution.
RE: [ActiveDir] TScmd help
Joe? joe? me?

The TS Attributes are stored in an amazingly efficient and highly useful format called a blob. Blob as you may or may not know stands for Big Lump of a, Ok, from now on we will call what the TS attributes are stored in a Blos.

So this Blos is kept in the userParameters attribute. It is a form of a name value pair setup but is entirely undocumented by MS and dorking with it is surely going to impact how PSS supports you when you encounter an issue. Instead of hearing the ubiquitous "That is By Design" or "I need you to crash the server and send us a dump" you will hear the almost as ubiquitous "That is unsupported" or "You are Unsupportable in that state".

There have been some attempts in the SAMBA space to decode that information and I am not at liberty to say how they are doing on it, but keep in mind, they may not have access to all different configs using that attribute because TS attributes are not the only ones that go in there.

Yes, Microsoft had the opportunity to fix the issues with that and userAccountControl 6+ years ago with the release of AD and yes they did refuse that opportunity. On the positive side some thought is now going into userAccountControl nowadays with ADAM though it is still quite, quite, quite rough. TS attributes unfortunately, are still dorked. I don't see that they are attempting to clean it up either, maybe they (MSFT) are hoping they (the attributes) will just get sick and tired of being treated like second class citizens and just go away.

When people ask me about setting them with admod I tend to say, go away, don't come back until you grow up and become real attributes. You can set it with admod right now, you just need to know the actual binary chunk to send into admod to do it.
joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, May 03, 2006 5:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help

> Mike,
>
> Scratch that. It is not the string I was thinking about. I'm sure Joe will know though :)
RE: [ActiveDir] Migrating Term service cals
You don't migrate, you reactivate the new LS... BTDT

From: [EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, May 03, 2006 9:19 AM
To: activedirectory
Subject: [ActiveDir] Migrating Term service cals

> We are installing a new Citrix farm in a new Forest and decommissioning the old Citrix server in our old Forest. Are there any special procedures to migrate the CALs over to the Licensing Server in the new Forest? Thanks
RE: [ActiveDir] TScmd help
My first travesty with said blos was when an admin could not reset a user's password via the MMC. After some PSS support, it turns out it was the NWCLIENT attributes stored in the userParameters field. As it turns out, these users in the NT4 days had the Netware client piece, and when they were migrated with ADMT to 2000, this nugget came with it.

The solution? Just clear the userParameters attribute for all affected users, if I remember. I think there is a KB article on it now.
Re: [ActiveDir] TScmd help
I have some code that sets TS parameters for users. What you need to do is bind to the user object and check the TerminalServicesHomeDirectory attribute and TerminalServicesHomeDrive if needed. Here is a piece of sample code to set the values. It should be easy enough to check the value and set it to something else, if needed.

    ' Bind to the user object; userDN holds the user's distinguished name
    Set objUser = GetObject("LDAP://" & userDN)
    objUser.TerminalServicesHomeDirectory = strHomeDir
    objUser.TerminalServicesHomeDrive = strHomeDrive
    ' Write the changed values back to the directory
    objUser.SetInfo

Of course, if you do not have a list of target users, you will need to loop through the above code to check and modify the settings if necessary. Here is a URL that may help as well.

http://www.msterminalservices.org/articles/Scripting-Server-Based-Computing-Terminal-Services-Attributes-Active-Directory-User-Objects.html

Hope this helps.

Arden

On 5/3/06, Jef Kazimer [EMAIL PROTECTED] wrote:

> My first travesty with said blos was when an admin could not reset a user's password via the MMC. After some PSS support, it turns out it was the NWCLIENT attributes stored in the userParameters field. As it turns out, these users in the NT4 days had the Netware client piece, and when they were migrated with ADMT to 2000, this nugget came with it.
>
> The solution? Just clear the userParameters attribute for all affected users, if I remember. I think there is a KB article on it now.
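An added example (not code from the thread) of the loop described above, applied to the original question about the TS profile path: because the TS settings live inside userParameters, an LDAP filter cannot match on the path, so each candidate user is read through ADSI and the server name is swapped. Function names, the search base and the server names are hypothetical, and it assumes the Terminal Services ADSI extension is available on the machine running the script.

```powershell
# Added example. Pure helper: returns the rewritten UNC path, or $null when the
# path does not point at $OldServer. Matching is case-insensitive and anchored,
# so \\OLDTS01B\... or \\OLDTS01.some.domain\... are NOT treated as OLDTS01.
function Convert-TsProfileServer {
    param(
        [string]$Path,
        [Parameter(Mandatory)][string]$OldServer,
        [Parameter(Mandatory)][string]$NewServer
    )
    $pattern = '^\\\\' + [regex]::Escape($OldServer) + '(?=\\|$)'
    if ($Path -notmatch $pattern) { return $null }
    # '$' is the only special character in a .NET replacement string.
    return ($Path -replace $pattern, ('\\' + $NewServer.Replace('$', '$$')))
}

function Update-TsProfilePath {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. 'LDAP://OU=Staff,DC=example,DC=test'
        [Parameter(Mandatory)][string]$OldServer,
        [Parameter(Mandatory)][string]$NewServer
    )
    # Only users that have a userParameters value can carry TS settings.
    $searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(userParameters=*))'
    $searcher.SearchRoot = [adsi]$SearchBase
    $searcher.PageSize   = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $results = $searcher.FindAll()
    try {
        foreach ($hit in $results) {
            $dn   = [string]$hit.Properties['distinguishedname'][0]
            $user = $hit.GetDirectoryEntry()
            try   { $current = [string]$user.psbase.InvokeGet('TerminalServicesProfilePath') }
            catch { continue }   # userParameters holds something other than TS settings

            $new = Convert-TsProfileServer -Path $current -OldServer $OldServer -NewServer $NewServer
            if ($null -eq $new) { continue }

            $changed = $false
            if ($PSCmdlet.ShouldProcess($dn, "Set TS profile path to $new")) {
                $user.psbase.InvokeSet('TerminalServicesProfilePath', $new)
                $user.psbase.CommitChanges()
                $changed = $true
            }
            # One record per matching user: keep this output as the rollback list.
            [pscustomobject]@{ User = $dn; OldPath = $current; NewPath = $new; Changed = $changed }
        }
    }
    finally { $results.Dispose() }
}

# Offline check of the rewrite rule on constructed paths (placeholder server names).
'\\OLDTS01\tsprofiles\jdoe', '\\oldts01', '\\OLDTS01B\tsprofiles\jdoe', '\\FS02\home\jdoe' |
    ForEach-Object {
        '{0} -> {1}' -f $_, (Convert-TsProfileServer -Path $_ -OldServer 'OLDTS01' -NewServer 'NEWTS01')
    }

# Dry run against a directory (no writes), then repeat without -WhatIf:
#   Update-TsProfilePath -SearchBase 'LDAP://OU=Staff,DC=example,DC=test' `
#       -OldServer 'OLDTS01' -NewServer 'NEWTS01' -WhatIf
```

Run it with -WhatIf first and save the returned records; they list every object that would be touched together with its previous path.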
RE: [ActiveDir] exporting list of members of a security group
I have just read my post - and the moral of the story is - do not leave your Blackberry on the table with a bunch of geeks when you go to the bar. G.

Mark

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 02 May 2006 21:50
To: ActiveDir.org
Subject: Re: [ActiveDir] exporting list of members of a security group

> Right click the group and say export list.
>
> Mark

-----Original Message-----
From: Antonio Aranda [EMAIL PROTECTED]
Date: Tue, 2 May 2006 15:02:21
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] exporting list of members of a security group

> Is there a way to export to text file a list of the members of a security group?
>
> Thanks
> Antonio