RE: [ActiveDir] Printers AD GUI

2006-08-30 Thread Steve Rochford
Yes, but you can exclude machines which don't have printers attached.
Don't know what your network is like but most of our machines don't have
a local printer - they're networked from servers - so the standard
browse list has loads of machines which don't have printers.

Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Albert Duro
Sent: 29 August 2006 15:51
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Printers  AD GUI

good stuff, Steve, thanks.  But isn't all this really a duplication of
what the Browse List already does?

- Original Message -
From: Steve Rochford [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 29, 2006 4:46 AM
Subject: RE: [ActiveDir] Printers  AD GUI


I'd guess it depends why you're wanting to manage a printer but if it's
in response to someone reporting some kind of problem with their printer
then you can just sit at your computer and type \\computername into
explorer. You'll then see the printers and faxes folder - double click
that and you'll have access to the printer(s)installed even if they're
not shared. I don't think it's much more work than connecting through
the AD GUI.

If you don't know the name of the computers with printers then it
wouldn't be too hard to use a WMI script to build a database of
computers and their printers - this could then feed a web page listing
them and you just click on the name to connect in the same way as typing
the name above.

If most of your machines are on all the time and there are not too many
then the web page could even do a live query of each machine to get the
printer details.

Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Albert Duro
Sent: 28 August 2006 16:11
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Printers  AD GUI

I figured out where the disconnect is in this discussion.  You see, I'm
the sole IT of a small org, barely over the SBS size, and I have to do
*everything*.  I had overlooked the fact that those of you who are at
the top of a large IT pyramid have to leave the management of printers
to lower admins, techs, and even users.  I can't do that.  If an
unshared printer needs management, I have to either drill through the
browse list, or travel to the workstation and disrupt the user.
It would be just great if the AD printer list could make printers shared
but invisible (to all but the owner and Admin).  Kinda like Exchange
mailboxes, which can still be used and managed even when invisible.
Maybe the aforementioned Printer Management Console offers something
like that - I haven't checked it out yet.  But surely this couldn't be
an unreasonable wish.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx




[ActiveDir] AD Site replication settings/costs

2006-08-30 Thread Rimmerman, Russ



We have about 80 AD sites with DCs. All sites are set for a cost of 100 on
the site to site replication, and a replication interval of 15 minutes.
I'm presuming this is probably not a good thing.

One slow bandwidth site is complaining that their DC is talking to every DC in
the domain.

What is everyone else using as a replication interval for inter-site
replication?

~~
This e-mail is confidential, may contain proprietary information
of Cameron and its operating Divisions and may be confidential
or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


RE: [ActiveDir] AD Site replication settings/costs

2006-08-30 Thread Laura A. Robinson



Intervals vary by company, domain structure, network topology and latency 
tolerances. That said, there is nothing inherently wrong with the replication 
parameters you list below. Are they the best parameters for your environment? 
That depends. Is this a Windows 2000 environment? Is automatic site link 
bridging enabled? There's a lot to consider in determining how to set site link 
properties; what you've listed below won't really be enough for anybody to give 
you any kind of realistic advice. (sorry)

Laura

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
  Sent: Wednesday, August 30, 2006 11:59 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] AD Site replication settings/costs

  We have about 80 AD sites with DCs. All sites are set for a cost of 100 on
  the site to site replication, and a replication interval of 15 minutes.
  I'm presuming this is probably not a good thing.

  One slow bandwidth site is complaining that their DC is talking to every DC in
  the domain.

  What is everyone else using as a replication interval for inter-site
  replication?
  




RE: [ActiveDir] AD Site replication settings/costs

2006-08-30 Thread Brian Desmond
Is this a hub and spoke or are there multiple levels of hub & spoke...costs
don't always make much if any difference.

Intervals vary by business requirements, link speeds & saturations, etc. I've
run everything from 15 minutes to certain days of the week...
 
--brian



From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Wed 8/30/2006 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Site replication settings/costs


We have about 80 AD sites with DCs.  All sites are set for a cost of 100 on the 
site to site replication, and a replication interval of 15 minutes.  I'm 
presuming this is probably not a good thing.  
 
One slow bandwidth site is complaining that their DC is talking to every DC in 
the domain.  
 
What is everyone else using as a replication interval for inter-site 
replication?

RE: Re[2]: [ActiveDir] Add folder with quota to existing mailboxes - via scripting or tool

2006-08-30 Thread Victor W.
Thanks for this Mathieu, the script which creates the folder under the inbox
works good.
To create it in the root must be a little more complex because this doesn't
work yet.
When I fire up the script it prompts me with the following error:

Error:  Object doesn't support this property or method:
'olApp.GetNamespace(...).Folder'
Code:   800A01B6

Can you point me in the right direction to solve this?

Cheers,

Victor



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: maandag 28 augustus 2006 11:26
To: [EMAIL PROTECTED]
Cc: ActiveDir@mail.activedir.org
Subject: Re[2]: [ActiveDir] Add folder with quota to existing mailboxes -
via scripting or tool


this script goes through outlook.
Each user needs to fire this script (or fire it via logon script).

for the Root Folder, change:
set inbox = olApp.GetNamespace("MAPI").getDefaultFolder(6)

to

set inbox = olApp.GetNamespace("MAPI").Folder("Personal Folder") (should do
the trick but i didn't test it yet)



Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

Monday, August 28, 2006, 11:00:14 AM, you wrote:

vwpn Thanks Brian and Mathieu,

vwpn I will tell a little bit more about the background of this. The
vwpn customer has asked for a folder called private to be created in
vwpn the root of every users mailbox and if possible set a quota to this
vwpn folder.

vwpn After this has been done, the customer wants to instruct his users 
vwpn to use only this folder only as their personal/private email 
vwpn folder and move everything that the users sees as being private, 
vwpn to the private folder. From that moment on, all other folders in 
vwpn the users mailboxes are no longer considered as private/personal.

vwpn I do have some additional questions:

vwpn - how would the script look if the requirement would be to create 
vwpn the folder in the root.

vwpn - The way the script is set up now, do I have to set up which 
vwpn users this script will apply to, I mean will it now apply to all 
vwpn users in the entire domain which are mailbox enabled?

vwpn - Is there any way that I can specify which users this script has 
vwpn to be applied to, I mean can I run it against all mailbox enabled 
vwpn users in a specific OU?





vwpn Re[2]: [ActiveDir] Add folder with quota to existing mailboxes -
vwpn via scripting or tool
vwpn From: Mathieu CHATEAU [EMAIL PROTECTED]
vwpn Date: Mon, 28 Aug 2006 00:24:47 +0200

vwpn Hello Victor,

vwpn If the folder already exist, it will simply do nothing, except 
vwpn going into errors..

vwpn need to add a on error resume next or test if the folder exist before.

vwpn will create  in the inbox, as a subfolder

vwpn I don't see your goal with this folder...except if you turn 
vwpn special rights on it.

vwpn may ask them to put it [private] in the subject instead (it will 
vwpn work for the sent folders)

vwpn Regards,

vwpn Mathieu CHATEAU

vwpn http://lordoftheping.blogspot.com




vwpn Sunday, August 27, 2006, 10:26:59 PM, you wrote:


vwpn Thanks Mathieu, nice.

vwpn Does this create a folder in the root of the  mailbox?
vwpn  
vwpn Access all mailboxes you say, that sounds logical. I know  that 
vwpn domain admins indeed dont actually have the full mailbox access 
vwpn (they have  some denies).

vwpn What if a user already has the folder, does this script  take this 
vwpn into account?

vwpn Again thanks.

vwpn Victor










vwpn From: Mathieu CHATEAU [mailto:[EMAIL PROTECTED]

vwpn Sent: zondag 27 augustus 2006 22:04
vwpn To: Victor  W.

vwpn Cc: [EMAIL PROTECTED]

vwpn Subject: Re: [ActiveDir]  Add folder with quota to existing 
vwpn mailboxes - via scripting or  tool


vwpn Hello Victor,

vwpn you will at least need an account that can access all mailboxes 
vwpn (not a domain  admins one)

vwpn (or give a script to everyone that they will execute)

vwpn To my knowledge, quota is mailbox based. You may set up a special 
vwpn retention  on this folder.


vwpn sample vbscript to create the private folder

vwpn set olApp = CreateObject("Outlook.Application")
vwpn set inbox = olApp.GetNamespace("MAPI").getDefaultFolder(6)
vwpn set temp5 = inbox.folders.add("Private",6)

vwpn hope it helps,

vwpn Regards,
vwpn  

vwpn Mathieu CHATEAU



vwpn http://lordoftheping.blogspot.com








vwpn Sunday, August 27, 2006, 8:57:03 PM, you wrote:


vwpn Does anybody know what is the 'best' way to add   

vwpn automatically a folder to existing mailboxes and set a quota on 
vwpn that same folder?

vwpn We would like all our users to get a folder called   

vwpn private added to the root of their mailbox and if possible, a 
vwpn quota to be set to that folder.

vwpn Can this be done by scripting easily or is there perhaps

vwpn even a tool which is capable of doing this?


RE: [ActiveDir] AD Site replication settings/costs

2006-08-30 Thread Rimmerman, Russ



It's a Windows 2000 native domain, we're about 4 upgrades from having all
Win2k3 DCs and from what I've read, that should help a lot with replication.

Automatic site link bridging isn't enabled, and we have 0 site link bridges.

We're a worldwide company with 3 main hubs, but it is a mesh network in design
(MPLS).

I guess I'm mainly confused because the DC at the slow bandwidth site in
question only has one replication partner, yet we see connections to it from a
large number of our DCs on a regular basis. Is this normal?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, August 30, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

Intervals vary by company, domain structure, network topology and latency 
tolerances. That said, there is nothing inherently wrong with the replication 
parameters you list below. Are they the best parameters for your environment? 
That depends. Is this a Windows 2000 environment? Is automatic site link 
bridging enabled? There's a lot to consider in determining how to set site link 
properties; what you've listed below won't really be enough for anybody to give 
you any kind of realistic advice. (sorry)

Laura

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
  Sent: Wednesday, August 30, 2006 11:59 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] AD Site replication settings/costs

  We have about 80 AD sites with DCs. All sites are set for a cost of 100 on
  the site to site replication, and a replication interval of 15 minutes.
  I'm presuming this is probably not a good thing.

  One slow bandwidth site is complaining that their DC is talking to every DC in
  the domain.

  What is everyone else using as a replication interval for inter-site
  replication?
  




RE: [ActiveDir] AD Site replication settings/costs

2006-08-30 Thread David Adner



Are these manual or automatically generated connection objects? If automatic,
were they created back when bridge all site links was enabled? If so, if you
delete them, do they come back? Do the site links only have 2 sites, the
remote and its designated hub, or do they have multiple sites in them?

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
  Sent: Wednesday, August 30, 2006 1:52 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD Site replication settings/costs

  It's a Windows 2000 native domain, we're about 4 upgrades
  from having all Win2k3 DCs and from what I've read, that should help a lot
  with replication.

  Automatic site link bridging isn't enabled, and we have 0
  site link bridges.

  We're a worldwide company with 3 main hubs, but it is a
  mesh network in design (MPLS).

  I guess I'm mainly confused because the DC at the slow
  bandwidth site in question only has one replication partner, yet we see
  connections to it from a large number of our DCs on a regular basis. Is
  this normal?

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
  Sent: Wednesday, August 30, 2006 11:12 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD Site replication settings/costs
  
  Intervals vary by company, domain structure, network topology and 
  latency tolerances. That said, there is nothing inherently wrong with the 
  replication parameters you list below. Are they the best parameters for your 
  environment? That depends. Is this a Windows 2000 environment? Is automatic 
  site link bridging enabled? There's a lot to consider in determining how to 
  set site link properties; what you've listed below won't really be enough for 
  anybody to give you any kind of realistic advice. (sorry)
  
  Laura
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 30, 2006 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Site replication settings/costs

We have about 80 AD sites with DCs. All sites are set for a cost of 100
on the site to site replication, and a replication interval of 15
minutes. I'm presuming this is probably not a good thing.

One slow bandwidth site is complaining that their DC is talking to
every DC in the domain.

What is everyone else using as a replication interval for inter-site
replication?

  
  


RE: [ActiveDir] AD Site replication settings/costs

2006-08-30 Thread Brian Desmond
You have site link bridging enabled so this is quite plausible...



From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Wed 8/30/2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs


It's a Windows 2000 native domain, we're about 4 upgrades from having all
Win2k3 DCs and from what I've read, that should help a lot with replication.

Automatic site link bridging isn't enabled, and we have 0 site link bridges.

We're a worldwide company with 3 main hubs, but it is a mesh network in design
(MPLS).

I guess I'm mainly confused because the DC at the slow bandwidth site in
question only has one replication partner, yet we see connections to it from a
large number of our DCs on a regular basis.  Is this normal?



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, August 30, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs


Intervals vary by company, domain structure, network topology and latency 
tolerances. That said, there is nothing inherently wrong with the replication 
parameters you list below. Are they the best parameters for your environment? 
That depends. Is this a Windows 2000 environment? Is automatic site link 
bridging enabled? There's a lot to consider in determining how to set site link 
properties; what you've listed below won't really be enough for anybody to give 
you any kind of realistic advice. (sorry)
 
Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
Rimmerman, Russ
Sent: Wednesday, August 30, 2006 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Site replication settings/costs


We have about 80 AD sites with DCs.  All sites are set for a cost of 
100 on the site to site replication, and a replication interval of 15 minutes.  
I'm presuming this is probably not a good thing.  
 
One slow bandwidth site is complaining that their DC is talking to 
every DC in the domain.  
 
What is everyone else using as a replication interval for inter-site 
replication?

[ActiveDir] Moving user accounts.

2006-08-30 Thread Kennedy, Jim








Am I correct that to delegate moving user accounts from
OU to OU I will have to allow them the ability to delete accounts? It appears
accounts work similar to documents, a move is really a copy then delete.








RE: [ActiveDir] AD Site replication settings/costs

2006-08-30 Thread Scott, Anthony








Yep, you need to manually create site
links between sites to control what replication connections get created. For example,
create a site link between the HUB site and the site with slow bandwidth. This
will only allow replication connections to be created with DCs in those two
sites.







Thanks,

Anthony Scott











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 30, 2006 2:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs





It's a Windows 2000 native domain, we're
about 4 upgrades from having all Win2k3 DCs and from what I've read, that
should help a lot with replication.

Automatic site link bridging isn't enabled,
and we have 0 site link bridges.

We're a worldwide company with 3 main
hubs, but it is a mesh network in design (MPLS).

I guess I'm mainly confused because the DC
at the slow bandwidth site in question only has one replication partner, yet we
see connections to it from a large number of our DCs on a regular basis.
Is this normal?









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, August 30, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs



Intervals vary by company, domain structure,
network topology and latency tolerances. That said, there is nothing inherently
wrong with the replication parameters you list below. Are they the best
parameters for your environment? That depends. Is this a Windows 2000
environment? Is automatic site link bridging enabled? There's a lot to consider
in determining how to set site link properties; what you've listed below won't
really be enough for anybody to give you any kind of realistic advice. (sorry)











Laura













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 30, 2006 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Site replication settings/costs



We have about 80 AD sites with DCs.
All sites are set for a cost of 100 on the site to site replication, and a
replication interval of 15 minutes. I'm presuming this is probably not a
good thing.

One slow bandwidth site is complaining
that their DC is talking to every DC in the domain.

What is everyone else using as a
replication interval for inter-site replication?




 
  


RE: [ActiveDir] Moving user accounts.

2006-08-30 Thread David Cliffe



Hi Jim,

Yes, I have found this to be true...there is no "move object" delegation. We
have to use the create and delete. I wonder if that will change in future (I
have a feeling it's been mentioned here several times before, but can't
remember).

-DaveC

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
  Sent: Wednesday, August 30, 2006 3:17 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Moving user accounts.

  Am I correct that to delegate moving user accounts
  from OU to OU I will have to allow them the ability to delete accounts? It
  appears accounts work similar to documents, a move is really a copy then
  delete.

To find out more about Reuters visit www.about.reuters.com

Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.




Re: [ActiveDir] Moving user accounts.

2006-08-30 Thread Matheesha Weerasinghe
http://blog.joeware.net/2005/07/17/48/

M@

On 8/30/06, David Cliffe [EMAIL PROTECTED] wrote:






Hi Jim,

Yes, I have found this to be true...there is no "move object" delegation. We
have to use the create and delete. I wonder if that will change in future (I
have a feeling it's been mentioned here several times before, but can't
remember).

-DaveC

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kennedy, Jim
  Sent: Wednesday, August 30, 2006 3:17 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Moving user accounts.

  Am I correct that to delegate moving user accounts
  from OU to OU I will have to allow them the ability to delete accounts? It
  appears accounts work similar to documents, a move is really a copy then
  delete.







Re[4]: [ActiveDir] Add folder with quota to existing mailboxes - via scripting or tool

2006-08-30 Thread Mathieu CHATEAU
Hello Victor,

sorry.

Here is the working for the Root folder:
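On Error Resume Next

' The parent of the default Inbox (folder type 6) is the mailbox root
set olApp = CreateObject("Outlook.Application")
set inbox = olApp.GetNamespace("MAPI").getDefaultFolder(6).Parent
' Create the new mail folder (type 6) directly under the root
set temp5 = inbox.folders.add("Added by vbscript",6)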


Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

Wednesday, August 30, 2006, 8:01:50 PM, you wrote:

VW Thanks for this Mathieu, the script which creates the folder under the inbox
VW works good.
VW To create it in the root must be a little more complex because this doesn't
VW work yet.
VW When I fire up the script it prompts me with the following error:

VW Error:  Object doesn't support this property or method:
VW 'olApp.GetNamespace(...).Folder'
VW Code:   800A01B6

VW Can you point me in the right direction to solve this?

VW Cheers,

VW Victor



VW -Original Message-
VW From: [EMAIL PROTECTED]
VW [mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
VW Sent: maandag 28 augustus 2006 11:26
VW To: [EMAIL PROTECTED]
VW Cc: ActiveDir@mail.activedir.org
VW Subject: Re[2]: [ActiveDir] Add folder with quota to existing mailboxes -
VW via scripting or tool


VW this script goes through outlook.
VW Each user needs to fire this script (or fire it via logon script).

VW for the Root Folder, change:
VW set inbox = olApp.GetNamespace("MAPI").getDefaultFolder(6)

VW to

VW set inbox = olApp.GetNamespace("MAPI").Folder("Personal Folder") (should do
VW the trick but i didn't test it yet)



VW Regards,
VW Mathieu CHATEAU
VW http://lordoftheping.blogspot.com

VW Monday, August 28, 2006, 11:00:14 AM, you wrote:

vwpn Thanks Brian and Mathieu,

vwpn I will tell a little bit more about the background of this. The 
vwpn customer has asked for a folder called private to be created in 
vwpn the root of every users mailbox and if possible set a quota to this
VW folder.

vwpn After this has been done, the customer wants to instruct his users 
vwpn to use only this folder only as their personal/private email 
vwpn folder and move everything that the users sees as being private, 
vwpn to the private folder. From that moment on, all other folders in 
vwpn the users mailboxes are no longer considered as private/personal.

vwpn I do have some additional questions:

vwpn - how would the script look if the requirement would be to create 
vwpn the folder in the root.

vwpn - The way the script is set up now, do I have to set up which 
vwpn users this script will apply to, I mean will it now apply to all 
vwpn users in the entire domain which are mailbox enabled?

vwpn - Is there any way that I can specify which users this script has 
vwpn to be applied to, I mean can I run it against all mailbox enabled 
vwpn users in a specific OU?





vwpn Re[2]: [ActiveDir] Add folder with quota to existing mailboxes -
vwpn via scripting or tool
vwpn From: Mathieu CHATEAU [EMAIL PROTECTED]
vwpn Date: Mon, 28 Aug 2006 00:24:47 +0200

vwpn Hello Victor,

vwpn If the folder already exist, it will simply do nothing, except 
vwpn going into errors..

vwpn need to add a on error resume next or test if the folder exist before.

vwpn will create  in the inbox, as a subfolder

vwpn I don't see your goal with this folder...except if you turn 
vwpn special rights on it.

vwpn may ask them to put it [private] in the subject instead (it will 
vwpn work for the sent folders)

vwpn Regards,

vwpn Mathieu CHATEAU

vwpn http://lordoftheping.blogspot.com




vwpn Sunday, August 27, 2006, 10:26:59 PM, you wrote:


vwpn Thanks Mathieu, nice.

vwpn Does this create a folder in the root of the  mailbox?
vwpn  
vwpn Access all mailboxes you say, that sounds logical. I know  that 
vwpn domain admins indeed dont actually have the full mailbox access 
vwpn (they have  some denies).

vwpn What if a user already has the folder, does this script  take this 
vwpn into account?

vwpn Again thanks.

vwpn Victor










vwpn From: Mathieu CHATEAU [mailto:[EMAIL PROTECTED]

vwpn Sent: zondag 27 augustus 2006 22:04
vwpn To: Victor  W.

vwpn Cc: [EMAIL PROTECTED]

vwpn Subject: Re: [ActiveDir]  Add folder with quota to existing 
vwpn mailboxes - via scripting or  tool


vwpn Hello Victor,

vwpn you will at least need an account that can access all mailboxes 
vwpn (not a domain  admins one)

vwpn (or give a script to everyone that they will execute)

vwpn To my knowledge, quota is mailbox based. You may set up a special 
vwpn retention  on this folder.


vwpn sample vbscript to create the private folder

vwpn set olApp = CreateObject("Outlook.Application")
vwpn set inbox = olApp.GetNamespace("MAPI").getDefaultFolder(6)
vwpn set temp5 = inbox.folders.add("Private",6)

vwpn hope it helps,

vwpn Regards,
vwpn  

vwpn Mathieu CHATEAU



vwpn http://lordoftheping.blogspot.com








vwpn Sunday, August 27, 2006, 8:57:03 PM, 

RE: [ActiveDir] Moving user accounts.

2006-08-30 Thread Almeida Pinto, Jorge de
In order to move an object in DS, you need the following three permissions: 

1) DELETE_CHILD on the source container or DELETE on the object being moved
2) WRITE_PROP on the object being moved for two properties: RDN (name) and CN 
(or whatever happens to be the rdn attribute for this class, i.e. ou for org 
units).
3) CREATE_CHILD on the destination container.

 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Kennedy, Jim
Sent: Wed 2006-08-30 21:16
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Moving user accounts.



Am I correct that to delegate moving user accounts from OU to OU I will have
to allow them the ability to delete accounts? It appears accounts work similar
to documents, a move is really a copy then delete.



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.

[ActiveDir] deleting subdomain

2006-08-30 Thread Ramon Linan
Hi,

We had a DC that was taken out of AD without being demoted. That DC was
also the only domain controller for that child domain, child.domain.com

I want to remove that domain entirely from the AD, any ideas on the steps
I should follow?

I don't have access to that DC, so I can't do a clean removal.

Thanks

Rezuma
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] AD Site replication settings/costs

2006-08-30 Thread Laura A. Robinson
He said that it *isn't* enabled...


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, August 30, 2006 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs


You have site link bridging enabled so this is quite plausible...

  _  

From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Wed 8/30/2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs


It's a Windows 2000 native domain, we're about 4 upgrades from having all
Win2k3 DCs and from what I've read, that should help a lot with replication.
 
Automatic site link bridging isn't enabled, and we have 0 site link bridges.

 
We're a worldwide company with 3 main hubs, but it is a mesh network in
design (MPLS).
 
I guess I'm mainly confused because the DC at the slow bandwidth site in
question only has one replication partner, yet we see connections to it from
a large number of our DCs on a regular basis.  Is this normal?

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, August 30, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs


Intervals vary by company, domain structure, network topology and latency
tolerances. That said, there is nothing inherently wrong with the
replication parameters you list below. Are they the best parameters for your
environment? That depends. Is this a Windows 2000 environment? Is automatic
site link bridging enabled? There's a lot to consider in determining how to
set site link properties; what you've listed below won't really be enough
for anybody to give you any kind of realistic advice. (sorry)
 
Laura


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 30, 2006 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Site replication settings/costs


We have about 80 AD sites with DCs.  All sites are set for a cost of 100 on
the site to site replication, and a replication interval of 15 minutes.  I'm
presuming this is probably not a good thing.  
 
One slow bandwidth site is complaining that their DC is talking to every DC
in the domain.  
 
What is everyone else using as a replication interval for inter-site
replication?
~~
This e-mail is confidential, may contain proprietary information
of Cameron and its operating Divisions and may be confidential
or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~



[ActiveDir] Logging successful logons in AD security log

2006-08-30 Thread Isenhour, Joseph
What is the general consensus on logging successful logon events?

For example if you have a domain with 100K users or so and you use AD as
your primary authentication service for: application, file, email, and
web access then it is plausible that you will end up with up to 100 log
entries per second.  That kind of volume will no doubt cause the logs to
roll over frequently thus making them somewhat useless.

The only alternatives I see are:

a) Don't log success logon.
b) Set your event log size to a very large (and possibly unmanageable)
size.
c) Invest in a fancy log management system that will collect, index, and
retain all of your logs.



RE: [ActiveDir] AD Site replication settings/costs

2006-08-30 Thread Laura A. Robinson



Is it a GC? If so, then yes, that's to be expected. You may have *thought* that you
gave it only one replication partner, but if you're seeing additional connection 
objects, then it has more than one replication partner. When planning 
replication, you must be aware of every partition that the DCs in a site are 
hosting. If you don't want that remote DC to have connection objects from all of 
those other DCs, you're probably going to need to set up connection objects for 
preferred DCs for it to use for replication of partition data. If it's a GC, and 
if you have a GC that is a DC for the same domain in another site, that would be 
a good choice to set as a replication partner, because they would be able to 
replicate all of their partitions (GCs can replicate partitions they don't own 
to other GCs).

Laura

  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
  Sent: Wednesday, August 30, 2006 2:52 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD Site replication settings/costs

  It's a Windows 2000 native domain, we're about 4 upgrades
  from having all Win2k3 DCs and from what I've read, that should help a lot
  with replication.

  Automatic site link bridging isn't enabled, and we have 0
  site link bridges.

  We're a worldwide company with 3 main hubs, but it is a
  mesh network in design (MPLS).

  I guess I'm mainly confused because the DC at the slow
  bandwidth site in question only has one replication partner, yet we see
  connections to it from a large number of our DCs on a regular basis. Is
  this normal?
  
  


RE: [ActiveDir] deleting subdomain

2006-08-30 Thread WATSON, BEN
Hi Rezuma,

You would want to perform a metadata cleanup through NTDSUTIL to remove
the child domain.

~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Wednesday, August 30, 2006 1:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] deleting subdomain

Hi,

We had a DC that was taken out of AD without being demoted. That DC was
also the only domain controller for that child domain, child.domain.com

I want to remove that domain entirely from the AD, any ideas on the steps
I should follow?

I don't have access to that DC, so I can't do a clean removal.

Thanks

Rezuma


RE: [ActiveDir] AD Site replication settings/costs

2006-08-30 Thread David Cliffe



That should be "GCs cannot replicate partitions they don't own" right?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Laura A. Robinson
Sent: Wednesday, August 30, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

  Is it a GC? If so, then yes, that's to be expected. You may have *thought* that
  you gave it only one replication partner, but if you're seeing additional 
  connection objects, then it has more than one replication partner. When 
  planning replication, you must be aware of every partition that the DCs in a 
  site are hosting. If you don't want that remote DC to have connection objects 
  from all of those other DCs, you're probably going to need to set up 
  connection objects for preferred DCs for it to use for replication of 
  partition data. If it's a GC, and if you have a GC that is a DC for the same 
  domain in another site, that would be a good choice to set as a replication 
  partner, because they would be able to replicate all of their partitions (GCs 
  can replicate partitions they don't own to other GCs).
  
  Laura
  



To find out more about Reuters visit www.about.reuters.com

Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.




RE: [ActiveDir] Logging successful logons in AD security log

2006-08-30 Thread Derek Harris
I have a pretty small site, and this probably won't scale very well, but
I have a script scheduled to run every day at midnight that backs up the
security log to a compressed folder & clears it. I have the log size set
ridiculously high, so it doesn't roll over unexpectedly.

' Build a backup file name from the current date and time
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay & _
    "_" & Hour(Time) & Minute(Time)
strComputer = "."
' The Backup and Security privileges are needed to save and clear the Security log
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Backup, Security)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
For Each objLogFile in colLogFiles
    ' Clear the log only if the backup succeeded (return value 0),
    ' so a failed backup does not lose the events
    If objLogFile.BackupEventLog("c:\seclogs\" & strBackupName & _
        "_security.evt") = 0 Then
        objLogFile.ClearEventLog()
    End If
Next

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Wednesday, August 30, 2006 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logging successful logons in AD security log

What is the general consensus on logging successful logon events?

For example if you have a domain with 100K users or so and you use AD as
your primary authentication service for: application, file, email, and
web access then it is plausible that you will end up with up to 100 log
entries per second.  That kind of volume will no doubt cause the logs to
roll over frequently thus making them somewhat useless.

The only alternatives I see are:

a) Don't log success logon.
b) Set your event log size to a very large (and possibly unmanageable)
size.
c) Invest in a fancy log management system that will collect, index, and
retain all of your logs.



RE: [ActiveDir] AD Site replication settings/costs

2006-08-30 Thread Laura A. Robinson



No. GCs can replicate partitions that they don't own to other GCs. They can't
replicate them to DCs for the domains in question, but they *can* replicate
their read-only partitions to other GCs.

Laura

  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
  Sent: Wednesday, August 30, 2006 5:40 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD Site replication settings/costs

  That should be "GCs cannot replicate partitions they don't own" right?
  
  
  
  

RE: [ActiveDir] AD Site replication settings/costs

2006-08-30 Thread Steve Linehan








The following documentation describes this in detail: http://technet2.microsoft.com/WindowsServer/en/library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx




Read-only and Writable Replicas

When computing the replication topology, the KCC must consider
whether a replica is writable or read-only. For each potential set of
replication partners in the topology, the considerations are as follows:

- A writable replica can receive updates from a corresponding
  writable replica.
- A read-only replica can receive updates from a corresponding
  writable replica.
- A read-only replica can receive updates from a corresponding
  read-only replica.
- A writable replica cannot receive updates from a
  corresponding read-only replica.


So as Laura states GCs can replicate amongst themselves.



Thanks,



-Steve







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Laura A. Robinson
Sent: Wednesday, August 30, 2006 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs









No. GCs can replicate partitions that they don't own to other
GCs. They can't replicate them to DCs for the domains in question, but they
*can* replicate their read-only partitions to other GCs.











Laura













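The replica rules quoted in the message above, and the earlier advice in this thread to pick a GC of the same domain as the replication partner, can be worked through in a small model. This is an added example, not code from the thread or from Microsoft; the DC names, the `.example` domains and the exhaustive partner search are assumptions, and the site costs and schedules the KCC also weighs are left out.

```python
"""Model of the read-only / writable replica rules quoted in the thread.

Constructed example: DC names, domains and the single-forest layout are
made up; site links, costs and schedules that the real KCC also weighs
are not modelled, and only domain partitions are considered.
"""
from dataclasses import dataclass
from itertools import combinations

WRITABLE, READ_ONLY = "writable", "read-only"


@dataclass(frozen=True)
class DC:
    name: str
    domain: str      # domain this DC is a domain controller for
    is_gc: bool      # global catalog: holds read-only copies of other domains


def replica_type(dc, partition):
    """Kind of replica of `partition` held by `dc`, or None if not hosted."""
    if partition == dc.domain:
        return WRITABLE
    return READ_ONLY if dc.is_gc else None


def can_receive_from(dest_type, source_type):
    """The four rules: only writable <- read-only is forbidden."""
    if dest_type is None or source_type is None:
        return False
    return not (dest_type == WRITABLE and source_type == READ_ONLY)


def partitions_from(dest, source, partitions):
    """Partitions that `dest` can pull from `source`."""
    return {
        p for p in partitions
        if can_receive_from(replica_type(dest, p), replica_type(source, p))
    }


def smallest_partner_set(dest, candidates, partitions):
    """Fewest source DCs that together cover every partition `dest` hosts.

    Exhaustive search; fine for a handful of candidates. Returns None when
    no combination of candidates covers everything.
    """
    needed = {p for p in partitions if replica_type(dest, p) is not None}
    for size in range(1, len(candidates) + 1):
        for combo in combinations(candidates, size):
            covered = set()
            for src in combo:
                covered |= partitions_from(dest, src, partitions)
            if needed <= covered:
                return [dc.name for dc in combo]
    return None


# Constructed forest: three domains, one slow-link site holding REMOTE-GC.
PARTITIONS = ["emea.example", "amer.example", "apac.example"]
REMOTE_GC = DC("REMOTE-GC", "emea.example", is_gc=True)
HUB_EMEA_GC = DC("HUB-EMEA-GC", "emea.example", is_gc=True)
HUB_AMER_GC = DC("HUB-AMER-GC", "amer.example", is_gc=True)
HUB_EMEA_DC = DC("HUB-EMEA-DC", "emea.example", is_gc=False)
HUB_AMER_DC = DC("HUB-AMER-DC", "amer.example", is_gc=False)
HUB_APAC_DC = DC("HUB-APAC-DC", "apac.example", is_gc=False)

if __name__ == "__main__":
    for label, pool in [
        ("same-domain GC available", [HUB_AMER_GC, HUB_EMEA_GC, HUB_APAC_DC]),
        ("only a foreign-domain GC", [HUB_AMER_GC, HUB_EMEA_DC]),
        ("no GCs at all", [HUB_EMEA_DC, HUB_AMER_DC, HUB_APAC_DC]),
    ]:
        print(f"{label}: {smallest_partner_set(REMOTE_GC, pool, PARTITIONS)}")
```

In this model a same-domain GC alone covers every partition the remote GC hosts, while a foreign-domain GC can supply only the read-only copies, so a second partner is needed for the writable domain partition.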

RE: [ActiveDir] AD Site replication settings/costs

2006-08-30 Thread Steve Linehan








One more thing to add. If you want to see why we are
building the topology the way we are you can use ADLB in verbose reporting mode
and it will help you determine why the selections were made. You can of
course download ADLB from microsoft.com.



Thanks,



-Steve













From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Steve Linehan
Sent: Wednesday, August 30, 2006 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs







The following documentation describes this in detail: http://technet2.microsoft.com/WindowsServer/en/library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx




Read-only and Writable Replicas

When computing the replication topology, the KCC must consider
whether a replica is writable or read-only. For each potential set of
replication partners in the topology, the considerations are as follows:

- A writable replica can receive updates from a corresponding
  writable replica.
- A read-only replica can receive updates from a corresponding
  writable replica.
- A read-only replica can receive updates from a corresponding
  read-only replica.
- A writable replica cannot receive updates from a
  corresponding read-only replica.


So as Laura states GCs can replicate amongst themselves.



Thanks,



-Steve








RE: [ActiveDir] Logging successful logons in AD security log

2006-08-30 Thread Isenhour, Joseph
That may work, but it sort of falls under option b.  The logs will grow
so large that they will become unmanageable.  I did some calculations
and it works out to be about 1TB a year.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Wednesday, August 30, 2006 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

I have a pretty small site, and this probably won't scale very well, but
I have a script scheduled to run every day at midnight that backs up the
security log to a compressed folder & clears it. I have the log size set
ridiculously high, so it doesn't roll over unexpectedly.

' Build a backup file name from the current date and time
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay & _
    "_" & Hour(Time) & Minute(Time)
strComputer = "."
' The Backup and Security privileges are needed to save and clear the Security log
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Backup, Security)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
For Each objLogFile in colLogFiles
    ' Clear the log only if the backup succeeded (return value 0),
    ' so a failed backup does not lose the events
    If objLogFile.BackupEventLog("c:\seclogs\" & strBackupName & _
        "_security.evt") = 0 Then
        objLogFile.ClearEventLog()
    End If
Next

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Wednesday, August 30, 2006 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logging successful logons in AD security log

What is the general consensus on logging successful logon events?

For example if you have a domain with 100K users or so and you use AD as
your primary authentication service for: application, file, email, and
web access then it is plausible that you will end up with up to 100 log
entries per second.  That kind of volume will no doubt cause the logs to
roll over frequently thus making them somewhat useless.

The only alternatives I see are:

a) Don't log success logon.
b) Set your event log size to a very large (and possibly unmanageable)
size.
c) Invest in a fancy log management system that will collect, index, and
retain all of your logs.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
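
The nightly backup-and-clear routine from Derek Harris's quoted script, redone as an added PowerShell example (not code from the thread): it archives and clears the Security log with one wevtutil call, then hashes and compresses the archive. The D:\seclogs path and the manifest.csv file are assumptions, and it expects an elevated prompt on a Windows version that ships wevtutil.exe and PowerShell 5 or later.

```powershell
# Added example (not from the thread): archive and clear the Security log in
# one wevtutil call, then hash and compress the archive.
# Assumptions: $ArchiveRoot and manifest.csv are hypothetical names; run elevated.
param(
    [string]$ArchiveRoot = 'D:\seclogs',
    [string]$LogName     = 'Security'
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

New-Item -ItemType Directory -Path $ArchiveRoot -Force | Out-Null

# Zero-padded timestamp so archives sort correctly and names never collide
# (an unpadded hour+minute suffix maps both 1:23 and 12:03 to "123").
$stamp = Get-Date -Format 'yyyy_MM_dd_HHmmss'
$evtx  = Join-Path $ArchiveRoot ("{0}_{1}_{2}.evtx" -f $env:COMPUTERNAME, $stamp, $LogName)

# "cl <log> /bu:<file>" saves the log to <file> and clears it as one operation,
# so there is no window between a separate backup call and a separate clear call
# in which events (at ~100 per second) could be written and then wiped.
& wevtutil.exe cl $LogName "/bu:$evtx"
if ($LASTEXITCODE -ne 0) {
    throw "wevtutil exited with $LASTEXITCODE; treat the log as NOT archived."
}

# Refuse to continue if the archive is missing or empty.
$file = Get-Item -LiteralPath $evtx
if ($file.Length -eq 0) { throw "Archive $evtx is empty." }

# Record a SHA-256 of the raw archive before compressing, for later integrity checks.
$hash = (Get-FileHash -LiteralPath $evtx -Algorithm SHA256).Hash
Add-Content -LiteralPath (Join-Path $ArchiveRoot 'manifest.csv') `
    -Value ('{0},{1},{2}' -f $file.Name, $file.Length, $hash)

# Compress, confirm the zip exists, and only then delete the uncompressed copy.
$zip = "$evtx.zip"
Compress-Archive -LiteralPath $evtx -DestinationPath $zip
if (-not (Test-Path -LiteralPath $zip)) { throw "Compression failed for $evtx." }
Remove-Item -LiteralPath $evtx
```

On current Windows versions the clear is itself recorded in the fresh Security log as event 1102, so monitoring that alerts on 1102 needs to expect this scheduled job.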


RE: [ActiveDir] AD Site replication settings/costs

2006-08-30 Thread Rimmerman, Russ
We made every domain controller (80+) in our forest a GC.  We did this because 
if a link went down, we wanted each DC to be able to hold its own.  Maybe this 
wasn't such a good plan?



From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Wed 8/30/2006 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs


No. GCs can replicate partitions that they don't own to other GCs. They can't 
replicate them to DCs for the domains in question, but they *can* replicate 
their read-only partitions to other GCs.
 
Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David 
Cliffe
Sent: Wednesday, August 30, 2006 5:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs


That should be GCs cannot replicate partitions they don't own  
right?
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. 
Robinson
Sent: Wednesday, August 30, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs



Is it a GC? If so, then yes, that's to be expected. You may 
have *thought* that you gave it only one replication partner, but if you're 
seeing additional connection objects, then it has more than one replication 
partner. When planning replication, you must be aware of every partition that 
the DCs in a site are hosting. If you don't want that remote DC to have 
connection objects from all of those other DCs, you're probably going to need 
to set up connection objects for preferred DCs for it to use for replication of 
partition data. If it's a GC, and if you have a GC that is a DC for the same 
domain in another site, that would be a good choice to set as a replication 
partner, because they would be able to replicate all of their partitions (GCs 
can replicate partitions they don't own to other GCs).
 
Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
Behalf Of Rimmerman, Russ
Sent: Wednesday, August 30, 2006 2:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication 
settings/costs


It's a Windows 2000 native domain, we're about 4 
upgrades from having all Win2k3 DCs and from what I've read, that should help a 
lot with replication.
 
Automatic site link bridging isn't enabled, and we have 
0 site link bridges.  
 
We're a worldwide company with 3 main hubs, but it is a 
mesh network in design (MPLS).
 
I guess I'm mainly confused because the DC at the slow 
bandwidth site in question only has one replication partner, yet we see 
connections to it from a large number of our DCs on a regular basis.  Is this 
normal?



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
Behalf Of Laura A. Robinson
Sent: Wednesday, August 30, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication 
settings/costs


Intervals vary by company, domain structure, network 
topology and latency tolerances. That said, there is nothing inherently wrong 
with the replication parameters you list below. Are they the best parameters 
for your environment? That depends. Is this a Windows 2000 environment? Is 
automatic site link bridging enabled? There's a lot to consider in determining 
how to set site link properties; what you've listed below won't really be 
enough for anybody to give you any kind of realistic advice. (sorry)
 
Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL 
PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 30, 2006 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Site replication 
settings/costs


We have about 80 AD sites with DCs.  All sites 
are set for a cost of 100 on the site to site replication, and a replication 
interval of 15 minutes.  I'm presuming this is probably not a good thing.  
 
   

RE: [ActiveDir] Logging successful logons in AD security log

2006-08-30 Thread Free, Bob
Depends on how much info you need but doing it through the native event
log in an environment of that size is nearly futile unless you have SAN
space and CPU cycles to burn, ours is 1/4 that size and I tried it and
did the calcs and its storage reqs were unbelievable. IIRC I was also
seeing more than 100/sec in aggregate but I would need my notes and
abacus to confirm that. For the short time I actually had it on, the
logs were updating so fast it rendered event viewer useless, it couldn't
even refresh on the PDCe. (they were set to 125MB and unmanageable at
that size when I tried it)

b) won't work because the total of ALL your event logs together are
limited to a practical maximum somewhere around 300MB since they have to be
memory mapped and are sharing the 1 GB memory space of services.exe.
Eric Fitzgerald had a great blog entry about it a while back.

c) possible but still takes a lot of resources, I have been playing with
3rd party tools and DAD/MACS/ACS for a while, none are a panacea IMO. I'm
beginning to like the approach at least one of the 3rd party vendors
uses of just grabbing the changes to the AD attribute instead of using
the native audit subsystem. 

I'm leaning toward A and either checking the AD attribute or using
something in a logon script to update a database with the
who/what/when/where stuff. Depends on your needs I guess. Sorry this is
a little choppy but I'm pressed for time.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Wednesday, August 30, 2006 2:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logging successful logons in AD security log

What is the general consensus on logging successful logon events?

For example if you have a domain with 100K users or so and you use AD as
your primary authentication service for: application, file, email, and
web access then it is plausible that you will end up with up to 100 log
entries per second.  That kind of volume will no doubt cause the logs to
roll over frequently thus making them somewhat useless.

The only alternatives I see are:

a) Don't log success logon.
b) Set your event log size to a very large (and possibly unmanageable)
size.
c) Invest in a fancy log management system that will collect, index, and
retain all of your logs.



[ActiveDir] www.activedir.org MIA?; storing pictures in AD?

2006-08-30 Thread Thommes, Michael M.
Can anyone else get to the archives? Specifically, I was
looking for a thread from, I think, a couple of years ago where there was
discussion about storing (not storing?) employee pictures in AD. I am concerned
about how that attribute will grow our DIT. I seem to recall that maybe just a
pointer could be stored that would point to maybe an Oracle or Access
database. Any thoughts/recalls? Thanks!

Mike Thommes


RE: [ActiveDir] AD Site replication settings/costs

2006-08-30 Thread Kurt Falde
Have they actually captured a sniff of this traffic while it's going on?
Is this actually AD replication traffic? Or maybe something like the
printer thing that was discussed recently? Have you examined Sites &
Services for other servers that are supposedly talking with this server
to see if they actually have automatic or manual connection objects to
this server?

Kurt Falde

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Wednesday, August 30, 2006 6:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

One more thing to add. If you want to see why we are building the
topology the way we are you can use ADLB in verbose reporting mode and
it will help you determine why the selections were made. You can of
course download ADLB from microsoft.com.



Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Wednesday, August 30, 2006 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

The following documentation describes this in detail:
http://technet2.microsoft.com/WindowsServer/en/library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx




Read-only and Writable Replicas

When computing the replication topology, the KCC must consider whether a
replica is writable or read-only. For each potential set of replication
partners in the topology, the considerations are as follows:

* A writable replica can receive updates from a corresponding writable replica.
* A read-only replica can receive updates from a corresponding writable replica.
* A read-only replica can receive updates from a corresponding read-only replica.
* A writable replica cannot receive updates from a corresponding read-only replica.

So as Laura states GCs can replicate amongst themselves.



Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, August 30, 2006 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

No. GCs can replicate partitions that they don't own to other GCs. They
can't replicate them to DCs for the domains in question, but they *can*
replicate their read-only partitions to other GCs.











Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, August 30, 2006 5:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

That should be GCs cannot replicate partitions they don't own right?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, August 30, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

Is it a GC? If so, then yes, that's to be
expected. You may have *thought* that you gave it only one replication partner,
but if you're seeing additional connection objects, then it has more than one
replication partner. When planning replication, you must be aware of every
partition that the DCs in a site are hosting. If you don't want that remote DC
to have connection objects from all of those other DCs, you're probably going
to need to set up connection objects for preferred DCs for it to use for
replication of partition data. If it's a GC, and if you have a GC that is a DC
for the same domain in another site, that would be a good choice to set as a
replication partner, because they would be able to replicate all of their
partitions (GCs can replicate partitions they don't own to other GCs).

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 30, 2006 2:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

It's a Windows 2000 native domain, we're
about 4 upgrades from having all Win2k3 DCs and from what I've read, that
should help a lot with replication.



Automatic site link bridging isn't enabled,
and we have 0 site link bridges.

We're a worldwide company with 3 main
hubs, but it is a mesh network in design (MPLS).

I guess I'm mainly confused because the DC
at the slow bandwidth site in question only has one replication partner, yet we
see connections to it from a large number of our DCs on a regular basis. Is
this normal?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, August 30, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs



Intervals vary by company, domain
structure, network topology and latency tolerances. That said, there is nothing
inherently wrong with the replication parameters you list below. Are they the
best 

RE: [ActiveDir] Logging successful logons in AD security log

2006-08-30 Thread Sitton Glen E
I don't know that there is a 'general consensus' because everyone's
business needs differ.  My environment has around 100K users and you're
right, there's a ridiculously high volume of logon events.  We set the
security log size very high on the domain controllers, and collect and
clear the security logs several times per day using a
commercially-available fancy log management system.  We don't allow
the security logs to roll over.  The eventlog management software gives
us an impressive battery of audit reports, and a compressed eventlog
repository that we archive for FISMA compliance.

I'm sure our uncompressed event log archive is well above 1TB per year.
But we realize about a 20:1 compression using the commercial software.

Your options may be limited by legal requirements that may govern the
audit logs of your business or organization.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Wednesday, August 30, 2006 5:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

That may work, but it sort of falls under option b.  The logs will grow
so large that they will become unmanageable.  I did some calculations
and it works out to be about 1TB a year.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Wednesday, August 30, 2006 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

I have a pretty small site, and this probably won't scale very well, but
I have a script scheduled to run every day at midnight that backs up the
security log to a compressed folder & clears it. I have the log size set
ridiculously high, so it doesn't roll over unexpectedly.

' Build a backup file name from the current date and time.
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay & _
    "_" & Hour(Time) & Minute(Time)
strComputer = "."
' Connect to WMI with the Backup and Security privileges enabled.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Backup, Security)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
For Each objLogFile in colLogFiles
    ' Clear the log only if the backup succeeded (return value 0).
    errBackupLog = objLogFile.BackupEventLog("c:\seclogs\" & strBackupName & _
        "_security.evt")
    If errBackupLog = 0 Then
        objLogFile.ClearEventLog()
    End If
Next

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Wednesday, August 30, 2006 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logging successful logons in AD security log

What is the general consensus on logging successful logon events?

For example if you have a domain with 100K users or so and you use AD as
your primary authentication service for: application, file, email, and
web access then it is plausible that you will end up with up to 100 log
entries per second.  That kind of volume will no doubt cause the logs to
roll over frequently thus making them somewhat useless.

The only alternatives I see are:

a) Don't log success logon.
b) Set your event log size to a very large (and possibly unmanageable)
size.
c) Invest in a fancy log management system that will collect, index, and
retain all of your logs.



RE: [ActiveDir] Logging successful logons in AD security log

2006-08-30 Thread Tim Onsomu
The option chosen for my environment is:
c) Invest in a fancy log management system that will collect, index, and
retain all of your logs. 

The product we employ is EventSentry
(http://www.eventsentry.com/features.php?FEATURE=EVENTLOG) Though not
that fancy but good enough to do what is needed.

The events are collected and using sql reporting services a 24 hr
summary is emailed to the appropriate person.
It does not matter how many successful logons you have --I guess the
space on your sql server would be the limitation.

One aspect that drives what you choose is compliance if you have to
satisfy any audit requirements.

Good luck.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Wednesday, August 30, 2006 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

That may work, but it sort of falls under option b.  The logs will grow
so large that they will become unmanageable.  I did some calculations
and it works out to be about 1TB a year.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Wednesday, August 30, 2006 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

I have a pretty small site, and this probably won't scale very well, but
I have a script scheduled to run every day at midnight that backs up the
security log to a compressed folder & clears it. I have the log size set
ridiculously high, so it doesn't roll over unexpectedly.

' Build a backup file name from the current date and time.
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay & _
    "_" & Hour(Time) & Minute(Time)
strComputer = "."
' Connect to WMI with the Backup and Security privileges enabled.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Backup, Security)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
For Each objLogFile in colLogFiles
    ' Clear the log only if the backup succeeded (return value 0).
    errBackupLog = objLogFile.BackupEventLog("c:\seclogs\" & strBackupName & _
        "_security.evt")
    If errBackupLog = 0 Then
        objLogFile.ClearEventLog()
    End If
Next

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Wednesday, August 30, 2006 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logging successful logons in AD security log

What is the general consensus on logging successful logon events?

For example if you have a domain with 100K users or so and you use AD as
your primary authentication service for: application, file, email, and
web access then it is plausible that you will end up with up to 100 log
entries per second.  That kind of volume will no doubt cause the logs to
roll over frequently thus making them somewhat useless.

The only alternatives I see are:

a) Don't log success logon.
b) Set your event log size to a very large (and possibly unmanageable)
size.
c) Invest in a fancy log management system that will collect, index, and
retain all of your logs.



RE: [ActiveDir] www.activedir.org MIA?; storing pictures in AD?

2006-08-30 Thread Brian Desmond
Your DIT will grow (size of photo) * (# of users). It's
certainly doable and if you have some sort of business reason, consider doing
it, but, you could just as well store a path to a jpeg or something

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, August 30, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] www.activedir.org MIA?; storing pictures in AD?







Can anyone else get to the archives? Specifically, I was looking for a thread
from, I think, a couple of years ago where there was discussion about storing
(not storing?) employee pictures in AD. I am concerned about how that
attribute will grow our DIT. I seem to recall that maybe just a pointer could
be stored that would point to maybe an Oracle or Access database. Any
thoughts/recalls? Thanks!

Mike Thommes


Re: [ActiveDir] Logging successful logons in AD security log

2006-08-30 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Ask the PSS security guys and they want success and failure.  Only 
having half the story... is only half the story


Buy bigger hard drives and archive.

Sitton Glen E wrote:

I don't know that there is a 'general consensus' because everyone's
business needs differ.  My environment has around 100K users and you're
right, there's a ridiculously high volume of logon events.  We set the
security log size very high on the domain controllers, and collect and
clear the security logs several times per day using a
commercially-available fancy log management system.  We don't allow
the security logs to roll over.  The eventlog management software gives
us an impressive battery of audit reports, and a compressed eventlog
repository that we archive for FISMA compliance.

I'm sure our uncompressed event log archive is well above 1TB per year.
But we realize about a 20:1 compression using the commercial software.

Your options may be limited by legal requirements that may govern the
audit logs of your business or organization.  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Wednesday, August 30, 2006 5:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

That may work, but it sort of falls under option b.  The logs will grow
so large that they will become unmanageable.  I did some calculations
and it works out to be about 1TB a year.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Wednesday, August 30, 2006 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

I have a pretty small site, and this probably won't scale very well, but
I have a script scheduled to run every day at midnight that backs up the
security log to a compressed folder & clears it. I have the log size set
ridiculously high, so it doesn't roll over unexpectedly.

' Build a backup file name from the current date and time.
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay & _
    "_" & Hour(Time) & Minute(Time)
strComputer = "."
' Connect to WMI with the Backup and Security privileges enabled.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Backup, Security)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
For Each objLogFile in colLogFiles
    ' Clear the log only if the backup succeeded (return value 0).
    errBackupLog = objLogFile.BackupEventLog("c:\seclogs\" & strBackupName & _
        "_security.evt")
    If errBackupLog = 0 Then
        objLogFile.ClearEventLog()
    End If
Next

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Wednesday, August 30, 2006 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logging successful logons in AD security log

What is the general consensus on logging successful logon events?

For example if you have a domain with 100K users or so and you use AD as
your primary authentication service for: application, file, email, and
web access then it is plausible that you will end up with up to 100 log
entries per second.  That kind of volume will no doubt cause the logs to
roll over frequently thus making them somewhat useless.

The only alternatives I see are:

a) Don't log success logon.
b) Set your event log size to a very large (and possibly unmanageable)
size.
c) Invest in a fancy log management system that will collect, index, and
retain all of your logs.
