RE: [ActiveDir] Getting computer name from a username
Might not be applicable, but most of the management tools such as Altiris Deployment solution, SMS, Landesk etc. offer a find by last logged on option as well. It will bring up all computers that were last logged into by userx.

Bob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Posted At: Thursday, December 01, 2005 4:05 PM
Posted To: ActiveDirectory
Conversation: [ActiveDir] Getting computer name from a username
Subject: RE: [ActiveDir] Getting computer name from a username

Not from AD. AD doesn't store that info. If you have logging enabled you could get it from AD event logs. Alternatively if you have WINS you may be able to look at the WINS DB and find the userid 03 record and then find another 03 record or 20 record or 00 record for the machine with the same IP address. Lots of assumptions there though...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shane De Jager
Sent: Thursday, December 01, 2005 4:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Getting computer name from a username

Hi,

Is there a way you can tell which computer a user has logged onto just from his username?

--
Shane De Jager
Technical Developer
INTERGAGE
High-performance, updateable Web sites
Switchboard +44 (0)845 456 1022
www.intergage.co.uk
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers
Thanks! I'm not as bad off as I thought. I do most of that. Just need to look further into the filelinks, lost and found and a couple of others.

Bob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Posted At: Monday, November 28, 2005 4:45 PM
Posted To: ActiveDirectory
Conversation: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers

Heh. I don't think one exists.

Items off the top of my head that need to be cleaned up

o Inactive users (temp users and/or turnover)
o Inactive computers
o Inactive groups
o Group memberships of groups that are still active but contain members that shouldn't have access
o Unused or unresolvable FSPs
o Unused filelinks
o Unused contacts
o Objects in lost and found (all NCs, even config)
o Conflict (CNF) objects
o Unused trusts
o Unused OUs/Containers
o Unused Shares/Printers that were manually created outside of the computer object
o Unused GPOs (including ipsec gunk that isn't being used)
o Crud hanging around from failed DC Demotions (FRS objects, site objects, etc)
o Make sure DNS objects are being scavenged out
o Unused site objects
o Unused subnet objects (this also should include collapsing subnets if possible, say 2 24 bit subnets for same site that could be set up as a 23 bit subnet)

All of these pretty much have possible issues with them in terms of when you might like to delete or if it is even safe to delete. Something that should be simple would be users or computers yet they aren't. Exchange can really confuse whether or not a userid is truly needed in the case of resource mailboxes. Computer accounts could be for a cluster or a PC that is on the other side of a VPN so doesn't update anything in AD, etc.

When I was an ops guy I would regularly just fish around the directory looking for things to get rid of. I might spend a day looking at all of the trusts and delete 10, 20 or 100 of them because the NT domains were migrated in a long while back and someone forgot to tell the Enterprise Admins. I would run oldcmp to look for old computers and users and try to clean them up. I can't even guess how much that tool has helped folks with cleaning up. Groups was tough because you never really knew if they were used, you could make them into DLs which might help but some apps use them for security but don't use them as NT Security so being a DL has no bearing on whether they work or not. Group memberships is even tougher so you have to require the group or resource owner to "certify" the membership on regular say quarterly periods and make them responsible for anyone in the group who shouldn't be.

Basically without this occasional pruning AD becomes like your closet or garage, you just stack things up in there as needed and then forget about them until you stumble over them looking for something else.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ActiveDirectory
Sent: Monday, November 28, 2005 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers

I will admit to being one of those Admins. Can you recommend a good book that shows a clean up best practices for all those items that require manual cleanup?

Thanks!

Bob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Posted At: Monday, November 28, 2005 3:10 PM
Posted To: ActiveDirectory
Conversation: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers

They don't age out. You need to delete them. MS cleans up very little in the directory automatically. Actually I was having an offlist conversation with one of my MS friends about this topic in regards to the previous FSP question.

When deleting them it isn't too much impact, however, when they get purged out after the tombstone expires you may find your DCs chugging away if you have lots. I have seen hundreds of thousands of the filelinks in a directory before eating up tremendous space.

Personally I would hope the AD admins are doing a good job cleaning things up but for all practical purposes, most places aren't cleaning up and have no clue that they should be or that they need to be. The hard part, when SHOULD the system automatically delete something. It comes down to it being able to identify without a shadow of a doubt that the object isn't needed (say computer objects, FSP, etc) or could be perfectly reconstituted if necessary in the event of a bad delete.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, November 28, 2005 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers

Thanks for info the jo
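The caveat in the thread above, that an old computer account may belong to a cluster or to a PC behind a VPN, can be built into the triage step before anything is deleted. The following is an added example, not code from the thread or from oldcmp; the export columns, the 90-day threshold, the `known_offline` list and the cluster SPN prefix are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UAC_ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled
# Assumption: cluster virtual computer objects carry an SPN with this prefix.
CLUSTER_SPN_PREFIX = "msclustervirtualserver/"
NOW = datetime(2005, 12, 1, tzinfo=timezone.utc)  # fixed so the sample is repeatable


def filetime_to_datetime(value):
    """Convert an AD large-integer time (100 ns ticks since 1601) to UTC; 0 = never set."""
    ticks = int(value)
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(moment):
    """Inverse conversion, used here only to construct the sample export."""
    delta = moment - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def classify(row, now, max_age_days=90, known_offline=frozenset()):
    """Return a verdict for one exported computer account."""
    changed = filetime_to_datetime(row["pwdLastSet"])
    if changed is not None and now - changed <= timedelta(days=max_age_days):
        return "active"
    if int(row["userAccountControl"]) & UAC_ACCOUNTDISABLE:
        return "disabled-awaiting-delete"
    # Old password, still enabled: check the cases that are not safe to
    # treat as dead before proposing the account for disabling.
    spns = [s.strip().lower() for s in row["servicePrincipalName"].split(";")]
    is_cluster = any(s.startswith(CLUSTER_SPN_PREFIX) for s in spns)
    is_offline = row["cn"].upper() in {n.upper() for n in known_offline}
    if is_cluster or is_offline:
        return "owner-review"
    return "stale-candidate"


def triage(csv_text, now, max_age_days=90, known_offline=frozenset()):
    """Map each computer name in a CSV export to its verdict."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["cn"]: classify(row, now, max_age_days, known_offline) for row in reader}


def sample_export():
    """Constructed sample: (name, password age in days, userAccountControl, SPNs)."""
    rows = [
        ("WKS-NEW01", 10, 4096, "HOST/WKS-NEW01"),
        ("WKS-OLD01", 200, 4096, "HOST/WKS-OLD01"),
        ("CLUSTER-VS1", 400, 4096, "HOST/CLUSTER-VS1;MSClusterVirtualServer/CLUSTER-VS1"),
        ("LAPTOP-VPN7", 150, 4096, "HOST/LAPTOP-VPN7"),
        ("WKS-GONE02", 500, 4098, ""),
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["cn", "pwdLastSet", "userAccountControl", "servicePrincipalName"])
    for cn, age, uac, spn in rows:
        writer.writerow([cn, datetime_to_filetime(NOW - timedelta(days=age)), uac, spn])
    return buf.getvalue()


if __name__ == "__main__":
    verdicts = triage(sample_export(), NOW, known_offline={"LAPTOP-VPN7"})
    for name, verdict in verdicts.items():
        print(f"{name:12} {verdict}")
```

Only the `stale-candidate` rows are proposed for disabling; `owner-review` rows go to whoever owns the cluster or the remote machine.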
RE: [ActiveDir] Preventing local admin from rebooting servers
I think he said to then remove the Admins from that right also. Then you would only add users who "SHOULD" be able to shut it down to the special group.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike
Posted At: Monday, November 28, 2005 4:00 PM
Posted To: ActiveDirectory
Conversation: [ActiveDir] Preventing local admin from rebooting servers
Subject: RE: [ActiveDir] Preventing local admin from rebooting servers

Just a quick question here. I thought a new group was the way to go here, being given the appropriate rights/permissions. But why would you give this group the Shutdown computer right when that is the problem in the first place? The admins would still have the right and so would the new group. Maybe I'm missing something here.

Regards,
Mike Burns

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, November 28, 2005 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Preventing local admin from rebooting servers

You can't guarantee to stop them but you can slow them down by creating a new group and adding it to the shutdown computer right and remove admins.

I did this at a company that had previously given out admin to everyone who had any app on a server in the datacenter. The servers were rebooting all of the time and no one had a clue what was going on. After that one small change, 95% of the reboots stopped and most of the folks had no clue why they all of a sudden lost that ability.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santos, Pavel
Sent: Monday, November 28, 2005 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Preventing local admin from rebooting servers

Hello list,

Is there a way to prevent members of the local admin group on a server from rebooting the servers? We are trying to prevent some developers that need admin rights from rebooting the servers.

Thanks in advance,
Pavel
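One way to verify the change described in the thread above (a dedicated group holds the shutdown right and Administrators does not) is to audit the `[Privilege Rights]` section of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export. This is an added example, not code from the thread; the group SID is a constructed placeholder, both INF samples are constructed, and checking `SeRemoteShutdownPrivilege` as well goes beyond the single right the thread names.

```python
import configparser

ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID of the built-in Administrators group
# SeShutdownPrivilege is "Shut down the system"; the remote variant is
# included here as an extra check the thread does not mention.
SHUTDOWN_RIGHTS = ("SeShutdownPrivilege", "SeRemoteShutdownPrivilege")

# Constructed placeholder SID for the dedicated shutdown group.
SHUTDOWN_GROUP = "*S-1-5-21-1111111111-2222222222-3333333333-1105"

# Constructed export: Administrators and Backup Operators hold the right.
BEFORE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed export after the change: only the dedicated group is listed.
AFTER_INF = BEFORE_INF.replace(
    "*S-1-5-32-544,*S-1-5-32-551", SHUTDOWN_GROUP
).replace(
    "SeRemoteShutdownPrivilege = *S-1-5-32-544",
    "SeRemoteShutdownPrivilege = " + SHUTDOWN_GROUP,
)


def parse_privilege_rights(inf_text):
    """Return {right name: [principals]} from a security template export."""
    parser = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), strict=False
    )
    parser.optionxform = str  # keep the case of right names
    parser.read_string(inf_text)
    rights = {}
    if parser.has_section("Privilege Rights"):
        for right, value in parser.items("Privilege Rights"):
            rights[right] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def audit_shutdown_rights(inf_text, allowed):
    """List (right, principal, reason) for every deviation from the intended state."""
    rights = parse_privilege_rights(inf_text)
    findings = []
    for right in SHUTDOWN_RIGHTS:
        holders = rights.get(right, [])
        for principal in holders:
            if principal == ADMINISTRATORS:
                findings.append((right, principal, "Administrators still holds the right"))
            elif principal not in allowed:
                findings.append((right, principal, "principal outside the approved group"))
        if not any(p in allowed for p in holders):
            findings.append((right, None, "approved shutdown group is not assigned"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE_INF), ("after", AFTER_INF)):
        print(label)
        for finding in audit_shutdown_rights(text, {SHUTDOWN_GROUP}) or ["  no findings"]:
            print("  ", finding)
```

Because the thread notes that this only slows administrators down, running the same audit on fresh exports shows when the assignment has drifted back. Exports are usually UTF-16, so decode the file with that encoding before passing the text in.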
RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers
Yes, but if you have disabled the service on all servers as the thread is discussing what is going to do the cleanup?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Posted At: Monday, November 28, 2005 3:22 PM
Posted To: ActiveDirectory
Conversation: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers

ehhh... according to the KB article (http://support.microsoft.com/?id=312403) objects do age out..

It is not critical that you manually delete the Distributed Link Tracking objects after you stop the Distributed Link Tracking server service unless you have to reclaim the disk space that is being consumed by these objects as quickly as possible. Distributed Link Tracking clients prompt the Distributed Link Tracking server to update links every 30 days. The Distributed Link Tracking Server service scavenges objects that have not been updated in 90 days.

Jorge

From: [EMAIL PROTECTED] on behalf of joe
Sent: Mon 11/28/2005 10:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers

They don't age out. You need to delete them. MS cleans up very little in the directory automatically. Actually I was having an offlist conversation with one of my MS friends about this topic in regards to the previous FSP question.

When deleting them it isn't too much impact, however, when they get purged out after the tombstone expires you may find your DCs chugging away if you have lots. I have seen hundreds of thousands of the filelinks in a directory before eating up tremendous space.

Personally I would hope the AD admins are doing a good job cleaning things up but for all practical purposes, most places aren't cleaning up and have no clue that they should be or that they need to be. The hard part, when SHOULD the system automatically delete something. It comes down to it being able to identify without a shadow of a doubt that the object isn't needed (say computer objects, FSP, etc) or could be perfectly reconstituted if necessary in the event of a bad delete.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, November 28, 2005 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers

Thanks for info the joe and Guido,

Because of our politics where I work, modifying 4 workstations is not that easy. Changing 20 DCs on the other hand is a walk in the park. If I do not remove all of the filelinks manually, aren't they going to age out automatically after 60 days?

Thanks
Y

From: Grillenmeier, Guido
Sent: Mon 28/11/2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers

nope, no known impact (unless you have specifically deployed an app that makes use of this service - none of the MS apps do, which is why the service is disabled by default in Win2003).

however, if you want to make sure, why don't you just reverse your disabling process: first disable all clients, then disable the service on the DCs. Don't forget to cleanup the records underneath your domain's System\FileLinks\ObjectMoveTable and System\FileLinks\VolumeTable containers as these will surely contain a lot of garbage.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, 28 November 2005 17:40
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers

Has anyone found any issues in disabling the "distributed link tracking server" on windows 2000 server domain controllers?

I would like to take a two step approach in disabling this useless service. First on the DCs and then on all workstations. I was just wondering if there would be an impact on the clients seeing that cannot communicate with the server.

Thanks
Yves
RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers
I will admit to being one of those Admins. Can you recommend a good book that shows a clean up best practices for all those items that require manual cleanup?

Thanks!

Bob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Posted At: Monday, November 28, 2005 3:10 PM
Posted To: ActiveDirectory
Conversation: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers

They don't age out. You need to delete them. MS cleans up very little in the directory automatically. Actually I was having an offlist conversation with one of my MS friends about this topic in regards to the previous FSP question.

When deleting them it isn't too much impact, however, when they get purged out after the tombstone expires you may find your DCs chugging away if you have lots. I have seen hundreds of thousands of the filelinks in a directory before eating up tremendous space.

Personally I would hope the AD admins are doing a good job cleaning things up but for all practical purposes, most places aren't cleaning up and have no clue that they should be or that they need to be. The hard part, when SHOULD the system automatically delete something. It comes down to it being able to identify without a shadow of a doubt that the object isn't needed (say computer objects, FSP, etc) or could be perfectly reconstituted if necessary in the event of a bad delete.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, November 28, 2005 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers

Thanks for info the joe and Guido,

Because of our politics where I work, modifying 4 workstations is not that easy. Changing 20 DCs on the other hand is a walk in the park. If I do not remove all of the filelinks manually, aren't they going to age out automatically after 60 days?

Thanks
Y

From: Grillenmeier, Guido
Sent: Mon 28/11/2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers

nope, no known impact (unless you have specifically deployed an app that makes use of this service - none of the MS apps do, which is why the service is disabled by default in Win2003).

however, if you want to make sure, why don't you just reverse your disabling process: first disable all clients, then disable the service on the DCs. Don't forget to cleanup the records underneath your domain's System\FileLinks\ObjectMoveTable and System\FileLinks\VolumeTable containers as these will surely contain a lot of garbage.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, 28 November 2005 17:40
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers

Has anyone found any issues in disabling the "distributed link tracking server" on windows 2000 server domain controllers?

I would like to take a two step approach in disabling this useless service. First on the DCs and then on all workstations. I was just wondering if there would be an impact on the clients seeing that cannot communicate with the server.

Thanks
Yves
RE: [ActiveDir] Windows 2000 Server
I have also seen similar scenarios with faulty cabling or too long of a run on a Gigabit switch. We have 2 runs that are just over the maximum length for Gigabit. They work fine if we force the NIC to run at 100 Mbps instead.

Bob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Posted At: Wednesday, November 16, 2005 9:13 AM
Posted To: ActiveDirectory
Conversation: [ActiveDir] Windows 2000 Server
Subject: RE: [ActiveDir] Windows 2000 Server

Is a remote backup job taking place at that time? I've seen saturated data connections cause this...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> Sent: Wednesday, November 16, 2005 5:43 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Windows 2000 Server
>
> I have a server that I just noticed about every 12 days around the
> same time each time that the NIC reports that its link is down and
> then back up and then down and then back up within a 2 minute period
> and then all is calm for 12 days or so and then it happens again for
> only 2 minutes.
>
> Do you think that it could mean that the NIC could be failing?
>
> Justin A. Salandra
> MCSE Windows 2000 & 2003
> Network and Technology Services Manager
> Catholic Healthcare System
> 646.505.3681 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
RE: [ActiveDir] Force a Domain Sync
If the support tools are installed you can run repadmin at a command prompt, or replmon for a graphical view.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Narkinsky, Brian
Posted At: Wednesday, October 19, 2005 3:40 PM
Posted To: ActiveDirectory
Conversation: Force a Domain Sync
Subject: [ActiveDir] Force a Domain Sync

Isn't there some command line that will force all the DCs in a Domain to sync immediately? I can't remember what it is but, seems like there was some way.

Brian Narkinsky
System's Analyst
Florida Department of Environmental Protection
Tallahassee, FL 32399
RE: [ActiveDir] exchange confusion(OT)
You should be able to just do domain.com and it will pick up any child domains, unless you have a child that needs special privileges.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Posted At: Monday, October 10, 2005 2:28 PM
Posted To: ActiveDirectory
Conversation: [ActiveDir] exchange confusion(OT)
Subject: [ActiveDir] exchange confusion(OT)

I have a contact with the addy of [EMAIL PROTECTED]. I created a smtp connector with an address space of *.domain.com.

when exchange 2k sends an email destined for [EMAIL PROTECTED] thru that smtp connector, it rewrites the addy in the RCPT TO: as [EMAIL PROTECTED], taking out the servename. i see this in the smtp logs on the server and the remote server doesn't accept mail to that addy and is saying "relay not allowed".

Now, my question- why is exchange rewriting the address just because i'm using a wildcard in the connector address space? is this by design?

What if i wanted a connector going to every domain under domain.com like subdomain.domain.com and childdomain.domain.com ? wouldn't i just create a connector with an address space of *.domain.com? should exchange 2k just forward the email without changing the RCPT TO: headers?

am i wrong and clueless as usual? what am i missing?

i'm running Exchange 2k post sp3 rollup in mixed mode(but no exchange 5.5 servers or ADC).

Thanks a lot
RE: [ActiveDir] AD Migration Question
Just bring up a new 2k3 server, DCPromo it and it will do the rest as the first 2k3 DC. Once it is successfully promoted transfer all roles. Once you are sure everything is transferred and working correctly you can DCPromo to demote the old server wipe reinstall whatever. There is no coexistence other than working in Hybrid mode, and you can switch it to native once all of your 2K DCs are upgraded to 2K3.

As to moving DNS, WINS, DHCP if your DC is serving all those functions then yes activate them on the new server, and make sure you have updated the required clients to point at the new server for those services. If those services are working on a separate stand-alone server then don't worry about them other than to make sure any static entries are updated.

If you are planning to bring in Exchange 2k3 I believe it is best to get your 2k3 domain stable first. I don't think it is required though, but I'm not positive. Just like anything else though it is best to finish one project before starting the next that way you aren't caught trying to troubleshoot conflicting issues.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Posted At: Monday, October 10, 2005 9:16 AM
Posted To: ActiveDirectory
Conversation: [ActiveDir] AD Migration Question
Subject: RE: [ActiveDir] AD Migration Question

Thanks for the advice!

Excuse my ignorance, but how do I upgrade the schema, while I'm installing the WIN2K3 server? Ditto for migrating FSMOs. Does it mean that I would have a 2K and 2K3 AD domain coexisting for a while until I remove 2K AD?

When you said move DNS, WINS, DHCP, you meant Just installing them on the new server, right?

Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If so, in what sequence you did the upgrade?

Thanks
--Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

I would, if budget allows, go the second route. Do the schema upgrade bring up new windows 2003 server. Migrate FSMO roles to it. Move DNS,WINS etc to the new server and then DCPROMO, one at time, your other servers out. Reinstall them with W2K3 and dcpromo them back in.

Did this with a 700 user network with no downtime.

Regards
Peter Johnson

P.S Look out for the article on migrating your DHCP database.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: In-place upgrade of the W2K DC or standing up a brand new W2K3 DC server And then upgrade the W2K DC to W2K3?

By the way the W2K DC is also running DNS, DHCP, & WINS. I have one more DNS server. If I go the second route do I need to set up a DNS server or can I use the existing ones?

Thanks
--Alex
RE: [ActiveDir] AD Migration Question
My personal opinion is that you carry less crap over if you bring up a new 2k3 DC (even if only temporarily). You can always reformat and reuse the original server then move it back if you need to.

Bob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Posted At: Monday, October 10, 2005 8:26 AM
Posted To: ActiveDirectory
Conversation: AD Migration Question
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: In-place upgrade of the W2K DC or standing up a brand new W2K3 DC server And then upgrade the W2K DC to W2K3?

By the way the W2K DC is also running DNS, DHCP, & WINS. I have one more DNS server. If I go the second route do I need to set up a DNS server or can I use the existing ones?

Thanks
--Alex
RE: [ActiveDir] OT: Exchange alternate email address
You could also just manually add a proxy address to her existing account. We do this all the time for several alias accounts such as hostmaster, postmaster, and security etc. You can get more flexibility by creating an account/mailbox, but why bother if it isn't needed.

Bob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, October 03, 2005 3:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange alternate email address

If I understand this correctly, You have Jane Doe ([EMAIL PROTECTED]), and she would like to send mail as suzy que ([EMAIL PROTECTED]). In order to do this, you actually need to create an additional account and mailbox for Suzy Que. You can disable this account, though. Once the account is created and the RUS has whacked it (e.g. it has an email address), go in the Exchange Advanced tab in ADUC for suzy que, and then into mailbox rights. You want to do two things:

o Add Jane Doe on there and give her rights to Send As
o In the SELF entry, tick full mailbox access and associated external account.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 03, 2005 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange alternate email address

Hi, all. Quick question for you:

I have a user who wishes to send/receive email as a different address than her own. We use Exchange 2003 and Outlook 2003. I am just inquiring as to the 'best practice' for accomplishing this.

Thanks in advance,
James
RE: [ActiveDir] Cleanup of Active Directory...
You might also try ADModify from the PSS ftp site. It allows bulk modification and also allows you to narrow down the focus to certain OU, users etc using limited wildcards.

Bob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, October 03, 2005 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cleanup of Active Directory...

You can easily dump all this data with either csvde or adfind and the included perl script (the latter is probably better). As for importing it back in, you'll need some sort of simple script which takes the DN from the csv file and sets the values accordingly.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Monday, October 03, 2005 4:20 AM
To: Active
Subject: [ActiveDir] Cleanup of Active Directory...

Hi all,

If you remember some of my previous posts, I've had issues with excessive numbers of Domain Admins and a poorly managed Active Directory network.

I have now managed to control the number of Domain Admins to a suitable manner for our environment and delegated the appropriate permissions for the Service Desk.

I now need to data 'cleanse' Active Directory due to the number of fields which contain incorrect data which has been manually entered by previous Service Desk users. The fields which are showing incorrect data are the ones in the General and Organization tabs. Fields such as Description, Office, Title, Department etc are all showing the wrong data and are inconsistent. There are potentially 3500 users which may require account fields to be modified.

What I want to do is to clean this up. Is there a way in which I can export this data to an excel spreadsheet and then re-import without duplicating any accounts? Do I need to script this? (if so, does anyone have any scripts?)

Alternatively, is it worth employing someone to do it manually? time consuming and probably not the most favoured option, though any ideas would be appreciated.

Oh, it's a Single W2k3 domain, 2003 FFL,

thanks...
frank
RE: [ActiveDir] Multiple forests with a common DNS parent zone
Also, if your Forests are all Native 2003 domains you might look into their consolidation features. Since none of your names overlap and the zones are the same you may have better luck. I don't know the details as I've never done it myself, but it is theoretically possible to merge them together.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 03, 2005 2:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple forests with a common DNS parent zone

IF the NetBIOS names of the new root will NOT be the same as the old root, I can not make a technical case against your migration plans. It should work. But, if the NetBIOS names are going to be the same (maybe because your users are too attached to that name, and you don't want to introduce too much changes), then you can't do it the way you described it.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Mon 10/3/2005 2:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multiple forests with a common DNS parent zone

I have encountered a situation where 4 forests exist today, all of which have a common DNS parent zone - let's call it xxx.com.

Forest 1 has root domain named xxx.com with multiple child domains
Forest 2 has root domain named ap.xxx.com with multiple child domains
Forest 3 has root domain named am.xxx.com with multiple child domains
Forest 4 has root domain named jp.xxx.com with no children

DNS resolution between the 4 forests works fine. Xxx.com is hosted on UNIX BIND servers with all child zones delegated to Windows DNS servers. All child zone DNS servers forward to the servers hosting xxx.com.

Existing forests are w2k native and no trusts exist between these forests.

There is a proposal to build a new, fifth forest and to migrate all objects from the 4 forests above into this new forest. Forest 5 will have root domain named global.xxx.com and 4 children - representing the 4 forests above.

Does anyone have any concerns over the re-use of the same DNS name - xxx.com? I feel uncomfortable with this proposal but don't have any technical reasons to block it.

Any comments?

Thanks,
neil

___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481